Issue 56 - Week of Mar 14th

1.       US warns against Android apps that secretly listen in on your TV habits: An Indian firm called SilverPush uses a technology called 'Audio Beacon Technology', which uses inaudible audio waves in TV Ads to track TV habits and link it with the mobile user and his/her social-media activity. This technology is available as a SDK, which Android app developers embed in their apps. The US has told 12 Android app developers to declare their use of this technology, as failing to let customers know - violates the FTC Act. The technology runs silently in the background with or without the app being active.

2.       Bangladesh Bank chief throws in the towel after cyber-attack: The head of the Bangladeshi central bank has resigned following the devastating cyber-attack in which a group of hackers managed to steal at least $80 million from Bangladesh's New York-based Federal Reserve account. The criminals infected the Bangladesh Bank's computer systems with surveillance-based malware, and after watching transactions and learning how the banks operated for a few weeks, decided to strike. It was only thanks to a spelling mistake in one of the requests that bank officials became suspicious, querying the transfers and blocking others in the list. If no-one had noticed, the criminals could have gotten away with up to $1 billion.

3.       Lenovo start page pushed Angler: Another webpage (startpage[.]lenovo[.]com) joins the long list of pages/sites that have been compromised to silently redirect traffic to pages that install the infamous Angler exploit kit - which subsequently leads to delivery of TeslaCrypt ransomware. Last week it was Burrp[.]com and week before it was www[.]missmalini[.]com.

4.       Pwn2Own 2016- Chrome, Edge, and Safari hacked: Pwn2Own is a computer hacking contest held annually, contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive a cash prize and other goodies. This year too -major browsers fell, security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successfully exploited. A total of $460,000 was awarded for 21 vulnerabilities across the three browsers as well as Windows, OS X, and Flash. Last year’s total was $557,500.

5.       Apple Fires Back At FBI Court Order: In a legal brief filed last week, Apple said the US founding fathers "would be appalled" by the Department of Justice (DOJ)'s order last month that Apple help bypass security encryptions built into the iPhone. The two sides will meet before a magistrate judge this Tuesday (March 22). Look for the ruling to be appealed, possibly all the way to the Supreme Court.

6.       Anonymous says it's hacking Trump: The 'Hacktivist' collective group Anonymous claimed to have leaked personal details of the controversial US presidential candidate Donald Trump, including his Mobile Phone Number and Social Security Number (SSN). The group posted a video condemning Trump. In response, a Trump representative sought the arrest of the people responsible for attempting to illegally hack accounts and telephone information.

7.       Android Trojan infiltrates mobile firmware: An Android Trojan which displays unwanted ads and installs nuisance software on mobile devices has been discovered in the firmware of smartphones and in popular Android applications. The adware, dubbed Gmobi, has infected the firmware of at least 40 low-end smartphone models and is present in a number of applications provided by well-known companies. Gmobi is packaged as a tailored program in software development kits (SDKs) for Google's Android platform and it is able to "remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments.

8.       Hackers can Silently Install Malware in Non-Jailbroken iOS Devices: A new strain of malware designed for the iPhone and iPad poses a major risk to hundreds of millions of devices, because it can infect non-jailbroken devices without the user's knowledge. The Trojan - dubbed as AceDeceiver, installs itself on iOS devices without enterprise certificates and exploits design flaws in Apple's digital rights management (DRM) protection mechanism called FairPlay. Attackers purchase an app from App Store, intercept and save the authorization code. They then developed fake iTunes which tricks iOS devices to believe the app was purchased by victim and thus installs potentially malicious apps without the user’s knowledge.

9.       3 reasons why the Tax refund fraud thrives: A popular scam—where criminals filed fake income-tax returns to collect fraudulent refunds is on the rise in 2016 as well. It largely thrives as 1) Almost all tax returns are now online, 2.) Widespread leakage of personal information, 3.) Low risk of getting caught or being prosecuted for the crime. Storage firm Seagate Technologies and social media firm Snapchat are among the companies that recently announced that their employees had inadvertently given fraudsters W-2 (Form 16) information of their workers.

10.   Flipkart CEO Binny Bansal’s email ‘spoofed’, attempt to steal $80,000: The email account of Binny Bansal, CEO of e-commerce giant, Flipkart has reportedly been ‘spoofed’ and an attempt made to steal $80,000 using his email address. The incident took place two weeks back, when a seemingly official mail (Typosquatting) went from Bansal to the company’s CFO Sanjay Baweja asking him to transfer $80,000. The crime-in-progress was stopped after Baweja, noting the oddity of the request checked with Bansal in person. Flipkart said an official complaint has been lodged with the police. Police sources said that the spoof mails originated from Hong Kong and Canada using a server in Russia.