Dropbox Users scammed into handing over credentials through a Phishing Page sent over SSL

Dropbox Users scammed into handing over credentials through a Phishing Page sent over SSL

Dropbox Users scammed into handing over credentials through a Phishing Page sent over SSL

After the massive leak of 700,000 Dropbox userids and passwords, which Dropbox denies it has been stolen from their servers, people are wary about the Dropbox security.

It so happens that a new style of stealing Dropbox credentials has emerged.  Cyber criminals try steal credentials for Dropbox and web-based email service by having created a fake log-in page that is hosted on the file sharing website, taking advantage of its secure protocol.  This scam which was discovered by Symantec.

The modus operandi

As usual the potential victims receive a email with a subject stating it as ‘Important’ from known party (who has also been a victim). The email is said to contain a large file which can be view only over Dropbox. Once the victim clicks on the link, he/she is led to a clone Dropbox page where he/she is asked for their Dropbox credentials.

The problem with this clone Dropbox page is that it is served over a secure website containing the words https before the url and further contains a exact replica of the Dropbox logo.  This makes the victim believe they are on real Dropbox page and handover their credentials to cybercriminals.  The image which is given below is of the said page and can fool even die hard prudent user.

Dropbox 1.png

Log in pages served over a webpage using a secure protocol

As soon as the “sign in” button is hit, the username and password entered in the log in fields are delivered to a PHP script on a compromised server, Symantec’s Nick Johnston says in a blog post.

The master strategy of the cybercriminals to use a secure protocol to host their nefarious cloned site works in most cases. Sending the data to the machine accessed by the crooks is also carried out using the secure protocol, which does not raise any suspicion to the victim. Otherwise, since the fake page is accessed through an encrypted connection, the web browser would inform that an insecure communication channel is used for delivering the data, warning that it could be intercepted and read by a third-party.

Johnston adds in his blogpost that that not all the resources of the phishing page are delivered over SSL.  The non secure items are marked in the web browser left top part which will display a different padlock in the address bar conveying some parts of the page are unsecure. However seeing the padlock and the https at the start of the page is enough for most users and that puts them at a greater risk.

“The fake login page is hosted on Dropbox’s user content domain (like shared photos and other files are) and is served over SSL, making the attack more dangerous and convincing,” says the researcher.

This is not the first case of abusing Dropbox cloud storage service. In late August, an SMS phishing (smishing) campaign was observed relying on the same method, the difference being that the crooks delivered a fake/cloned Facebook page.

However given the scale of recent leaks which hit the cyberspace last week , user discretion is advised to avoid falling into such traps.

read more

Malicious eBay listings redirects iPhone buyers to phishing site

Malicious eBay listings redirects iPhone buyers to phishing site

Buying a cheap iPhone on eBay is dangerous!!!

The worlds most popular auction site eBay has come in for severe criticism  as it appeared to fail to fix a  cross-site scripting (XSS) vulnerability for approximately 12 hours, which allowed attackers to redirect genuine buyers to fall prey on a phishing page.  eBay was notified about the cross-site scripting (XSS) vulnerability buy a IT worker from Scotland who is also a certified ‘eBay PowerSeller’.

Paul Kerr, a IT worker was surfing on eBay and happened to come on a iPhone listing.  He discovered that the listing for that particular iPhone was rigged in such a manner as to redirect potential buyers to a cloned eBay page, which could easy steal the victims login details and then steal all the important credentials by logging in to official eBay site.

Paul Kerr said he happened to visit the listing by chance, and being from IT background, immediately recognized the redirection for what it was: a phishing attempt. At the time, the advert had been up for 35 minutes, he noted, and he immediately notified eBay of the problem.

The problem was that even after notifying eBay about the fake listing and the redirections, the security team of eBay took 12 hours to delete the listing.  Kerr insisted that the listing was available to potential victims, despite getting assurances that the matter will be dealt with immediately from eBay. Kerr claims. “They should have nailed that straight away, and they didn’t,” he commented.

 About the XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. In eBay’s case, the hackers had apparently exploited the common vulnerability to inject malicious Javascript into several listings for cheap iPhones which are in news recently due to the launch of iPhone6 and iPhone6 Plus.

Once a potential clicked on these they were taken to cloned eBay log-in page. However, on further inspection the page is actually hosted elsewhere and has been designed to harvest user log-ins for the hackers.  The victims login and password once saved by the hackers could be used to go the actual eBay site and steal the credit card/banking information saved by the victim for the purchases.

According to the BBC website, there were in total three listing posted by the same malicious seller, and at least two contained the redirection code.  However, eBay security team  confirmed existence of only one.

All three listings have been removed by eBay, the spokesman added that,  “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links”

It is not known how many eBay buyers may have fallen victim to this iPhone listing in the 12 hours that it was online. There are chances that a good number of people may have actually fallen in the hackers trap considering the iPhone’s popularity.

This is not the first time that XSS vulnerabilities in the eBay website have been misused by malicious actors, and it probably won’t be the last.  Kerr made a video about the vulnerability and maybe this will help future buyers of eBay from noticing good from the bad.

read more

Phishing continues its Race, McAfee Labs reports

Phishing continues to be effective, McAfee Labs report shows

All type of Cyber Awareness Programs seem to fail because Phishing continues to be an effective tactic, according to the McAfee Labs Threats Report: August 2014.

While Techworm recently reported Phishing Campaign using Nude Models’ Photos, McAfee’s reports clarify the picture more. From your Bank account to your Facebook Account, everything seem to be under the trap of Phishing. While organizations are trying their best to stop phishing, Hackers are coming with new type of Phishing Techniques everyday.

Out of 16,000 business users who took the McAfee Phishing Quiz, which asks users to select if they are viewing a phishing email or legitimate email, 80 percent fell for at least one of seven phishing emails, according to the report.

Human resources staffers performed the worst, with employees in accounting and finance falling not far behind, the report indicates, adding research and development staff performed the best, with IT workers being a close runner-up.

McAfee observed that spoofed email addresses was most effective at fooling respondents, explaining in the report that a UPS phishing email using this tactic, coupled with carefully placed branding elements, was the most successful.

Rather than trying to reduce susceptibility to zero, organizations should focus on improving attack detection by nurturing human sensors that will report suspicious emails.

Some tell-tale signs of phishing are emails that appeal to emotions through fear or urgency, contain and ask users to open unexpected links or attachments, request login credentials, and contain elements such as overly generic text and greetings, Belani said.

In a post, Symantec warns that the Kelihos botnet is being used to send phishing emails purporting to be from Apple.

In a sample email, the message indicates that the user’s Apple ID was used to make a purchase on a device not previously linked to that account. The user is urged to check their Apple ID by clicking a link in the email. Clicking the link brings the user to an Apple phishing page that asks for an Apple ID and password, and presumably steals the credentials if entered, the post indicates.

read more

Phishing campaign lures victims with models’ photos

New phishing campaigns are capitalizing on two female models’ looks to steal Facebook login information from users.
Phishing is the most common process to hack Facebook accounts. But nowadays it’s too much hard to lure someone to get into the phishing page. But this type of  NSFW image Phishing Page will definitely make some people land into that page wishing to have a sex chat or to see more NSFW images and that is what Hackers are taking advantages of.
Celebrity lures continue in the world of phishing. We have seen several phishing sites in the past that used altered celebrity images to get users’ attention. Today, we have a couple of examples in which phishers continued their celebrity  promotion campaigns with glamour models Martisha and Denise Milani. These phishing sites are typically developed for the purpose of stealing personal information from a large number of these celebrities’ fans.
In one campaign, the phishing page spoofed Facebook’s branding and contained an image of glamour model Martisha along with a message in the Arabic language. This message translates to “Chat with Arab boys and girls on Facebook”. The phishing site gave the impression that the user could get involved in adult chats when they entered their login credentials. In reality, after the user logged in their login credentials, they were redirected to the legitimate Facebook login page while their information was sent to the phishers. The phishing site was hosted on servers based in Damietta, Egypt.
Though the Phishing Page does not look too much professional but it’s enough to phish some ‘really dumb’ people. 
In another campaign, the phishing site also mimicked Facebook’s appearance in order to obtain user login credentials. The background image contained a photograph of Denise Milani from a previous modeling photo shoot. The phishing site’s appearance suggested that the user could gain access to adult material when they entered their login credentials. However, as with the previous phishing campaign, once the user submitted their login credentials, they were redirected to the legitimate Facebook login page. This phishing site was hosted through a free Web hosting service. If the user became a victim to these campaigns, the phishers would have successfully stolen their information for identity theft purposes.

To prevent yourself get phished here are some good habits you should follow:

  • Check the URL in the address bar when logging into your account to make sure it belongs to the website that you want to visit
  • Do not click on suspicious links in email messages
  • Do not provide any personal information when replying to emails
  • Do not enter personal information in a pop-up page or window
  • When entering personal or financial information, ensure that the website is encrypted with an SSL certificate by looking for the padlock icon or “HTTPS” in the address bar
read more

Step by step tutorial for Fixing your Hacked Facebook Account

When Facebook is strengthening it’s social networking presence all over the world, hacking it’s users account is becoming alluring thing to many a hackers, day by day. The rapid increase in the hacked Facebook account shows the trend of hacking going up day by day.
How to Fix your Hacked Facebook Account
To many people Facebook is the main time passing stuff and it’ll surely be a shocking news if one day you find it HACKED. So in Techworm, it’s our duty to keep our readers safe and sound from this kind of hacks. there are many ways to hack a Facebook account but describing all of them is beyond the scope of this article. today we are going discuss how to fix that hacks.

Reclaim your account

If you can no longer login to Facebook, you’ll want to follow these instructions from the Facebook Help Center

My account is hacked. If your account is sending out spam (ex: advertisements or suspicious links) or was taken over by someone else, secure it here.

After you’ve navigated to, click the blue “Continue” button and follow the instructions.  Once done, you can reclaim your account.  Be sure to set a very complex password this time around. 

Change your Facebook password

It’s possible your Facebook woes are coming from the result of a phishing scam. Someone may have created a fake website that looks like Facebook or another online service you visit and tricked you into logging in. Their goal was to steal your password and other account credentials, and they may have succeeded.

In this case, you should change your password on Facebook. 

If changing your password fixes your Facebook problems, you should change your password for all your other services too, especially if you use the same password for them as you previously used on Facebook. If this doesn’t fix the problem, try the next step. 

Remove unwanted Facebook apps

It’s possible your Facebook woes are coming from some rogue app that you accidentally installed or were tricked into installing. Every Facebook app asks for certain permissions to when you install the same.  Some of these permissions you can modify, while others you cannot.  Rogue apps tend to use your Facebook timeline for their phishing or spam endeavours.

Your best bet is to remove all the Facebook apps you find suspicious.
If you don’t know how to Remove Facebook Apps, here is a short described method.
Go to Account Settings>App>Select the App you find suspicious>Remove App>in the Confirmation click on the Remove> Done!
If cleaning out your apps fixes your Facebook problems, tell your friends they should do the same (chances are the app asked your friends to install it as well). If this doesn’t fix the problem, try the next step. 

Get some security software and run a virus scan

It’s possible your Facebook woes are coming from some sort of malware, be it a keylogger, a trojan, or some other type of virus. Even if you think your computer is clean, it can’t hurt to check.

We wholeheartedly recommend Microsoft Security Essentials –it’s free and gets the job done very well. Another good one is Malwarebytes. Other free alternatives include Avira and Avast.
The aforementioned security programs are for Windows. If you have a Mac, try using the antivirus from Sophos.
After running the virus scan, clean out whatever the program detects. If you’re not sure about what the AV has  found save the log file and ask a friend who might.  All Antivirus products generate a log file which you can use to troubleshoot your machine.  You can also ask for help in various tech forums.
Hope this Helps. Don’t forget to comment if you have any questions or facing some other kind of problems with your facebook account. Stay Tuned For More Tutorials for safeguarding your PC from cyber criminals.

You may ask relevant trouble shoot questions to the admin of techworm in the comments section.
read more

Fake Bitcoin leaks(username and passwords) leads to phishing attacks ending in genuine users loosing their own bitcoins

Who says only developers have imaginative ideas, scamsters are always one step ahead of ideas even in the field of creativity.  A top trending paste on Pastebin says that a user by the name of Jim the The P1st0l has hacked the website of under an operation called Operation Piratecrypt and has leaked around 261 email ids and passwords. Now a little bit of background check on the affected website ie reveals that this is a phishing site hosted on a free webhosting ( and the Paste has affectivly been posted to lure bitcoin owners into divulging their ids to the scamters. 
Fake Bitcoin leaks(username and passwords) leads to phishing attacks
The scam works on simple theory of acting on the greed and curiosity of the pastebin reader.  Acting on the leaks, a person may enter the email id and password from the leak to transfer the bitcoins to his/her name.  To transfer any bitcoin, they need to put their credentials and ultimately giving their own bitcoins wallet information to the scamsters and loose the bitcoins in their own accounts.  The scamsters, in this case hoped for a similar result.  The Paste which is pasted on Pastebin here, has been trending for last 24 hours so the scamsters may feel that some of the readers may fall prey to their phishing campaign.

Logging into the takes users to another website which then asks the users for the wallet ids and passwords to which they want the bitcoins to be transfered.  
Fake Bitcoin leaks(username and passwords) leads to phishing attacks
Subdomains under have already been marked as phishing pages by Clean MX, a realtime data base regulator.  In addition to, Clean MX also states that the domain is being used for phishing PayPal, MasterCard and Interbank account holders.
Fake Bitcoin leaks(username and passwords) leads to phishing attacks
Eset and several other Antivirus firms have classified the domain  as a phishing threat

Fake Bitcoin leaks(username and passwords) leads to phishing attacks

A search on google gives the description of as 

What is LIXTER? Built and operated in the United Kingdom, LIXTER is the next generation crypto trading platform created by security professionals. We are …

Fake Bitcoin leaks(username and passwords) leads to phishing attacks

It is possible that there are several more phishing websites like these, Readers are advised not to fall prey to such fake pastes and such phishing scams. 
read more

Beware your Spotify App version 1.1.1 and below for Android may lead to phishing attack on you

Phishing through a popular Android App is a unknown phenomenon upto now but Trend Micro today reported that they have discovered a vulnerability that affects older versions of the Spotify App for Android. Trend reported that only older version including Spotify 1.1.1 are affected by this vulnerability.   If you have a Spotify App version 1.1.1 and below,  you did better upgrade it now!

Beware your Spotify App version 1.1.1 and below for Android may lead to phishing attack on you
Beware your Spotify App version 1.1.1 and below for Android may lead to phishing attack on you
Trend has reported that the vulnerability, which can be exploited by a cyber criminal and can allow him/her to control what is being displayed on the Spotify App interface. By using this flaw to control what appears on the victims smartphone or tablet can be abused by cybercriminals to launch phishing attacks that may result to data loss or theft.

Trend informed Spotify about the vulnerability and Spotify immediately fixed the flaw and released a upgrade for the App. Therefore if you are using Spotify kindly upgrade it by visiting it at Google Play here.

Trend has reported that the vulnerability affects a specific activity (, which is designed to retrieve and show Spotify web pages on the App UI. The vulnerability causes the content of these exported web pages to be visible to other apps installed in the phone. Furthermore, the bug can allow a separate App, process, or thread to trigger the activity without the need for additional permissions.

Using a malicious app, an attacker can exploit this activity to alter the content being shown by the App to users. Spotify was able to show the harmless Google homepage on the Spotify App but a cyber criminal with a sinister intent can use it to fake your banks home page to gain confidential information.

Trend Micro has also reported that the malicious App can trigger and “minimize” the activity at will of the attacker. If a user tries to stop the Spotify app by using the “Back” button, the malicious content will show up on the screen. Users who may not be overly familiar with the App might view this action as a normal routine for the App and click it.

Because potential attacks do not require additional permissions, users may not be aware of any suspicious activity that may arise from this situation. No additional permissions also mean that the Anti Virus App on your Android smartphone / tablet cannot detect and analyze malicious activity going on in the background.
read more

Guardian webpage copy used for phishing readers by posting a self congratulatory article about a finance company

As first sight, it looked like the well known news website guardian had been hacked.  But a close scrutiny it looks virtually identical copy of the normal webpage page of the Guardian put up only to carry out phishing attack on unsuspecting victims. The webpage had the same layout, typography, links to other sections, and comments below the line. The only giveaway was the story published on this fake page.  
It gave a glowing review of a company called Business Grants & Loans extolling its revenue models, returns to investors and increasing toplines. Sadly this was a phishing attack as the page was entirely fake, hosted on a copycat website and apparently designed by fraudsters to give the impression that the company has won independent endorsement from the Guardian with a sole motive to to lure victims into handing over hundreds of pounds each.

Making copy cat websites for phishing trade has been a ancient practise but mostly phishers tend to clone bank websites or institutions such as HM Revenue & Customs. These websites are then used by cyber criminals who send out “phishing” emails which convince victims to come to this cloned website and enter their login credentials. In reality these website are designed to illegally capture log-ins and password details.

The fake website page used the address “” instead of the regular and it was taken down immediately after Guardian complained about the same to the ISP concerned.  But not before the fake website had managed to scam a couple of victims.  Guardian itself was alerted about the cloned website by a victim who paid £175 to Business Grants & Loans by bank transfer, but then failed to receive the loan of £15,000 that she had been promised.

As a part of the phishing campaign she had been sent an email from the company which read: “To back things up, in 2013 we were mentioned in the Guardian. We would strongly suggest you read the article below, this should give you the confidence you need in our company …”

In the fake article which extolled the virtues of taking loans from Business Grants & Loans.  It also said that Business Grants & Loans is an “expanding company” which is “helping 76% of applicants achieve the funding they desire”. It tells readers to head to the company’s website, and goes to extraordinary lengths to make the article appear genuine, even creating fake below-the-line comments from regular readers of Guardian Money, such as “Halo572” and “oommph”.

Resource : The Guardian
read more

Doctor in New Zealand loses $300,000 to Nigerian fraudsters who hacked his dad’s email

The New Zealand Herald has reported a hacking by Nigerian scammers which has cost  a Auckland Doctor $300,000 and he is fighting to get it back.  As per the news, an Auckland doctor lost $300,000 after a Nigeria-based scammers hacked into his father’s email account and then posing as the father transferred $300,000 from his account.
Doctor in New Zealand loses $300,000 to Nigerian fraudsters who hacked his dad's email
The doctor who wished to remain anonymous, works in emergency section at a Auckland hospital is fighting to get the money back and has also warned other users to be vigilant against the Nigerian fraudsters.  The doctor said that the father and son duo were holding over @300,000 of family money in a bank in New Zealand. They had earmarked this money to buy  a property in Auckland or England.  His parents stay in Britain and they had been zeroing on a deal before this scam happened.  The doctor said that they had arrived at a decision to make an offer on a property in England and the doctor spoke to his father on the phone about transferring the money to a UK account.

“He told me verbally to send the money over, but later sent an email saying not to do it as the offer had been rejected,” the doctor told the Herald.

“Twelve hours later I got another email sounding like it was continuing on from that conversation. It said good news, the offer has been accepted so send the money through. I had an ongoing conversation with who I thought was my father.”

The doctor transferred the money to a bank account that appeared to have been set up in his father’s name. As he was communicating with his father from his legitimate email address, he had no reason to suspect anything was amiss. When he spoke to his father days later he realised he had been scammed.

He now believes the fraudster used a phishing technique to gain access to his father’s email account in which a fake password prompt was sent to “confirm” the user’s personal details.

The fraudster who the Auckland police think is a Nigerian, then used those details to access the email account and monitor the father and son’s conversation before stepping in and pretended to be the older man. The doctor contacted both his bank and the one that he transferred the money to, as well as the police. He is waiting to find out if there is any way he can recoup his loss.

“My main error was that I didn’t make the telephone call to my dad for confirmation. But I’m pretty busy, I don’t have the time to speak to my parents on the phone all the time. I think I should have though,” he said.

“We are all frustrated, it’s a massive chunk of money. I feel somewhat stupid, but when I go and read back through the email chain [the scammer] was pretty convincing.”

The Nigerian fraudster gangs are always on look out for phishing victims and their way of scamming is called 419 scams.  In fact they are so good at it that unsuspecting victims always fall prey to their scams world over.

read more

Search for Cristiano Ronaldo and other star footballers leads to suspected malware webpages

With just 8 days to go for the start of Football World Cup 2014 at Rio de Janeiro, its obvious that lot of the fans want to catch a glimpse of their star players or news about them.  Among the leaders in the searches is Portuguese star Cristiano Ronaldo. However it not only the fans who are interested in these star footballers.  According McAfee, the cyber criminals are well aware of the fans interest in Cristiano Ronaldo and likely to use the Portugese star’s name to lure visitors to web pages designed to infect them with malware. 
Search for Cristiano Ronaldo and other star footballers leads to suspected malware webpages
McAfee has prepared a list of most vulnerable names in the football arena who can be used by cyber criminals to lure visitors to such pages.  It has named the list as McAfee ‘Red Card Club’  The Red Card Club showcases the top 11 players who are in Brazil for the World Cup, whose web pages are considered to be risky for fans to search for online. Ronaldo lead the pack while  Argentina’s Lionel Messi, Spain’s Iker Cassillas, Brazil’s Neymar and Algeria’s Karim Ziani are also most probable baits for these cyber criminals. 

Like in tragic circumstances, it is common for the cyber criminals to leverage on the high level of interest in the world cup. Techworm has brought you information how the cyber criminals used the Malaysian Airlines MH370 video and Universal Studios Roller Coaster Accident(fake video) to lure them to websites rigged with malware and adware.  Some of the fake webpages host very malicious codes capable of infecting a user’s machine and stealing passwords and personal information. 

It is during such times of high interest that the cyber criminals strike at the unsuspecting victims.  In the latest case, the hype around the world cup make the football fans run the greatest risk when visiting sites offering screensaver downloads and videos showcasing the extraordinary skills of the footballers. 

McAfee says that searching for the latest Cristiano Ronaldo content yields more than a 3.7% chance of landing on a website that has tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware. 

McAfee has prepared the “Red Card Club” by giving scores among the top eleven positions in terms of greatest percent chance of web page risk. 

“Consider the McAfee ‘Red Card Club’ as our effort to warn consumers against allowing passion to trump digital hygiene,” said Paula Greves, director of web security research at McAfee. “Cybercriminals can’t resist taking advantage of ‘fever-pitch’ excitement around this summer’s epic matchups in Brazil. The danger is that this anticipation could lead fans to download content from pages they shouldn’t to fulfill their football experience.”
read more