Yahoo Account Exploit Selling on Black Market

Yahoo Account Exploit Selling on Black Market

Yahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo mail accounts.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users.

Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Demonstrating an apparent flair for marketing, the hacker, under the alias “TheHell” also posted a video on YouTube, providing a demo for potential customers. He claims it works with all browsers and does not require a bypass of XSS filters in either Chrome or Internet Explorer. He also says the exploit will be sold only to trusted individuals who are not likely to turn it over to Yahoo, which would undoubtedly develop a patch that will foil the attack.

“TheHell” claims that his exploit attacks a “stored” XSS flaw. This type of attack injects a code that is permanently stored on targeted servers until it is found and deleted. The malicious code is then passed to the victim’s machine when that particular server is accessed for legitimate download.

A standard phishing attempt is used to access the user’s cookies, from which the attacker can access the person’s email, or take full control of the account.

As of Tuesday morning, Yahoo was in the process of trying to identify the infected URL. Once the identification is successful, the malicious portion of code will be deleted.

Shylock Banking Trojan Spreads via Skype

Shylock Banking Trojan Spreads via Skype

The home Trojan-banker known as Shylock has just been updated with new functions. According to the CSIS Security Group, during an investigation, researchers found that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype.

The program was discovered in 2011 that steals online banking credentials and other financial information from infected computers. Shylock, named after a character from Shakespeare’s “The Merchant of Venice”.

Shylock is active in only a few parts of the world. The epicenter of infections is primarily located in the UK.

The Skype replication is implemented with a plugin called “msg.gsm”. This plugin allows the code to spread through Skype and adds the following functionality:

– Sending messages and transferring files
– Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
– Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
– Sends request to server: https://a[removed]s.su/tool/skype.php?action=…

Besides from utilizing Skype it will also spread through local shares and removable drives. Basically, the C&C functions allow the attacker to:

– Execute files
– Get cookies
– Inject HTTP into a website
– Setup VNC
– Spread through removable drives
– Uninstall
– Update C&C server list
– Upload files

Shylock is one of the most advanced Trojan-banker currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.

As always for this type of Trojans antivirus detection is low.

Facebook Data Mining Tool Uncovers Your Life

You know you shouldn’t post potentially damaging data on Facebook, but more often that not, your friends don’t think twice about it, and this can impact you even more than you think. At the Hack In The Box conference in Kuala Lumpur, security consultants Keith Lee and Jonathan Werrett from SpiderLabs revealed how a simple tool can enable anyone to find a comprehensive amount of data on any user.

Keith Lee and Jonathan Werrett during their presentation

To get the information, they created the aptly named FBStalker. This tool reverse-engineers the Facebook Graph and can find information on almost anyone. You don’t have to be a friend with someone on the network – the only thing that FBStalker needs to work is for parts of your posts to be marked as public. The tool will find things based on photos you’ve been tagged in, the comments you’ve put on other people’s posts, the things that you like, etc.

If you are tagged in a photo, we can assume you know the people you’re in the photo with. If you comment on a post, FBStalker knows there’s an association. Most people have an open friends list and this gives the tool a variety of people to target for more information. By looking at their posts and your interactions with them, it’s possible to understand how some of those people are important in your life.

Even though many users don’t use the Check-In function, it’s still possible to determine their favorite places to hang-out based on the tagged photos and posts from their friends. Just imagine the level of detail you can achieve and how that can help you if you want to mount a targeted social engineering attack against the user.

The first thing that came to mind when I learned about this tool was to ask if it’s a violation of Facebook’s terms of service. Werrett was expecting the question, he says with a smile: “The tool is basically automating what the user can do in the browser. We’re not using any APIs or unofficial ways of interacting with the interface. We’re using Graph Search to build-up this profile.”

FBStalker goes also a step further and provides private information about the targeted user that might not be obvious to others. It allows you to analyze the time when the person is online and, with time you are able to guess their sleep patterns and active hours.

This type of tool works well if you haven’t locked down your profile, but it can still work even if you have, provided that your friends haven’t locked down their profiles. You know the old saying – the chain is only as strong as its weakest link. With Facebook’s recent announcement that they are removing a privacy feature and that every user is going to be discoverable by name, things are getting increasingly harder to hide.

Even if your account is locked down, you can’t mark your profile picture as private. Once you change it and people like the picture, the attacker can start building a view of your friends list.

What can you do to protect yourself? The authors have a few suggestions: turn off location tracking and tighten your Facebook privacy settings. However, with the social networking giant increasingly removing privacy options, you may have trouble staying hidden.

How to Hack Snapchat Account

Need to Hack Snapchat Account?
Here is a Snapchat Hack Guide with Detailed Instructions!

In this post you will learn how to hack Snapchat account so as to track activities such as text messages, photo and video sharing even though they get deleted after a specific time.

Snapchat is one of the most popular app downloaded in all major platform of smartphones. It includes media sharing, chatting platform and many more features. Since this app is common among teenagers and there comes the need to keep an eye on them.

How to Track Snapchat Activities

The simplest way to do this is by using a Snapchat Spy app that helps you in monitoring Snapchat in a way that you can keep your children away from harm. The following are some of the best spying apps on the market today:

1. mSpy

mSpy is a cell phone monitoring app which helps in spying on Snapchat by recording all the phone activities. This app supports the following Snapchat hacking features:

• Keep track of the flow of text, photo and video messages that is sent and received on the target phone.
• Pin point the exact location of the Snapchat user with GPS tracking.
• Also lets you monitor other popular IM apps like WhatsApp, Facebook, Line, Skype and many more.