Feed aggregator

SQL Fiddle

Hacker News - Thu, 02/29/2024 - 11:20am
Categories: Hacker News

February Roundup

Hacker News - Thu, 02/29/2024 - 11:19am
Categories: Hacker News

German Steelmaker Thyssenkrupp Confirms Ransomware Attack

Security Week - Thu, 02/29/2024 - 11:07am

German steelmaking conglomerate Thyssenkrupp confirms one of its automotive units was disrupted by a ransomware attack.

The post German Steelmaker Thyssenkrupp Confirms Ransomware Attack appeared first on SecurityWeek.

Categories: SecurityWeek

phishing

Security Wire Daily News - Thu, 02/29/2024 - 11:00am

Airbnb scam sends you to a fake Tripadvisor site, takes your money

Malware Bytes Security - Thu, 02/29/2024 - 9:00am

One of my co-workers on Malwarebytes’ web research team just witnessed a real-life example of how useful his work is in protecting people against scammers.

Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment there on Airbnb. In the description the owner asked interested parties to contact them by email.

“The property is listed on several websites so contact me directly by mail to check for availability.”

So Stefan emailed the owner. They replied, asking Stefan to book the property through Tripadvisor because, they said, the Airbnb platform was having some problems and the fees were higher than on Tripadvisor.

“My name is Carla Taddei, I am a co-host of this property, your dates are available.

The nightly rate is €250, also a €500 security deposit is required which will be fully refunded at the check out date (in case of no damages to the property). Cleaning and disinfection are included in the price. FREE CANCELLATION, FULL REFUND WITHIN 48 HOURS PRIOR THE CHECK IN.

Currently, we are encountering technical difficulties with the Airbnb calendar system, so we decided to use tripadvisor.com as our main platform. Because the Airbnb platform has very high fees, I chose to use only tripadvisor.com.

If you would like to book our property, I need to know first some information about you, your name, your country and how many persons will stay with you in our property, also I want you to confirm me your email address. I will then make all the arrangements and I will send a tripadvisor invitation through tripadvisor.com in order to complete the reservation.”

Included in the mail were two shortened URLs which the owner claimed linked directly to the same property.

However, the link didn’t point to the real Tripadvisor site but to a fake one, which became clear when Malwarebytes Browser Guard popped up a warning advising Stefan not to continue.

Stefan received a mail that claimed to be from Tripadvisor, but more alarm bells were triggered when the sender email showed up as support@mailerfx.com — not exactly the email address you’d expect from Tripadvisor itself.

The owner sent a follow-up email, saying the booking request had been sent out and insisting that Stefan had to pay and send confirmation before the booking could be validated.

“Everything was arranged from my side and you should have the booking request by now. My device routed it to my promotion folders so just check all your email folders because you must have it.

Please note, the full payment including the security deposit is required at the same time. The deposit is required for the security of the property, if there are any damages or something else is missing from the property, and it is fully refundable on the day when you leave the property.

Please forward the payment confirmation once done so I can validate your booking.”

The scammer hoped Stefan would click the booking button on the fake Tripadvisor site. If he had, he would have seen a prompt to register with ‘Tripadvisor’.

One step further and he’d have been asked to enter his credit card details, at which point he would likely have paid a lot more than the agreed €2000 for an apartment he would never see from the inside.

Further research based on the URL to the fake Tripadvisor website showed us that these scammers have probably been active for quite some time.

We found 220 websites related to this particular scam campaign. 26 of them were structured similarly to tripadvisor-pre-approved-cdc0-4188-b6e5-0e742976f964.nerioni.cfd and related sites, and 194 were structured similarly to airbnb-pre-approved-0e03cd9c-7f5e.mucolg.buzz and related sites.

How to recognize and avoid scams

There are several points in this procedure that should have set off your scam spidey senses, even if you’re not a professional like Stefan.

  • When it’s too good to be true, it’s probably not true. Don’t fall for a ‘good deal’ that turns out to be just the opposite.
  • Book directly via the platform you are on. If someone tries to get you to do something that’s not typical behaviour for that service, then they may well be up to no good.
  • Check that the links in the emails go where you expect. Even though the links in the email said tripadvisor.com, in reality they pointed to tinyurl.com. Using a URL shortener where there is no actual need to shorten a URL is often done to obfuscate the link.
  • In the same vein, check the address in your browser’s address bar to confirm it is where you would expect to be. The fake Tripadvisor site was hosted at https://tripadvisor-pre-approved-7f18-4bf6-8470-a6d44541e783.tynoli.cfd/d07f/luxury-apartment-for-rent-in-amsterdam/f47fde, which has since been taken offline.
  • Don’t get rushed into making decisions. Scammers are always trying to create a sense of urgency so you click before you can think.
  • Double check the website again before entering personal details or financial information.
  • Keep your software updated and use a web filter that will alert you to suspicious sites.
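The two link checks above (does the displayed link text match where the href really goes, and does the address bar show the brand's own domain or a lookalike that merely contains the brand name) can be automated. The following is an added example written for this roundup, not Malwarebytes' code; the shortener and brand lists are constructed, and the registrable-domain logic is deliberately simplified.

```python
from urllib.parse import urlparse

# Constructed allow-list of shortener hosts; tinyurl.com is the one named in the article
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
# Constructed mapping: brand keyword -> registrable domains allowed to carry it
BRANDS = {"tripadvisor": {"tripadvisor.com"}, "airbnb": {"airbnb.com"}}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'tynoli.cfd' for the fake
    site. Simplification: a production checker must use the Public Suffix List,
    otherwise 'example.co.uk' would be reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify a URL as shortener, legitimate brand site, brand lookalike, or unknown."""
    host = urlparse(url).hostname or ""
    base = registrable_domain(host)
    if base in SHORTENERS:
        return "shortener"  # destination hidden; expand before trusting it
    for brand, legit_domains in BRANDS.items():
        if brand in host:
            # The brand name is in the hostname; only the registrable domain
            # decides who actually controls the site.
            return "legitimate" if base in legit_domains else f"lookalike:{brand}"
    return "unknown"


def text_href_mismatch(display_text: str, href: str) -> bool:
    """True when anchor text names one domain but the href leads to another
    (the article's 'says tripadvisor.com, points to tinyurl.com' case)."""
    text = display_text.strip()
    if " " in text or "." not in text:
        return False  # plain words like 'Book now' name no domain
    if "://" not in text:
        text = "//" + text  # let urlparse treat it as a network location
    shown = registrable_domain(urlparse(text).hostname or "")
    return shown != registrable_domain(urlparse(href).hostname or "")


if __name__ == "__main__":
    fake = "https://tripadvisor-pre-approved-7f18-4bf6-8470-a6d44541e783.tynoli.cfd/d07f/x"
    print(classify_link(fake))                                   # lookalike:tripadvisor
    print(text_href_mismatch("tripadvisor.com", "https://tinyurl.com/abc"))  # True
```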

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

Facebook bug could have allowed attacker to take over accounts

Malware Bytes Security - Thu, 02/29/2024 - 6:16am

A vulnerability in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all.

The bug was found by a bounty hunter from Nepal called Samip Aryal and has now been fixed by Facebook.

In his search for an account takeover vulnerability, the four-time Meta Whitehat award recipient started by looking at the uninstall and reinstall process on Android. By using several different user agents he encountered an interesting response in the password reset flow.

After investigation, a few characteristics of the login code made it an interesting attack vector:

  • The code was valid for two hours
  • It did not change during that period when requesting it
  • Entering a wrong login code had no consequences, so attempts were unlimited

Combined with the fact that these codes are only 6 digits, Samip saw an opportunity for a brute force attack, in which an attacker simply tries possible codes one after another until one is accepted.

After uncovering all this information, and with his extensive knowledge about the Facebook authentication process, Samip found the method to take over an account was relatively simple:

  • Pick any Facebook account.
  • Try to login as that user and request a password reset (Forgot password).
  • From the available reset options choose “Send code via Facebook notification”.
  • This creates a POST request. The body of a POST request can carry an arbitrary amount of data of any type to the server.
  • Copy that POST request and use a method to try all the 100,000 possibilities. That may sound like a lot, but the two-hour validity window leaves plenty of time to do it.
  • The request carrying the matching code gets a 302 status code, a redirect that confirms the guess was correct.
  • Use the correct code to reset the account’s password; the attacker has now taken over the account.
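The three properties listed earlier (long validity, the same code returned on every request, no consequence for wrong guesses) are what made the code guessable within its lifetime. As an added illustration for this roundup, not Facebook's code or code from Samip's report, here is a reset-code store with the opposite properties: a fresh code on every request, a short lifetime, a cap on wrong guesses, and single use. Account names, the 10-minute lifetime and the 5-attempt cap are constructed values.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ResetCodeStore:
    """In-memory store of one-time password-reset codes keyed by account id."""
    ttl_seconds: int = 600    # constructed: 10 minutes, not two hours
    max_attempts: int = 5     # constructed: lock the code after a few wrong guesses
    _codes: dict = field(default_factory=dict)

    def issue(self, account: str, now: float) -> str:
        """Generate a fresh six-digit code; any previous code for this account
        is discarded, so re-requesting never hands out the same value twice."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account] = {"code": code, "expires": now + self.ttl_seconds, "attempts": 0}
        return code

    def verify(self, account: str, guess: str, now: float) -> bool:
        """Accept a guess only if a live, unlocked code exists and matches.
        A correct code is consumed; an expired or locked code is discarded so
        the account owner must start over."""
        entry = self._codes.get(account)
        if entry is None:
            return False
        if now >= entry["expires"] or entry["attempts"] >= self.max_attempts:
            del self._codes[account]
            return False
        entry["attempts"] += 1  # counted before comparing, so every guess costs one attempt
        if hmac.compare_digest(entry["code"], guess):  # constant-time comparison
            del self._codes[account]  # single use
            return True
        return False


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("alice", now=0.0)
    # Constructed demonstration: five wrong guesses lock the code, so even the
    # correct value is rejected afterwards and a new code has to be requested.
    for _ in range(store.max_attempts):
        store.verify("alice", "999999" if code != "999999" else "000000", now=1.0)
    print("correct code after lockout accepted:", store.verify("alice", code, now=2.0))
```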

There was one caveat: the owner of the account will see the notification on the device they are logged in with. And strangely enough, the notifications came in two flavors.

The difference in notifications that makes the attack zero-click or not

The first one works as described above, but the second one does require the account owner to tap that notification before Facebook generates a login code. That makes it a lot harder to take over the account.

A detailed report of how Samip found the vulnerability is available on his Medium page.

Facebook has awarded Samip a bounty and fixed the issue. Together with other bounty hunters, Samip submitted hundreds of reports to Meta which they resolved, making Facebook and other platforms a safer place along the way.

Paying attention pays off

There are a few takeaways from this method that Facebook users, and users of other platforms for that matter, might use to their advantage.

  • Pay attention to the signs that a password reset has been initiated (email, notifications, texts, etc.). Somebody could be trying to take over your account. Follow the instructions on the password reset notification if it’s not you doing the reset.
  • Don’t use the Facebook login option on other platforms, and certainly not on ones that have personal or financial information about you.
  • Turn on 2FA for Facebook to make it harder for criminals to hijack your account.


Categories: Malware Bytes
