Categories
privacy security

OCBC phishing scam – how it could have happened

Disclaimer: The following analysis of what could have happened is pure speculation based on publicly available information.

On 8 Jan 2022, news broke that as many as 469 OCBC bank customers had been hit by phishing scams, with losses of up to S$8.5 million in total. This must be one of the biggest and most successful phishing attacks against a Singapore bank in recent memory.

Based on the details in the news reports, the scam appears to have worked mainly because of two factors:
1. Successful social engineering
2. Possible SMS hijacking

Fake bank SMS

According to reports, the users who were scammed received SMS messages that appeared to originate from the bank. Scammers prey on users’ tendency to trust messages that show up alongside previous legitimate SMSes. They are able to do this by using a feature of SMS sending known as the alphanumeric sender ID: instead of a phone number, the sender can set an arbitrary text string, such as the name the bank uses, as the originating address of the message. In this case they chose “OCBC” as the sender ID. When the user receives such an SMS, the phone threads it by sender ID, so it lands in the same conversation as the existing, genuine SMSes from “OCBC”.

As a quick test, I sent myself a message with the sender ID set to “BOC SG” (what Bank of China Singapore uses), and this is what I see:

This is just to show how easy it is to fake a sender ID. Interestingly, I was unable to reproduce this with “OCBC” as the sender ID, probably because the SMS provider or the telco is filtering out that particular ID.

If users believe a message is genuinely from the bank, they tend to let their guard down and click on the link the “bank” has sent, especially if it is worded as something urgent. In this case the link leads to a phishing site that looks exactly like the bank’s login page. Once the user enters their username and password, the scammer has captured their login credentials.
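To make concrete what “alphanumeric sender ID” means at the protocol level, here is an added example (not the post’s own code, and not code from any SMS provider) that builds and parses a GSM 03.40 SMS-DELIVER PDU, the format in which a handset receives a text. The originating address is just a length, a type-of-address octet and a packed value; nothing in it is authenticated, so “OCBC” and a real phone number go through the same encoder and the same decoder. The timestamp and message body are constructed for the example, and only the part of the GSM 7-bit alphabet that coincides with ASCII is supported.

```python
"""Build and parse a GSM 03.40 SMS-DELIVER PDU to show that the sender ID
is an unauthenticated field. Added example, not the post's own code. Only the
characters whose GSM 7-bit code equals their ASCII code are supported."""

TOA_ALPHANUMERIC = 0xD0   # 1101 0000: type-of-number 101 = alphanumeric
TOA_INTERNATIONAL = 0x91  # 1001 0001: international number, ISDN plan

# GSM 03.38 default-alphabet positions that coincide with ASCII
_GSM_ASCII_SAME = set(
    " !\"#%&'()*+,-./0123456789:;<=>?"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)

# Constructed TP-SCTS: 2022-01-08 21:00:00 +08:00 as swapped-nibble BCD
SCTS = bytes.fromhex("22108012000023")


def gsm7_pack(text: str) -> bytes:
    """Pack 7-bit septets LSB-first into octets (GSM 03.38 packing)."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        if ch not in _GSM_ASCII_SAME:
            raise ValueError(f"{ch!r} not in the ASCII-compatible GSM subset")
        bits |= ord(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)


def gsm7_unpack(data: bytes, nchars: int) -> str:
    """Inverse of gsm7_pack for the first nchars septets."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(nchars))


def bcd_swapped(digits: str) -> bytes:
    """Phone-number digits as swapped-nibble BCD, padded with F."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def unbcd_swapped(data: bytes) -> str:
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")


def encode_address(addr: str) -> bytes:
    """TP-Originating-Address: [useful semi-octets][type-of-address][value]."""
    if addr.startswith("+") and addr[1:].isdigit():
        digits = addr[1:]
        return bytes([len(digits), TOA_INTERNATIONAL]) + bcd_swapped(digits)
    packed = gsm7_pack(addr)                   # any string the sender chooses
    semi_octets = (len(addr) * 7 + 3) // 4     # ceil(7n / 4)
    return bytes([semi_octets, TOA_ALPHANUMERIC]) + packed


def decode_address(buf: bytes, pos: int):
    """Return (address, position after the address field)."""
    semi_octets, toa = buf[pos], buf[pos + 1]
    nbytes = (semi_octets + 1) // 2
    value = buf[pos + 2:pos + 2 + nbytes]
    if toa & 0x70 == 0x50:                     # alphanumeric type-of-number
        addr = gsm7_unpack(value, semi_octets * 4 // 7)
    else:
        addr = unbcd_swapped(value)
        if toa & 0x70 == 0x10:                 # international number
            addr = "+" + addr
    return addr, pos + 2 + nbytes


def build_sms_deliver(sender: str, text: str) -> str:
    """Minimal SMS-DELIVER as hex: default SMSC, 7-bit body, no user data header."""
    pdu = bytes([0x00, 0x04])           # SMSC length 0; TP-MTI=00 DELIVER, TP-MMS=1
    pdu += encode_address(sender)       # TP-OA: the field the scammer controls
    pdu += bytes([0x00, 0x00])          # TP-PID, TP-DCS (GSM 7-bit default)
    pdu += SCTS                         # TP-SCTS (service centre timestamp)
    pdu += bytes([len(text)]) + gsm7_pack(text)   # TP-UDL in septets, TP-UD
    return pdu.hex()


def parse_sms_deliver(hexpdu: str) -> dict:
    """What the handset sees: a sender string and a body, nothing to authenticate."""
    buf = bytes.fromhex(hexpdu)
    pos = 1 + buf[0]                    # skip SMSC information
    if buf[pos] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER")
    sender, pos = decode_address(buf, pos + 1)
    pos += 2 + 7                        # TP-PID, TP-DCS, TP-SCTS
    udl = buf[pos]
    return {"sender": sender, "text": gsm7_unpack(buf[pos + 1:], udl)}


if __name__ == "__main__":
    # Constructed message body; the link is deliberately non-resolvable.
    for who in ("OCBC", "+6591234567"):
        pdu = build_sms_deliver(who, "Your account is suspended. Verify at http://example.invalid")
        print(who, pdu, parse_sms_deliver(pdu), sep="\n")
```

The handset groups messages by the decoded originating address, which is why the spoofed message lands in the same thread as the genuine ones. The only place the spoof can be stopped is upstream, at the SMS aggregator or telco, by checking who is allowed to send under a given ID, which is exactly what sender ID registration provides.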

SMS hijacking

Having the login credentials alone is not enough to make the attack succeed, because most banks require 2FA to complete the login and to perform sensitive actions such as money transfers. This is where SMS hijacking comes in. (A phishing page can also simply ask the victim for the OTP and relay it to the real bank within the code’s validity window, which needs no interception at all; the speculation below covers the interception case.)

It has been known for quite some time that SMS is NOT a reliable form of 2FA. To understand why, we have to look at how SMS is implemented and routed between carriers. Those who are interested can find out more here. There are some sites, which I won’t link to, that offer such hijacking as a service for as little as $16.

To cut a long story short, if an attacker knows your mobile phone number, they can intercept your SMS messages without you knowing. Shocking, I know. But this is well known and has been repeatedly demonstrated at cybersecurity conferences and in other public forums.

With both the login credentials and the hijacked SMS messages carrying the OTPs, an attacker can in theory carry out transactions without the user ever seeing the notifications.

That is not all: if the bank calls your mobile number, for example to verify the transaction, that call can be diverted as well via the same mechanism.

Closing the gap

The sender ID spoofing worked in this case because Singapore allows alphanumeric sender IDs without requiring pre-registration by the sending organisation. There are now renewed calls to make pre-registration compulsory for this feature.

Fixing SMS hijacking, if that is indeed the mechanism used, will take more effort and probably require all telcos to put mitigations in place in their signalling and routing systems. The easier fix may be to deprecate SMS as a 2FA option and stick to more secure options such as authenticating through the bank’s app or a physical token.

There are also questions as to why the automatic fraud detection that banks usually have in place did not work in this case. I shall not speculate on that but wait for further information from the investigation.

Conclusion

OCBC customers are not the first to fall prey to scams and they will not be the last. As we move more and more of our lives online, we can expect cyber criminals to keep exploiting both technical loopholes and human weaknesses to achieve their objectives. User education remains important, and so do improving processes and closing technology gaps.

Categories
privacy security

Malware found in coa and rc, two npm packages with 23M weekly downloads

It is a worrying trend to see more and more hijacking of popular packages to spread malware. The threat actor apparently gained access to the package maintainer’s account and inserted a post-install script that downloads the malware.

The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.

Source: Malware found in coa and rc, two npm packages with 23M weekly downloads

Categories
privacy security

Samy Kamkar – NAT Slipstreaming

Another impressive hack from Samy. In this article he introduces a novel technique that lets a remote attacker reach any TCP/UDP service bound on your machine, behind your NAT or firewall, simply by having you visit a malicious website (with some conditions). To be clear, this isn’t remote code execution or a remote shell; the exploit is at the networking level, but it could serve as a first step towards that. For example, the attacker could connect to the victim’s RDP port and start brute-forcing passwords.

exploit NAT/firewalls to access TCP/UDP services bound on a victim machine

Source: Samy Kamkar – NAT Slipstreaming

Categories
privacy security

Private data gone public: Razer leaks 100,000+ gamers’ personal info | Ars Technica

Yet another data leak caused by a service misconfiguration. The usual suspects are Elasticsearch and MongoDB instances and AWS S3 buckets left open to the internet.

No need to breach any systems when the vendor gives the data away for free.

Source: Private data gone public: Razer leaks 100,000+ gamers’ personal info | Ars Technica

Categories
privacy security

Ebay is port scanning visitors to their website – and they aren’t the only ones – nem.ec

Ebay, and others, have been caught port scanning your machine when you visit their website. We’re not talking about scanning your gateway; we’re talking about scanning the very machine you’re using to visit the site. How is this possible? The page’s JavaScript attempts WebSocket connections to a list of ports on 127.0.0.1 and infers from how quickly each attempt fails whether the port is open, which needs nothing beyond an ordinary modern browser. It is not WebRTC that enables this: WebRTC’s well-known privacy problem is leaking your local IP addresses, not port scanning, so disabling it will not stop the scan. To protect yourself, block the third-party fingerprinting script with a content blocker.

Websites are scanning for open ports on your PC to help fight fraud, but this data also flows into a massive, global tracking database.

Source: Ebay is port scanning visitors to their website – and they aren’t the only ones – nem.ec

Categories
privacy security

Zero-day in Sign in with Apple

Apple awarded a US$100,000 bug bounty for a relatively simple, but admittedly high-impact, bug. This researcher got lucky.

What if I say, your Email ID is all I need to takeover your account on your favorite website or an app. Sounds scary, right? This is what a bug in Sign in with Apple allowed me to do.

Source: Zero-day in Sign in with Apple

Categories
privacy security

The problem with Zoom

The rise of Zoom is undeniable in today’s climate. Work, schools, communities and more are all adopting Zoom and other video conferencing platforms as a primary means of communication. However, Zoom the company has some questionable practices, which leads to Zoom the product having many security and privacy issues. Here is an entire article devoted to the problems with Zoom:

Every Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself
https://tidbits.com/2020/04/03/every-zoom-security-and-privacy-flaw-so-far-and-what-you-can-do-to-protect-yourself

The problems with Zoom extend beyond its recent troubles. More articles on Zoom issues:

2020-04-09
MOE suspends use of Zoom in home-based learning following breaches involving obscene images
https://www.channelnewsasia.com/news/singapore/moe-suspends-zoom-home-based-learning-obscene-images-12626534

Who has banned Zoom? Google, NASA, and more
https://www.techrepublic.com/article/who-has-banned-zoom-google-nasa-and-more/

‘Zoombombing’ City Hall: Online Harassment Surges As Public Meetings Go Virtual
https://www.npr.org/2020/04/09/829265445/zoombombing-city-hall-the-struggle-to-keep-public-meetings-going-virtually

2020-04-08
Google Told Its Workers That They Can’t Use Zoom On Their Laptops Anymore
https://www.buzzfeednews.com/article/pranavdixit/google-bans-zoom

2020-04-03
Zoom admits some calls were routed through China by mistake
https://techcrunch.com/2020/04/03/zoom-calls-routed-china/

Security and Privacy Implications of Zoom
https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html

Thousands of Zoom video calls left exposed on open Web
https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/

A Quick Look at the Confidentiality of Zoom Meetings
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

2020-04-02
New Zoom Hack Lets Hackers Compromise Windows and Its Login Password
https://thehackernews.com/2020/04/zoom-windows-password.html

2020-04-01
Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers
https://www.vice.com/en_us/article/k7e95m/zoom-leaking-email-addresses-photos

2020-03-26
Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account
https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account

2019-07-15
The Zoom Desktop App Lets Any Website Take Over Your Mac’s Camera. Here’s What To Do About It.
https://www.buzzfeednews.com/article/nicolenguyen/zoom-webcam-hacker-watching-you-vulnerability

2019-07-11
Apple has pushed a silent Mac update to remove hidden Zoom web server
https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/

Categories
privacy security

Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access

This vulnerability affects WhatsApp Desktop, which I didn’t know existed, for Mac and Windows. It works by exploiting unpatched bugs in the outdated version of Electron that WhatsApp Desktop was built on.

Source: Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access

Categories
privacy security

1.2 billion people exposed in data leak includes personal info, LinkedIN, Facebook

Another data leak, this time involving, let’s see, 1.2 billion people. It was found by security researchers on an unsecured Elasticsearch server, which has since been taken down. According to their analysis, the data most likely comes from data enrichment companies.

A total count of unique people across all data sets reached more than 1.2 billion people, making this one of the largest data leaks from a single source organization in history. The leaked data contained names, email addresses, phone numbers, LinkedIN and Facebook profile information.

For a very low price, data enrichment companies allow you to take a single piece of information on a person (such as a name or email address), and expand (or enrich) that user profile to include hundreds of additional new data points of information.

Source: 1.2 billion people exposed in data leak includes personal info, LinkedIN, Facebook

Categories
network privacy security

Vulnerability in Linksys and Cisco routers

This is not a good week for network equipment manufacturers.

First, it was discovered that over 25,000 Linksys Smart Wi-Fi routers are affected by a sensitive information disclosure flaw.

Using data provided by BinaryEdge, our scans have found 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public internet, including:

  • MAC address of every device that’s ever connected to it (full historical record, not just active devices)
  • Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
  • Operating system (such as “Windows 7” or “Android”)

In some cases additional metadata is logged such as device type, manufacturer, model number, and description – as seen in the example below.

The picture is even worse for Cisco, which shipped a default SSH key pair in all of its Nexus 9000 series switches running in ACI mode. This means that anyone who knows the device’s IPv6 address and holds the key pair can SSH into a vulnerable device and take it over completely. It is so serious that some have described it as a backdoor.