Having multiple accounts online is common practice, as we use all sorts of services, from carrying out transactions on PayPal to social networking through Facebook and buying groceries from Walmart. Hackers have now come up with another way of exploiting unsuspecting users’ identities, said information security training professionals.


But if all of your accounts were hacked and sold to fraudsters, your entire identity on the web would be hijacked.

According to the findings of a team of information security experts from the UK-based Virtual Private Network comparison service Top10VPN, fraudsters on the Dark Web are now after all of your accounts on the web. Reportedly, malicious hackers operating on the Dark Web can buy someone’s entire identity, which cybercriminals refer to as “Fullz”, for as little as £820. The startling revelations were made in the first ever Dark Web Market Price Index by Top10VPN.

Information security training experts analyzed tens of thousands of ID lists uploaded in 2018 on three mainstream markets on the Dark Web namely Wall Street Market, Dream, and Point. As per their findings, a person’s bank details can be acquired for around £168 while PayPal logins can fetch nearly £280. Passport details can be obtained for just £40 and details of online shopping accounts on platforms like Amazon, Walmart and Tesco are available for £5.


All kinds of login credentials are in demand, from Match.com login IDs to Airbnb profiles, social media accounts such as Facebook or Twitter, Netflix accounts and even eBay and Deliveroo credentials. Almost every type of account can be hacked and sold on the Dark Web.

The reason these hacked IDs are in such demand is that, for just a few dollars, hackers can use the credentials as a backdoor to carry out identity theft.

According to the information security training researcher, Simon Migliano: “Our research is a stark reminder of just how easy it is to get hold of personal info on the dark web and the sheer variety of routes that fraudsters can take to get hold of your money. This really underlines the importance of two-factor authentication and more generally the secure use of websites and apps.”

The researchers did not say whether personal identity information prices are going up or down on the Dark Web, but other information security experts are observing a downward trend. McAfee’s chief scientist Raj Samani states:

“It seems like the prices are a little lower than 2015. However, there are certainly more services on offer than before. Validity rates are not included so like-for-like comparisons are challenging.”

Information security training specialists are concerned by the low prices: such valuable personal data is so easily and cheaply available that anyone can buy it and carry out a variety of malicious attacks.

Posted in Uncategorized | Leave a comment


According to an information security firm, China is attempting to cover up inexplicable delays in public reporting of high-risk software security holes by changing the dates of vulnerability publication to its national vulnerability database so they match those in the U.S. database.

A previous investigation, in November, discovered that China is finding and disclosing information on software security holes faster than the United States, except when those vulnerabilities are high risk and might be used in targeted attacks.


Now the information security firm Recorded Future has discovered that the China National Vulnerability Database (CNNVD) altered the original publication dates for at least 267 of the vulnerabilities examined in the firm’s research published in November 2017. The information security training experts said they expect the changes were made to conceal evidence revealed in that previous report.

CNNVD is managed by China’s Ministry of State Security (MSS). “CNNVD takes longer to publish high threat vulnerabilities than low threat vulnerabilities,” said Priscilla Moriuchi, information security training researcher.

China’s National Vulnerability Database has a website but appears to be separate from China’s Ministry of State Security (MSS), the firm said in its previous research. MSS is akin to the US Central Intelligence Agency. Unlike the CIA, however, MSS is not just a foreign intelligence service; it also has a large, and arguably more important, domestic intelligence mandate.

Recognizing the importance of the domestic mission is key to understanding why the MSS would manipulate data that is primarily consumed by Chinese or regional users. In other words, China is in no hurry to publish information about serious vulnerabilities because it wants to give MSS time to evaluate how the government might use them in offensive cyber operations. “CNNVD’s outright manipulation of these dates implicitly confirmed this assessment,” the firm said.

Now it seems China is also trying to cover its tracks and hide its intent. The altered CNNVD dates were for vulnerabilities that the U.S. NVD had reported in six days and that CNNVD took more than twice as long as its average of 13 days to report. Information security training analysts first noticed the discrepancies between publication dates in two Microsoft Office security holes identified as outliers in the firm’s November report.

“The initial CNNVD publication dates for the two vulnerabilities had been backdated to match NVD and erase the publication lag,” the information security firm said in its report. Screenshots of the vulnerability records from November and February, respectively, are provided in the report, highlighting the date alteration.

The information security firm found that 267 of the 268 CNNVD original publication dates had been altered since November 17. Moreover, each date was changed post-publication to approximate or beat the publication date in the U.S. vulnerability database.

“What we found was that CNNVD had changed the publication date to hide the publication lag,” information security training professional Moriuchi said. “This would hide the evidence of (Ministry of State Security) influence and any other processes that would create the publication lag in the first place and it would limit the methods we were using and any other organizations would use to anticipate Chinese APT behavior.”

The firm identified 74 new outlier vulnerabilities, published between September 13 and November 16, 71 of which “were backdated and the publication lags erased,” researchers said.

From a public service and transparency perspective, there could be larger liability issues for companies and institutions that rely solely on CNNVD data, researchers said. “If a company is victimized by an exploit for a vulnerability during the altered period of time, unless they kept a historical record of all CNNVD initial report dates, they could face questions about why they did not remediate a vulnerability for which they did not know about,” according to the firm report.
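To illustrate the check the report describes, keeping a historical record of CNNVD publication dates and comparing it against NVD, here is an added Python example; it is not Recorded Future’s tooling, and the two snapshots and the VULN-000x identifiers are constructed sample data rather than real records.

```python
"""Track CNNVD publication lag and detect post-publication backdating.

Added illustration, not Recorded Future's tooling: the two snapshots are
constructed sample data (VULN-000x are placeholder identifiers, not real
CVEs). Keeping your own dated copies of CNNVD records is what makes the
second check possible; a single download cannot reveal a changed date.
"""
from datetime import date
from statistics import mean

# Constructed snapshots: vuln id -> (NVD publication date, CNNVD publication date)
NOVEMBER_SNAPSHOT = {
    "VULN-0001": (date(2017, 9, 12), date(2017, 9, 13)),   # 1-day lag
    "VULN-0002": (date(2017, 9, 14), date(2017, 9, 20)),   # 6-day lag
    "VULN-0003": (date(2017, 9, 18), date(2017, 9, 22)),   # 4-day lag
    "VULN-0004": (date(2017, 9, 25), date(2017, 10, 3)),   # 8-day lag
    "VULN-0005": (date(2017, 10, 10), date(2017, 11, 8)),  # 29-day lag (outlier)
    "VULN-0006": (date(2017, 10, 11), date(2017, 11, 9)),  # 29-day lag (outlier)
}
FEBRUARY_SNAPSHOT = dict(NOVEMBER_SNAPSHOT)
FEBRUARY_SNAPSHOT["VULN-0005"] = (date(2017, 10, 10), date(2017, 10, 10))  # backdated to match NVD
FEBRUARY_SNAPSHOT["VULN-0006"] = (date(2017, 10, 11), date(2017, 10, 9))   # backdated to beat NVD


def publication_lag_days(snapshot):
    """Days by which CNNVD trailed NVD per record (negative = published first)."""
    return {vid: (cnnvd - nvd).days for vid, (nvd, cnnvd) in snapshot.items()}


def lag_outliers(snapshot, factor=2.0):
    """Records whose lag exceeds `factor` times the mean positive lag, mirroring
    the report's description of outliers as taking more than twice CNNVD's
    average. Only positive lags feed the mean so that backdated entries with
    zero or negative lag cannot drag the threshold down and hide outliers."""
    lags = publication_lag_days(snapshot)
    positive = [d for d in lags.values() if d > 0]
    if not positive:
        return []
    threshold = factor * mean(positive)
    return sorted(vid for vid, d in lags.items() if d > threshold)


def backdated_records(old, new):
    """Records whose CNNVD date moved earlier between two snapshots, with the
    lag before and after so the erased publication gap stays visible."""
    changes = {}
    for vid, (nvd, cnnvd_old) in old.items():
        if vid not in new:
            continue
        _, cnnvd_new = new[vid]
        if cnnvd_new < cnnvd_old:
            changes[vid] = {
                "old_lag": (cnnvd_old - nvd).days,
                "new_lag": (cnnvd_new - nvd).days,
                "moved_days": (cnnvd_old - cnnvd_new).days,
            }
    return changes


if __name__ == "__main__":
    print("lag outliers in November snapshot:", lag_outliers(NOVEMBER_SNAPSHOT))
    for vid, info in backdated_records(NOVEMBER_SNAPSHOT, FEBRUARY_SNAPSHOT).items():
        print(vid, info)
```

Run against the February snapshot alone, lag_outliers() finds nothing, which is exactly why only a retained history of earlier snapshots exposes the backdating.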

Additionally, China recently instituted a Cybersecurity Law (CSL) mandating that companies operating in China adopt a “tiered system of network security protections,” information security training researchers said. The law allows the state to hold companies both legally and financially responsible for what officials deem a “network security incident.”

In light of the activity uncovered by Recorded Future, a foreign multinational company that complies with all the provisions of the CSL may at the same time violate Western laws or regulations against cooperating with Chinese security and intelligence services.

Moriuchi said that the more worrying issue is China’s willingness to cloud or distort information to serve its ends. After all, vulnerabilities published on the US NVD or China’s CNNVD have already been publicly disclosed. That means they are unlike so-called vulnerability “equities”: undisclosed software vulnerabilities that state intelligence agencies discover (or purchase) and may keep secret for use in offensive cyber operations.



RMH Franchise Holdings revealed on Friday afternoon that PoS (point of sale) systems at its Applebee’s restaurants were infected with PoS malware.

According to information security training specialists, the PoS malware was used to collect names, payment card numbers, expiration dates, and card verification codes. On Friday afternoon, RMH Franchise Holdings published a link to the data breach notice on its website.


“RMH Franchise Holdings recently learned about a data incident affecting certain payment cards used at RMH-owned Applebee’s restaurants that we operate as a franchisee.” states the notice of the data breach.

“We are providing this notice to our guests as a precaution to inform them of the incident and to call their attention to some steps they can take to help protect themselves. RMH operates its point-of-sale systems isolated from the broader Applebee’s network, and this notice applies only to RMH-owned Applebee’s restaurants.”

The security breach was discovered on February 13, and RMH promptly started an investigation with the help of third-party information security professionals and law enforcement. According to the investigation by information security training experts, the infection lasted from December 6, 2017, to January 2, 2018.

Almost every restaurant operated by RMH was impacted; the incident affected more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas, and Wyoming.

The security breach does not affect online payment systems, and clients using self-pay tabletop devices were not affected either. RMH clarified that its point-of-sale systems are isolated from the broader Applebee’s network, so the incident is limited to RMH-owned restaurants.

“After discovering the incident on February 13, 2018, RMH promptly took steps to ensure that it had been contained. In addition to engaging third-party information security training professionals to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation,” RMH added.

“Now, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again.”



This week, GitHub’s code hosting website was hit with the largest-ever distributed denial of service (DDoS) attack, which peaked at a record 1.35 Tbps. According to data security researchers, the attackers did not use a botnet; instead they weaponized misconfigured Memcached servers to amplify the DDoS attack.

The attackers abused Memcached, a popular open-source and easily deployed distributed caching system, to launch a DDoS attack over 51,000 times more powerful than the traffic they sent. Cyber security experts explain that the amplification attack works by sending a forged request to the exposed Memcached server on port 11211 from a spoofed source IP address that matches the victim’s IP, so that the server’s reply goes to the victim.


A few bytes of request sent to the vulnerable server trigger a response tens of thousands of times larger, directed at the targeted IP address.
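As an added illustration of how a defender would spot a Memcached server being used as a reflector, the following Python example (not code from GitHub’s or the researchers’ write-ups) scores constructed NetFlow-style records; the 10.0.0.0/8 internal range, the addresses and the byte counts are assumptions.

```python
"""Flag Memcached UDP reflection in flow records (added illustration).

The flow lines below are constructed NetFlow-style records, not real
captures. An exposed Memcached server answers tiny spoofed UDP requests
on port 11211 with very large responses, so the tell-tale signs are UDP
traffic leaving port 11211 towards outside addresses and a huge
response-to-request byte ratio for the peer that "asked" for it.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

MEMCACHED_PORT = 11211
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range (constructed)

# Constructed sample: two 15-byte requests from a spoofed outside address,
# each answered with 750 kB; the TCP flows are legitimate internal use.
FLOW_LINES = """\
udp 198.51.100.7:40001 -> 10.0.0.5:11211 bytes=15
udp 10.0.0.5:11211 -> 198.51.100.7:40001 bytes=750000
udp 198.51.100.7:40002 -> 10.0.0.5:11211 bytes=15
udp 10.0.0.5:11211 -> 198.51.100.7:40002 bytes=750000
tcp 10.0.0.9:52000 -> 10.0.0.5:11211 bytes=120
tcp 10.0.0.5:11211 -> 10.0.0.9:52000 bytes=4000
"""

FLOW_RE = re.compile(
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<nbytes>\d+)"
)


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "proto": m["proto"],
            "src": ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ip_address(m["dst"]), "dport": int(m["dport"]),
            "nbytes": int(m["nbytes"]),
        })
    return flows


def amplification_by_peer(flows):
    """Per outside peer: (bytes it sent to memcached, bytes memcached sent
    back to it, response/request ratio). Only UDP is counted because the
    reflection relies on spoofing the source of connectionless packets."""
    req, resp = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        inbound = f["dport"] == MEMCACHED_PORT and f["dst"] in INTERNAL
        outbound = f["sport"] == MEMCACHED_PORT and f["src"] in INTERNAL
        if inbound and f["src"] not in INTERNAL:
            req[str(f["src"])] += f["nbytes"]
        elif outbound and f["dst"] not in INTERNAL:
            resp[str(f["dst"])] += f["nbytes"]
    result = {}
    for peer in set(req) | set(resp):
        r, s = req[peer], resp[peer]
        result[peer] = (r, s, s / r if r else float("inf"))
    return result


def reflection_alerts(flows, min_ratio=100.0):
    """Outside addresses receiving UDP from port 11211 at a high ratio.
    Each such address is the likely victim whose source IP was spoofed."""
    return sorted(peer for peer, (_, s, ratio) in
                  amplification_by_peer(flows).items()
                  if s > 0 and ratio >= min_ratio)
```

On a real host the fix is to stop the UDP listener and bind only to a private interface (memcached’s `-U 0` and `-l` options) rather than rely on detection after the fact.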

“This attack was the largest attack seen to date, more than twice the size of the September 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed,” said a data security company that helped Github to survive the attack.

In a post, GitHub said, “The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the Memcached-based approach that peaked at 1.35Tbps via 126.9 million packets per second.”

A cyber security professional said, “though amplification attacks are not new, this attack vector involves thousands of misconfigured Memcached servers, many of which are still exposed on the Internet and could be exploited to launch massive attacks soon against other targets”.



Another AWS S3 bucket has been exposed to the public. This time the bucket belonged to Birst.

A cyber security team has discovered a massive trove of data exposed by an unprotected Amazon Web Services (AWS) S3 bucket. The data belonged to Birst, a Cloud Business Intelligence (BI) and Analytics firm.

The exposed database contained 50.4 GB of data relating to one of Birst’s customers, Capital One, a financial services giant and the eighth-largest commercial bank in the United States. The leaked data contained technical information on a Birst device specially configured for Capital One’s cyber infrastructure.


According to the cyber security researchers’ report, the data also contained passwords, administrative access credentials and private keys for use within Capital One systems by an on-premises Birst cloud environment. The exposed data was enough to guide an attacker on how the Birst device used by Capital One could be compromised and how to dig deeper into the company’s IT systems.

The data was discovered on January 15th, 2018 by data security professional Chris Vickery, and was located at the subdomain “capitalone-appliance”, which allowed anyone to access it.

One of the files identified was labeled “Client.key” and carried the encryption key needed to decrypt data. The key was stored alongside the encrypted device, which could have allowed attackers to decrypt it.

Furthermore, the data security researcher claimed to have identified usernames and their hashed passwords, used by the company in the database for the device.

“The good news is that the attacker would first need to compromise Capital One’s network to use the leaked credentials to attempt to compromise the Birst device. This leak does not expose all the information stored in those other systems. Rather, this leak multiplies the effect of any successful attack, whether through phishing, malware, social engineering, or insider threat, to a potentially catastrophic scale,” the cyber security researcher concluded.

Days after the discovery, the cyber security team deleted their blog post about Birst’s exposed database. In an email, a spokeswoman for Capital One said that “At no time was any Capital One information exposed. This was simply an instance of a vendor’s software that was hosted in their cloud environment. The referenced passwords and credentials are generic and are used for installing this software. As a matter of standard practice, Capital One changes all default settings, including credentials, prior to deploying third-party software. Because of this, there is no impact to the security of Capital One systems and data.”

But this week, the data security team restored and updated its blog post according to which “Capital One has reached out to the team to provide further comments on the intended use of the Birst device in their environment.”



Hijacker is a Graphical User Interface for the penetration testing tools Aircrack-ng, Airodump-ng, MDK3 and Reaver. It offers a simple and easy UI for using these tools without typing commands in a console or copying and pasting MAC addresses.

This requires an ARM Android device with a wireless adapter that supports Monitor Mode. Cyber security experts said that a few Android devices do, but none of them natively. This means that you will need custom firmware. The Nexus 5 and any other device that uses the BCM4339 chipset will work with Nexmon. Devices that use the BCM4330 can use bcmon. An alternative is to use an external adapter that supports monitor mode in Android, connected with an OTG cable.

The required tools are included for armv7l and aarch64 devices as of version 1.1. The Nexmon driver and management utility for the BCM4339 are also included. Data security professionals note that root is also necessary, as these tools need root to work.


Information Gathering:

  • View a list of access points and stations (clients) around you
  • View the activity of a specific network, by measuring beacons and data packets, and its clients
  • Statistics about access points and stations
  • See the manufacturer of a device (AP or station) from the OUI database
  • See the signal power of devices and filter the ones that are closer to you
  • Save captured packets in .cap file

Attacks:

  • Deauthenticate all the clients of a network, either targeting each one or without specific target
  • Deauthenticate a specific client from the network it’s connected
  • MDK3 Beacon Flooding with custom options and SSID list
  • MDK3 Authentication DoS for a specific network or to everyone
  • Capture a WPA handshake or gather IVs to crack a WEP network
  • Reaver WPS cracking, pixie-dust attack using NetHunter chroot and external adapter

Other:

  • Leave the app running in the background, optionally with a notification
  • Copy commands or MAC addresses to clipboard
  • Includes the required tools, no need for manual installation
  • Includes the nexmon driver and management utility for BCM4339 devices
  • Set commands to enable and disable monitor mode automatically
  • Crack .cap files with a custom wordlist
  • Create custom actions and run them on an access point or a client easily
  • Sort and filter Access Points with many parameters
  • Export all the gathered information to a file
  • Add an alias to a device (by MAC) for easier identification


Data security professionals say that you have to make sure that you are on Android 5+, that the device is rooted with SuperSU (if you are on CM/LineageOS, install SuperSU), and that your firmware supports Monitor Mode on your wireless interface.

When you run Hijacker for the first time, you will be asked whether you want to install the nexmon firmware or go to home screen. If you have installed your firmware or use an external adapter, you can just go to the home screen. Otherwise, click ‘Install Nexmon’ and follow the instructions. Keep in mind that on some devices, changing files in /system might trigger an Android security feature and your system partition will be restored when you reboot. After installing the firmware you will land on the home screen and airodump will start. Make sure you have enabled your WiFi and it’s in monitor mode.



The Android spyware was used to steal personal data of victims – The campaign also shows why users should never use their real photos on Facebook.

There are almost 2 billion monthly active users on the social media giant Facebook, which makes it one of the most lucrative targets for hackers and cybercriminals. Recently, researchers at the Czech IT security firm Avast reported a sophisticated campaign in which attackers used Facebook and Facebook Messenger to trick users into installing highly sophisticated Android spyware.


The scam was reported to Avast by one of its customers, who had received messages on Facebook Messenger carrying strange-looking links, sent by unknown profiles going by the names Alona, Christina and Rita and using images of attractive women.

Upon analyzing the scam, researchers quickly identified that the profiles used in the scam were fake and used images stolen from real people without their knowledge or consent. The fake women lured the victim into clicking the link and installing the latest version of the Kik Messenger app on their device in order to continue their “flirty conversations”.

[Screenshot: the link sent by hackers to their victims. Credit: Avast]

However, the link was only disguised as the Kik Messenger app; in reality it took victims to a “very convincing” phishing website that hosted a malicious version of the Kik Messenger app. Once installed, the spyware app would steal personal data from the device.


Dubbed Tempting Cedar Spyware by Avast researchers, the attack aims at stealing personal data from victims’ Android devices, including photos, contact lists, SMS, call logs and the victims’ location, and at recording surrounding sounds, including call conversations.

According to Avast, the operation has been targeting Android users since 2015 and so far it has hunted hundreds of victims in the Middle East. The most targeted victims were from Israel while a small number of victims were identified in China, France, Germany and the United States.

Based on evidence such as login activity, IP addresses, Middle Eastern time zones and the registrant data of domains used by the hackers to distribute the malware, Avast researchers believe that this campaign is being run from Lebanon. However, at the time of publishing this article, it was unclear whether the Tempting Cedar Spyware campaign is still targeting users or has been shut down.

“The cybercriminals behind the Tempting Cedar Spyware were able to install a persistent piece of spyware by exploiting social media, like Facebook, and people’s lack of security awareness, and were thus able to gather sensitive and private data from their victims’ phones including real-time location data which makes the malware exceptionally dangerous,” Avast concluded.

Just last month researchers at Lookout Security exposed a cyber espionage campaign called Dark Caracal in which attackers targeted thousands of victims across 21 countries. The researchers identified that the campaign is being run from Beirut, Lebanon from a building owned by the Lebanese General Directorate of General Security (GDGS).


Avast has shared a few blurred photos used by the hackers in the operation, which is a reminder that social media users on any site should refrain from using their real photos. On Facebook, users should avoid using their own photos as cover or profile photos and make sure their personal photos are only visible to close friends.

[Image: blurred profile photos used in the campaign. Credit: Avast]


This is not the first time hackers have used photos of attractive women to trap their victims. In fact, this is not even the first campaign in which Israeli users have been lured into installing spyware on their phones by hackers using fake photos of attractive women. In January 2017, Hamas was found hacking dozens of smartphones belonging to IDF (Israel Defense Forces) soldiers, using large numbers of seductive female images on Facebook to trick soldiers into downloading malware that stole their text messages, photos, contacts and WhatsApp conversations and identified their location.

In a 2015 incident, hackers used photos of female IDF soldiers to target officials with Poison Ivy trojan and breached Israeli military servers to steal sensitive information. According to Israeli cybersecurity specialists, an unknown Lebanon-based political/governmental group was behind the campaign.
