Issue 50

Fake Whatsapp in Play Store got 1 million downloads before being taken offline

The app was filled with ads and pulled in a second application to be installed too. It looked legitimate, having 'Whatsapp Inc. ' as its publisher but with an extra Unicode character at the end which renders as a space.


Attackers poison Google search results to deliver banking malware

Quite an impressive form of malware distribution. The attackers target very specific keyword searches like 'al rajhi bank working hours during ramadan', and make sure they are the first result. When clicked the visitor gets redirected and asked to download a Word document that brings in the Zeus banking trojan.


Tor releases patch to prevent IP leakage

The last thing you want when using Tor is for your IP to still be visible. On Mac and Linux there was an issue where just that happened. Users are urged to upgrade to the latest version.
And just so you know it when you see it: this one is apparently called the 'Tormoil' bug. Because all vulnerabilities need catchy names of course.


Amazon S3 introduces new encryption and security features

This is no doubt in response to the various s3 bucket leaks of late. The features include default encryption for buckets, clear warnings of making buckets public, and reports on the encryption status of all objects.


Mobile Pwn2Own: hackers pwn iPhone, Huawei, Galaxy and Pixel

The mobile version of Pwn2Own has been completed. $500,000 was rewarded to various teams for successfully exploiting a range of mobile devices. The vendors get 90 days to fix the issues before disclosure. A more detailed write-up of day one and two can be found on the blog of the organiser, Zero Day Initiative.


Google releases November security patches for Android

It includes fixes for the KRACK vulnerability and several bugs in the Media framework.


Well-crafted Netflix-themed phishing campaign making the rounds

It looks very convincing, telling the recipient to log in and re-activate their membership. While doing that it asks for personal information and their payment information.


Chrome to start blocking unwanted redirects

Very welcome news that Chrome will stop things like redirect-ads that pretend to be the video play button, unwarranted redirects from ads that weren't clicked, and more. Good for user experience and user security. The changes are expected early 2018.


Microsoft issues advisory on macro-less malware attacks

These malicious documents don't use macro's to pull in malware. Instead they make use of the Dynamic Data Exchange (DDE) feature, normally used to share data between applications. The user will get a "This document contains linked files. Do you want to update this document with the data from those files" pop-up. You can edit the registry to limit this capability to an extent, but mostly Microsoft advises to, well, not open suspicious documents.


Disgruntled employee hired three DDoS services to attack his former employer for a year

Fortunately he also made the mistake of taunting them through e-mail, which the FBI could get the IP address from, pointing to his home.


Sick of Twitter’s 140-character limit? These guys gave themselves 30,000

The article explains how two guys were able to abuse the URL-shortening and auto-display of the original link to send a tweet with 30,000 characters. Twitter has since patched the issue :)




Automated vulnerability scans of web applications in the SDLC

Integration of web application security in the SDLC has become really important. Businesses are pushing new code to production multiple times in a day, so it is vital that security flaws are identified at source. Listen to Paul’s Security Weekly podcast discussing this, scaling up web application security, time management for penetration testers and more.