Your babies online, Ako Ransomware and Sneaky Phishing Technique

Today is Thursday January 16th, 2020 and here are today’s most pressing cyber stories in under 5 minutes. 

Sneaky Phishing Technique now being used in more attacks 

There's been a large rise in cyber criminals using a particular phishing technique to trick workers into unwittingly installing malware, transferring money or handing over their login credentials.

In conversation-hijacking attacks, hackers infiltrate real business email threads by exploiting previously compromised credentials – perhaps purchased on dark web forums, stolen or accessed via brute force attacks – before inserting themselves into the conversation in the guise of one of the group.

The idea is that by using a real identity and by mimicking the language that person uses, the phishing attack will be viewed as coming from a trusted colleague and is thus much more likely to be successful.

Cyber criminals are leaning hard on this attack technique as a means of compromising businesses, according to new research from Barracuda Networks. Analysis of 500,000 emails showed that conversation hijacking rose by over 400% between July and November last year.

While conversation-hijacking attacks are still relatively rare, the personal nature means they're difficult to detect, are effective and potentially very costly to organizations that fall victim to campaigns.

For cyber criminals conducting conversation-hijacking attacks, the effort involved is much greater than simply spamming out phishing emails in the hope that a target clicks, but a successful attack can potentially be highly rewarding.

In most cases, the attackers won't directly use the compromised account to send the malicious phishing message – because the user could notice that their outbox contains an email that they didn't send. 

Instead, conversation hijackers attempt to impersonate domains, using techniques like typo-squatting, where a URL is the same as the target company's save for one or two slightly altered characters. By using a real name and a real email thread, the attackers are hoping that the intended target won't notice the domain is slightly different and that they'll follow the request that's coming from their supposed contact, perhaps a colleague, customer, partner or vendor.

In some cases, it's been known for conversation hijackers to communicate with their intended victims for weeks in order to ensure trust is built up. At some point, the attacker will make their move and try to trick the victim into transferring money, sensitive information or potentially installing malware.

However, while conversation-hijacking attacks are more sophisticated than regular phishing attacks, they're not impossible to spot. Users should pay attention to the email address a message is coming from and be suspicious if the domain is slightly different compared to what they're used to seeing.
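The domain check described above can be automated at the mail gateway. The following is an added example, not part of the original article: it compares the sender of a new message with the domains already seen in the thread and flags near-misses. The domain names and the distance threshold of 2 are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample: domains of the participants already seen in a thread.
THREAD_DOMAINS = {"acme-widgets.example", "northwind.example"}

def domain_of(header_value):
    """Return the lower-cased domain of a From header, or '' if none is found."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "dg" typed as "gd".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_sender(from_header, thread_domains, max_distance=2):
    """Classify a sender as known, lookalike, new or unparseable."""
    sender = domain_of(from_header)
    if not sender:
        return ("unparseable", None)
    if sender in thread_domains:
        return ("known", sender)
    for known in sorted(thread_domains):
        # Close to a thread domain but not equal: the typo-squatting pattern.
        if osa_distance(sender, known) <= max_distance:
            return ("lookalike", known)
    return ("new", None)

if __name__ == "__main__":
    for hdr in ("Dana Reyes <dana@acme-widgets.example>",
                "Dana Reyes <dana@acme-wigdets.example>",
                "Dana Reyes <dana@acrne-widgets.example>",
                "sales@unrelated.test"):
        print(hdr, "->", check_sender(hdr, THREAD_DOMAINS))
```

A "lookalike" result on a reply inside an existing thread is a strong signal for holding the message; a "new" result only means the domain is unfamiliar.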

Users should also be wary of sudden demands for payments or transfers and, if there's doubt about the origin of the request, they should contact the person requesting it, either in person, by phone or by starting a new email to their known address.

Organizations can also protect their employees from these attacks by implementing two-factor authentication, because by adding this extra layer, even if login credentials are stolen, attackers can't use them to conduct further attacks. 

Ako Ransomware is using spam to infect its victims 

It has been discovered that the network-targeting Ako ransomware is being distributed through malicious spam attachments that pretend to be a requested agreement.

Last week we reported on the Ako Ransomware and how it was targeting companies with the intent to encrypt their entire network. At the time, it was not known how it was being distributed and when we asked the ransomware operators, they told us it was a "secret".

Since then, the ransomware identification site ID-Ransomware has seen an increasing number of victims. Attached to the spam emails is a password-protected zip file named agreement.zip, with the password '2020' being given in the email. The extracted archive will contain an executable renamed as agreement.scr that, when executed, will install the ransomware.

As spam is being used to spread the Ako Ransomware, everyone must be trained on how to properly identify malicious email and not open any attachments without first confirming who sent them and why.

This is especially true for email attachments that are in password-protected archives, as they are commonly used to avoid being detected by secure email gateways and antivirus software.
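A gateway cannot scan the contents of a password-protected zip, but with standard ZIP encryption the file names in the archive directory stay readable. The following is an added example, not part of the original article: it flags encrypted archives and executable-looking entries such as agreement.scr. The extension list, the verdict names and the sample builder are assumptions.

```python
import io
import zipfile

# Assumption: extensions a site policy treats as executable content.
RISKY_EXT = (".scr", ".exe", ".js", ".vbs", ".lnk")

def inspect_attachment(data):
    """Return (encrypted_names, risky_names) read from the ZIP directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    # Bit 0 of the general-purpose flags marks an entry as encrypted.
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    risky = [i.filename for i in infos
             if i.filename.lower().endswith(RISKY_EXT)]
    return encrypted, risky

def verdict(data):
    """Map an attachment to a gateway action (names are illustrative)."""
    try:
        encrypted, risky = inspect_attachment(data)
    except zipfile.BadZipFile:
        return "not-a-zip"
    if risky:
        return "quarantine"       # executable entry, encrypted or not
    if encrypted:
        return "hold-for-review"  # contents cannot be scanned
    return "pass"

def constructed_sample(name, encrypted):
    """Build a harmless test archive; optionally set the encrypted flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"placeholder bytes, not a real program")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit at offset 6 in the local header, 8 in the directory entry.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(sig) + off] |= 0x01
    return bytes(raw)

if __name__ == "__main__":
    for name, enc in (("agreement.scr", True), ("notes.txt", True),
                      ("notes.txt", False)):
        print(name, enc, "->", verdict(constructed_sample(name, enc)))
```

Archives that also encrypt the directory itself hide the entry names, so they can only be held for review.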

Our Babies are going through their First Data Breach 

A cute baby video is something we all enjoy; however, such a video is one of what appear to be thousands of baby videos and images that are being left unsecured and exposed to the internet by Peekaboo Moments, a mobile app. That's because the app's developer, Bithouse Inc., has left an Elasticsearch database open on the internet, warns Dan Ehrlich, who runs Austin, Texas-based computer security consulting firm Twelve Security.

"I've never seen a server so blatantly open," Ehrlich tells Information Security Media Group. "Everything about the server, the company's website and the iOS/Android app was both bizarrely done and grossly insecure."

The Peekaboo Moments database contains more than 70 million log files comprising more than 100 GB, with information appearing to date from March 2019, Ehrlich says. The logs record when someone uses the Peekaboo app and the specific action they took at a certain point in time, such as uploading data or content. Exposed data includes email addresses, detailed device data and often, links to photos and videos, all of which get stored on servers hosted by Singapore-based Alibaba Cloud. Ehrlich estimates that at least 800,000 email addresses are in the exposed data. 

The app also transmits sensitive data for babies. It has a growth tracker that allows people to record their baby's length and weight. It also has a field for a baby's birthdate. For some of the babies whose data is exposed, this is quite possibly their first data breach exposure. Another field shows that the app records location data in latitude and longitude to four decimal places, which is accurate to within about 30 feet of an individual's location. The data exposure alert comes despite Peekaboo Moments describing itself as a "secured space" and promising to safeguard the data and information it stores.

"We completely understand how these moments [are] important to you," the company writes on its