Sunday, 6 November 2016
Two teenagers suspected of being members of the Lizard Squad and PoodleCorp hacking groups were arrested last month by law enforcement authorities in the United States and the Netherlands.
Zachary Buchta, of Fallston, Maryland, and Bradley Jan Willem van Rooy, of Leiden, the Netherlands, have been charged with conspiracy to cause damage to protected computers, which carries a maximum sentence of ten years in prison.
The suspects, both aged 19, have been accused by U.S. authorities of operating a service that allowed users to launch distributed denial-of-service (DDoS) attacks. They are also suspected of trafficking payment card information stolen from thousands of individuals.
The Lizard Squad and PoodleCorp are best known for massive DDoS attacks that disrupted the servers of several gaming companies, including the PlayStation Network, Xbox Live, EA and Blizzard. The Lizard Squad is also known for hacking the websites of companies such as Lenovo, Malaysia Airlines and Cox.
The FBI’s complaint also mentions two other individuals associated with Lizard Squad and PoodleCorp. They have not been named, but they use the online monikers “Chippyshell” and “AppleJ4ck.”
The complaint also shows that investigators linked Buchta to the @fbiarelosers Twitter account, which had discussed the DDoS attacks in private Twitter messages with other Lizard Squad members. Records obtained from Twitter, AT&T and Sprint tied the account to a phone number associated with Buchta’s residence.
Records from Comcast showed that his IP address often connected to an overseas VPN service that had been used to access the @fbiarelosers account and the websites operated by Lizard Squad and PoodleCorp. The FBI determined that Buchta’s Comcast account had accessed the @fbiarelosers account at the exact times when it was being used to discuss DDoS attacks.
Van Rooy, who is currently in custody in the Netherlands, did not even bother to hide his real IP address, which he used to access @UchihaLS and other Twitter accounts associated with the Lizard Squad. Subscriber records allowed law enforcement to link the IP to a residence in Leiden.
In private conversations with other Twitter users, @UchihaLS said he lived above a police station and claimed that even if they could trace him, they would simply “think it as a hoax.” These messages and a photograph shared by @UchihaLS linked van Rooy to the account.
The most interesting part of the finding, the security researchers say, was that the malware required user interaction during installation, meaning that the attacker needed physical access to the device to infect it, or extreme and effective social engineering.
Because the malware requires such interaction to be installed, the real-world threat level is relatively low for those who take reasonable security precautions regarding their mobile devices.
When run for the first time, the malware requests device administrator rights, asks for a license number, hides itself, and then asks for root access (it can download a root exploit from the command and control (C&C) server if needed). Next, the spyware installs itself as a system package.
Once a device has been infected, the malicious app can be used to access the victim’s chats and messages (SMS, MMS, Facebook Messenger, Google Hangouts, Skype, Gmail, the native email client, Viber, WhatsApp, etc.), record audio (during calls or in the background), access the picture library, take screenshots, and collect contact lists, calendars, browser history, call logs, and more.
If it has C&C connectivity, the malware can monitor and transmit local files, including photos and videos, and can execute shell commands.
On the infected device, the app runs under the name “Google Services” with the package name “com.android.protect,” clearly masquerading as the legitimate Google Play Services, the researchers note. The spyware communicates with the C&C server at hxxps://api.andr0idservices.com (hosted in Google Cloud) and downloads updates from the hard-coded URL hxxp://www.exaspy.com/a.apk.
In addition to hiding itself from the launcher on the infected device (by disabling its main activity component), the app disables Samsung’s SPCM service and the com.samsung.android.smcore package, which lets it run in the background without Samsung’s service killing it. As mentioned above, it also installs itself as a system package to prevent removal by the user.
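The behaviour described above translates directly into host- and network-side indicators. The script below is an added example, not Skycure’s or the article’s code: it sweeps `pm list packages -f` output, `pm list packages -d` output and a proxy log for the only indicators the article names (the com.android.protect package and whether it sits on the /system partition, the disabled com.samsung.android.smcore package, and the andr0idservices.com and exaspy.com hosts). The sample lines are constructed for the example, and the proxy log’s field layout (timestamp, client, method, target, status) is an assumption.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the article above.
SPYWARE_PACKAGE = "com.android.protect"          # shown to the user as "Google Services"
SAMSUNG_GUARD = "com.samsung.android.smcore"     # the spyware disables this to stay resident
NETWORK_IOCS = ("api.andr0idservices.com",       # C&C endpoint (HTTPS)
                "www.exaspy.com")                # host of the hard-coded update URL


@dataclass
class Finding:
    kind: str       # "spyware-package", "samsung-guard-disabled" or "c2-host"
    evidence: str   # the value that triggered the finding


_PKG_WITH_PATH = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)$")   # pm list packages -f
_PKG_ONLY = re.compile(r"^package:(?P<pkg>[\w.]+)$")                      # pm list packages -d


def scan_packages(lines):
    """Flag the spyware package; an APK under /system is what 'installs itself
    as a system package' looks like and means a plain uninstall will not remove it."""
    findings = []
    for line in lines:
        m = _PKG_WITH_PATH.match(line.strip())
        if m and m["pkg"] == SPYWARE_PACKAGE:
            where = "system partition" if m["path"].startswith("/system/") else "data partition"
            findings.append(Finding("spyware-package", f"{m['pkg']} at {m['path']} ({where})"))
    return findings


def scan_disabled(lines):
    """Samsung's keep-alive package appearing in the disabled list is the second indicator."""
    findings = []
    for line in lines:
        m = _PKG_ONLY.match(line.strip())
        if m and m["pkg"] == SAMSUNG_GUARD:
            findings.append(Finding("samsung-guard-disabled", m["pkg"]))
    return findings


def _host_of(target):
    """Host from a full URL, or from a 'host:port' CONNECT target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def scan_proxy(lines):
    """Assumed proxy log layout: timestamp client method target status."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = _host_of(fields[3])
        if any(host == ioc or host.endswith("." + ioc) for ioc in NETWORK_IOCS):
            findings.append(Finding("c2-host", f"{fields[1]} -> {fields[3]}"))
    return findings


# Constructed sample input (not real captures).
SAMPLE_PACKAGES = [
    "package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms",
    "package:/system/priv-app/protect/protect.apk=com.android.protect",
    "package:/data/app/com.whatsapp-1/base.apk=com.whatsapp",
]
SAMPLE_DISABLED = [
    "package:com.samsung.android.smcore",
    "package:com.sec.android.app.sbrowser",
]
SAMPLE_PROXY = [
    "2016-11-03T10:22:01Z 10.0.0.7 CONNECT api.andr0idservices.com:443 200",
    "2016-11-03T10:22:05Z 10.0.0.7 GET http://www.exaspy.com/a.apk 200",
    "2016-11-03T10:23:11Z 10.0.0.8 GET http://www.google.com/ 200",
]


def sweep(packages, disabled, proxy):
    """Run all three checks and return the combined findings."""
    return scan_packages(packages) + scan_disabled(disabled) + scan_proxy(proxy)


def run_sample():
    return sweep(SAMPLE_PACKAGES, SAMPLE_DISABLED, SAMPLE_PROXY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:24} {f.evidence}")
```

On a real device the first two inputs come from `adb shell pm list packages -f` and `adb shell pm list packages -d`; a hit on the system partition means remediation is a reflash or vendor recovery, not an uninstall, and the proxy check is worth running against DNS logs as well since the C&C traffic is HTTPS.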
Not only does this spyware pose a significant risk to end users, it can be an even greater risk to enterprises. It can be used to collect confidential company information such as financial data, intellectual property and product information, to stealthily record confidential meetings, and to blackmail a company into paying large sums to prevent the stolen information from being leaked.
“Mobile attacks used to require a special level of skill which made them more rare, but in today’s market it is easy for anyone to pay their way to being a threat. The Exaspy malware is just one of those packages that IT professionals need to defend against.” Skycure’s Elisha Eshed notes.