Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Account Takeover. Show all posts

Critical npm Account Takeover Vulnerability Sold on Dark Web

 

A cybercriminal known as Alderson1337 has emerged on BreachForums, offering a critical exploit targeting npm accounts. This vulnerability poses a significant threat to npm, a crucial package manager for JavaScript managed by npm, Inc., a subsidiary of GitHub. Alderson1337 claims this exploit can enable attackers to hijack npm accounts linked to specific employees within organizations. 

The method involves embedding undetectable backdoors into npm packages used by these employees, potentially compromising numerous devices upon updates. This exploit could have widespread implications for organizational security. Instead of sharing a proof of concept (PoC) publicly, Alderson1337 has invited interested buyers to contact him privately, aiming to maintain the exploit’s confidentiality and exclusivity. If executed successfully, this npm exploit could inject backdoors into npm packages, leading to extensive device compromise. 

However, npm has not yet issued an official statement, leaving the claims unverified. The incident primarily impacts npm Inc., with npmjs.com being the related website. While the potential repercussions are global, the specific industry impact remains undefined. Account takeover (ATO) vulnerabilities represent severe risks where cybercriminals gain unauthorized access to online accounts by exploiting stolen credentials. These credentials are often obtained through social engineering, data breaches, or phishing attacks. 

Once acquired, attackers use automated bots to test these credentials across various platforms, including travel, retail, finance, eCommerce, and social media sites. Users’ reluctance to update passwords and reusing them across different platforms increase the risk of credential stuffing and brute force attacks. Such practices allow attackers to access accounts, potentially leading to identity theft, financial fraud, or misuse of personal information. To mitigate ATO attack risks, experts recommend adopting strong password management practices, including using unique, complex passwords for each account and enabling two-factor authentication (2FA) wherever possible. Regular monitoring for unauthorized account activities and promptly responding to suspicious login attempts are also crucial for maintaining account security. 

While Alderson1337’s claims await verification, this incident underscores the ongoing challenges posed by account takeover vulnerabilities in today’s interconnected digital landscape. Vigilance and collaboration across the cybersecurity community are essential to mitigating these threats and preserving the integrity of online platforms and services.

Security Experts Warn Social Media Users of Account Takeover

 

Anyone with a social media account has been warned that criminals are increasingly targeting common people and taking over their profiles. According to Action Fraud, the national fraud and cybercrime reporting service, there were 18,011 reports of social media and email hacking between August 2022 and July 2023.

In addition to stealing critical personal data from victims, fraudsters are also using the accounts for fraud - for example, there have been a dozen reports in the last two months regarding hacked social media accounts being used to promote fake Taylor Swift tickets. 

If the tickets appear to be sold by someone with a large number of friends on their profile and posts going back a long way, officials said, people are less likely to suspect it's a scam. Out of the 18,000 reports, 4,092 people reported they had been the victim of financial extortion or that fraud against the public had been committed using their accounts. 

There were two main categories of account takeovers in 49% of cases that Action Fraud received reports of: 

On-platform takeovers 

These take place entirely on the platform, via the messaging feature of the service. The suspect will dupe the victim into sharing or changing critical account information. This is primarily accomplished by the suspect already having access to one of the victims' friends' accounts. The fraudster will then message the victim, posing as a friend. 

The victim will think they are speaking with their friend and won't realise their friend's account has been hacked. After that, the criminal will ask the new victim to do something, like help "securing" their account, cast a vote in a competition, or possibly even extend a financial offer. 

Email hacking and phishing 

These types of account hacks frequently occur when victims unwittingly divulge their login information to fake websites after clicking on a link in an email they thought was legitimate. Once a fraudster has gained access to a victim's email account, they can use it to reset the password of any social media accounts linked to that email address. 

The scammer can easily access the email as a result of weak account security, such as a lack of 2-step verification, weak and re-used passwords, a leak of the victim's email on the dark web, or the actual expiration and purchase of the victim's custom web domain. 

"Social media applications are, without a doubt, the most widely used in the world, which presents a huge opportunity for criminals," stated Pauline Smith, Head of Action Fraud. Scammers have a large pool of potential victims to choose from because millions of people use social media and other apps on a daily basis. They frequently attempt to access people's online profiles in order to defraud others.

“Keep your accounts secure and set up 2-step verification. Under no circumstances should you ever share your 2-step verification codes with anyone, and if you think something doesn’t seem right, report the message and block the sender within the app itself. To make your accounts even more secure, and to provide an extra layer of protection, we would recommend that your email and social media passwords should be strong and different to all your other passwords,” Smith added.

Zenly Addressed the Risks of User Data Exposure and Account Takeover

 

Zenly, a social app from Snap that allows users to monitor the positions of friends and family on a live map, has two flaws that potentially imperil people being tracked. The issues are a user-data disclosure vulnerability and an account-takeover vulnerability, according to the Checkmarx Security Research Team.   

Zenly is a real-time location sharing software created in 2015 by Alexis Bonillo and Antoine Martin in Paris, France. Zenly's primary role is to share and monitor locations with friends. The software may communicate not only your current position, but also your mobile direction and speed. Zenly employs dependable, effective, and precise positioning technology to pinpoint the precise location of friends or family members. 

According to Checkmarx, the vulnerability exploits the "Add by Username" procedure, which begins by searching for a known username. Then, to view requests that occur during the username search, "an environment that permits intercepting and decoding network requests to get visibility into network activities" can be employed. 

“By observing the response of the request that was executed on the /UserPublicFriends endpoint, a list of friends can be seen, although it is not displayed on the user interface of the application,” according to the analysis. “This list contains every friend of the user, one of them is Bogus_CEO (bogus CEO of Zenly, for demonstration purposes). Note that the response also contains their username, which could in turn be used to repeat this process and obtain their friends list instead.” 

According to the researchers, after the target username has been found, the same interceptor may be used to retrieve the associated phone number via a view named "Add by Username," then clicking the "Add as Friend" button.

This vulnerability's mitigation strategy can be divided into two phases. The most serious consequences are from gaining access to a user's Personally Identifiable Information (PII) without their permission. This could be avoided by eliminating the target phone number field from the reply sent when a friend request is created. The second step in this mitigation recommendation is to effectively limit or shape the data supplied by the /UserPublicFriends endpoint when a username search is performed, rather than returning an entire list of the friends' usernames. 

According to Checkmarx, the second bug appears in the user-authentication flow. This authentication uses SMS messages carrying verification numbers to validate sessions. After sending the SMS message to the user, the app uses the session token and the SMS verification code to access the /SessionVerify endpoint. 

Both vulnerabilities have been fixed, and users should update their apps to the most recent version to avoid compromise, according to the company.

The Cat and Mouse Chase of Account Takeovers

Cequence Security Threat Research Team analyzed more than 21 billion applications transactions between June and December of 2021, API-based account registration and login transactions raised by 92 percent and around 850 million. It highlights the fact that hackers cherish APIs as developers do. The same database that shows account takeover (ATO) attacks on login APIs grew by 62 percent. An ATO causes an end-user to panic, with getting messages like “you have received a password reset notification from your favorite retailer/social media/financial institution because your account has been compromised.” 

If you are ever hit by an ATO, you will probably not want to conduct business with the organization that is associated with the account. This affects businesses by causing them to lose valuable customers and also hits the profit bottom lines due to loss in sales, brand damage, and infrastructure cost overruns. ATO techniques have evolved over credential stuffing, which is a high-volume, generally used technique. ATO now includes slow and low attacks having specific usernames and passwords. It follows a pattern, for instance, attacks on organizations and employees having some social presence (recommendations, reviews, etc.). 

For these people, ATOs have become a constant problem, the goal here is not to steal sensitive information, but to use these hijacked accounts for amplifying negative or positive information. The patterns observed in these attacks have been seen earlier in varying forms in different customer environments. Bots go silent for a while but return to cause more damage. Noticing these bot behaviors suggested that botters work together by sharing ideas, studying unsafe vectors (deprecated APIs), to prepare for the next attack. 

A robust defense system will require continuous monitoring, reviewing of all endpoints- mobile and Web API, cooperation between safety and peers. "ATO is a problem that more and more organizations are facing as threat actors want to steal gift cards, access one-click purchasing, and dominate hype-sales to buy and resell the inventory. As we have seen through this analysis, the pace and vigor are on the rise. All organizations that have an authenticated application should consider monitoring for ATO, and build mitigations to ensure their customer satisfaction remains high," writes Jason Kent for Threat Post.