Facebook launches anonymous login

Yesterday on F8 Conference, Facebook have made number of announcements. On those one is introducing Facebook Anonymous login feature. According to this feature, Facebook users will be able to log in to third party apps anonymously using their Facebook login. This will help users to log into there account without sharing their personal information.

CEO Mark Zuckerberg, explain the Anonymous Login tool as, many users did not feel comfortable sharing their details with an app that allowed Facebook login, without trying the app first. By selecting the “Log In Anonymously” option, users will now be able to log in to apps and services and ascertain whether the app is worth using and if it can be trusted with their details. If users are afraid that logging into a certain app will result in their friends being spammed with requests, then they can opt for the anonymous login. Doing so will ensure that the app developers do not get to see your identity or details and will only be able to do so once you choose to sign in to the app in a regular manner.

Another announcement that highlights Facebook’s attempts at improving user privacy also dealt with app logins. The social network will now allow users to see and control all data that an app requires when you’re logging in. The new login screen will allow users to uncheck any part of their data they don’t want the app to receive before actually logging in. The granularity of this means that users can (as an example) choose to let an app see their likes and email address but not their friends list and birthday. Users will also get a newly designed app control panel that gives them a better view of the apps they use and control their permissions.

Facebook Webinject Leads to iBanking Mobile Bot

iBanking is a malicious Android application that when installed on a mobile phone is able to spy on its user’s communications. This bot has many interesting phone-specific capabilities, including capturing incoming and outgoing SMS messages, redirecting incoming voice calls, and even capturing audio using the device’s microphone. As reported by independent researcher Kafeine, this mobile application was for sale in underground forums and was used by several banking Trojans in an attempt to bypass a mobile two-factor authentication method put forth by some financial institutions. This method, usually called “mobile transaction authorization number” (mTAN) or mToken in the financial realm, is used by several banks throughout the world to authorize banking operations, but is now also increasingly used by popular internet services such as Gmail, Facebook and Twitter.

Recently, it was revealed by RSA that iBanking’s source code was leaked on underground forums. In fact, the web admin panel source was leaked as well as a builder script able to change the required fields to adapt the mobile malware to another target. At this point, we knew it was only a matter of time before we started seeing some “creative” uses of the iBanking application.
Webinject

Through our monitoring of the banking Trojan Win32/Qadars, first discussed on our blog here, we have witnessed a type of webinject that was totally new for us: it uses JavaScript, meant to be injected into Facebook web pages, which tries to lure the user into installing an Android application.
When we initially saw that webinject, we immediately knew that something interesting was at play:

Webinject as downloaded by Win32/Qadars bot

Once the user logs into his Facebook account, the malware tries to inject the following content into the webpage:

Fake Facebook Verification Page Leading to Malicious Android Application

Once the user enters his phone number, he is then shown the following page if he indicates that his mobile is running Android.

SMS Verification Step

If the SMS somehow fails to reach the user’s phone, he can also browse directly to the URL on the image with his phone or scan the QR code. There is also an installation guide available that explains how to install the application.

iBanking Installation Guide

The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud. Although the Facebook two-factor authentication feature has been around for quite a while, it may be that there is a growing number of people using it, thus making account takeover through a regular account credentials grabber ineffective. It might also just be a good way to make the user install iBanking on his phone so that the bot masters can make use of the other spying functionalities of iBanking.
iBanking

iBanking, detected by ESET as Android/Spy.Agent.AF, is an application that showcases complex features when compared with other earlier mobile banking malware, such as Perkele. It can be used in conjunction with any malware able to inject code into a webpage and is generally used to redirect incoming SMS messages to bypass two-factor authentication. As iBanking technical analysis has already been done in the past, we did not study thoroughly this sample. We will keep this analysis, if relevant, for a future blog post.

As stated in our previous blog, Perkele’s mobile component has already been used as part of one of Win32/Qadars’s campaigns in an effort to bypass two-factor authentication mechanisms put forth by banks. Now we see that it is also using iBanking. This does not come as a surprise, as we believe that all webinjects deployed by the Win32/Qadars operators are bought in underground forums; thus they are not tied to any particular platforms. On the other hand, since this webinject is available through a well-known webinject coder, this Facebook iBanking app might be distributed by other banking Trojans in the future. In fact, it is quite possible that we will begin to see mobile components targeting other popular services on the web that also enforce two-factor authentication through the user’s mobile.

ZitMo, SpitMo, Citmo, Perkele and iBanking are all mobile components that have been used in the past by banking Trojans. The latter two were not bound to specific desktop malware and were for sale on various underground forums. This commoditization of mobile banking malware has given several smaller banking Trojans the means to try to bypass some two-factor authentication measures put in place by banks. Now that mainstream web services such as Facebook are also targeted by mobile malware, it will be interesting to see whether other types of malware will start using webinjects. Will we see content injection functionalities and mobile malware used in non-financial types of malware so that they can take over accounts from popular web services? Time will tell, but because of the commoditization of mobile malware and the associated code source leaks, this is a distinct possibility.





SHA1 Hashes
Win32/Qadars: acd994ac60c5b8156001a7e54f91413501394ca3
Android/Spy.Agent.AF: fc13dc7a4562b9e52a8dff14f712f2d07e47def4


Read this article at: http://www.welivesecurity.com/2014/04/16/facebook-webinject-leads-to-ibanking-mobile-bot/

Hackers use SMS to get cash from ATMs

Microsoft is going to drop out Windows XP from its service from next month, and about 95 percent of the ATM's all over the world will get effected by this, as All ATM's machine runs on Microsoft Windows XP. This is will be the major problem for all the Banks worldwide. Some of the Banks have decided to pay sum of the amount to Microsoft to keep the security update. But India is the only country who is migrating from Windows to Linux, and applying their own developed Linux distro "BOSS" to ATM's through out the country.
As usual ATMs are in the target of cyber criminals from a long wide, and once again hackers have found the new way to get the pay from the ATM in a illegal way. According to the Symantec, hackers have found a way to steal money from ATM's using a text message. This attack was first noticed by the firm in late last year, when the attacks were happening in Mexico.



On Monday, Symantec made a post which stats that Firm have noted a new malware called Backdoor.Ploutus. The Ploutus malware allows attackers to send an SMS message to a phone that is attached to an ATM. The ATM will then spit out the amount of money requested.



Symantec explains "The attacker first needs to upload the Ploutus malware to the ATM using either aUSB drive or a CD-ROM. Once Ploutus has been uploaded, the attacker also needs to attach a cell phone to the ATM using USB tethering. This allows the ATM and the cell phone to share an Internet connection while simultaneously charging the cell phone. The attacker then needs to send the attached cell phone two SMS messages. According to Symantec, the first “must contain a valid activation ID in order to enable Ploutus in the ATM” and the second “must contain a valid dispense command to get the money out”. The Ploutus malware will then tell the ATM to dispense a preset amount of money, which is then picked up by what Symantec calls a “money mule”.

To prevent this attack, Symantec recommends to update the operating system from XP to Latest version. Apart from this, physical security also to be taken, as attacker cannot be done entirely remotely. Symantec also recommends full-disk encryption and preventing booting up from unauthorized disks or USB drives.

Watch Video about ATMs Malware attack:  http://www.youtube.com/watch?v=53vjNDV4RAY&feature=youtu.be