July 2, 2019

Scary Granny zombie game slurps credentials, spawns phishing attack

By Danny Bradbury

Halloween came a little early for some Android users this year after a horror-themed computer game was found stealing their account credentials and displaying potentially malicious ads.

Researchers at mobile security company Wandera found the game, called Scary Granny ZOMBYE Mod: The Horror Game 2019, doing sneaky things behind the scenes. Upon installation, it tries to get the user to pay £18 (about $22) for the game, and then connects to an ad network that appears to spam the user’s device with commercials for other malicious games. Finally, it tries to phish the user’s Google account.

The game, apparently based on another highly successful Android game called Granny, launches a phishing attack on the device: it displays a notification asking the user to update their Google Security services, and when the unwitting user agrees, it presents a fake Google login page to slurp their credentials.

For those who took the bait, the phishing code uses a browser built into the app to log in to the user’s Google account and harvests their recovery email addresses and phone numbers, their cookies and session tokens (which could give the attackers access to third-party apps) and their verification codes. Wandera explained:

We could see the user information including cookies and session identifier being gathered and shipped off to the attacker without the user knowing. This is a proof point that this attack goes beyond typical credential theft that usually happens via social engineering.

The researchers also discovered code that seemed to attempt the same phishing technique with Facebook credentials, although they didn’t see that part of the program in action.

Read more at https://nakedsecurity.sophos.com/2019/07/02/scary-granny-android-game-slurps-users-data/

Dating app Jack’d fined $240K for leaving private photos up for a year

By Lisa Vaas

A $240,000 fine has been imposed on Online Buddies, the company behind gay/bi/trans/curious dating app Jack’d – for leaving users’ private, often nude, photos up for grabs for a year.

“Only you can see your private pictures until you unlock them for someone else,” Jack’d promised, even after a researcher found that that was far from true. In fact, anyone with a web browser who knew where to look could access any Jack’d user’s photos, be they private or public – all without authentication or even the need to sign in to the app.

The Office of New York Attorney General Letitia James on Friday announced the settlement, handed down for:

Failure to protect private photos of users of its ‘Jack’d’ dating application … and the nude images of approximately 1,900 users in the gay, bisexual, and transgender community.

From the announcement:

Although the company represented to users that it had security measures in place to safeguard users’ information, and that certain photos would be marked ‘private,’ the company failed to implement reasonable protections to keep those photos private, and continued to leave security vulnerabilities unfixed for a year after being alerted to the problem.

The Attorney General’s office said in its release that Jack’d – a dating app that claims to have hundreds of thousands of active users worldwide and which markets itself as a tool to help men in the LGBTQIA+ community to hook up and date – “explicitly and implicitly” assures users that its private pictures feature can be used to exchange nude images securely and privately.
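The failure described above is the classic one: the URL of a photo was the only "check", so anyone who knew or guessed it got the image, signed in or not, and the "private" flag lived only in the database. The Python below is an added illustration written for this digest; it is not Jack’d’s code and does not claim to show how their service was built. It puts the flawed handler beside a hardened one that (1) requires a signed-in account, (2) enforces the owner/unlock list on the server, and (3) issues short-lived media links bound to the requesting account with an HMAC, then re-checks the access list on every fetch so that re-locking a photo takes effect immediately. The photo records, unlock list, user names and secret key are constructed sample data for the demo.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample data for the demo, not Jack'd's real data model.
PHOTOS = {
    "p1001": {"owner": "alice", "private": False, "data": b"PUBLIC-JPEG"},
    "p1002": {"owner": "alice", "private": True, "data": b"PRIVATE-JPEG"},
}
# Private photos the owner has explicitly unlocked: photo id -> set of viewers
UNLOCKS = {"p1002": {"bob"}}

SECRET_KEY = b"server-side-secret-for-the-demo"  # assumption: never leaves the server
URL_TTL = 300                                     # seconds a media link stays valid


def serve_photo_insecure(photo_id):
    """The flawed pattern: whoever knows the photo id gets the bytes.
    No session, no owner check; 'private' is just a label in the database."""
    photo = PHOTOS.get(photo_id)
    return photo["data"] if photo else None


def is_authorized(photo_id, viewer):
    """Server-side access list: the owner always; public photos for any
    signed-in user; private photos only for viewers the owner unlocked."""
    photo = PHOTOS.get(photo_id)
    if photo is None or viewer is None:
        return False
    if viewer == photo["owner"] or not photo["private"]:
        return True
    return viewer in UNLOCKS.get(photo_id, set())


def _sign(photo_id, viewer, exp):
    # HMAC over everything the link asserts, so none of it can be edited.
    msg = f"{photo_id}|{viewer}|{exp}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_media_url(photo_id, viewer, now=None):
    """Mint a short-lived link bound to the requesting account, and only
    after the access check passes: the link never grants new access."""
    now = int(time.time()) if now is None else now
    if not is_authorized(photo_id, viewer):
        return None
    exp = now + URL_TTL
    query = urlencode({"viewer": viewer, "exp": exp, "sig": _sign(photo_id, viewer, exp)})
    return f"/media/{photo_id}?{query}"


def serve_photo(url, session_user, now=None):
    """Hardened handler: verify expiry and signature, insist the link is used
    by the account it was issued to, then re-check the access list so a photo
    the owner re-locked stops being served even before the link expires."""
    now = int(time.time()) if now is None else now
    path, _, query = url.partition("?")
    photo_id = path.rsplit("/", 1)[-1]
    params = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        viewer, exp, sig = params["viewer"], int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return None
    if now > exp or viewer != session_user:
        return None
    if not hmac.compare_digest(sig, _sign(photo_id, viewer, exp)):
        return None
    if not is_authorized(photo_id, viewer):
        return None
    return PHOTOS[photo_id]["data"]


if __name__ == "__main__":
    print("insecure handler leaks private photo:", serve_photo_insecure("p1002"))
    link = issue_media_url("p1002", "bob")
    print("bob via signed link:", serve_photo(link, "bob"))
    print("mallory reusing bob's link:", serve_photo(link, "mallory"))
```

The signature stops link forgery and link sharing between accounts, and the second access-list check stops a still-valid link from outliving a revocation; neither check alone would have been enough here, because the original flaw was the absence of any per-request authorization at all.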

Read more at https://nakedsecurity.sophos.com/2019/07/02/dating-app-jackd-fined-240k-for-leaving-private-photos-up-for-a-year/

Medtronic rushes to replace insulin pumps after flaws found

By John E Dunn

Note. Naked Security cannot provide medical advice nor answer questions about specific Medtronic devices. If you’re concerned please contact your health professional or Medtronic directly on (US) 855-275-2717.

US medical equipment giant Medtronic has announced the immediate recall of all MiniMed 508 and Paradigm series insulin pumps after researchers uncovered serious security flaws which can’t be patched.

The news emerged last week when the company started sending recall letters to all US users of the device, a warning echoed by a public alert issued by the US Food and Drug Administration (FDA).

According to the FDA, Medtronic has identified around 4,000 US patients using affected models although an unknown number of others (including patients in other countries) will have received them through third parties.

This is still a relatively small number, which is perhaps explained by the fact that both pumps are older models dating back to 2012 that were withdrawn from sale in October 2018.

The pumps

The job of a pump is to deliver insulin to a patient throughout the day via a catheter implanted under the skin, which removes the need for regular injections to maintain stable blood glucose levels.

However, to do this, the pumps need to connect to a separate continuous glucose monitor (CGM) sensor, which for a decade or so has been done wirelessly over a short-range radio link.

Read more at https://nakedsecurity.sophos.com/2019/07/02/medtronic-rushes-to-replace-insulin-pumps-after-flaws-found/

Relatives’ DNA in genealogy database leads to murder conviction

By Lisa Vaas

At the time that the brutalized bodies of a Canadian couple were discovered near Washington’s Mount Rainier nearly 32 years ago, police believed that the killer left his plastic gloves in plain view near their van so as to taunt investigators.

Detective Robert Gebo of the Seattle Police Department:

He leaves those behind as a sign to the police that you needn’t look for fingerprints because I wore these gloves. And he has confidence that there’s nothing that’s going to connect him with these crimes.

That killer’s self-confidence was misplaced. Decades later, he was tracked down through links to the DNA of two cousins. On Friday morning, a Snohomish County jury found William Earl Talbott II guilty on two counts of aggravated murder in the first degree for the deaths of 21-year-old Jay Cook and his 17-year-old girlfriend, Tanya Van Cuylenborg.

First DNA database conviction

This is believed to be the first murder conviction of a suspect who was identified through genealogy databases. CeCe Moore, a genetic genealogist who works for the forensic company Parabon NanoLabs, used the public DNA site GEDmatch to build a family tree for what would turn out to be the now-convicted murderer, starting from DNA evidence recovered at the crime scene. That tree shows the links between Talbott and two of his cousins who had uploaded their genetic profiles to GEDmatch.

Read more at https://nakedsecurity.sophos.com/2019/07/02/relatives-dna-in-geneology-database-leads-to-murder-conviction/

RDP BlueKeep exploit shows why you really, really need to patch

By Mark Stockley

About six weeks ago Microsoft took the highly unusual step of including a patch for operating systems it no longer supports in its May Patch Tuesday output.

It’s something the software juggernaut has only ever felt the need to do on a handful of occasions, so when it does happen it can be taken as a sign that something very serious indeed is going on. In this case, the something serious was CVE-2019-0708, a critical pre-authentication vulnerability in RDP that would soon become better known as BlueKeep.

RDP (the Remote Desktop Protocol) is what allows people to control Windows machines via a full graphical user interface over a network, including the internet. The millions of internet-connected machines running RDP include everything from cloud-hosted servers to Windows desktops used by remote workers, and each one is a potential gateway into an organisation’s internal network.

The ‘wormable’ BlueKeep vulnerability, announced by Microsoft with the release of patches to protect against it, could theoretically be used to run attackers’ code on every one of those machines, without a username and password.

The only sliver of hope that came with May’s patches was that CVE-2019-0708 was difficult to exploit. That difficulty created a window of time for organisations to patch against BlueKeep before crooks figured out how to abuse it. There was even the outside chance that it would prove too difficult to reverse engineer into a working exploit.

It was a hope that didn’t last long.

Since CVE-2019-0708 became public, a small number of organisations and security researchers have credibly claimed to be able to exploit it successfully.
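Patching is the fix, but the first question for anyone with RDP on the internet is which hosts will talk to an unauthenticated client at all. The Python below is an added example for this digest, not code from the article or from Sophos: it sends the X.224 Connection Request that every RDP client sends before any login, asking for legacy "standard RDP security", and parses the server’s Connection Confirm. A server that accepts that request, or one too old to negotiate at all, accepts pre-authentication traffic, which is the surface BlueKeep reaches; a server that answers HYBRID_REQUIRED_BY_SERVER enforces Network Level Authentication, which Microsoft listed as a mitigation alongside the patch (it raises the bar, it does not remove the vulnerability). The field layouts follow MS-RDPBCGR; the three sample replies are constructed byte strings so the parser can be exercised offline, and probe_rdp() only goes on the wire when you call it against a host you are authorised to test.

```python
import socket
import struct

# Protocol flags from the RDP Negotiation Request/Response (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # legacy "standard RDP security": no NLA
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

# Constructed sample replies (not captures from any real host) for offline use.
SAMPLE_RESPONSES = {
    "nla_required": bytes.fromhex("030000130ed000001234000300080005000000"),
    "plain_rdp_accepted": bytes.fromhex("030000130ed000001234000200080000000000"),
    "legacy_no_negotiation": bytes.fromhex("0300000b06d00000123400"),
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: length indicator, CR code 0xE0, dst ref, src ref, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and its negotiation payload."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    payload = data[11:11 + (li - 6)]
    if not payload:
        # Servers that predate protocol negotiation omit the payload and
        # only ever speak standard RDP security.
        return {"type": "no_negotiation", "selected": PROTOCOL_RDP,
                "nla_required": False, "accepts_plain_rdp": True}
    msg_type, _flags, length, value = struct.unpack("<BBHI", payload[:8])
    if length != 8:
        raise ValueError("bad negotiation message length")
    if msg_type == TYPE_RDP_NEG_RSP:
        return {"type": "response", "selected": value, "nla_required": False,
                "accepts_plain_rdp": value == PROTOCOL_RDP}
    if msg_type == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "selected": None,
                "failure": FAILURE_CODES.get(value, hex(value)),
                "nla_required": value in (5, 6), "accepts_plain_rdp": False}
    raise ValueError("unknown negotiation message type %#x" % msg_type)


def assess(result):
    """One-line verdict from the parsed negotiation outcome."""
    if result["nla_required"]:
        return "NLA enforced: an attacker needs valid credentials before reaching the vulnerable code"
    if result["accepts_plain_rdp"]:
        return "accepts unauthenticated RDP: reachable by pre-auth exploits such as BlueKeep if unpatched"
    return "plain RDP refused (TLS required); NLA status not determined by this probe"


def probe_rdp(host, port=3389, timeout=3.0):
    """Live check: ask for plain RDP security and read the server's answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        data = sock.recv(1024)
    result = parse_connection_confirm(data)
    result["host"] = host
    return result


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name:24s} {assess(parse_connection_confirm(raw))}")
```

Run it over an inventory of your own RDP endpoints and treat every "accepts unauthenticated RDP" line as a host to patch first; a clean "NLA enforced" result still needs the patch, because NLA only changes who can reach the bug, not whether it is there.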

Read more at https://nakedsecurity.sophos.com/2019/07/01/rdp-bluekeep-exploit-shows-why-you-really-really-need-to-patch/

ETERNALBLUE sextortion scam puts your password where your name should be

By Paul Ducklin

Remember sextortion?

That’s the name for the cybercrime where crooks blast you with spam claiming to know something about your sex life or sexuality that you’d probably want to keep private if it were true…

…and then threaten to tell the world (or at least your colleagues, friends and family) all about it.

Unless you send them money right away, usually in the form of a cryptocurrency like Bitcoin, and usually within 48 hours.

It’s all a pack of lies, of course – the crooks blast out millions of these messages in the hope that the contents will be close enough to the truth that at least some victims will pay up.

Generally, the crooks say they have taken screenshots of you viewing porn, synchronized with a recording they made at the same time via your webcam.

But even if you never watch porn, or don’t have a webcam, or both, this sort of email can still be alarming because the crooks also claim to have total control of your computer, typically including:

  • Access to your passwords.
  • Access to what you type in, even if you go and change your passwords.
  • Access to your email and social media contact lists.

Also, to increase your fear, the crooks may offer “proof” that they’ve already stolen private data from you by including one or more snippets of personal information in the email.

The crooks often include your phone number or one of your passwords recovered from an existing data breach, or they pretend that they sent the email directly from your own account.

Read more at https://nakedsecurity.sophos.com/2019/07/01/eternalblue-sextortion-scam/

Cloud computing giant PCM hacked

By Danny Bradbury

A hacking group has gained access to the internal infrastructure of large cloud services provider PCM.

California-based PCM provides a mixture of solutions including cloud services and hardware, and made over $2bn in revenues in 2018. According to a report by specialist cybersecurity journalist Brian Krebs, the company discovered the breach in mid-May. Sources told him that the attackers stole administrative credentials for Office 365 accounts, and that they were mostly interested in using stolen data to conduct gift card fraud.

The modus operandi in this case was similar to other attacks on large IT providers we’ve seen, in which the hacking group sends phishing emails to companies including retailers, employee reward programs, customer loyalty and recognition businesses, and other organizations dealing in gift cards.

After compromising a system, the group would use a customised version of Mimikatz, a credential-dumping tool that extracts usernames, password hashes and plaintext passwords from the memory of the Windows LSASS process.

Once the group had access to the infrastructure of a company that deals in gift cards, it would use money transfer services, payment processing services and clearing houses to monetise that information. The report added:

A possible theory for targeting could be that gift cards provide access to liquid assets outside of the traditional western financial system.
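The credential-theft step above is the part of this intrusion a defender can actually see: a tool that reads LSASS memory has to open a handle to lsass.exe with read access, and Sysmon records every such open as Event ID 10 (ProcessAccess) with SourceImage, TargetImage, GrantedAccess and CallTrace fields. The Python below is an added example for this digest, not code from the article, from Krebs or from PCM: it hunts a flat JSON export of Sysmon events for LSASS handles that carry PROCESS_VM_READ from a process outside an allowlist, and scores higher when the call stack contains frames Sysmon could not map to a loaded module. The allowlist and the four sample events are constructed for the demo and must be tuned to your own estate.

```python
import json

# Process access right from winnt.h: dumping credentials from LSASS requires
# at least the ability to read its memory, so this is the bit to key on.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of processes that legitimately open LSASS; tune per estate.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 records in a flat JSON shape (not real logs).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10,
                "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
                "TargetImage": r"C:\Windows\system32\lsass.exe",
                "GrantedAccess": "0x1FFFFF",
                "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2b123"}),
    json.dumps({"EventID": 10,
                "SourceImage": r"C:\Windows\system32\taskmgr.exe",
                "TargetImage": r"C:\Windows\system32\lsass.exe",
                "GrantedAccess": "0x1000",
                "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2b123"}),
    json.dumps({"EventID": 10,
                "SourceImage": r"C:\Users\Public\updater.exe",
                "TargetImage": r"C:\Windows\system32\lsass.exe",
                "GrantedAccess": "0x1010",
                "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(00000000001A2B3C)"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Users\Public\updater.exe",
                "CommandLine": "updater.exe"}),
]


def is_suspicious_lsass_access(event):
    """True for a ProcessAccess event where a non-allowlisted process opened
    lsass.exe with memory-read rights. Query-only handles (0x1000, as used
    by Task Manager) cannot read credentials and are ignored."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def severity(event):
    """Base score 1; add 1 when the call stack has frames Sysmon writes as
    UNKNOWN, i.e. code running outside any loaded module, which is typical
    of injected or reflectively loaded tooling rather than a signed binary."""
    score = 1
    if "UNKNOWN" in event.get("CallTrace", ""):
        score += 1
    return score


def hunt(lines):
    """Return one hit per suspicious LSASS access found in the JSON lines."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_suspicious_lsass_access(event):
            hits.append({"source": event["SourceImage"],
                         "granted": event["GrantedAccess"],
                         "score": severity(event)})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The allowlist is the weak point of any rule like this, since an attacker who can rename a binary to MsMpEng.exe in the right path will pass it; pair the image path with signer information or a file hash where your pipeline has them, and treat the UNKNOWN call-stack signal as the stronger of the two.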

Read more at https://nakedsecurity.sophos.com/2019/07/01/cloud-computing-giant-pcm-hacked/


Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.