Hacking news

HSBC Bank in U.S. suffers data breach

HSBC Bank in U.S. suffers data breach

HSBC confirms 1% of bank customers affected by the data breach

HSBC Bank, one of the largest banking and financial services organizations in the world, on Tuesday confirmed it suffered a data breach last month, which it believes affected less than 1% of its bank customers in the U.S.

In a Notice of Data Breach to customers, which has been filed with California’s Attorney General’s office, the bank says: “HSBC became aware of online accounts being accessed by unauthorized users between October 4, 2018 and October 14, 2018.

“When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account.”

The information that might have been possibly accessed includes full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

HSBC has not provided exact details as to how many people were affected by this breach nor it is immediately clear if any money was stolen.

“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously. We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts,” Rob Sherman, U.S. head of media relations, HSBC External Affairs said in a statement.

The bank is also offering a one-year free subscription with credit monitoring and identity theft protection service by Identity Guard to its affected customers.

“We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service.”

Although the bank’s official statement does not specify how did hackers gain access to their customers’ data, it is believed that hackers gained access via the HSBC online app.

In order to prevent credential stuffing attacks, the bank is urging its customers to keep their accounts safe by regularly changing and using strong passwords, and use unique passwords at each site they visit. The customers should also monitor transactions in their accounts for any unauthorized activity.

read more

Personal Facebook Messages Of 81,000 Hacked Users Up For Sale

Personal Facebook Messages Of 81,000 Hacked Users Up For Sale

Private conversations stolen from 81,000 Facebook users are up for sale

Hackers have published private messages from the compromised accounts of some 81,000 Facebook users and put them up for sale on the internet, according to a BBC News report.

The hackers told the BBC Russian Service that they had personal information of more than 120 million accounts, which they were attempting to sell. Many of the users whose details have been compromised are based in Ukraine and Russia but some were also from the UK, US, Brazil and elsewhere.

“The hackers offered to sell access for 10 cents per account. However, their advert has since been taken offline,” the report added.

Data stolen by the hackers include photos of a recent holiday sent privately between two Facebook friends, private messages between couples, complaints about a son-in-law and a chat about a recent Depeche Mode (British rock band) concert.

Russian Facebook users whose private messages had been uploaded were contacted, who confirmed to the BBC that the information was indeed theirs.

The breach was discovered in September when a user named FBSaler posted an advertisement on an English-language internet forum offering to sell the details of 120 million Facebook accounts at 10 cents a handle.

However, Facebook responded to the report and said its security had not been compromised and the messages were reportedly obtained through malicious browser extensions.

“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” Facebook executive Guy Rosen told the BBC. “We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”

The social media giant also assured its users that it had taken preventive measures to avoid further accounts from being affected.

Cybersecurity company Digital Shadows investigated the claim for the BBC and confirmed that the compromised data of the 81,000 users posted online as samples included private messages.

Earlier in September, there was a report that over 50 million Facebook accounts were hacked, which included accounts Facebook CEO Mark Zuckerberg and chief operating officer, Sheryl Sandberg. Later, in October, Facebook confessed that hackers had broken into nearly 30 million users’ accounts by stealing their “access tokens” or digital keys.

read more

Stolen Facebook logins put up for sale on the dark web for $3

Stolen Facebook logins put up for sale on the dark web for $3

Hackers are selling stolen Facebook logins on the dark web for as little as $3

Facebook accounts are being sold on the dark web for as low as $3, reports The Independent. This news comes shortly after a massive security breach that exposed data of approximately 50 million of Facebook users last month.

Hackers had exploited the security flaw and stolen “access tokens”, which is equivalent of digital keys that keep users logged into their accounts and include users’ sensitive data. However, the company back then claimed that it did not find any evidence of Facebook Logins being used by hackers.

But now, these stolen Facebook logins are being sold on the dark web for as little as $3 with the most expensive being sold for $12. Value of the entire stolen data has been estimated to be around $150 million and $600 million.

According to The Independent, dozens of listings for sale were noticed on the dark web marketplace, Dream Market, which use a similar rating system to other online retailers like Amazon and eBay to verify its vendors. Interested buyers can purchase the account login details through cryptocurrencies such as bitcoins.

Basically, the access tokens allow users to stay logged into Facebook apps on smartphones even when they close them. However, the hackers can misuse it to take control of user accounts, or for cybercriminal crimes such as identity theft, credit card fraud, spam and fraud emails, or even blackmailing.

Facebook CEO Mark Zuckerberg in a post to Facebook last week said: “We face constant attacks from people who want to take over accounts or steal information around the world… The reality is we need to continue developing new tools to prevent this from happening in the first place.”

As a precautionary measure, Facebook has taken down the “view as” feature, known as a privacy tool to let users see how their profiles look to other people. In short, how their information is displayed to friends or friends of friends or to anyone.

Also Read- Top 10 Ways That Hackers Use To Hack Facebook Accounts

read more

North Korean hacker charged for WannaCry and Sony cyberattacks

North Korean hacker charged for WannaCry and Sony cyberattacks

U.S. charges North Korean hacker for WannaCry, Sony cyber attacks

The U.S. government on Thursday charged and sanctioned a North Korean hacker for the 2014 Sony hack and the 2017 WannaCry global ransomware cyberattack, U.S. officials said.

The accused, Park Jin Hyok worked as part of a team of hackers, also known as the Lazarus Group, has been charged under the strategy planned by the U.S. government for naming and shaming the hackers in order to prevent future cyber attacks.

According to an FBI wanted poster released on Thursday, Park is identified as an alleged North Korean programmer who is accused of being “part of a state-sponsored hacking organization responsible for some of the costliest computer intrusions in history.”

Those attacks include the Sony Pictures Entertainment hack, the WannaCry attack and “a series of attacks targeting banks across the world that collectively attempted to steal more than one billion dollars,” according to the FBI.

Also Read- Top 9 hacking groups sponsored by governments

The U.S. Treasury Department sanctioned Park, a computer programmer, and the North Korea entity, Chosun Expo Joint Venture, the company he worked for.

The Treasury said the joint venture, also known as Korea Expo Joint Venture, is “a front for the North Korean government,” according to the Justice Department.

“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said Assistant Attorney General for National Security John C. Demers.

“The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage.”

Park is also suspected of trying to hack into Lockheed Martin’s THAAD Missile defense system project currently deployed in South Korea. He is suspected of working for North Korea’s Reconnaissance General Bureau, a leading intelligence agency of that country.

The complaint against Park describes a “wide-ranging, multi-year conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators working on behalf of the government of the Democratic People’s Republic of Korea, commonly known as North Korea.”

In 2014, the U.S. officials said unnamed North Korean hackers were responsible for the cyber attacks launched on Sony, which resulted in the loss of internal documents and data.

The hack on Sony Pictures came after Pyongyang sent a letter to the United Nations demanding that the movie production house not move forward with the movie “The Interview,” that showed the North Korean dictator Kim Jong Un in a negative light.

Park exploited multiple social media personas by sending malicious links to individuals involved in the production of the movie, the complaint said. The malicious links carried North Korean-controlled malware.

In 2017, WannaCry ransomware made headlines as one of the most widespread cyber attacks in history that brought up to 3,00,000 computers running Windows operating system in 150 countries to a standstill. Among the victims were Britain’s National Health Service (NHS), which had to close emergency rooms in a number of hospitals due to the hack.

Federal prosecutors have charged Park, who is not in custody, with conspiracy and conspiracy to commit wire fraud.

The Treasury Department, in a press release, said, “North Korea has demonstrated a pattern of disruptive and harmful cyber activity that is inconsistent with the growing consensus on what constitutes responsible state behavior in cyberspace.”

“Our policy is to hold North Korea accountable and demonstrate to the regime that there is a cost to its provocative and irresponsible actions.”

John Demers, the Assistant Attorney General of the National Security Division, said on Thursday, “The department has charged, arrested and imprisoned hackers working for the governments of China, Russia, and Iran. Today, we add the North Korean regime to our list, completing frankly four out of four of our principal adversaries in cyberspace.”

This is the first time the U.S. law enforcement agencies have formally charged a hacker involved in the North Korean “sponsored” cyber attacks. However, North Korea has denied the allegations of hacking.

read more

Celebgate hacker jailed for role in theft of Jennifer Lawrence’s nude photos

Jennifer Lawrence’s hacker who posted her nude images sentenced to prison

Jennifer Lawrence’s hacker who posted her nude images sentenced to prison

One of the four hackers involved in the 2014 ‘Celebgate’ scandal was sentenced on Wednesday in a federal court in Bridgeport, Connecticut. The accused has been sentenced to eight months in prison after which he has to serve three years of supervised release and perform 60 hours of community service.

George Garofano, 26, had hacked into more than 200 iCloud accounts of Hollywood stars including Jennifer Lawrence, Kirsten Dunst, Kate Upton as well as ordinary members of the public, and had posted their intimate pictures on Reddit.

The North Branford man admitted to posing as a member of Apple’s online security team and using a phishing scheme to send emails to the victims asking for their usernames and passwords. He then used the information from victims to steal personal information, including photos and videos. He also traded the credentials and personal information with others.

Earlier this month, Garafano pled a judge for a shorter sentence after claiming his “life has been ruined” by the scandal.

In a court filing, he said: “It will take me a while to forgive myself for this, and I am disappointed in myself.

“I feel remorse for anyone that could have been affected by this on any scale, public or private.

“It is a part of my life that I will always regret, as it has never been a reflection of who I am as an individual.”

“He now stands before the court having matured, accepting responsibility for his actions and having not been in trouble with the law since,” defense attorney Richard Lynch wrote. “There is nothing to suggest that he would ever engage in this or any other criminal conduct in the future.”

However, the prosecution wrote in a sentencing memo to the court: “Mr Garofano’s offence was a serious one. He illegally hacked into his victims’ online accounts, invaded their privacy, and stole their personal information, including private and intimate photos.

“He did not engage in this conduct on just one occasion. He engaged in this conduct 240 times over the course of 18 months.

“Not only did Mr Garofano keep for himself the photographs he stole, he disseminated them to other individuals. He may have also sold them to others to earn ‘extra income’.”

It added: “In committing this offense, Mr Garofano acted in complete and utter disregard for the impact on his victims’ lives.”

Two of the other hackers who were involved in the nude leak have already been sentenced. Ryan Collins, 36, was sentenced to 18 months in prison after pleading guilty to felony hacking and violating the Computer Fraud and Abuse Act; while Edward Majerczyk, 28, pled guilty to the same and was sentenced to nine months in prison. The fourth accused, Emilio Herrera, 32, also pled guilty and is scheduled to be sentenced this month.

read more

16-year-old hacks Apple and steal 90GB of secure files

16-year-old hacks Apple and steal 90GB of secure files

Australian teenager hacks into Apple’s secure network and steals 90GB of data

An Australian teenager is facing criminal charges for repeatedly breaking into Apple’s computer system after the company contacted the FBI, reports The Age. The teenager who began hacking at the age of 16, reportedly hacked into Apple’s private servers and stole over 90GB of sensitive corporate information on multiple occasions over a year.

The teen, who cannot be publicly named, was well known in the international hacking community. He pled guilty in Australian Children’s Court on Thursday, with sentencing set for next month. The teenager’s lawyer said in court that the boy was a big fan of Apple who “dreamed” of working for the company.

“Hacky hack hack”

During a raid on his family home in Melbourne, the authorities found downloaded files saved in a folder called “Hacky hack hack.” They also seized two Apple laptops, along with a mobile phone and hard drive. According to the prosecution, the two Apple laptops that were seized and their serial numbers matched the serial numbers of the devices which accessed the internal systems.

Modus operandi of the teenager

Apparently, the boy downloaded tens of gigabytes of secure files and accessed “authorized keys” that granted login access to users. He then managed to use security keys that “worked flawlessly” to access Apple’s information. He also allegedly had a look at customer accounts. The teenager used a virtual private network (VPN) to disguise his location.

Apple last year alerted the FBI, when it detected the unauthorized access and blocked the source of the intrusions, who launched the investigation. FBI, then coordinated the case with the Australian Federal Police (AFP), after the source of the intrusions was traced to Australia.

It is unclear if any of the acquired data was forwarded to third parties. However, it is understood that the teen hacker used WhatsApp to communicate his intrusion to others. Also, there is no clarity on the extent of the breach, or what type of accounts or other information were accessed, and if the breach was only limited to Australia or was it worldwide.

Apple has not yet commented on the case.

read more

Instagram hack locking users out of their accounts

Instagram hack locking users out of their accounts

Instagram hack: Users become victims of a strange account locking hack

In a widespread Instagram hacking campaign, hundreds of users are reporting that their accounts have been compromised. Besides losing access to the Instagram account, the profile image, email address, phone number, and bios related to the accounts of the affected users have been changed too.

Instagram Users Reporting Strange Hacks

Instagram users have been reporting of the bizarre hack since the beginning of August. Users are reporting that they are getting ‘logged out’ of their account, and if they try to log in again, it shows that their username no longer exist. The affected users also found hackers had altered their profile info and changed contact details.

Many of them saw their profile pictures typically set to a Disney or Pixar character with the new email addresses switching to a Russian .ru email address. Also, their bios and personal information have been deleted.

“My account has been hacked! Username, email, and password have been changed. Now someone called Laitus Maria has all my pics,” one Instagram user complained. While another disgruntled user tweeted:

Instagram responds to the widespread hack

The Facebook-owned app in a blog post said that people who have been locked out of their accounts can regain access here with a new, secure email address.

The company wrote, “If you received an email from us notifying you of a change in your email address, and you did not initiate this change, please click the link marked ‘revert this change’ in the email, and then change your password. We advise you pick a strong password.”

Instagram hack - account security

Instagram also shared the following safety measures to avoid falling victim to similar hacks:

  • Use a strong password—at least six numbers, letters, and symbols—different from those used elsewhere on the web.
  • Revoke access to suspicious third-party applications.
  • Activate two-factor authentication (2FA).

Instagram added, “We have dedicated teams helping people to secure their accounts. If you have reached out to us about your account, you will hear back from our team soon.”

While the motive behind the attacks on Instagram is still unknown, the use of .ru email addresses indicates that the source may be from Russia or perhaps threat actors pretending to be from the country.

Instagram is currently dependent on text messages for two-factor authentication (2FA), which is believed to be less secure than other app-based 2FA methods. However, the company says that it is working on improving its 2FA settings.

We recommend you to visit the Instagram Help Centre dedicated to hacked accounts for more information. Keep watching this space for more updates!

read more

US indicts 12 Russians Intelligence Agents for hacking and leaking DNC emails

US indicts 12 Russians Intelligence Agents for hacking and leaking DNC emails

U.S. charges 12 Russian intelligence officers of hacking Democrats in 2016 election campaign

Twelve Russian intelligence officers were charged on Friday by the U.S. Justice Department for hacking the computer networks of 2016 Democratic presidential candidate, Hillary Clinton and the Democratic Party. The shocking announcement comes just two days before U.S. President Donald Trump, who is currently on a visit to Britain, is scheduled to meet Russian President Vladimir Putin, for a summit in Helsinki, Finland.

The indictment, was secured by Robert Mueller, the special counsel investigating alleged Russian election meddling in the November 2016 vote and whether any members of Trump’s campaign team conspired with Moscow.

The 11 count, 29-page indictment, accuses all the 12 Russian military intelligence agency known as the GRU for carrying out “large-scale cyber operations” to steal Clinton campaign and Democratic Party documents and emails, as part of a Russian government effort to interfere with the election.

According to Mr. Mueller, the agents used “spearphishing” — a hacking method involving the use of deceptive email addresses — to fake Clinton campaign and DNC staffers and hacked into the election database of a U.S. state. The hackers then filtered the pilfered material through fake personas called DC Leaks and Guccifer 2.0, as well as others, to try to influence voters.

The suspects “covertly monitored the computers, implanted hundreds of files containing malicious computer code, and stole emails and other documents,” said Deputy Attorney General Rod Rosenstein while announcing the indictments at a press conference in Washington on Friday. “The goal of the conspirators was to have an impact on the election. What impact they may have had .?.?. is a matter of speculation; that’s not our responsibility.”

However, Rosenstein said the indictments did not claim that the cyber-attacks eventually affected vote count or changed the outcome of the 2016 election.

“There’s no allegation that the conspiracy changed the vote count or affected any election result,” Rosenstein said.

“There’s no allegation in this indictment that any American citizen committed a crime,” Rosenstein added, although the “conspirators corresponded with several Americans during the course of the conspiracy through the internet.”

However, he added, “there’s no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers.”

Rosenstein said he had briefed Trump “earlier this week” on the impending indictment and that the timing was determined by “the facts, the evidence, and the law.”

Rudolph W. Giuliani, Trump’s lawyer said on Twitter that the indictments “are good news for all Americans. The Russians are nailed. No Americans are involved.” He then called on Mueller “to end this pursuit of the president and say President Trump is completely innocent.”

On the other hand, Trump while speaking in Britain before the indictments were revealed, had said that he would question Putin about the allegations of election interfering.

“I will absolutely, firmly ask the question, and hopefully we’ll have a good relationship with Russia,” he told a joint press conference with British Prime Minister Theresa May.

At the same time, he also condemned the Mueller investigation as a “rigged witch hunt,” and said he has been “tougher on Russia than anybody.”

Russia rejected accusations that it meddled in the U.S. presidential election and has denied any role in the attack to help Trump win.

Senator Chuck Schumer, the Democratic Senate minority leader, advised Trump to cancel the Putin talks.

“These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win,” Schumer said in a statement.

“President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won’t interfere in future elections.”

Similarly, Republican Senator John McCain said the summit should be called off if Trump is not ready to warn Putin there is a “serious price to pay for his ongoing aggression towards the United States and democracies around the world.”

“If President Trump is not prepared to hold Putin accountable, the summit in Helsinki should not move forward,” McCain said.

Responding to the calls for cancellation of the summit to be held on Monday, the White House spokeswoman Sarah Sanders said, “It’s on.”

read more

15 Chinese PUBG hackers arrested and fined $5.1 million USD

15 Chinese PUBG hackers arrested and fined $5.1 million USD

PUBG Cheat: Chinese police arrest 15 suspects and fine over $5 million USD

Last week, PUBG Corporation, the developer behind the popular online battle royale game, “PlayerUnknown’s Battlegrounds” (PUBG), confirmed in an announcement made through the game’s Steam page that 15 suspects were arrested in China for allegedly creating and selling hacks for the PUBG game.

According to the Steam post, the suspects not only illegally affected PUBG with the programs but also used Trojan horse software. “Earlier this month, on April 25th, 15 suspects were arrested for developing and selling hacking/cheating programs that affect PUBG,” the announcement said. “It was confirmed that malicious code, including Trojan horse software, was included in some of these programs and was used to steal user information.”

The game’s developer revealed that it has been working with the local Chinese authorities to arrest and fine the makers of PUBG hack programs.

“As you all now know, we’ve been doing everything possible to root out cheating from PUBG,” the Steam post reads. “The ultimate goal is to create an environment for players that’s completely safe from hackers and cheaters.”

The PUBG team provided the following information on the case that was translated by the local authorities:

“15 major suspects including “OMG”, “FL”, “??”, “??” and “??” were arrested for developing hack programs, hosting marketplaces for hack programs, and brokering transactions. Currently the suspects have been fined approximately 30mil RNB ($5.1mil USD). Other suspects related to this case are still being investigated.

“Some hack programs that are being distributed through the internet includes a Huigezi Trojan horse*(Chinese backdoor) virus. It was proven that hack developers used this virus to control users’ PC, scan their data, and extract information illegally.”

The post also added, “The longstanding rumor that hacking/cheating programs extract information from users’ PCs has been confirmed to be true. Using illegal programs not only disrupts others, but can end up with you handing over your personal information.

Last December, anti-cheat company BattlEye had tweeted that it had banned over 1.5 million accounts until then and over a million more in January alone. “Unfortunately, things continue to escalate,” it said.

Hacking is a big issue for PUBG and it is taken “extremely seriously,” the post read. It also reminded players that developing, selling, promoting, or using unauthorized hacking/cheating programs is not only unfair for others playing PUBG but also against the law. It said that the efforts between PUBG Corp. and the proper authorities to root out cheating from PUBG will continue.

“We’ve upgraded our security measures, improved our anti-cheat solutions, and recently even added a new anti-cheat solution on top of all that. In the meantime, we’ve also been continuously gathering information on hack developers (and sellers) and have been working extensively with multiple partners and judicial authorities to bring these people to justice,” the post added.

“We’ll continue to crack down on hacking/cheating programs (and their creators) until our players are free to battle it out in a totally fair environment.”

read more

Hackers built a ‘master key’ that unlocks millions of hotel rooms

hackers created master key to unlock rooms

Hackers find a serious security vulnerability in hotel key system

Researchers from the Finnish cyber security firm, F-Secure have discovered a critical flaw that allows hackers to use a used or even a discarded hotel key card to create a master key for the entire building within minutes without leaving a trace.

According to Tomi Tuominen and Timo Hirvonen, security consultants for Finnish data security company F-Secure said that they discovered a vulnerability in the software of the electronic hotel room keys of VingCard Elsafe (a brand under Assa Abloy), a global provider of hotel locking systems. The vulnerable software in question is called ‘Vision’ and it could affect millions of rooms as they are available in 166 countries and in over 40,000 buildings, F-Secure researchers estimate. Some of the hotel chains who have used Abloy’s lock systems over the years are Intercontinental, Hyatt, Radisson, and Sheraton.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tuominen said.

“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities,” Hirvonen added. “You cannot really know how secure the system is unless someone has really tried to break it.”

Tuominen and Hirvonen from F-Secure started studying the vulnerability 15 years ago after a laptop belonging to one of their colleagues was stolen from the hotel room.

The duo wanted to figure out if it’s possible to open an electronically locked room without leaving a trace, and developed their own software to hack into the keycards.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” explained Hirvonen. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

The researchers found that an attacker just needs access to an electronic key (RFID or magnetic stripe) to the hotel or facility they are targeting. They found that information from a single keycard, even an expired and discarded one, can be scanned and copied using a small device to spoof more keys to the hotel or facility. It takes only a minute to decipher the card using the custom software, and produce a master key, which can bypass any lock, allowing unrestricted access to any hotel or facility.

“The hack consists of three steps,” Tuominen explains to The Independent. “Firstly, get access to a key card, it doesn’t matter which. Secondly, use a relatively-cheap piece of hardware, combined with our custom software, to read the card and search for the master key code. Thirdly, write the master key onto the key card, or any other key card, to gain access to any room in the facility.”

The two consultants have since worked with lock manufacturer Assa Abloy to fix the software flaw with an update, where some of the locks has been patched at the central server. However, it is expected to take a long time to roll out the fix across all hotels affected.

“We appreciate F-Secure’s ethical approach in bringing these issues to our attention,” a spokesperson for Assa Abloy said.

“We strive for the utmost security and quality in our products, so we are glad to have the opportunity to ensure our products pass the most rigorous evaluations. With these updates, we have elevated hospitality security to the next level.”

The researchers are set to present their findings at the Infiltrate conference later this week.

read more