Monday, August 13, 2018

WebRTC allows a website to directly detect your host machine's true IP address, circumventing VPNs

Unfortunately for VPN users, WebRTC allows a website (or other WebRTC services) to directly detect your host machine's true IP address, regardless of whether you are using a proxy server or VPN.

Interestingly, only the Internet Explorer browser did not leak this info natively. Edge, Chrome, Firefox and Opera did.


Testing for WebRTC IP Leakage

Visit Roesler's https://diafygi.github.io/webrtc-ips/ to see if a local IP appears.

https://ipleak.net/ is a tool that detects whether your browser is vulnerable to a WebRTC leak.
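What the two test pages above actually show you is a list of ICE candidates, and a VPN user has to read them correctly: a private "host" address is the local IP leak the post describes, and any public address other than the VPN's own exit address means the real connection, not the tunnel, answered the STUN round trip. The script below is an added example, not code from the original post or from either test site; it applies that reading to candidate lines in the standard ICE grammar. The candidate lines and the VPN exit address are constructed samples (documentation-range addresses, not real hosts), and the `.local` handling covers the mDNS names newer browsers substitute for host IPs.

```python
"""Added example (not from the original post): interpret WebRTC leak-test output.

The candidate lines below are constructed samples in the RFC 5245 "candidate:"
grammar that pages like webrtc-ips (or chrome://webrtc-internals) display.
192.168.1.23, 203.0.113.45 and 198.51.100.7 are documentation-range addresses
standing in for a LAN address, a real public address and the VPN exit address.
"""
import ipaddress
import re

# candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
CANDIDATE_RE = re.compile(
    r"candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)

# Explicit private ranges rather than ipaddress.is_private, which would also
# treat the documentation ranges used in the samples as non-public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def parse_candidate(line):
    """Return address, port and ICE type of one candidate line, or None if malformed."""
    m = CANDIDATE_RE.search(line)
    if not m:
        return None
    return {"address": m["address"], "port": int(m["port"]), "type": m["type"]}


def classify_address(addr):
    """'mdns' for obfuscated .local names, 'private' for LAN/loopback, else 'public'."""
    if addr.endswith(".local"):
        return "mdns"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"


def leak_report(candidate_lines, vpn_exit_ip):
    """Summarise a leak test: local host IPs exposed, and public IPs that are not the VPN's."""
    local, unexpected_public = set(), set()
    for line in candidate_lines:
        cand = parse_candidate(line)
        if cand is None:
            continue
        kind = classify_address(cand["address"])
        if kind == "private" and cand["type"] == "host":
            local.add(cand["address"])                 # the local-IP leak
        elif kind == "public" and cand["address"] != vpn_exit_ip:
            unexpected_public.add(cand["address"])     # STUN bypassed the tunnel
    return {
        "local_ips": sorted(local),
        "unexpected_public_ips": sorted(unexpected_public),
        "leaks": bool(local or unexpected_public),
    }


# Constructed sample output: one LAN host candidate, one server-reflexive
# candidate showing a non-VPN public address, one showing the VPN exit,
# and one mDNS-obfuscated host candidate.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 52342 typ host generation 0",
    "candidate:2 1 udp 1686052607 203.0.113.45 52342 typ srflx raddr 192.168.1.23 rport 52342",
    "candidate:3 1 udp 1686052607 198.51.100.7 41000 typ srflx raddr 0.0.0.0 rport 0",
    "candidate:4 1 udp 2122260223 0f8a1c2e-3b4d-4e5f-8a9b-0c1d2e3f4a5b.local 51000 typ host",
]
VPN_EXIT_IP = "198.51.100.7"  # assumed VPN exit address for the sample

if __name__ == "__main__":
    report = leak_report(SAMPLE_CANDIDATES, VPN_EXIT_IP)
    print("local IPs exposed:", report["local_ips"])
    print("public IPs other than the VPN exit:", report["unexpected_public_ips"])
    print("leak:", report["leaks"])
```

After applying one of the fixes in the next section, re-run the test page: a clean result has no private host candidates and no public address other than the VPN exit (mDNS `.local` names on their own reveal nothing).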








How to Prevent WebRTC IP Leakage

Get uBlock Origin, but you must configure it to add the following;

Or you can install Google's official Chrome extension WebRTC Network Limiter, but it must be configured to use the last option, "Use my proxy server".

uBlock Origin is available for all browsers, including the Edge browser.





Saturday, August 11, 2018

PayPal Phishing Email - [Transaction Confirmation] - You've made a purchase from JohnLewis, Ltd. on 11/08/2018

For the record, this PayPal phishing email attempt is currently going around and made it through spam filters. What to do? Report it; go to the bottom of the page for instructions.



From
PayPaI Confirmation

Subject
[Transaction Confirmation] You've made a purchase from JohnLewis, Ltd. on 11/08/2018

Keywords: Oakley OO9262 Men's Sliver Polarised Sunglasses, Blue




The Account Management button goes to

https://t.co/XVzOpRcdGI?Allahuakbar expanded to https://komporgas.net/AllahItuAdil


http://urlexpander.net/ alerts on this link: "[Alert] - High risk that the target link / website is harmful and dangerous !"

How to tell this is a Phishing email?


  1. Check the email address in full; if it's not from the originating company then it's phishing.
  2. Hover over all links in the email; if it's not from the apple.com site then forget it.
  3. The best way is to look at the message source, see below.

How to examine Email Message Source?

Now let's look at the message source
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links: anything that does not originate from apple.com.
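The three checks above (sender address, link destinations, message source) can be run mechanically over the "Show original" text. The script below is an added example, not part of the original post: it parses a raw message with Python's standard `email` package, compares the sender domain and display name against the brand the mail claims to be from, and lists every link whose host is outside that brand's domain or hides behind a URL shortener. The message is a constructed sample modelled on the headers shown in the post; its sender address and the shortened link are placeholders, not the real phishing email's, and the brand domain defaults to paypal.com for this post's case.

```python
"""Added example (not from the original post): triage a phishing email from its source.

RAW_MESSAGE is a constructed sample shaped like the post's headers; the sender
address and links are placeholders. The lookalike display name "PayPaI"
(capital I instead of l) is the trick the real mail used.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

RAW_MESSAGE = b"""\
From: PayPaI Confirmation <confirm@mail-notice.example>
To: victim@example.org
Subject: [Transaction Confirmation] You've made a purchase from JohnLewis, Ltd. on 11/08/2018
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You've made a purchase. Manage it below.</p>
<a href="https://t.co/PLACEHOLDER">Account Management</a>
<a href="https://www.paypal.com/help">Help Center</a>
</body></html>
"""

# Shorteners hide the real destination; the post's link was a t.co redirect.
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl", "ow.ly"}
# Characters attackers swap in to imitate a brand name (assumed list).
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)


def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.links


def same_org(host, brand_domain):
    """True if host is the brand domain or a subdomain of it."""
    host = host.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def looks_like_brand(display_name, brand_domain):
    """True if the display name spells the brand only after lookalike substitution."""
    brand = brand_domain.split(".")[0]
    normalised = display_name.translate(LOOKALIKES).lower()
    return brand in normalised and brand not in display_name.lower()


def triage(raw, brand_domain="paypal.com"):
    """Return the sender, the links found, and the reasons the mail looks like phishing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    if not same_org(sender_domain, brand_domain):
        findings.append(f"sender domain {sender_domain!r} is not {brand_domain}")
    if looks_like_brand(name, brand_domain):
        findings.append(f"display name {name!r} imitates the brand with lookalike characters")
    body = msg.get_body(preferencelist=("html", "plain"))
    links = extract_links(body.get_content()) if body is not None else []
    for url in links:
        host = (urlsplit(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link hides its destination: {url}")
        elif not same_org(host, brand_domain):
            findings.append(f"link points outside {brand_domain}: {url}")
    return {"sender": addr, "links": links, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print("-", line)
```

Run it against the saved source of any mail claiming to be from a brand you use; a single finding is enough to report the message rather than click anything in it.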


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down arrow to top right)->Report Phishing

Report Phishing URLs at Google now 

If you have received this email, take further action now by clicking these links

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Report phishing emails to Apple 

Forward the email to abuse@icloud.com. This provides Apple's legal department and law enforcement with useful information to help prevent future phishing emails.


Report phishing emails to PayPal

“Phishing” is an illegal attempt to "fish" for your private, sensitive data. One of the most common phishing scams involves sending an email that fraudulently claims to be from a well-known company (like PayPal). If you believe you've received a phishing email, follow these steps right away:
  1. Forward the entire email to spoof@paypal.com.
  2. Do not alter the subject line or forward the message as an attachment.
  3. Delete the suspicious email from your inbox.

Friday, August 10, 2018

New Threat Actor Group DarkHydrus latest malware uses Excel macro to launch Powershell

Palo Alto Networks Unit 42 detected malware from a new threat actor group dubbed DarkHydrus, delivered as email attachments containing malicious Excel Web Query files (.iqy). .IQY files are simple text files containing a URL, and they are opened by Excel by default.

Microsoft Excel natively opens .iqy files and will use the URL in the file to obtain remote data to include in the spreadsheet. By default, Excel does not allow the download of data from the remote server, but asks for the user's consent by presenting the dialog box in Figure 1:


Figure 1 Excel security notice for .iqy files

By enabling this data connection, the user allows Excel to obtain content from the URL in the .iqy file. The releasenotes.txt file (SHA256: bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d) contains the following formula, which Excel will save to the A0 cell in the worksheet:
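Because an .iqy file is nothing more than a text file carrying a URL, a mail gateway or endpoint script can inspect it before Excel ever shows the consent dialog. The script below is an added example and is not code from Unit 42 or from the original post: it parses the Web Query format (a "WEB" marker line, the format version "1", then the URL and optional parameters), then flags the properties that made this lure dangerous: a remote host that is not an approved data source, a cleartext HTTP fetch, a bare IP address, and a payload that is a plain .txt file rather than a web table (the DarkHydrus file fetched releasenotes.txt). The sample attachment content is constructed, and its URL host is a placeholder, not the attackers' server.

```python
"""Added example (not from the Unit 42 report or the post): screen .iqy attachments.

SAMPLE_IQY is a constructed Web Query file; example.invalid is a placeholder
host, the file name releasenotes.txt mirrors the post. The approved-host set
is an assumed organisational allowlist of legitimate data sources.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the layout of an Excel Web Query file.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://example.invalid/releasenotes.txt\r\n\r\nSelection=EntirePage\r\n"


def parse_iqy(data):
    """Return the fetch URL and trailing parameters of a Web Query file, or None."""
    text = data.decode("utf-8", "replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB" or lines[1] != "1":
        return None
    return {"url": lines[2], "params": lines[3:]}


def assess_iqy(data, allowed_hosts):
    """Assess one .iqy file; 'block' is True when any risk finding is present."""
    parsed = parse_iqy(data)
    if parsed is None:
        return {"valid": False, "url": None,
                "findings": ["not a well-formed Web Query file"], "block": True}
    url = parsed["url"]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected URL scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        findings.append("cleartext HTTP fetch")
    try:
        ipaddress.ip_address(host)
        findings.append("URL uses a bare IP address instead of a host name")
    except ValueError:
        pass  # a normal host name
    if host not in allowed_hosts:
        findings.append(f"remote host {host!r} is not an approved data source")
    if parts.path.lower().endswith(".txt"):
        findings.append("fetches a plain .txt file rather than a web table")
    return {"valid": True, "url": url, "findings": findings, "block": bool(findings)}


def scan_attachments(attachments, allowed_hosts):
    """attachments: iterable of (filename, bytes). Returns {name: findings} to quarantine."""
    quarantined = {}
    for name, data in attachments:
        if name.lower().endswith(".iqy"):
            verdict = assess_iqy(data, allowed_hosts)
            if verdict["block"]:
                quarantined[name] = verdict["findings"]
    return quarantined


if __name__ == "__main__":
    # Assumed allowlist: the one internal host that legitimately serves web queries.
    approved = {"intranet-data.example"}
    for name, reasons in scan_attachments([("invoice.iqy", SAMPLE_IQY)], approved).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Even with this in place, the user-facing control in Figure 1 remains the last line: the data connection only runs if the user clicks Enable, so the gateway check and the consent prompt back each other up.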


Source: https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/