THINK BEFORE YOU CLICK


AS ALWAYS THINK BEFORE YOU CLICK

Monday, December 9, 2019

Crooks are exploiting unpatched Android flaw to drain users’ bank accounts

Hackers are actively exploiting StrandHogg, a newly revealed Android vulnerability, to steal users’ mobile banking credentials and empty their accounts, a Norwegian app security company has warned.

“StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted. To carry out attacks, the attacker doesn’t need any special permissions on the device. The vulnerability also allows an attacker to masquerade as nearly any app in a highly believable manner,” they noted. 

StrandHogg allows attackers to show users fake login screens and to ask for all kinds of permissions, which may ultimately allow them to:
  • Read and send SMS messages (including those delivering second authentication factors)
  • Phish login credentials
  • Make and record phone conversations
  • Listen to the user through the microphone
  • Take photos through the device’s camera
  • Get access to photos, files on the device, location and GPS information, the contacts list, phone logs, etc.

According to the researchers, there is no effective block or reliable detection method against StrandHogg on Android devices, so users are advised to be on the lookout for signs that an app is exploiting it, including:

  • An app asking for permissions it shouldn't require or need. For example, a calculator app asking for GPS permission.
  • Permission pop-ups that don't contain an app name.
  • Typos and mistakes in the user interface.
  • Buttons and links in the user interface that do nothing when clicked on.
  • The Back button not working as expected.

As always, you can keep yourself safer—not fully protected, but safer—by sticking to recommended apps on the Google Play Store. If an app seems suspicious in name, description, or awkwardness of reviews, do a little extra research to vet it before you slap it on your device. And resist the urge to sideload apps outside of the Google Play Store; you never know what you’re installing on your device, and you lose any potential protections Google can provide. And once a “dropper” app gets on your device, installing something that can then masquerade as a real app is all too easy.

How do I get rid of StrandHogg-exploiting apps? 

If you think you’re stuck with an app that’s exploiting StrandHogg, you can always factory-reset your device. Set it up as a brand-new device, rather than restoring from a backup, and you’ll be back to square one. 

Otherwise, you’ll have to figure out which app on your device is sketchy. I think the easiest way to do this is to just start from scratch or, at minimum, delete any apps on your device that you’ve previously downloaded.

You can also try installing Lookout’s Security & Antivirus app, but there’s no guarantee that it’ll be able to detect every StrandHogg-exploiting app on your device.

Monday, October 14, 2019

Cybersecurity Tips

Don't click on direct links (in emails, text messages, etc.), especially those that are asking you to enter sensitive information. It's best to go directly to the source/website. 

Don't respond to phone requests asking for personal or financial information. If you are concerned, find the correct number and call the organization yourself. 

Don't overshare on social media. These details can provide hackers with your location, ammunition to craft spear phishing attacks, and answers to security questions. Think before you share! 

Don’t go “out of bounds” for comms. For example, if you’re buying something on eBay and the other party wants to negotiate via email instead of through the bidding system, that is a warning sign. 

Look out for emails which claim to have your password and say they’ve seen you visit bad websites, or recorded you in compromising positions. 

Be skeptical of any request to change banking or wiring instructions, even if it comes from a trusted person you regularly conduct business with. Always verify before following through by calling the person using a previously discussed phone number. 

Never reuse passwords between any websites or services. 

Always be skeptical of any unexpected invoice, or request to get or pay for anything by using gift cards. 

Create policies which require people getting unexpected requests for payment or changes in payment information to first verify by directly calling the person using a previously trusted phone number. 

Never answer authentication recovery questions (e.g. What is your mother’s maiden name?) with real answers. Avoid them altogether if you can, but if you’re forced to use them, don’t give real answers. Treat each question and answer as a sort of password (e.g. frogdog65). Sadly, that means you’ll have to write down each question and answer for each website that requires them, but you’ll be far less likely to have your account hijacked.

Tuesday, September 24, 2019

[Scam of the Week] Heads-Up: Amazon Phishing Attack in Progress

HackRead has come across a phishing scam that’s trying to trick Amazon customers into handing over their account credentials, personal information, and financial details. The phishing emails purport to be notifications from Amazon informing the recipient that they need to update their information within twenty-four hours or their account will be permanently disabled.

When a victim clicks the “Update Now” button in the email, they’ll be taken to a convincing imitation of an Amazon login page. After the victim enters their credentials, the phishing page will present a form for them to input their name, address, city, state, ZIP code, phone number, and date of birth. Next, they’ll be asked to provide their credit card and bank account information.

Finally, the phishing site informs the victim that their account has been recovered and says they’ll be automatically logged out. The victim is then redirected to the real Amazon website.

Monday, September 16, 2019

Video Becomes the Next Big Bait for Social Engineering

Scammers are always looking for new ways to get potential victims to engage. It appears that the latest trend is to leverage our familiarity with watching video to spawn an attack.
Every day, people all over the world engage with video content on social media as a stimulating medium to learn from or be entertained by. So, it makes sense that the bad guys would want to take advantage of people’s lowered defenses through the use of fake links to videos.
Video links can be sent to a potential victim via email or social media channels, usually using an “Is this you in the video???” angle of attack to create an emotional response – and get them to click.

It’s important to note that almost none of these attacks involve video at all; they are simply creating the need for a victim to click a malicious link under the guise of it being a video of interest.
You should always be wary of such requests, even when they seem to come from someone you know. Hacked social media accounts are valuable social engineering assets to cybercriminals, as they can be used to send the same “Is this you?” message to everyone connected to the compromised account.

Friday, August 9, 2019

Smishing and Vishing



What is smishing?
Smishing definition: Smishing (SMS phishing) is a type of phishing attack conducted using SMS (Short Message Service) on cell phones.

Just like email phishing scams, smishing messages typically include a threat or enticement to click a link or call a number and hand over sensitive information. Sometimes they might suggest you install some security software, which turns out to be malware. 

Smishing example: A typical smishing text message might say something along the lines of, “Your ABC Bank account has been suspended. To unlock your account, tap here: https://bit.ly/2LPLdaU” and the link provided will download malware onto your phone. Scammers are also adept at adjusting to the medium they’re using, so you might get a text message that says, “Is this really a pic of you? https://bit.ly/2LPLdaU” and if you tap that link to find out, once again you’re downloading malware. 

What is vishing?
Vishing definition: Vishing (voice phishing) is a type of phishing attack that is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype. 

It’s easy for scammers to fake caller ID, so they can appear to be calling from a local area code or even from an organization you know. If you don’t pick up, they’ll leave a voicemail message asking you to call back. Sometimes these kinds of scams will employ an answering service or even a call center that’s unaware of the crime being perpetrated.

Once again, the aim is to get credit card details, birthdates, account sign-ins, or sometimes just to harvest phone numbers from your contacts. If you respond and call back, there may be an automated message prompting you to hand over data and many people won’t question this, because they accept automated phone systems as part of daily life now. 

How to prevent smishing and vishing 

We’re on our guard a bit more with email nowadays because we’re used to receiving spam and scams are common, but text messages and calls can still feel more legitimate to many people. As we do more of our shopping, banking, and other activities online through our phones, the opportunities for scammers proliferate. To avoid becoming a victim you have to stop and think. 

Although the advice on how to avoid getting hooked by phishing scams was written with email scams in mind, it applies to these newer forms of phishing just as well. At root, trusting no one is a good place to start. Never tap or click links in messages; look up numbers and website addresses and input them yourself. Don’t give any information to a caller unless you’re certain they are legitimate – you can always call them back.

It’s better to be safe than sorry, so always err on the side of caution. No organization is going to rebuke you for hanging up and then calling them directly (having looked up the number yourself) to ensure they really are who they say they are.

Wednesday, July 31, 2019

Scam Of The Week: Equifax Settlement Phishing

ALERT: Internet bad guys are now trying to trick you into filing an Equifax claim and getting a $125 payment because your personal data was in the Equifax data breach. They are sending phishing attacks that look like they come from Equifax, and when you click on the links, you wind up on a fake website that looks like Equifax but will try to steal your personal information. Don't fall for it.
Here is an example of the phishing email:

If you want to file a claim, go to the legitimate FTC website and click on the blue "File a Claim" button. The website will check your eligibility for that claim; not everyone's information was compromised. Here is the link to the FTC site: https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement

Monday, July 22, 2019

Evite Data Breach

The data breach monitoring service Haveibeenpwned.com has added a database dump of almost 101 million Evite users who had their information exposed when attackers gained unauthorized access to their servers.

In May 2019, Evite posted a data incident notice disclosing that an unauthorized third party had gained access to their servers starting on February 22, 2019 and was able to access members' personal data. No financial information or social security numbers, though, were part of the breach.

"Potentially affected information could include names, usernames, email addresses, passwords, and, if optionally provided to us, dates of birth, phone numbers, and mailing addresses."

The original leaked database was being sold on the online underground market named Dream Market. This site has since been shut down, so it is not currently known where or if this larger Evite database is being sold online as well.

Due to the large number of exposed users, anyone who has an Evite account is advised to change their password. Furthermore, if you use that same password at other sites, you should change it there as well to prevent it from being used in credential stuffing attacks.

Monday, July 8, 2019

Scam Of The Week: Microsoft OneNote Audio Note Phishing Emails

All: Internet criminals are sending phishing attacks in which they try to trick you into listening to a fake "Audio Note". They show you screenshots and attempt to scam you into clicking on links or even logging into a fake Microsoft login page. 

Security forums are reporting that: "This campaign comes in the form of an email with the subject "New Audio Note Received" and claims that you have received a new audio message from a contact in your address book. In order to listen to the message, though, you will need to click on a link to listen to it."

Sample email screenshot



For Microsoft accounts and Outlook.com logins, it is important to remember that Microsoft login forms will only be on the microsoft.com, live.com, microsoftonline.com, and outlook.com domains.

If you are presented with a Microsoft login page from any other URL, avoid it and use your normal bookmarks to go to these sites.
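The domain rule above can be written down as a small URL check. What follows is an added example, not code from the original post: it takes the four domains the post lists and reports whether a login page URL is on one of them or on a subdomain of one. It uses the standard URL parser so that lookalike hosts (where the real domain is only a prefix of a longer attacker-controlled name), userinfo tricks (a real-looking name before an @ sign), and plain-http pages are all rejected. The function names and the sample URLs are constructed for this example.

```javascript
// Added example (not from the original post). The domain list comes from the post;
// the helper names and the sample URLs below are constructed for illustration.
const MICROSOFT_LOGIN_DOMAINS = ["microsoft.com", "live.com", "microsoftonline.com", "outlook.com"];

// Returns true only when the URL parses, uses https, and its hostname is exactly one of
// the allowed domains or ends with "." + one of them. Anchoring on the dot boundary is
// what makes "microsoft.com.example" and "login-microsoft.com" fail.
function isAllowedLoginUrl(urlString, allowedDomains = MICROSOFT_LOGIN_DOMAINS) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // not an absolute, parseable URL
  }
  if (url.protocol !== "https:") return false; // never send credentials over plain http
  // url.hostname excludes any "user:pass@" part, so "https://login.live.com@evil.example/"
  // yields hostname "evil.example", not "login.live.com".
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop a trailing dot
  return allowedDomains.some((d) => host === d || host.endsWith("." + d));
}

// Classify a list of URLs into the two buckets a reader would want to see.
function classifyLoginUrls(urls, allowedDomains = MICROSOFT_LOGIN_DOMAINS) {
  const result = { allowed: [], rejected: [] };
  for (const u of urls) {
    (isAllowedLoginUrl(u, allowedDomains) ? result.allowed : result.rejected).push(u);
  }
  return result;
}

// Constructed sample URLs: two that match the post's rule and several that do not.
const SAMPLE_URLS = [
  "https://login.microsoftonline.com/common/oauth2/authorize",
  "https://outlook.com/",
  "https://microsoft.com.account-verify.example/login",   // real name used as a prefix
  "https://login-microsoft.com/",                          // hyphenated lookalike
  "https://login.live.com@phish.example/",                 // userinfo trick
  "http://login.live.com/",                                // right host, wrong scheme
  "New Audio Note Received",                               // not a URL at all
];

if (typeof require !== "undefined" && require.main === module) {
  const report = classifyLoginUrls(SAMPLE_URLS);
  console.log("allowed:", report.allowed);
  console.log("rejected:", report.rejected);
}
```

The check is deliberately strict about the scheme and about the dot boundary; if a legitimate Microsoft page ever lives on a domain outside the post's list, extend the list rather than loosening the matching.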