Hacker Busted for ‘Evil Twin’ Wi-Fi! 👬🏻

Jul 04 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that thinks even if Anonymous, Lazarus, and Fancy Bear teamed up they couldn’t hack the Tories out of the thrashing they are about to receive 👀🗳️💀 #GeneralElection2024

Today’s hottest cybersecurity news stories:

  • 👃🏼 Something smells WiFi! Scammer creates fake inflight WiFi ✈️

  • 🕵🏻‍♂️ MerkSpy spyware tool delivered via Microsoft MSHTML flaw 🐞

  • 👨🏻‍💻 New Intel CPU vulnerability 'Indirector' exposes sensitive data 🗃️

Scammer: It wasn’t me; it was my evil twin! 👀😳😬

🚨 Hacker Busted for 'Evil Twin' Wi-Fi! 👬🏻

Australian authorities arrested a man for using a portable Wi-Fi device to set up scam networks on flights, stealing data from unsuspecting passengers. Here's the scoop:

โœˆ๏ธ In-Flight Data Theft

During a domestic flight, airline employees noticed a suspicious Wi-Fi network. Upon landing in Perth, police found a 42-year-old man from West Australia with a mobile access device, laptop, and mobile phone in his carry-on luggage.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Sneaky Tactics

The man allegedly used these devices to create fake Wi-Fi access points mid-flight, tricking passengers into logging on and entering personal information such as email addresses and social media credentials. The investigation revealed similar cybercrimes at airports in Melbourne, Adelaide, and other locations.

🔒 Safety Tips from Authorities

Andrea Colman, an Australian AFP cybercrime detective inspector, advises that you shouldn't have to enter personal details to connect to free Wi-Fi networks. To protect yourself, install a reputable VPN on your devices to encrypt your data. Colman also suggests disabling Wi-Fi on mobile devices in public to prevent automatic connections to malicious hotspots.

"When using a public network, disable file sharing, don't do anything sensitive like banking, and change your device settings to 'forget network' once you're done," Colman added.
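The two checks below turn the advice above into something a traveller or venue operator can run over Wi-Fi scan results. This is an added example, not code from the newsletter or the AFP: it flags an SSID that is broadcast by more than one access point where at least one copy is open while another is secured (the classic evil-twin shape), and lists saved open networks that a device with Wi-Fi left on would auto-join. The scan rows and saved profiles are constructed sample data, not a real capture.

```python
"""Evil-twin indicator checks over a Wi-Fi scan (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str       # access point MAC address
    security: str    # "OPEN", "WPA2", "WPA3"
    signal_dbm: int  # received signal strength; closer to 0 is stronger


# Constructed scan: the airline's real AP, a rogue open copy of its SSID
# with the strongest signal (a portable AP carried nearby typically is),
# and an unrelated open cafe network.
SAMPLE_SCAN = [
    ScanResult("Airline_Free_WiFi", "aa:bb:cc:00:00:01", "WPA2", -62),
    ScanResult("Airline_Free_WiFi", "de:ad:be:ef:00:02", "OPEN", -38),
    ScanResult("Cafe_Guest", "aa:bb:cc:00:00:10", "OPEN", -70),
]

# Constructed saved-network profiles: SSID -> security type the profile was
# saved with. Most operating systems only auto-join when both match.
SAVED_PROFILES = {"Airline_Free_WiFi": "WPA2", "Cafe_Guest": "OPEN", "HomeNet": "WPA3"}


def evil_twin_candidates(scan):
    """Return SSIDs advertised by more than one BSSID where at least one copy
    is OPEN while another is secured. Each finding lists the open and secured
    BSSIDs and whether an open copy has the strongest signal."""
    by_ssid = defaultdict(list)
    for row in scan:
        by_ssid[row.ssid].append(row)

    findings = []
    for ssid, rows in by_ssid.items():
        securities = {r.security for r in rows}
        if len(rows) < 2 or "OPEN" not in securities or len(securities) < 2:
            continue
        strongest = max(rows, key=lambda r: r.signal_dbm)
        findings.append({
            "ssid": ssid,
            "open_bssids": sorted(r.bssid for r in rows if r.security == "OPEN"),
            "secured_bssids": sorted(r.bssid for r in rows if r.security != "OPEN"),
            "open_copy_is_strongest": strongest.security == "OPEN",
        })
    return findings


def autojoin_risk(saved_profiles, scan):
    """Return saved OPEN networks that are currently in range: these are the
    ones a device with Wi-Fi on will join without asking, which is why the
    advice is to 'forget network' once you are done."""
    return sorted({r.ssid for r in scan
                   if r.security == "OPEN" and saved_profiles.get(r.ssid) == "OPEN"})


if __name__ == "__main__":
    for finding in evil_twin_candidates(SAMPLE_SCAN):
        print("possible evil twin:", finding)
    print("auto-join exposure:", autojoin_risk(SAVED_PROFILES, SAMPLE_SCAN))
```

Note that the airline SSID in the constructed data is saved as WPA2, so an open copy of it is not an auto-join risk on a typical device; the detection value there comes from the first check, which shows the same SSID offered both open and secured at once.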

๐Ÿ‘ฎ๐Ÿป Facing Charges

The suspect now faces nine separate cybercrime charges. Travellers are urged to stay vigilant and cautious when using public Wi-Fi.

Stay safe and secure! 🛡️

Microsoft will Merk you, bro still! 🖖🏿🔪💸

🚨 Exploiting MSHTML for MerkSpy! 🕵🏻‍♂️

Unknown threat actors have been exploiting a patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy. Here's the scoop:

๐ŸŒ Targeting Canada, India, Poland, and the U.S.

Fortinet FortiGuard Labs researcher Cara Lin reports that MerkSpy is designed to stealthily monitor user activities, capture sensitive information, and establish persistence on compromised systems.

📄 The Attack Chain

The attack begins with a Microsoft Word document disguised as a job description for a software engineer. Opening the file exploits CVE-2021-40444, a high-severity flaw in MSHTML, allowing remote code execution without user interaction. This vulnerability was patched by Microsoft in September 2021.

๐Ÿ‘จ๐Ÿปโ€๐Ÿซ Execution Steps

The malicious document downloads an HTML file ("olerender.html") from a remote server. This file executes embedded shellcode after checking the operating system version. "Olerender.html" uses 'VirtualProtect' to modify memory permissions, ensuring the shellcode is securely written into memory. 'CreateThread' then executes the shellcode, which downloads and runs the next payload from the attackerโ€™s server.

🚀 MerkSpy Deployment

The shellcode downloads a file deceptively named "GoogleUpdate," which harbors an injector payload. This payload evades detection by security software and loads MerkSpy into memory. MerkSpy establishes persistence through Windows Registry changes, launching automatically at system startup. It captures sensitive information, monitors user activities, and exfiltrates data to the attackers' servers.

💾 Data Exfiltration

MerkSpy captures screenshots, keystrokes, login credentials stored in Google Chrome, and data from the MetaMask browser extension. This information is transmitted to "45.89.53[.]46/google/update[.]php."
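A defender's first use of a write-up like this is to hunt for its indicators. The script below is an added example, not code from Fortinet or the newsletter: it refangs the defanged exfiltration address quoted above and checks constructed proxy log lines for traffic to that host, and it flags constructed Run-key autostart entries whose executable is named "GoogleUpdate" but sits outside a Google update directory (the lure name mentioned above). The log format, the registry values, and the expected Google directory are assumptions of this example.

```python
"""IoC matching for the MerkSpy chain (added example)."""
import re

# Defanged value exactly as printed in the article; refanged for matching.
DEFANGED_C2 = "45.89.53[.]46/google/update[.]php"


def refang(ioc: str) -> str:
    """Undo the [.] and hxxp defanging used in threat reports."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_URL = refang(DEFANGED_C2)        # "45.89.53.46/google/update.php"
C2_HOST = C2_URL.split("/", 1)[0]   # "45.89.53.46"

# Constructed proxy log lines: timestamp, client, method, URL, status.
# The last line is a near-miss (a different IP) that must not match.
PROXY_LOG = """\
2024-07-03T10:15:01Z 10.0.0.12 GET http://update.example.org/check 200
2024-07-03T10:16:44Z 10.0.0.12 POST http://45.89.53.46/google/update.php 200
2024-07-03T10:17:02Z 10.0.0.40 GET https://45.89.53.46/ 403
2024-07-03T10:18:10Z 10.0.0.12 GET http://145.89.53.46/google/update.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def match_c2_traffic(log_text: str):
    """Return (client, url) pairs whose URL host is exactly the C2 host.
    The comparison is on the whole host, so 145.89.53.46 is not a hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0]
        if host.lower() == C2_HOST:
            hits.append((m["client"], m["url"]))
    return hits


# Constructed HKCU\...\Run values: (value name, command line). The first is
# the shape a user-writable drop would take; the third is where a genuine
# Google updater has historically been installed.
RUN_KEY_VALUES = [
    ("GoogleUpdate", r"C:\Users\alice\AppData\Roaming\GoogleUpdate.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("GoogleUpdateTaskMachine", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c"),
]


def suspicious_autostarts(values):
    """Flag autostart commands whose executable is named GoogleUpdate* but
    whose parent directory is not a ...\\Google\\Update directory (assumed
    legitimate location for this example)."""
    flagged = []
    for name, cmd in values:
        exe = cmd.strip().strip('"').split(" /", 1)[0].lower()
        parent, _, filename = exe.rpartition("\\")
        if filename.startswith("googleupdate") and not parent.endswith("\\google\\update"):
            flagged.append((name, cmd))
    return flagged


if __name__ == "__main__":
    print("C2 traffic:", match_c2_traffic(PROXY_LOG))
    print("suspicious autostarts:", suspicious_autostarts(RUN_KEY_VALUES))
```

The host match is deliberately exact rather than a substring search; a substring check on the printed IP would also fire on the unrelated 145.89.53.46 line, which is a common source of false positives when IoCs are pasted straight into a SIEM.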

โš ๏ธ Related Threats

Symantec detailed a smishing campaign targeting U.S. users with fake SMS messages from Apple. These messages trick users into clicking on bogus credential-harvesting pages. The malicious website uses a CAPTCHA for perceived legitimacy before directing users to an outdated iCloud login template.

Stay vigilant and secure! 🛡️

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌍

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

It’s hard to process, we know… 😉😏🤭

🚨 New Side-Channel Attack on Intel CPUs! 🧠

Modern Intel CPUs, including Raptor Lake and Alder Lake, are vulnerable to a new side-channel attack called Indirector. Here's the scoop, y’all!

๐Ÿ› ๏ธ Vulnerability Exploited

Researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen discovered the Indirector attack. It leverages flaws in the Indirect Branch Predictor (IBP) and Branch Target Buffer (BTB) to bypass existing defences, compromising CPU security.

๐Ÿ” How It Works

The IBP predicts target addresses of indirect branches, which are control flow instructions calculated at runtime. This attack targets the IBP to execute Branch Target Injection (BTI) attacks, also known as Spectre v2 (CVE-2017-5715), leading to unauthorised information disclosure via a side-channel.

🧩 Custom Tool: iBranch Locator

The researchers built a tool called iBranch Locator to find indirect branches, then performed precise IBP and BTB injections to steer speculative execution. These high-resolution attacks hijack the control flow of victim programs, causing jumps to arbitrary locations and leaking secrets.

🤔 Severity and Response

Yavarzadeh emphasised that Indirector attacks are more severe than previous attacks like Pathfinder, which targeted the Conditional Branch Predictor. Indirector reverse engineers IBP and BTB to create highly targeted attacks.

Intel, informed of the findings in February 2024, stated that existing mitigations such as IBRS, eIBRS, and BHI are effective against this new research and that no new guidance is required. As countermeasures, it is recommended to use the Indirect Branch Predictor Barrier (IBPB) more aggressively and to harden the Branch Prediction Unit (BPU) with more complex tags, encryption, and randomisation.
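Intel's response rests on IBRS, eIBRS, IBPB and the BHI mitigations actually being in place, so the practical question for anyone running a fleet is what the kernel reports. The script below is an added example, not from Intel or the researchers: it parses the status string Linux exposes in /sys/devices/system/cpu/vulnerabilities/spectre_v2 and classifies a host. The three status strings are constructed samples written in the kernel's reporting format; read_spectre_v2() reads the live file when run on a Linux host, and the classification thresholds are this example's own.

```python
"""Classify a host's reported Spectre v2 / BTI mitigation (added example)."""
from pathlib import Path
from typing import Optional

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed samples in the kernel's format: a modern eIBRS host, an older
# retpoline host, and an unmitigated one.
SAMPLES = {
    "eibrs_host": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                  "RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop",
    "retpoline_host": "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; "
                      "STIBP: conditional; RSB filling",
    "unpatched": "Vulnerable",
}


def parse_spectre_v2(status: str) -> dict:
    """Split the status string into fields. The first ';'-separated segment
    is the primary mitigation; the rest are 'NAME: value' pairs or bare flags.
    eIBRS is detected from the primary segment only, so 'PBRSB-eIBRS' in a
    later field does not count."""
    segments = [s.strip() for s in status.split(";")]
    primary = segments[0]
    flags = {}
    for seg in segments[1:]:
        name, _, value = seg.partition(":")
        flags[name.strip()] = value.strip() or True
    mitigated = primary.startswith("Mitigation:")
    primary_name = primary.split(":", 1)[1].strip() if mitigated else primary
    return {
        "mitigated": mitigated,
        "primary": primary_name,
        "eibrs": "Enhanced" in primary_name or "eIBRS" in primary_name,
        "ibpb": flags.get("IBPB", "absent"),
        "bhi": flags.get("BHI", "absent"),
        "stibp": flags.get("STIBP", "absent"),
    }


def assess(status: str) -> str:
    """Turn the parsed fields into a one-line verdict for a fleet report."""
    info = parse_spectre_v2(status)
    if not info["mitigated"]:
        return "VULNERABLE: no Spectre v2 mitigation reported"
    if info["eibrs"] and info["ibpb"] != "absent" and info["bhi"] != "absent":
        return "OK: eIBRS with IBPB and BHI mitigation reported"
    if info["ibpb"] == "absent":
        return "REVIEW: mitigated but no IBPB reported"
    return "REVIEW: mitigated (%s) without eIBRS/BHI fields" % info["primary"]


def read_spectre_v2(path: str = SYSFS_PATH) -> Optional[str]:
    """Read the live sysfs entry; returns None where it does not exist."""
    p = Path(path)
    return p.read_text().strip() if p.exists() else None


if __name__ == "__main__":
    for label, status in SAMPLES.items():
        print(f"{label:15} {assess(status)}")
    live = read_spectre_v2()
    print("this host:", assess(live) if live else "sysfs entry not present")
```

The sysfs string only tells you what the kernel believes it has enabled; microcode level and hypervisor settings can still differ from that view, so treat the verdict as a triage signal rather than proof.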

🦾 Similar Issues in Arm CPUs

Arm CPUs also face a speculative execution attack called TikTag, which targets the Memory Tagging Extension (MTE). The attack can leak data with over a 95% success rate in less than four seconds; the researchers identified new TikTag gadgets capable of leaking MTE tags from arbitrary memory addresses.

Arm responded by noting that MTE offers limited deterministic defences and broader probabilistic defences but isn't foolproof against skilled adversaries.

Stay vigilant and secure! 🛡️

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!
