December 3, 2019

SMS company exposes millions of text messages, credentials online

By Danny Bradbury

Researchers have found yet another massive database inadvertently exposed online, leaking millions of records.

This time, it was a database of SMS messages from enterprise texting services provider TrueDialog, and the people that found it claim that the exposure could have compromised tens of millions of people.

Researchers Noam Rotem and Ran Locar at vpnMentor first found the database on Microsoft’s Azure cloud platform on 26 November 2019. It displayed what they described as a “massive amount of private data”, including tens of millions of SMS text messages. Also in public view were millions of account usernames and passwords, they said.

Founded in 2008, Texas-based TrueDialog provides SMS solutions for businesses, enabling them to send mass texts for marketing purposes, along with sector-specific applications such as student SMS notifications for the education industry.

According to a blog post on the vpnMentor website, the database contained 604 GB of data comprising nearly a billion entries. These included email addresses, usernames, passwords stored in plain text, and some other passwords stored with base64 encoding (a scheme used to preserve data integrity during transmission, not an encryption mechanism for protecting passwords).

Aside from the account logins, the researchers also found message content, the full names of recipients and TrueDialog account holders, and phone numbers. They added:

We also found in the database logs of internal system errors as well as many http requests and responses, which means that whoever found it could see the site’s traffic. This could by itself had exposed vulnerabilities [sic].

The leaky system logs could also have given competitors a look at TrueDialog’s backend systems and potentially a way to gain a competitive edge over the company, vpnMentor’s blog post suggested. It also warned that anyone who accessed the data could have taken over user accounts and engaged in corporate espionage by snooping on account holders’ SMS texts or even stealing leads generated by the SMS system.

Read more at https://nakedsecurity.sophos.com/2019/12/03/sms-company-exposes-millions-of-text-messages-credentials-online/

Mixcloud user accounts up for sale on dark web

By John E Dunn

A hacker is ransoming account data stolen from UK-based music streaming service Mixcloud, according to news websites contacted by the attacker last week.

News of the breach first emerged on Vice, which received 1,000 sample accounts from a claimed total of 21 million that a hacker called ‘A_W_S’ seems to have nabbed on or around 13 November.

The data includes account holders’ email addresses, IP addresses, and password hashes, which Vice was able to verify as genuine. No financial data or mailing addresses are involved as the company says it doesn’t store these.

The sum reportedly demanded by the hacker is a surprisingly modest 0.5 bitcoins, equivalent to $3,700 at this week’s exchange.

This is a dark web auction so it’s possible this is simply a starting price against which the hacker wants Mixcloud to bid to have the data returned.

It’s also possible that the hacker doesn’t have as much data as claimed – for now, it’s impossible to know.

Mixcloud’s CTO and co-founder Mat Clayton told Vice he’d not been aware of the breach until told about it by journalists and that the company was “actively investigating” what had happened.

A subsequent announcement by Mixcloud confirmed the breach but offered reassurance regarding the strength of the password hashing used, reportedly SHA-256:

The passwords that Mixcloud does store are encrypted with salted cryptographic hashes to ensure that they are extremely difficult to unscramble. This means that they are unlikely to be decrypted by hackers.

Read more at https://nakedsecurity.sophos.com/2019/12/03/mixcloud-user-accounts-up-for-sale-on-dark-web/

IM RAT spy tool seller raided, busted, kicked offline

By Lisa Vaas

Imminent Methods – a marketplace where hackers could buy spyware for as little as $25 – has been taken down after an international investigation that’s led law enforcement to nine countries as they seek out the people who sell, buy and use its tool.

The UK’s National Crime Agency (NCA) said last week that 14,500 buyers picked up the tool, which is called the Imminent Monitor Remote Access Trojan (IM RAT).

Once a crook covertly slips the tool onto a targeted computer, IM RAT gives them full access, enabling them to turn off anti-virus software, steal data or passwords, record keystrokes, and eavesdrop on their victims via their webcams.

The Australian Federal Police (AFP) led the operation, with the North West Regional Organised Crime Unit (NWROCU) leading the UK investigation and the NCA supporting it. The action started a week ago, on 25 November, with 21 search warrants executed in the UK alone. The UK warrants – all of which were for suspected users of the RAT – led to nine arrests and seizure of what the NCA said was more than 100 pieces of evidence.

In total, worldwide, police executed 85 warrants, arrested 14 people and seized more than 400 items.

On Friday, police took down the Imminent Methods site. Pulling the site down means that the RAT can’t be used by the crooks who bought it, the NCA said.

Phil Larratt, from the NCA’s National Cyber Crime Unit, said that the IM RAT was used by individual crooks and organized crime outfits to break the UK’s Computer Misuse Act in a number of ways: by fraud, theft and voyeurism.

Cyber criminals who bought this tool for as little as US$25 were able to commit serious criminality, remotely invading the privacy of unsuspecting victims and stealing sensitive data.

Detective Inspector Andy Milligan, from the NWROCU, said that this has been “a complex, challenging cyber investigation with international scope” that was supported by Europol and Eurojust, among other cybercrime fighters. There may well be plenty of similar tools for sale elsewhere, but at least this one – what sounds like a cyberstalker/cyberburglar’s dream – is hopefully out of the running for good.

Read more at https://nakedsecurity.sophos.com/2019/12/03/im-rat-spy-tool-seller-raided-busted-kicked-offline/

Ad fraud: Fake local news sites are rolling in the dough

By Lisa Vaas

Amazing – local media outlets are giving off death rattles if they’re not already dead and buried, but a newly launched “news” site for the teensy Texas town of Laredo has seen its traffic shoot through the roof: from 200K page views in August 2019 to 3.7m visits a mere three months later.

What’s the secret sauce for laredotribune.com, created in June 2019?

According to Social Puncher, a firm that’s analyzed what it concludes is a series of sham news sites, the Laredo Tribune site is running on the fumes of pure ad fraud.

The fakery is funded by advertisers who are unwittingly paying fraudsters who pump up the page views on small “news” sites to eye-watering levels. They’re doing so by buying fake traffic from bots: evidenced by anomalies such as nearly all the traffic coming from mobile devices. That’s atypical, unless a site is specifically targeted at a mobile audience.

Other red flags include the fact that the average number of pages visited and the time that the “users” spent on the site were sky-high, particularly for mobile users, and that most visits came from outside the site’s target geography.

Social Puncher’s Vlad Shevtsov, director of investigations, estimates that each of these fake news sites – which have astonishingly high traffic rates but mysteriously blink out of existence after only a short time – makes at least $100,000 (£77,450) a month.

But real news costs money to make. Writing it requires humans. Why go to all that trouble, when you can just rip off evergreen articles that are years old and post them to sites with gazillions of pages that aren’t even shown to real, live humans? From the first in a series of reports titled The fake traffic schemes that are still rotting the Internet:

The annual losses from ad fraud are estimated at billions, and even tens of billions of dollars. There are thousands, and even tens of thousands of fake sites that just simulate real media to deceive advertisers. But almost no one wonders what such sites should look like.

Read more at https://nakedsecurity.sophos.com/2019/12/03/ad-fraud-fake-local-news-sites-are-rolling-in-the-dough/
