Keyless Smart Cars are now target for hackers

Now it is the turn of smart keyless car becoming target for hackers, that high-tech keyless car security system is pretty sweet for hackers. According to a new report in Wired, thieves can use off-the-shelf hardware and software to impersonate a vehicle's security fob and break into a car in no more than a few minutes.

This vulnerability in keyless vehicles illustrates what is practically an axiom in technology: Convenience often reduces security. And in a corollary truth, hackers are usually at least one step ahead of the technologies intended to thwart them.

Australian security researcher Silvio Cesare plans to review his findings about this new approach to keyless break-ins at this week's Black Hat Internet security conference in Las Vegas. The annual event is a place where people from law enforcement, security experts, military intelligence and even the shady side of the street come together.

People have previously found weaknesses in keyless entries. In 2012, for instance, a rash of Chicago car break-ins were linked to someone using some kind of electronic tool.

Meanwhile, Swiss researchers have found a way to get someone's key fob to broadcast an open command so it can be duplicated, potentially allowing thieves to break into and operate a car.

However, Cesare thinks that he may be the first to actually crack the encryption intended to guard they keyless systems. He built a device that would keep pressing the buttons on his own fob. After collecting thousands of samples of the codes intended to be picked up by the car, he found patters that reduced the number of possible codes to unlock a vehicle from 43 million to less than 13,000.

That's still a big number for humans, but computers can try that many sequences without getting bored, wasting time or needing a bathroom break.

Other auto threats are also a topic of discussion at the Black Hat conference. According to InformationWeek, as cars increasingly feature on-vehicle wireless networks that connect with satellite services and smartphones, they become more vulnerable to remote attacks. By breaking into a car's Bluetooth network or a phone app, for instance, someone could in theory control a car's steering, braking or automated parking.

Last year, researchers showed how they could take control of many basic functions in a 2010 Toyota Prius and 2010 Ford Escape. Among new vehicles, the 2014 Jeep Cherokee, 2014 Infiniti Q50 and 2015 Escalade are the most vulnerable to attack, according to security researchers. A 2014 Audi A8 was deemed the least vulnerable model to electronic attack because the car's networked systems are separate from its physical operational systems.

The automobile industry has begun to take such threats more seriously. Last month it announced a mechanism to share security vulnerabilities.

One million Android devices infected in China

One million Android devices in China were infected with an Xshqi SMS worm on August 2, the day the country celebrated Valentine’s Day.

Experts at Kaspersky Lab revealed that a malware, dubbedTrojan.AndroidOS.Xshqi.a, infected neatly 500,000 Android devices in just six hours last week in China, but Chinese media provided a more pessimistic estimate declaring that the number of infected mobile is over 1 million smartphones.

The attackers operated in conjunction of the day the country celebrated Valentine’s Day as explained by Kaspersky team.

“The fact that this Trojan combination appeared on the Chinese Valentine’s Day is premeditated, taking advantage of user credulity on this special day. And it uses social engineering techniques to spread as much as possible and infect more devices. This Trojan is a good example of why it’s always worth thinking twice about trusting a link received on your mobile phone. No matter who sends it, it could still be a malicious program.,” reported researcher Vigi Zhang in a blog post.

The malware has been classified as a mobile SMS worm, but it includes also two malicious modules, the XXshenqi.apk and its asset Trogoogle.apk, the first one is used to spread the malicious code meanwhile the other component is a backdoor.

Once a mobile device is infected by Trojan.AndroidOS.Xshqi.a, the malware sends malicious SMSs to all the contacts in the victim’s address book. The link is used by malware authors to get victims to install the Trojan as well, Trojan.AndroidOS.Xshqi.a that verify the presence of the Trogoogle.apk, if it isn’t installed it displays a dialog window to prompt the user to install Trogoogle.apk. detected by Kaspersky as Backdoor.AndroidOS.Trogle.a.

The backdoor is used by cybercriminals to perform numerous operations, for example in order to steal victim’s personal information it asks user to register the app. The backdoor also enables the attackers to control victim’s device and send different commands to perform several operations, for example to create and send text messages.

Chinese law enforcement has already identified the author of the malicious campaign, he is a 19-year-old college student that admitted creating the malicious code, but he claimed that he only did it for fun. The young man was detained in the city of Shenzhen while visiting his parents.

Russian Cyber criminals hacked 1.2 billion usernames and Passwords

A Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses, according to Hold Security - a US firm specialising in discovering breaches.

Hold Security described the hack as the "largest data breach known to date".

It claimed the stolen information came from more than 420,000 websites, including "many leaders in virtually all industries across the world".

Hold Security did not give details of the companies affected by the hack.

"They didn't just target large companies; instead, they targeted every site that their victims visited," Hold Security said in its report.

"With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites."

These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems”

Hold Security

The New York Times, which first reported the findings, said that on its request "a security expert not affiliated with Hold Security analysed the database of stolen credentials and confirmed it was authentic".

"Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information," the paper said.

The paper added: "Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable."

The Wall Street Journal later revealed that Hold intended to offer website owners the ability to check whether they had been affected, but only if they paid a fee.

The firm initially posted a message on its site saying it would charge $120 (£71) a month for the "breach notification service", however the details have since been replaced with a message saying "coming soon!".

Multi-pronged attack?

Hold Security, which has previously reported about hacks on Adobe and Target, said it took more than seven months of research to discover the extent of the latest hack.

The firm claimed the gang initially acquired databases of stolen credentials from fellow hackers on the black market.

"These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems," Hold Security said.

The hackers also got access to data from botnets - a network of computers infected with malware to trigger online fraud.

Hold Security said the botnets helped the hacking group - which it dubbed CyberVor - identify more than 400,000 websites that were vulnerable to cyber attacks.

"The CyberVors used these vulnerabilities to steal data from these sites' databases," the firm said.

"To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totalling over 1.2 billion unique sets of e-mails and passwords."

Read more at: http://www.bbc.com/news/technology-28654613

Wall Street Journal’s Facebook Page Hacked

On July 21, the Journal confirmed that its Facebook account was hacked and false comments posted. "We are aware that our Facebook page was compromised," the newspaper said. "We have deleted the posts and are looking into it."

News site Mashable took screen-grabs of the fake comments. One of the comments read, "#BREAKING: US Air Force One crash feared as air traffic controller loses contact with pilot over Russian air space."

The Journal confirmed to Information Security Media Group that the unauthorized postings to its Facebook page were due to a compromise of a third-party account. "We acted quickly to remove the erroneous material and have reset affected accounts," according to a statement from the newspaper.
What's At Stake?

The incident highlights the many risks of a corporate social media account takeover, says Nikki Junker, communications and media manager at the Identity Theft Resource Center. "These risks range from damage to a brand's reputation to global financial impact, as was seen in the hacking of an Associated Press Twitter account last year," which caused the Dow Jones Industrial Average to drop 143 points, she says (see: Social Media Needs 2-Factor Authentication).

Shirley Inscoe, a security analyst at consultancy Aite Group, says the attack could have been a test to see if the hackers could post the false items successfully and how long it would take to be removed. "Media and social websites need to be much more security conscious than they have proven to be to date," she says.

It's important to take advantage of two-factor authentication offered by many social networks, Junker says. "You can set both your Twitter and Facebook accounts to send you a text message with a verification code which must be entered in order to log-in to an account," she says. "While it may take a bit of extra time, it can help prevent serious problems for your organization."

For more details: http://www.databreachtoday.com/wsj-facebook-page-hacked-a-7087#.U9_LW5azwOQ.twitter

Hacker's White Label Money Laundering Services

Laundering the spoils from cybercrime can be a dicey affair, fraught with unreliable middlemen and dodgy, high-priced services that take a huge cut of the action. But large-scale cybercrime operations can avoid these snares and become much more profitable when they’re able to disguise their operations as legitimate businesses operating in the United States, and increasingly they are doing just that.

The typical process of “cashing out” stolen credit card accounts
Today’s post looks at one such evolution in a type of service marketed to cybercrooks that has traditionally been perhaps the most common way that thieves overseas “cash out” cybercrimes committed against American and European businesses, banks and consumers: The reshipping of goods purchased through stolen credit cards.

Cybercrooks very often rely on international reshipping services to help move electronics and other goods that are bought with stolen credit cards, shipped abroad, and then sold for cash. Many fraudsters use stolen credit cards to pay for U.S. Postal Service and FedEx shipping labels a.k.a. “black labels” but major shipping providers appear to be getting better at blocking or intercepting packages sent with stolen credit cards (at least according to anecdotal evidence from the cybercrime forums).

As a result, crooks increasingly are turning to a more reliable freight: So-called “white label” shipping services that are paid for with cybercrime-funded bank accounts via phony but seemingly legitimate companies in the United States.

CASHING OUT
In the case of a breach at an online merchant that exposes the card number, expiration and card verification value (CVV), the compromised card numbers typically are used to purchase high-priced electronics at online stores that are known to be “cardable” that is, the stores will ship to an address that is different from the billing address.

In the case of “card present” breaches (such as at those that have hit Target, Neiman Marcus, P.F. Chang’s and others) where attackers use malicious software to compromise cash register transactions and gather data that can be used to fabricate new cards fraudsters employ teams of “runners” who use the card data to create counterfeit cards and buy high-priced merchandise at big box retailers.

In either card-present or card-not-present fraud, one of the most lucrative ways for fraudsters outside of the United States to cash out stolen credit cards is to have carded goods shipped overseas, where electronics and other luxury items typically sell for a much higher price than in the United States.

The hardest step in this whole process is successfully getting the goods out of the United States, because a large percentage of retailers simply refuse to ship to areas like Russia and Ukraine due to high rates of fraud associated with those regions.

Traditionally, fraudsters get around this restriction by turning to reshipping services that rely on “mules,” people in the United States who get recruited to reship packages after responding to work-at-home job scams. These reshipping mules are sent multiple packages containing electronics that have been purchased with stolen credit and debit cards. They’re also sent prepaid and pre-addressed shipping labels, and the mules are responsible for making sure the goods are reshipped quickly and accurately.

Over the past year, however, more and more users of reshipping services advertised in the cybercrime underground have reported problems with a greater share of their packages being intercepted or canceled. Apparently, the shipping companies are getting better at detecting shipping labels that are paid for with stolen credit cards and hijacked accounts.

LABEL CITY
Enter LabelCity, a “white label” service that advertises “corporate rates” for shipping Priority Mail International through the U.S. Postal Service (USPS) rates that come in slightly below the rates that the USPS charges retail on its shipping calculator.

LabelCity’s “corporate” rates for its “white label” USPS International shipping service.

“Our service provides 100% guarantee on delivery of the goods. Return of funds to 30 days,” the proprietor of LabelCity promises in an online advertisement. “We started doing white labels (i.e., cash disbursed-for)! Our labels are made automatically through the admin panel, and automatic replenishment! Our corporate rates will surprise you, minus 15-20% of the price of USPS!”

Services like LabelCity explain why reshipping operations remain among the most popular methods of cashing out many different forms of cybercrime: Buying luxury goods that can be resold overseas at a significant markup amplifies the fraudster’s “profit.”

A slightly redacted ad for LabelCity’s services pimps black and white labels.

Take, for example, the scourge of IRS tax refund fraud, an increasing form of cybercrime that has been documented extensively on this blog. With refund fraud, the IRS is tricked into sending the fraudsters prepaid credit cards that can be used like cash. But rather than merely pulling the cash from those cards out of ATMs all around the world, it makes more sense for the crooks to take that cash and reinvest it into purchasing goods here in the United States that can often sell for twice the purchase price in countries like Russia and Ukraine.

LabelCity is a great reminder that cybercrime is seldom an isolated event or a single-victim crime: Much of it is connected in some way. In most cases, one fraud begets another, and thieves particularly those perpetrating such crimes from across international borders often string together multiple forms of fraud in a bid to extract maximum value from their activities.