ICYMI: Adult Friend Finder breach, Android woes & leaky Bluetooth

This week's ICYMI looks at an embarrassing data breach at Adult Friend Finder, new problems with Android, and how you can track devices with Bluetooth Low Energy (BLE).

ICYMI: Adult Friend Finder breach, Android woes & leaky Bluetooth
ICYMI: Adult Friend Finder breach, Android woes & leaky Bluetooth

Adult Friend Finder breach exposes millions of users

Up to 3.5 million Adult Friend Finder.com (AFF) users were faced with the exposure of their private browsing habits from a data breach, which apparently resulted from a dispute between AFF's parent company and a disgruntled contractor.

Bev Robb, a malware and dark web researcher uncovered the leaked data on the darkweb this week, which she says was posted there by a hacker going by the handle of 'ROR[RG]'.

The hacker posted 15 spreadsheets of information containing personal data stolen from the adult site's database, and his motivation was apparently revenge for money owed to “his guy” – approximately US$ 248,000 (£163,000). Combined with a ransom demand for US$ 100,000 (£66,000), this amounts to US$348,000 (£229,000) in financial losses to the company.

However, the losses to users of the site are potentially far greater. The hacker claims to have details of more than 3.5 million users ranging from email addresses and first names to last names, physical addresses, age, sex, birth date and sexual preferences.

Google 'Master Cookie' remains after Android factory reset

Millions of Android smartphones 'may not properly sanitise' internal SD card and data partitions, leading to residual data staying on 'wiped' devices

A new May 2015 report emanating from the University of Cambridge's computer laboratory security group has aired doubts over the effectiveness of the ‘Factory Reset' function in smartphones shipping with the Android operating system.

University of Cambridge professor of security engineering Ross Anderson and student associate Laurent Simon write in the white paper ‘Security Analysis of Android Factory Resets' the assertion that, “With hundreds of millions of devices expected to be traded by 2018, flaws in smartphone sanitisation functions could be a serious problem.”

The pair studied the implementation of Factory Reset on a total of 21 Android smartphones from five vendors running Android versions v2.3.x to v4.3. According to the Cambridge researchers, the factory reset function on most Android phones doesn't work properly and more than 340 million phones are vulnerable.

Leaky Bluetooth smartphones & wearables can be tracked from 100m away

Researchers at Context Information Security have discovered that smartphones, tablets, iBeacons, fitness trackers and other wearable devices using embedded Bluetooth Low Energy (BLE) could potentially be tracked from 100m away.

In a presentation at Context's OASIS conference in South Bank, London last week, senior researcher Scott Lester talked through how the firm was able, via its own Android app, to monitor and record Bluetooth Low Energy (BLE) signals transmitted by most mobile phones, wearables and even beacons.

“This is a new technology, many of the apps are relatively new, and they enable devices to work pretty differently…but they are broadcasting information almost constantly,” said Lester during the presentation.

New POS malware from Russia targets retailers

Retailers are being attacked by new point-of-sale malware, sent from Russia, that uses phishing emails based on fake job enquiries to infiltrate companies.

The wide-scale campaign began last week, according to a blog by security firm FireEye.

FireEye has dubbed the new malware ‘NitlovePOS' and says it can steal full payment card details. It sends the exfiltrated data back to a single IP address in St Petersburg, Russia.

The attack is based on indiscriminate spam messages sent from hijacked Yahoo! mail accounts that pretend to be enquiries about jobs and internships.

The emails attach a fake CV, which claims to be a ‘protected document' to look more authentic. But when the victim opens it, they get the NitlovePOS malware instead,

FireEye believes the attackers then cherry-pick any retailers or similar victims they find among those downloading the initial malware.

They send their selected targets a “wide variety” of malware, including the ‘pos.exe' file which FireEye believes targets point-of-sale machines.

Novel malvertising attack leads to drive-by ransomware

A new malvertising attack, constructed around the Magnitude exploit kit, is using a novel technique to push users to sites where they can be attacked with a drive-by download.

Zscaler researchers explained on the corporate blog that it has seen a large number of sites, dressed up as search engines, that lead to malicious content including sites hosting the Magnitude Exploit Kit.

The biggest offender, it said, comes from click2.systemaffiliate.com operated by ad network Sunlight Media, and Zscaler provides many examples to back up its claim.

The Malvertising networks lead to redirector domains which send the user on to the target site using 302 cushioning, a new technique for redirecting traffic to avoid intruder detection and prevention systems.

At the target site, Magnitude delivers both a malicious Flash payload and a highly obfuscated JavaScript payload using the MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow exploit.

In another new development, according to Zscaler, the attackers are postponing delivery of the malware payload in favour of serving a shellcode payload instead. The shellcode uses urlmon.dll to fetch a list of predefined URLs, one of which delivers CryptoWall 3.0.

Zscaler described it as a “highly profitable ransomware payload”. The perpetrators demand payment in Bitcoins via the Tor Anonymiser.

Sign up to our newsletters