Hey guys, T-Mobile got hacked, PayPal got hit by a massive credential stuffing attack, a new Android malware turns out to be an evolution of an existing banking malware, and a phone ad scheme infected real apps. All this in this episode of Exploit Brokers' Hacking News Roundup. You're not going to want to miss this.
PayPal Accounts hit by Credential Stuffing Attack
So, let's talk about PayPal for a second. It appears they have been sending out data breach notifications, but before you run out and check your account, know that the incident happened back in December 2022. We are only finding out the details now because PayPal distributed a security incident notice, and it's important we discuss it and figure out what happened. Did PayPal have some unknown zero day? A flaw in the configuration of some server? No. It appears it was a large credential stuffing attack.
Simply put, a credential stuffing attack involves hackers taking known passwords from data dumps on the internet and then using a brute-force login tool to try those leaked credentials against multiple websites. The tool pretends to be a web browser and attempts to log in to an account using the passwords found for a known user. It relies heavily on users reusing the same password in multiple places. Let's say you use password123 (if you do, please change it) on websites A, B, C and D, and then website A has a data breach and leaks your password. A credential stuffing attack would try to log in to websites B, C and D with the password found on the internet: the hackers use the information they got from the website A breach to get into the other websites.
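From the defender's side, the tell-tale pattern of the attack described above is one client trying many different usernames, one leaked password each, with a high failure rate. The following is an added example (not code from the episode or from PayPal) that flags that pattern in a constructed, simplified auth log; the log format and thresholds are assumptions for the demo.

```python
"""Flag credential-stuffing sources in a web login log.

Constructed log format, one event per line:
    <ISO timestamp> <client_ip> <username> <OK|FAIL>
Real logs differ, but the signal is the same: many distinct usernames from one
source in a short window, with mostly failures.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 walks a leaked list (six users, one hit);
# 198.51.100.9 is a normal user who mistypes once and then logs in.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:02Z 203.0.113.7 carol OK
2022-12-06T10:00:03Z 203.0.113.7 dave FAIL
2022-12-06T10:00:04Z 203.0.113.7 erin FAIL
2022-12-06T10:00:05Z 203.0.113.7 frank FAIL
2022-12-06T10:00:30Z 198.51.100.9 alice FAIL
2022-12-06T10:00:45Z 198.51.100.9 alice OK
"""

def parse_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for every IP that, within any sliding `window`, tried at
    least `min_users` distinct usernames with a success rate <= max_success_rate.
    The stats kept are those of the widest qualifying window for that IP."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window start
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            rate = sum(ok for _, _, ok in win) / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(win),
                                   "success_rate": round(rate, 2)}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(parse_log(SAMPLE_LOG)))
```

Note that the one successful login from the flagged source is exactly the kind of account PayPal had to reset: a legitimate password reused from another site's breach.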
You must keep all your passwords as unique as possible and try not to repeat the same password on multiple websites.
So now that we know a bit more about what happened, let's talk about what PayPal did. As soon as PayPal found out about the attack, they began an investigation. They reset the passwords of affected users and set up enhanced security that required a password change on the next login. They also gave users a chance to get two years of Equifax's identity monitoring solution.
What did the hackers have access to? According to PayPal they could view your name, date of birth, social security number, address, and individual tax identification number. The window is thought to have run from December 6 to December 8, 2022. It also looks like almost 35,000 users were affected by the incident.
So, on the surface it sounds bad, and it is bad for anyone affected by the attack. On the plus side, PayPal found the attack early and was able to rule out a vulnerability on their side. The issue with bugs in the application itself is that they can take longer to fix and generally affect a wider base of users. In this case the credential stuffing attack came from hackers finding passwords on the internet and those passwords happening to match the ones used on the targeted website. It's important to change passwords often and to minimize, if not eliminate altogether, reused passwords. It's good practice to use something like a password manager to generate random passwords for all your accounts. However, make sure the master password is complex and not something you've used before.
Should you panic, stop using PayPal, disconnect your internet and go offline forever? No. You need to look into a password manager, change the most critical passwords you have, and rotate passwords often. Hacking is becoming more commonplace and it's important to learn to navigate it without fear.
The cell phone carrier T-Mobile just recently released a notice about a security breach back in late November. T-Mobile filed a report with the Securities and Exchange Commission, or SEC, about a security incident involving 37 million of its customers. It appears hackers found their way into the network and stole addresses, phone numbers, and birth dates of the affected customers. According to the report the hackers were not able to steal passwords, PINs, credit cards, social security numbers, or bank account information.
This only adds fuel to the flames for T-Mobile. For those who may not be aware I’ll recap what’s happened over the past few years.
Back in August 2018, hackers managed to use a vulnerable Application Programming Interface, or API, to steal details from about 2 million T-Mobile customers. Although T-Mobile stated that passwords, financial information, and social security numbers were not compromised, the hackers did potentially steal names, billing zip codes, phone numbers, account numbers, email addresses, and account types. That was the beginning of their troubles.
The following year, in November 2019, they had another data breach. This time roughly 1 million prepaid customers had their name, billing address, phone number, account number, rate plan and calling feature information stolen.
Continuing down this timeline we find ourselves in March 2020. This time hackers were able to break into an employee's email account and use it to steal customer account information. The hackers were able to get names, addresses, phone numbers, and rates. They were not able to get financial information or Social Security Numbers.
The rest of 2020 looked quiet and then we get to 2021.
2021 had two T-Mobile hacking events, one in January 2021 and the other in August 2021. The January event did not expose names, physical or email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs. The August event, however, is a different story.
The hacking event in August 2021 appeared to have been the worst. Hackers were able to steal names, driver's license details, government identification numbers, social security numbers, dates of birth, prepaid customer PINs, addresses, and phone numbers. The event was disclosed days after a hacker put the data up for sale on an underground forum.
Now back to the new and recent incident. Although financial and social security information was not stolen, the hackers did take addresses, phone numbers, and dates of birth. This means the impacted customers are now further exposed to phishing and spam campaigns, and with even more of their personal information in circulation, identity theft becomes easier for hackers to pull off.
This is a prime example of why you need to rotate passwords often, get identity monitoring, lock down your credit, and sign up for a service that notifies you if your passwords, email, or any other personal information is found on the dark web.
August 2018 source: https://grahamcluley.com/hackers-t-mobile-data/
March 2020 source: https://www.theregister.com/2020/03/05/tmobile_breach/
January 2021 source: https://www.theregister.com/2020/03/05/tmobile_breach/
August 2021 source:
New RAT Can Take Over Your Device
The Android banking malware world has two very dangerous families, known as Hydra and Octo. These two families are dangerous because of their ability to perform a Device Take-Over, or DTO. Once a device has been taken over by a hacker, they can view and interact with the screen. Hackers can exfiltrate data, manipulate apps and do anything that someone with physical access to the phone could do.
There is one other family of Android banking malware with a comparable infection footprint, ERMAC. ERMAC was being rented out by its creator DukeEugene, but the biggest difference is that it did not have the ability to do a device take-over. ERMAC's source code was sold, and several renamed variants popped up; ThreatFabric found infections under the names MetaDroid and OWL.
The story however has taken a turn. Recently DukeEugene posted a new advertisement for a brand-new banking malware known as Hook. Hook was touted as a new malware written from scratch. I'd assume this was to get bad actors interested in a new piece of tech that doesn't have samples everywhere, or to rebrand the product toward a new audience. The claim of being written from scratch, however, may be false, as the team at ThreatFabric found that the malware shares a lot of the same source code as the original ERMAC.
So why am I bringing this up if it's the same ERMAC malware that isn't as powerful as Hydra and Octo? Hook has some shiny new upgrades that make it concerning. It can now communicate in real time and bidirectionally. For context, previously the malware used a polling method: it would periodically send messages to the server controlling it. That makes it hard to do anything quickly, since any change has to wait until the next poll. The new real-time channel uses WebSocket communication, which opens a remote connection and keeps it open for as long as the control server wants the conversation to continue. This, coupled with its other addition, makes it a formidable malware.
Hook can now use Virtual Network Computing, or VNC, to view the device remotely, and it abuses accessibility services to interact with UI elements. These two abilities, viewing and controlling the device, upgrade the malware to the same threat level as Hydra and Octo; Hook can now be considered Device Take-Over capable. It can perform clicks, fill in text boxes, take screenshots, and more. It can also view and retrieve files on the victim's device. If you hold crypto or use WhatsApp you'll want to be extra careful. Hook has the ability to extract seed phrases for wallets, which would allow a hacker to create a copy of the wallet. Lastly, Hook can read and send messages in the popular messaging app WhatsApp. Hook is a new malware to be on the lookout for.
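Because the clicking and typing described above depends on an enabled accessibility service, one practical triage step on a suspect phone is to list the enabled services and compare them with what you expect. The following is an added example (not ThreatFabric's or the episode's code) built around the real `adb shell settings get secure enabled_accessibility_services` command; the allowlist and the sample output are constructed assumptions.

```python
"""Triage helper: flag enabled Android accessibility services not on an allowlist.

The setting's value is a colon-separated list of component names, e.g.
    pkg.a/pkg.a.SvcA:pkg.b/.SvcB
where 'pkg/.Svc' is shorthand for 'pkg/pkg.Svc', and 'null' means none enabled.
"""
import subprocess

# Assumed allowlist for this example: only TalkBack is expected on the device.
ALLOWLIST = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample output: TalkBack plus an unknown service, the kind of
# entry a dropper posing as a "system update" app would leave behind.
SAMPLE_OUTPUT = ("com.google.android.marvin.talkback/"
                 "com.google.android.marvin.talkback.TalkBackService:"
                 "com.example.sysupdate/.CoreService\n")

def parse_enabled_services(raw):
    """Return the set of fully qualified 'package/class' component names."""
    raw = raw.strip()
    if raw in ("", "null"):
        return set()
    services = set()
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # expand the shorthand class name
            cls = pkg + cls
        services.add(f"{pkg}/{cls}")
    return services

def unexpected_services(raw, allowlist=ALLOWLIST):
    """Enabled services that are not on the allowlist; each one needs a look."""
    return parse_enabled_services(raw) - set(allowlist)

def read_from_device():
    """Query a connected device (needs adb on PATH and USB debugging enabled)."""
    cmd = ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for svc in sorted(unexpected_services(SAMPLE_OUTPUT)):
        print("unexpected accessibility service:", svc)
```

Swap `SAMPLE_OUTPUT` for `read_from_device()` to run it against a real handset; a service belonging to an app the user does not recognise is a strong reason to pull the app and its APK for analysis.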
Malware, password hacking, and leaked data are only a portion of the cyber threats of the digital world we live in. If you want to stay up to date and learn about the threats lurking in the cyber shadows stay tuned. This has been Exploit Brokers; I’ll see you in the next one.