Roblox Developers Under Attack by New Malicious NPM Campaign
Roblox developers are being targeted by a new malicious npm campaign. Cybercriminals have created fake Roblox npm packages with the aim of deploying a remote access trojan called Quasar.
Cyware News – Latest Cyber News – Read More
Novel Attack on Windows Spotted in Chinese Phishing Campaign
The malicious DLL implant for the Cobalt Strike attack toolkit gets injected into the Windows binary “runonce.exe,” giving total control to the attackers. The campaign further deploys various malicious tools for reconnaissance and data exfiltration.
Cyware News – Latest Cyber News – Read More
Secrets Exposed: Why Your CISO Should Worry About Slack
In the digital realm, secrets (API keys, private keys, username and password combos, etc.) are the keys to the kingdom. But what if those keys were accidentally left out in the open in the very tools we use to collaborate every day?
A Single Secret Can Wreak Havoc
Imagine this: It’s a typical Tuesday in June 2024. Your dev team is knee-deep in sprints, Jira tickets are flying, and Slack is
The Hacker News – Read More
Chrome 128 Updates Patch High-Severity Vulnerabilities
Google has released two Chrome 128 updates to address six high-severity vulnerabilities reported by external researchers.
SecurityWeek – Read More
New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access
Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system’s permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework.
“If successful, the adversary could gain any privileges already granted to the affected
The Hacker News – Read More
Ex-Engineer Charged in Missouri for Failed $750,000 Bitcoin Extortion Attempt
A 57-year-old man from the U.S. state of Missouri has been arrested in connection with a failed data extortion campaign that targeted his former employer.
Daniel Rhyne of Kansas City, Missouri, has been charged with one count of extortion in relation to a threat to cause damage to a protected computer, one count of intentional damage to a protected computer, and one count of wire fraud.
He was
The Hacker News – Read More
Hacker Leaks Data of 390 Million Users from VK, a Russian Social Network
Hacker ‘HikkI-Chan’ leaks personal data of over 390 million VK users on Breach Forums, including city, country, full…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
Cybersecurity Tips For Businesses Using Remote Workers
Remote work offers benefits like reduced costs and wider recruitment but also increases cybersecurity risks. To protect your…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
Tracelo Location Tracker Data Breach: 1.4 Million Users’ Data Dumped Online
Tracelo, a smartphone geolocation tracker service, was breached on September 1, 2024, exposing data from both its customers…
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
Owners of 1-Time Passcode Theft Service Plead Guilty
Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords.
Launched in November 2019, OTP Agency was a service for intercepting one-time passwords needed to log in to various websites. Scammers who had already stolen someone’s bank account credentials could enter the target’s phone number and name, and the service would initiate an automated phone call to the target that warned them about unauthorized activity on their account.
The call would prompt the target to enter a one-time passcode generated by their phone’s mobile app, and the code was then relayed to the scammer’s user panel at the OTP Agency website.
A statement published Aug. 30 by the U.K.’s National Crime Agency (NCA) said three men pleaded guilty to running OTP Agency: Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.
KrebsOnSecurity profiled OTP Agency in a February 2021 story about arrests tied to another phishing-related service based in the U.K. Someone claiming to represent OTP Agency then posted several comments on the piece, wherein they claimed the story was libelous and that they were a legitimate anti-fraud service. However, the service’s Telegram channel clearly showed its proprietors had built OTP Agency with one purpose in mind: To help their customers take over online accounts.
Within hours of that publication, OTP Agency shuttered its website and announced it was closing up shop and purging its user database. The NCA said the February 2021 story prompted a panicked message exchange between Picari and Vijayanathan:
Picari said: bro we are in big trouble… U will get me bagged… Bro delete the chat
Vijayanathan: Are you sure
Picari: So much evidence in there
Vijayanathan: Are you 100% sure
Picari: It’s so incriminating…Take a look and search ‘fraud’…Just think of all the evidence…that we cba to find…in the OTP chat…they will find
Vijayanathan: Exactly so if we just shut EVERYTHING down
Picari: They went to our first ever msg…We look incriminating…if we shut down…I say delete the chat…Our chat is Fraud 100%
Vijayanathan: Everyone with a brain will tell you stop it here and move on
Picari: Just because we close it doesn’t mean we didn’t do it…But deleting our chat…Will f*^k their investigations…There’s nothing fraudulent on the site
Despite deleting its Telegram channel, OTP Agency evidently found it difficult to walk away from its customers (and/or the money). Instead of shutting down as Vijayanathan wisely advised, just a few days later OTP Agency was communicating with customers on a new Telegram channel, offering a new login page and assuring existing customers that their usernames, passwords and balances would remain the same.
OTP Agency, immediately after their initial shutdown, telling customers their existing logins will still work.
But that revival would be short-lived. The NCA said the site was taken offline less than a month later when the trio were arrested. NCA investigators said more than 12,500 people were targeted by OTP Agency users during the 18 months the service was active.
Picari was the owner, developer and main beneficiary of the service, and his personal information and ownership of OTP Agency were revealed in February 2020 in a “dox” posted to the now-defunct English-language cybercrime forum Raidforums. The NCA said it began investigating the service in June 2020.
The OTP Agency operators who pleaded guilty to running the service; Aza Siddeeque, Callum Picari, and Vijayasidhurshan Vijayanathan.
OTP Agency might be gone, but several other similar OTP interception services are still in operation and accepting new customers, including a long-running service KrebsOnSecurity profiled in September 2021 called SMSRanger. More on SMSRanger in an upcoming post.
Text messages, emails and phone calls warning recipients about potential fraud are some of the most common scam lures. If someone (or something) calls saying they’re from your bank, or asks you to provide any personal or financial information, do not respond. Just hang up, full stop.
If the call has you worried about the security and integrity of your account, check the account status online, or call your financial institution — ideally using a phone number that came from the bank’s Web site or from the back of your payment card.
Further reading: When in Doubt, Hang Up, Look Up, and Call Back
Krebs on Security – Read More