New Mirai botnet species ‘Okiru’ hunts for ARC-based kit


A new variant of the notorious Mirai malware is exploiting kit with ARC processors.

The nasty, dubbed Okiru, is the first capable of infecting devices running the ARC CPU, according to independent security researcher Odisseus.

RISC-based ARC embedded processors are used in a variety of internet-connected products including cars, mobiles, TVs, cameras and more. The discovery of malware capable of infecting such devices is troubling because of how much damage IoT botnets have caused in the past.

The Mirai botnet of 100,000 IoT devices wreaked havoc across the web in 2016 by taking down DNS services provider Dyn.

“There are likely more than 1.5 billion devices out there with ARC processors, enough to overwhelm the largest of networks,” warned Barry Shteiman, director of threat research at security vendor Exabeam.

Researchers at MalwareMustDie told El Reg: “The samples have been spotted in multiple places from several sources, some were spotted after infection, some are sitting in C2. For sure, ARC Linux devices are being targeted.

“The analysis of the code after decompilation shows the herders were preparing ARC binary specifically to target one particular Linux environment.”

MalwareMustDie said it was unable to give any estimate on how many devices had already been infected. ®
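As an added illustration (not from the article or from MalwareMustDie), the quickest way to tell which CPU a captured Linux sample was built for is the e_machine field in its ELF header; the values below are the EM_* constants from glibc's elf.h, and the sample blobs are constructed stand-ins, not real malware:

```python
import struct

# e_machine values from the ELF specification (glibc <elf.h> names).
# Mirai's public source builds for ARM, MIPS, x86, PowerPC, SPARC, M68K and SH4;
# the three ARC values are the ones the Okiru reports add to that list.
EM_NAMES = {
    2: "SPARC",
    3: "x86",
    4: "M68K",
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "SuperH",
    45: "ARC (EM_ARC)",
    62: "x86-64",
    93: "ARCompact (EM_ARC_COMPACT)",
    183: "AArch64",
    195: "ARCompact v2 (EM_ARC_COMPACT2)",
}
ARC_MACHINES = {45, 93, 195}


def parse_elf_header(data: bytes) -> dict:
    """Return word size, endianness, object type and target machine of an ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("corrupt ELF identification bytes")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident,
    # stored in the byte order the file itself declares.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, f"unknown({e_type})"),
        "machine": e_machine,
        "machine_name": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "is_arc": e_machine in ARC_MACHINES,
    }


def make_header(machine: int, little: bool = True, bits: int = 32, e_type: int = 2) -> bytes:
    """Build a minimal 20-byte ELF prefix (constructed test data, not a real binary)."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if little else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(("<" if little else ">") + "HH", e_type, machine)


# Constructed stand-ins for a triage folder: only the first one targets ARC.
SAMPLES = {
    "sample_arc.elf": make_header(93),
    "sample_mips_be.elf": make_header(8, little=False),
    "sample_arm.elf": make_header(40),
    "not_elf.bin": b"MZ\x90\x00" + b"\x00" * 16,
}


def triage(samples: dict) -> dict:
    """Parse every blob; keep the error message for anything that is not an ELF file."""
    report = {}
    for name, blob in samples.items():
        try:
            report[name] = parse_elf_header(blob)
        except ValueError as exc:
            report[name] = {"error": str(exc)}
    return report


def arc_samples(samples: dict) -> list:
    """Names of the samples whose e_machine is one of the ARC values."""
    return sorted(n for n, r in triage(samples).items() if r.get("is_arc"))


if __name__ == "__main__":
    for name, info in triage(SAMPLES).items():
        print(f"{name:20s} {info}")
```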

Minds Mastering Machines – Call for papers now open

Article source:

Canada charges chap alleged to run stolen data-mart Leakedsource


The Royal Canadian Mounted Police has announced it’s cuffed and charged a man for selling stolen identities and passwords at

The site listed more than three billion records – some including passwords – that had been stolen in various data breaches and let users buy that data. It also offered advice on new data breaches. Controversially, the site sold the data without first attempting to verify whether purchasers had a right to the records, all while masking the identity of its operators.

That practice earned the site rolling battles with the law that the Mounties (RCMP) revealed culminated in the December 22nd, 2017, arrest of a chap named Jordan Evan Bloom of Thornhill, Ontario.

Bloom appeared before Canadian courts on Monday, January 15th, charged with crimes including “Mischief to Data” for “selling stolen personal identities online through the website”. Bloom’s efforts are alleged to have earned him C$247,000 (US$198,500, £144,000).

The Dutch national Police and the United States Federal Bureau of Investigation helped the Mounties (RCMP) to make the bust, with the Canadians saying the case could not have been cracked without international collaboration. is now offline. Similar sites like and do not charge for access to data. The first-mentioned site does offer a paid alert service that informs customers when their email addresses appear in troves of stolen data. ®


Netflix phishing campaign goes after your login, credit card, mugshot and ID


Thanks to John Shier for his help with this article.

Think of the big security stories of recent months.

Security holes like F**CKWIT and KRACK; a plethora of ransomware attacks ending in extortion; data breaches that were big, bigger or biggest

…there are plenty of candidates for the story that got the most attention.

In contrast, phishing attacks rarely make the news these days, even though (or perhaps precisely because) there are so many of them.

Somehow, phishing seems to have turned into an “obvious” problem that everyone is expected to have experienced, learned from, got the better of, and moved on.

But phishing is still big business for cybercriminals: in the last week alone, for example, SophosLabs intercepted phishing attacks that abused the brands of many financial institutions.

Organisations that had their brands hijacked in this way in the past few days include: eBay, PayPal, VISA, American Express, Bank of America, Chase, HSBC, National Australia Bank – and that’s just a random subset of the list, in one industry sector.

Protecting your brand against abuse by phishers is, sadly, as good as impossible, especially if your brand is well-known and widely advertised.

Every time you send out an email of your own, or publish a blog article, or pen a PR statement, or put a logo on your website, you provide raw material for cybercrooks to copy-and-paste to produce simulacrums of their own.

Ironically, the less original and inventive they try to be, the more legitimate they’ll look, and the less likely they’ll be to introduce spelling, grammar and visual mistakes that clue you in to the deception.

Most phishing attacks are angling for something you know but are supposed to keep to yourself, such as:

  • Usernames and passwords for existing accounts. With login credentials, the crooks can log in themselves and take over.
  • Credit card numbers, expiry dates and CVV codes. Crooks can use these to spend your money on themselves, or sell the data on to someone else.
  • Personal information that you wouldn’t usually give out. Crooks can sell this on, or use it to open new accounts or take loans in your name.

Netflix brand hijack

Last week, a phishing campaign that hijacked the Netflix brand made big news.

Even if you back yourself to spot phishes from a mile away, it’s still worth reminding yourself from time to time what would go wrong if you were to make a mistake and click through.

So, we thought this one would be worth a quick “guided tour”, because the phish goes after all of the targets listed above: it tries to trick you into handing over your login details, your credit card data, your mugshot and your ID.

We’ve seen other people reporting different starting points for this phish, but here’s what we received to draw us in:

Note the simple trick, right there in the subject line, of not spelling out the brand-theft text “Netflix” exactly: the crooks wrote the X as the Greek letter chi, so that Netflix came out as Netfli𝛘.
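The chi-for-x trick above is a homoglyph substitution, and mail filters can catch it mechanically. This added example (not part of the original article) folds each word of a subject line or hostname to the ASCII it would be mistaken for and flags any that match a protected brand without actually being that brand; the brand list and confusables table are small hand-built assumptions, not a real product's data:

```python
import re
import unicodedata

# Brands to watch for, in plain ASCII (constructed list for the demo).
PROTECTED_BRANDS = {"netflix", "paypal", "ebay", "hsbc"}

# Non-Latin letters that render like Latin ones. Hand-built subset; the Unicode
# consortium publishes a far larger confusables.txt for production use.
CONFUSABLES = {
    # Greek
    "α": "a", "β": "b", "ε": "e", "ι": "i", "κ": "k", "ν": "v", "ο": "o",
    "ρ": "p", "τ": "t", "υ": "u", "χ": "x", "γ": "y",
    # Cyrillic
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ѕ": "s", "ј": "j", "һ": "h", "ԁ": "d",
}


def skeleton(token: str) -> str:
    """Fold a token to the ASCII string a reader would take it for."""
    # NFKC maps styled letters such as MATHEMATICAL BOLD SMALL CHI back to plain chi.
    folded = unicodedata.normalize("NFKC", token).lower()
    out = []
    for ch in folded:
        ch = CONFUSABLES.get(ch, ch)
        # Drop accents: NFD splits é into e + combining acute, keep the base letter.
        out.append(unicodedata.normalize("NFD", ch)[0])
    return "".join(out)


def find_brand_spoofs(text: str, brands=PROTECTED_BRANDS) -> list:
    """Return (token, brand, [(char, unicode name)]) for every word that reads as a
    protected brand but contains non-ASCII characters."""
    hits = []
    for token in re.findall(r"\w+", text):
        if token.isascii():          # a genuine ASCII brand name is not a spoof
            continue
        skel = skeleton(token)
        if skel in brands:
            odd = [(c, unicodedata.name(c, "?")) for c in token if not c.isascii()]
            hits.append((token, skel, odd))
    return hits


# Constructed subject lines; the first uses the same glyph the article shows.
SUBJECTS = [
    "Your Netfli𝛘 membership is on hold",
    "Your Netflix membership is on hold",
    "Verify your PаyPal account today",   # Cyrillic а
]

if __name__ == "__main__":
    for subject in SUBJECTS:
        print(subject, "->", find_brand_spoofs(subject))
```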

Remember: never click login links or “update your account” links directly in emails, because you can’t easily tell where they lead.

Keep your own record of where your favourite login pages are, and find your own way to them, precisely to avoid tricks like what comes next:

Note that this fake website has an HTTPS padlock, which is a convincing start.

But a padlock doesn’t mean you can automatically trust a site.

In this case, the crooks hacked into a site that already had a valid HTTPS certificate, and then uploaded their phishing pages so they’d show up with an air of believability.

On one hand, the hacked site is “secure”, because it really does belong to the company that is named in the certificate; on the other hand, it’s not secure at all, because it’s serving up unauthorised content:

Having already handed over your username and password, the crooks also want your card details:

The crooks have added a grammatically incorrect sentence of their own at the top of the page that should tip you off, along with the incorrect URL:

You need to confirm your informations to be able to fix this problem and access to your account Netflix.

Ironically, the crooks didn’t need this sentence and could easily have left it out – so be sure to take advantage of anything that doesn’t look right, and treat it as a phishing warning sign.

Next, there’s a fake Verified by VISA page that does nothing but repeat back to you what you already entered, but does so in a way that adds a veneer of legitimacy, to try to keep you on the hook:

The crooks want to reassure you at this point, because they don’t want you to bail; they’re going for the triple play by asking for your mugshot and ID:

And, finally, you’re redirected to the real Netflix login page…

…where you should have gone in the first place, unaided by any “helpful” links in any email.

What to do?

  • Never click on a login link or an account verification link in an email. If there is one, bail.
  • Check for the HTTPS padlock. If there isn’t one, bail.
  • But if there is a padlock, check the name of the site. If it’s not exactly what you expect, bail.
  • Don’t ignore telltales such as spelling and grammar errors. If it looks wrong, bail.
  • Guard your ID closely. If you’re asked for a selfie or ID when it isn’t absolutely necessary, bail.

Remember, if in doubt, DON’T GIVE IT OUT!


Bad benchmarks bedevil boffins’ infosec efforts


A group of operating systems specialists believes sloppy benchmarking is harming security efforts, by making it hard to assess the likely performance impact of security countermeasures.

The researchers, a group of operating system specialists from the Netherlands and Australia, decided to take a look at the accuracy of security researchers’ systems benchmarks. As they explain in this paper at arXiv, security papers are littered with so-called “benchmarking crimes”.

The Register spoke to Gernot Heiser, a long-time researcher in trustworthy systems at Australian research center Data61, a professor at the University of New South Wales and also co-founder of OK Labs, which developed one of the world’s first “provably secure” microkernels.

Heiser became interested in benchmarking because “I got annoyed by common deficiencies” in how security researchers validate system performance. His Dutch colleagues shared his irritation.

As Heiser explained to The Register, bad benchmarks are more than an irritant because for any security solution “you need to show two things – that the mechanism is effective, that it prevents certain classes of attacks; and that it’s useable, because it doesn’t impose an undue overhead.”

That makes “benchmark crimes” (a colourful rather than literal term) important, because they can make a promising fix unusable in the real world.

In their analysis of 50 papers published between 2010 and 2015 (in USENIX Security, as well as IEEE’s Security & Privacy, the ACM’s CCS, and papers accepted by the NDSS symposium), the researchers say they identified 22 discrete “benchmarking crimes”, ranging from ignoring performance impacts altogether, “creative overhead accounting”, using misleading benchmarks, all the way through to presenting only relative numbers in a benchmark.

Most often, Heiser said, the crime is that “evaluation data is not complete enough … you look at the ‘cost’ of the mechanism in a scenario, without doing a thorough evaluation of the performance effects in a representative set of scenarios”.

Take, for example, a researcher running the SPEC suite on systems with and without their security solution. “The suite is designed to represent a broad class of use-cases” he said, but “SPEC only makes sense if you make all the individual programs to come up with the score”.

Cherry-picking SPEC results means they’re less effective: “you might pick predominantly CPU-intensive processes and ignore memory-intensive processes”, he said.

Heiser said the prevalence of benchmarking crimes is partly a symptom of the complexity of modern systems: authors might be sloppy or careless, but equally, they might have trouble understanding the implications of their own work.

“That takes a fair degree of expertise,” he said, such that even the people peer-reviewing papers don’t notice the problem.

“The upshot is that you get too optimistic a picture of what you can do against a particular attack.” ®


CIA: Russian Military Hackers Behind NotPetya Attack

Cyberattack last June aimed to disrupt Ukraine’s financial system.

The CIA has concluded that Russia’s GRU military spy arm waged the NotPetya data-wiping cyberattack on Ukraine in June of last year, according to a report late last week in The Washington Post. 

NotPetya was deployed to appear like ransomware while actually destroying data on computers in banks, energy companies, and an airport in Ukraine. The malware spread via popular accounting software used in Ukraine called MeDoc, after an update server for the application was compromised and spread the malware during an automatic update.

US intelligence officials told The Post that the CIA in November assessed “with high confidence” that the GRU was behind NotPetya. While most of the victimized machines were in Ukraine, the malware also spread to other nations including the US.


More SCADA app vulnerabilities found


A big motivation for pulling software apart to find security flaws is the idealistic hope that developers will get the message and do a better job next time.

But what happens if they don’t?

It’s something that must have researchers at security consultancies IOActive Labs and Embedi pulling out their hair, assuming they have any left.

Two years ago, they jointly found 50 weaknesses in the security of 20 mobile apps used by a plethora of SCADA Industrial Control Systems (ICS) sectors covering things like power, water, and manufacturing.

Not good news exactly, but at least the problems were public domain and that meant they’d be fixed.

Now a follow-up test of 34 ICS apps from Google Play has found that far from improving, things have got worse – this time they found 147 security vulnerabilities in apps and backend systems designed for the same job.

Classifying them using OWASP’s Top Ten Mobile risk categories, 32 of the 34 lacked root or code protection, 20 had poor authorisation, 20 implemented insecure data storage, and 18 lacked obfuscation to protect code from reverse engineering.

Less frequent but still serious issues included poor-quality coding (12), insecure communication (11), insufficient cryptography (8), and insecure authentication (6).

In addition, the team noticed that seven apps exposed vulnerabilities on backend servers, for example SQL injection or cross-site scripting (XSS). And:

One of the reviewed applications had write permissions for the tables, allowing an attacker to tamper with station configurations and user statistics.

Overall, in the period between the two tests, researchers saw an average increase of 1.6 vulnerabilities per application.

Clearly, there’s a problem, but what is it?

Perhaps the app boom has lowered standards in a sector that rewards clever functions, performance and rapid development. If so, these apps simply manifest the same sorts of slapdash development that have affected other app sectors such as remote banking.

If that’s the case – and it’s hard not to imagine that it might be in at least some cases – it’s short-termism of the worst kind.

Say IOActive and Embedi:

The industry should start to pay attention to the security posture of its SCADA mobile applications, before it is too late.

The researchers have informed the affected vendors of the problems in the apps.

You can understand why so many ICS companies want to offer customers the ability to access monitoring and control using a mobile app. But on this evidence, it looks as if they are solving their problem today at the expense of creating a bigger one down the line for everyone.


How to set up 2FA on your Facebook account


As Facebook continues to embed itself into the fabric of our social and online lives – or, perhaps it’s more correct to say, as we let Facebook continue to embed itself in our lives – it’s increasingly important that we keep our accounts safe from unauthorized use.

If you barely ever log in to Facebook, you might not be too concerned about what could happen if someone gets into your account. But with Facebook being the biggest social media network on the planet with more than two billion users, and even if not all of those users are active or tied to a real person, it is increasingly used as a service to prove we are who we claim to be.

Facebook is entrenching itself to be indelibly tied to our entire identity online: How often have you seen Facebook authentication offered as a way to post comments on websites, or to register or log in to an app or service?

For many Facebook users, if someone were to gain access to their account, this would go beyond a mere annoyance – that person could also have access to their accounts on other apps, access to all sorts of sensitive information about them, their families, friends, and coworkers. From a reputation perspective alone, there’s a lot of potential for real-life consequences.

That’s why it’s a very good idea to take the security of your Facebook account seriously, and thankfully Facebook has made it reasonably easy to manage. A complex, unique password for Facebook is a great starting point – and if you haven’t changed it in a long while, take a moment to do it – but we also encourage you to take the security of your account to the next level and enable two-factor authentication as well.

Two-factor authentication (2FA) isn’t just a good idea, it’s a great idea: Someone trying to log in to your account needs more than just your password (“something you know”), they also need access to a phone or device that you own (“something you have”). This extra layer of security is simple to set up – we’ll walk you through it below – and can provide great peace of mind.

How to set up 2FA on your Facebook account

You will need:
1) Access to your Facebook account via a computer.
2) A phone number that can receive Text Messages (SMS) OR a smartphone that can run the Facebook app.

The 2FA process will tie your Facebook account to your phone number as a method of proving who you are. If the idea of Facebook having your phone number makes you uneasy, you can still use 2FA with just a code generator app and a Universal 2nd Factor (U2F) security key like a YubiKey – but to use U2F you must also use a code generator app, which still requires a smartphone. So keep that in mind.

For the purposes of this walkthrough, we’ll assume you’re okay with tying your Facebook account to your phone number, as this makes setting up 2FA quite simple.

1) On your computer, log in to your Facebook account and click the drop down arrow at the top right of the page on the blue notification bar. (It’s to the right of the question mark.) Look at the bottom of the menu and hit “Settings,” and on the next screen hit “Security and Login” on the menu on the left.

2) Scroll down to the “Setting Up Extra Security” section, and you’ll see a “Use Two-Factor Authentication” header.

Click “Edit” and a whole submenu will expand. Let’s start at the top – you’ll see “Two-factor authentication is off.” Hit “Set up” to get started.

3) If you haven’t at any point told Facebook your mobile phone number, you will now be prompted to add either a phone OR a code generator and security key to proceed. As noted above, we’re going the phone route in this walkthrough. Hit “Set Up Second Factors.”

4) You’ll be back in the 2FA submenu. In the “Text message (SMS)” field, hit “add phone” and follow the prompts to confirm your phone number. By the end of the process, you’ll be asked to confirm that you want to set up 2FA for your account, with an additional option that, for the next seven days, lets you *disable* 2FA on your account without supplying a second factor (like an SMS code).

Whichever option you choose, when you’re done, hit “Enable” and Facebook will helpfully notify you that 2FA is well and truly on:

That’s it! You’ve now enabled 2FA on your Facebook account. Next time you try to log in, after entering your password, Facebook will text you a six-digit code that you’ll need to enter to complete the login process.

While you’re in the security menu, take a look at the other options here and enable as much as you feel comfortable with: “Get alerts for unrecognized logins” for example is a great idea, especially paired with 2FA. This means if someone tries to log in to your account and doesn’t enter the correct code, Facebook will helpfully let you know next time you successfully log in:

Combining the unrecognized logins with 2FA works like a canary in the coal mine, letting you know someone’s (unsuccessfully) trying to access your account, and that it’s time for you to change your password.

If you’d rather not get text messages every time you log in, you can go one step further and use the Facebook app’s built-in code generator or a third-party code generator app to get that six-digit code to verify it’s you. If you opt to use the built-in code generator in the Facebook app, keep in mind that you need to be logged in to the Facebook app on your smartphone for it to work, so this verification method will only work in verifying a new device or browser. This isn’t likely to be an issue for most people, but if you tend to log in and out of your smartphone’s Facebook app, you’re better off using a third-party code generator app, like Google Authenticator.

Whichever method you use, you’ll need to be at a computer to set up your method of choice with your smartphone handy. Here’s what you need to do to get a code generator method set up:

  • For the Facebook in-app code generator, click “Set up” next to the “Code Generator” option in the Two-Factor Authentication submenu and follow the prompts.
  • For a third-party code generator app, click “third party app” in the Code Generator text option and follow the prompts.

Will you be enabling 2FA on your Facebook account, or have you already?


Typosquatting and the risks of one wrong keystroke


It’s easy to do – you quickly type a URL you use every day, whether it’s Google or Facebook or Amazon, and in your haste, you accidentally swap, add, or delete a single letter and hit enter. Suddenly you’re not where you wanted to be, and often that new strange piece of the internet isn’t a 404 message, but rather an unexpected, and often sinister, website.

Or even stranger, a spoofed version of the site you wanted to visit in the first place.

Registering common misspellings of popular websites to catch users unaware is known as typosquatting, and it’s exactly what it sounds like – cybercriminals scoop up these frequently misspelt domain names, knowing that some innocent users will end up on their page.

Typosquatting is so common that businesses often register common typos themselves to redirect users to the correct page. It’s a huge industry – over 80% of all possible one-character variants of Facebook, Google, and Apple are registered.

It’s easy to make jokes about typosquatting – the human error component can be amusing, and some of the satirical pages users stumble across are occasionally clever – but the risks posed by typosquatting are very real. NBC Nightly News recently highlighted the dangers of these typos and what you can do to avoid these malicious sites in a video featuring Sophos’ James Lyne.

But what really happens when someone makes their way to the wrong page? That depends on the intentions of the typosquatter. Sometimes it’s simply domain parking or domains for sale, or “related search” pages. Others are riskier to encounter, like competitions and surveys asking for personal information, or bait-and-switch sites. Others still truly are benign, like humor or satire sites or sites maintained by typosquatting researchers.

A while back, Naked Security’s Paul Ducklin misspelled Apple, Facebook, Google, Microsoft, Twitter, and Sophos in 2,249 ways to see what would happen – basically he let a computer mistype URLs across the web to see what it uncovered. He found everything from outright fake pages to adult content and contests designed to capture personal information:
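The "one-character variants" counted above, and the systematic misspelling Ducklin ran, both come down to enumerating the strings one keystroke away from a domain label. This added example (not the article's or Sophos's code) generates that set grouped by the kind of slip, plus the smaller "fat finger" subset where the wrong key sits next to the right one, which is what a brand owner needs in order to decide which variants to register or monitor; the QWERTY neighbour map is a simplified assumption:

```python
import string

# Characters allowed in a DNS label (lower-case letters, digits, hyphen).
ALPHABET = string.ascii_lowercase + string.digits + "-"

# Keys adjacent on a US QWERTY layout (simplified; no shifted or punctuation keys).
QWERTY = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}


def is_valid_label(label: str) -> bool:
    """A label must be 1-63 characters and may not start or end with a hyphen."""
    return 0 < len(label) <= 63 and label[0] != "-" and label[-1] != "-"


def one_char_variants(label: str) -> dict:
    """Every label one keystroke away from `label`, grouped by the kind of slip."""
    label = label.lower()
    n = len(label)
    kinds = {
        "omission": {label[:i] + label[i + 1:] for i in range(n)},
        "transposition": {label[:i] + label[i + 1] + label[i] + label[i + 2:]
                          for i in range(n - 1)},
        "substitution": {label[:i] + c + label[i + 1:]
                         for i in range(n) for c in ALPHABET},
        "insertion": {label[:i] + c + label[i:]
                      for i in range(n + 1) for c in ALPHABET},
    }
    for kind, candidates in kinds.items():
        candidates.discard(label)            # swapping "pp" in "apple" yields "apple" itself
        kinds[kind] = {c for c in candidates if is_valid_label(c)}
    return kinds


def fat_finger_variants(label: str) -> set:
    """Substitutions where the typed key is physically next to the intended one."""
    label = label.lower()
    out = set()
    for i, ch in enumerate(label):
        for neighbour in QWERTY.get(ch, ""):
            out.add(label[:i] + neighbour + label[i + 1:])
    return out


def summarize(label: str) -> dict:
    """Counts per kind, the de-duplicated total, and the fat-finger subset size."""
    kinds = one_char_variants(label)
    counts = {kind: len(variants) for kind, variants in kinds.items()}
    counts["total"] = len(set().union(*kinds.values()))
    counts["fat_finger"] = len(fat_finger_variants(label))
    return counts


if __name__ == "__main__":
    for brand in ("apple", "facebook", "google"):
        print(brand, summarize(brand))
```

Feeding the output to a WHOIS or DNS lookup (not shown) is what turns the list into the "how many are registered" figure quoted above.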

The full report goes into greater detail, but it’s worth highlighting a few key takeaways. Most interestingly, typosquatting sites are not rife with malware, despite what one might expect.

The fact that the scammers registering these sites are using popular misspellings, and thus there is a finite number of URLs available for this sort of activity, means, oddly enough, reputation matters. If they’ve registered a common misspelling of Facebook, they can’t just up and move house to a new URL if the page develops a reputation.

In fact, cybercrime made up just under 3% of the findings. Pop-ups and ads were far more common (15%) while IT and hosting – pages offering to sell you interesting domain names – made up 12%.

But while the percentage is relatively low, the tricks used by typosquatters to trick users into giving away personal or financial information can be very effective. Spoofed sites might, for example, offer you a free product if you pay for shipping – capturing the credit card data for unsuspecting users.

Other common goals for typosquatting include a false warning that your computer has been infected, tricking the user into downloading a “fix” that is actually the malicious payload, or convincing the user to click on a link that infects their computer with malware.

Attackers don’t just target everyday users. A devious newer form of typosquatting was recently identified targeting developers installing Python packages from the PyPI (Python Package Index) repository.

Bad code was found hiding in plain sight using filenames that were easily mistaken for legitimate packages. This is an interesting case because the motive was unclear – the code was malicious but relatively benign. It was a warning shot to developers using other peoples’ code in their projects, and demonstrated a variation on a common online scam.

The best antidote to protect yourself against typosquatting is, alongside appropriate security software, awareness. Bookmark your regular sites, check your spelling on a URL before hitting enter and be skeptical when a site doesn’t feel right or asks you for information you need to protect.


House votes for six more years of warrantless surveillance


If you’re a member of the US “intelligence community” – the FBI, CIA and NSA – this past Thursday was a great day for homeland security.

A majority vote in the US House of Representatives to renew Section 702 of the Foreign Intelligence Surveillance Act (FISA) for six years will, in their view, give them continued access to the indispensable tools they need to prevent major foreign terrorist attacks. Without them, they would be blinded to terrorist plots within the US, and US soldiers could be at much greater risk on foreign battlefields.

If you’re a privacy/civil liberties advocate, it was an unwelcomed win for Big Brother and a shameful, ominous day for everybody else – a reauthorization of warrantless spying on US citizens that amounts to a back door around the Fourth Amendment’s prohibition against unreasonable search and seizure.

According to a bipartisan “letter to colleagues” from four senators – Republicans Rand Paul (KY) and Michael Lee (UT); and Democrats Ron Wyden (OR) and Patrick Leahy (VT) – Section 702 in its present form…

…does nothing substantive to protect the Fourth Amendment rights of innocent Americans. This bill allows an end-run on the Constitution by permitting information collected without a warrant to be used against Americans in domestic criminal investigations.

Most of the debate over Section 702 is not about its stated intent, but about how it is interpreted. The provision allows the NSA to monitor the communications of foreigners located outside the country to gather what was the agency’s original mission: foreign intelligence. That goal gets general, bipartisan support.

But, as has been widely reported since the law was created in 2008, and as the revelations of former NSA contractor Edward Snowden documented, that collection has been both foreign and domestic. The communications of millions of Americans who were not specific targets have been “incidentally” included. And much of that data, critics say, has been made available to other intelligence agencies like the FBI and CIA.

That is what has prompted the intensity of debate over Section 702’s renewal that ramped up last fall.

Not that last week’s House vote makes it a done deal. The measure still has to come to a vote in the Senate, where a bipartisan coalition led by Paul and Wyden has threatened a filibuster.

The two are co-sponsors, along with a dozen other senators, of a bill titled the USA Rights Act, which would mandate reforms to 702, including a requirement for intelligence agencies to have a warrant before they can conduct even incidental surveillance of citizens.

The Senate will hold a procedural vote on 702 this week after it returns from a break, Senate Majority Leader Mitch McConnell said on Thursday.

So the debate continues, with splits in both parties. Some Republicans, like Paul, oppose it, and a few House Democrats joined the large majority of Republicans who supported renewal (the Republican majority is only 241-194).

Wyden took to the website of The Cyber Brief to label Section 702, “broad, unchecked government surveillance… at the expense of Americans’ personal liberty and constitutional rights…”

Among privacy advocates, the opposition is united. David Ruiz, a staff attorney at the Electronic Frontier Foundation (EFF), called the House vote “deeply disappointing.”

Because of these votes, broad NSA surveillance of the internet will likely continue, and the government will still have access to Americans’ emails, chat logs, and browsing history without a warrant. Because of these votes, this surveillance will continue to operate in a dark corner, routinely violating the Fourth Amendment and other core constitutional protections.

EFF and other organizations also condemned a majority vote to reject the House version of the USA Rights Act, which had 40 co-sponsors.

Privacy organizations including EFF, the Center for Democracy & Technology, American Civil Liberties Union, Brennan Center for Justice, New America’s Open Technology Institute and Restore the Fourth have been arguing since Section 702 came into existence that, in the name of collecting foreign intelligence, it allows spying on “US persons” as well.

Among their complaints, they cited a Washington Post examination of 160,000 emails and instant messenger conversations collected under Section 702 between 2009 and 2012, and found that 90% of them were from online accounts not belonging to foreign surveillance targets. They said nearly half contained information belonging to US citizens or residents.

But, while acknowledging the “genuine and legitimate controversy” over whether there should be amendments to Section 702 that add privacy protections, Brookings Institute Fellows Benjamin Wittes (Governance) and Susan Hennessey (National Security Law), said the “general value” of the law is not “remotely controversial among serious people”, when you consider:

  • Information derived from 702 collection is the single largest contributor to the Presidential Daily Brief.
  • 702 information is used to protect US soldiers on the battlefield.
  • 702 information keeps US decision-makers apprised of the intentions of adversary nations.
  • 702 information helps federal agents detect and prevent terror attacks on US soil.

Paul, Lee, Wyden and Leahy contend they are simply trying to limit Section 702’s authority to its original purpose, and keep intelligence agencies and law enforcement from abusing it. The USA Rights Act, they wrote…

…(will) preserve the government’s ability to pursue terrorists abroad and protect the country from foreign threats while also making the necessary reforms to protect the Fourth Amendment rights of Americans here at home.


Customers reporting credit card fraud after using OnePlus webstore


A large number of OnePlus customers claim to have been hit by fraudulent credit card transactions after making purchases on the phone company’s site. And they’re unhappy that the company has been slow to address the issue.

Dozens of fraud reports of unauthorised credit card use were posted on the company’s support forum, and many more on Reddit. Some users were hit with unauthorised transactions before Christmas, but the majority report the transactions appearing over the past few days. Disturbingly, several posters note problems with their credit card after purchasing through PayPal. But were they linked to OnePlus?

In a holding statement, OnePlus said it was investigating, but didn’t confirm or deny that a breach had taken place. The Shenzhen firm’s webstore was initially built with Magento’s e-commerce software, old versions of which were vulnerable to cross-site scripting and remote code execution attacks, but OnePlus said that since 2014 the site has been rebuilt with custom code. The company denied that it “stored” user credit card details.

A security audit by Fidus reveals that OnePlus is currently conducting the transactions itself, rather than through an iFrame. This introduces a new attack vector – it means that the credit card details (including security code) pass through the OnePlus site.

“All payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus noted.

OnePlus is in hot water after acknowledging that some of its phones beamed data to Alibaba without the user’s knowledge or consent. Last year it admitted that detailed usage data was being sent back to the company, without knowledge or consent. This is a breach of basic data protection law in Europe. And a month later it acknowledged that an insecure diagnostic tool had been left on shipping devices. ®
