In the cyber-world, not only are everyday users at risk of having their personal details stolen, but so too are new cybercriminals as was evident on the underground site leakforums, writes PAUL DUCKLIN, Senior Security Advisor, Sophos.
Not all malware is ransomware, even though ransomware hogs the spotlight these days.
Keyloggers are still popular in the cybe runderworld, because they help crooks to steal passwords. Armed with email passwords, for example, crooks can pull off much more audacious crimes than ransomware, such as business email attacks, also known a CEO fraud or wire-wire scams (that’s where a crook logs in with a stolen password to send an email that doesn’t just look as though it came from your CEO’s account, it really did come from her account.)
The fraudulent email in a wire-wire scam won’t be a demand for $300 in bitcoins, which is a typical price-point in ransomware, but an official-sounding corporate instruction to put through a massive funds transfer. The amount may be $100,000 or even more, and the email will typically claim that that the funds are part of time-critical business venture such as an acquisition, to justify both the large sum and the urgency.
In other words, there’s still big money in Keyloggers, and one of the most popular keyloggers these days is KeyBase, a product that was originally sold as a legitimate application before being abandoned in apparent disgust by its author.But KeyBase lives on, with cyber crooks giving it a new home all over the cybercriminal underground.
Dishonour among thieves
Sometimes crooks turn on their own kind, as happened in this story. A user on the popular underground site leakforums, going by the name pahan12, popped up offering a PHP Remote Access Trojan called SLICK RAT.But newbie crooks who ran the installer didn’t get what they paid for. Instead, they ended up infected with the KeyBase data stealer instead, and their stolen passwords were sent off to a data-collection website. (The “Pahan” connection continued here, because the URL contained the text pahan123.)
My guess is that Pahan was after his victims’ logins for leakforums and other hacker sites, in order to build up his rank in the underground, and went after users on other crime forums, too.,
(Interestingly, Pahan has a history of this sort of double-cross, promoting one cybercrime tool but infecting it with another. In November 2015, Pahan was offering a malware scrambling tool called Aegis Crypter).
Cryptors take an existing malware program as input, and churn out a modified, scrambled, compressed and obfuscated program file as output, in the hope that this will bypass basic virus-blocking tools. But Pahan’s version of Aegis included its own “secret sauce”: a zombie Trojan called Troj/RxBot than hooks up infected computers to an IRC server from which remote command-and-control instructions can be sent to the network of zombies. The IRC channels on the server that were used by Pahan’s zombie were pahan12 and pahan123.
And in March 2016, a user going by pahann was promoting a version of the KeyBase toolkit, which can be used to generate keylogger files to order.
This KeyBase malware generation toolkit was itself infected, in a weird sort of “malware triangle”.
By this time, things were getting quite complicated for Pahan, who had samples of SLICK RAT for sale that were infected with KeyBase; of Aegis Crypter infected with Troj/RxBot; and of KeyBase infected with COM Surrogate, which delivered Troj/RxBot and Cyborg.
Things didn’t go so well for the duplicitous Pahan, a.k.a. Pahan12, a.k.a. Pahan123, a.k.a. Pahann, after that… Just last week, when our team of experts were looking around to see what Pahan had been up to recently, we found a number of intriguing data and postings relating to him. Amusingly, (if cyber criminality can ever be truly funny), it seems as if Pahan/12/123/n has managed to infect himself with one or more of the malware samples he’s been juggling recently.
So, if you’ve ever wondered what a cybercrook keeps up his sleeve, this might give you some ideas: we can see a ransomware sample, various pre-prepared malware binaries, scanners, a sniffer, remote access tools and more. Maybe his next step will be to scramble his own files with the ransomware we can see stashed there in his Google Drive account?
So, if you had to write the story “What Pahan did next?”…
…what would you say? (And if you could choose, what would you wish for?)
(This article first appeared on Sophos Naked Security, August 16, 2016: https://nakedsecurity.sophos.c
Opera launches built-in VPN on Android browser
Opera has released a new version of its mobile browser, which features a built-in virtual private network service.
Opera has released a new version of its mobile browser, Opera for Android 51, which features a built-in VPN (virtual private network) service.
A VPN allows users to create a secure connection to a public network, and is particularly useful if users are unsure of the security levels of the public networks that they use often.
The new VPN in Opera for Android 51 is free, unlimited and easy to use. When enabled, it gives users greater control of their online privacy and improves online security, especially when connecting to public Wi-Fi hotspots such as coffee shops, airports and hotels. The VPN will encrypt Internet traffic into and out of their mobile devices, which reduces the risk of malicious third parties collecting sensitive information.
“There are already more than 650 million people using VPN services globally. With Opera, any Android user can now enjoy a free and no-log service that enhances online privacy and improves security,” said Peter Wallman, SVP Opera Browser for Android.
When users enable the VPN included in Opera for Android 51, they create a private and encrypted connection between their mobile device and a remote VPN server, using strong 256-bit encryption algorithms. When enabled, the VPN hides the user’s physical location, making it difficult to track their activities on the internet.
The browser VPN service is also a no-log service, which means that the VPN servers do not log and retain any activity data, all to protect users privacy.
“Users are exposed to so many security risks when they connect to public Wi-Fi hotspots without a VPN,” said Wallman. “Enabling Opera VPN means that users makes it difficult for third parties to steal information, and users can avoid being tracked. Users no longer need to question if or how they can protect their personal information in these situations.”
According to a report by the Global World Index in 2018, the use of VPNs on mobile devices is rising. More than 42 percent of VPN users on mobile devices use VPN on a daily basis, and 35 percent of VPN users on computers use VPN daily.
The report also shows that South African VPN users said that their main reason for using a VPN service is to remain anonymous while they are online.
“Young people in particular are concerned about their online privacy as they increasingly live their lives online,” said Wallman. “Opera for Android 51 makes it easy to benefit from the security and anonymity of VPN , especially for those may not be aware of how to set these up.”
Setting up the Opera VPN is simple. Users just tap on the browser settings, go to VPN and enable the feature according to their preference. They can also select the region of their choice.
The built-in VPN is free, which means that users don’t need to download additional apps on their smartphones or pay additional fees as they would for other private VPN services. With no sign-in process, users don’t need to log in every time they want to use it.
Opera for Android is available for download in Google Play. The rollout of the new version of Opera for Android 51 will be done gradually per region.
Future of the car is here
Three new cars, with vastly different price-tags, reveal the arrival of the future of wheels, writes ARTHUR GOLDSTUCK
Just a few months ago, it was easy to argue that the car of the future was still a long way off, at least in South Africa. But a series of recent car launches have brought the high-tech vehicle to the fore in startling ways.
The Jaguar i-Pace electric vehicle (EV), BMW 330i and the Datsun Go have little in common, aside from representing an almost complete spectrum of car prices on the local market. Their tags start, respectively, at R1.7-million, R650 000 and R150 000.
Such a widely disparate trio of vehicles do not exactly come together to point to the future. Rather, they represent different futures for different segments of the market. But they also reveal what we can expect to become standard in most vehicles produced in the 2020s.
The i-Pace may be out of reach of most South Africans, but it ushers in two advances that will resonate throughout the EV market as it welcomes new and more affordable cars. It is the first electric vehicle in South Africa to beat the bugbear of range anxiety.
Unlike the pioneering “old” Nissan Leaf, which had a range of up to about 150km, and did not lend itself to long distance travel, the i-Pace has a 470km range, bringing it within shouting distance of fuel-powered vehicles. A trip from Johannesburg to Durban, for example, would need just one recharge along the way.
And that brings in the other major advance: the i-Pace is the first EV launched in South Africa together with a rapid public charging network on major routes. It also comes with a home charging kit, which means the end of filling up at petrol stations.
The Jaguar i-Pace dispels one further myth about EVs: that they don’t have much power under the hood. A test drive around Gauteng revealed not only a gutsy engine, but acceleration on a par with anything in its class, and enough horsepower to enhance the safety of almost any overtaking situation.
Specs for the Jaguar i-Pace include:
- All-wheel drive
- Twin motors with a combined 294kW and 696Nm
- 0-100km/h in 4.8s
- 90kWh Lithium-ion battery, delivering up to 470km range
- Eight-year/160 000km battery warranty
- Two-year/34 000km service intervals
Click here to read about BMW’s self-driving technology, and how Datsun makes smart technology affordable.