11 high school students expelled for keylogging teachers’ computers

Corona del Mar sits on an idyllic part of the Orange County coastline.

A hacking scandal involving keyloggers and electronic grade-changing at a high school in Newport Beach, a well-to-do area of Southern California, has resulted in the expulsion of 11 students. The Orange County Register reported Wednesday that six of those students had already left the district, but five had been transferred to another local school.

“The Board’s action imposes discipline upon these students for the maximum allowed by the Education Code for what occurred at Corona del Mar High School,” Laura Boss, the Newport Mesa Unified School District spokesperson wrote in a statement on Wednesday.

US News and World Report ranked the high school in question as the 46th best within California.

Read 23 remaining paragraphs | Comments


Mass hack attack on Yahoo Mail accounts prompts password reset

Yahoo said it is resetting passwords for some of its e-mail users after discovering a coordinated effort to compromise accounts.

Attackers behind the cracking campaign used usernames and passwords that were probably collected from a compromised database belonging to an unidentified third party, according to Jay Rossiter, Yahoo senior vice president of platforms and personalization products, who wrote an advisory published Thursday. A large percentage of people use the same password to protect multiple Internet accounts, a practice that allows attackers holding credentials taken from one site to compromise accounts on other sites. There's no evidence the passwords used in the attack came from Yahoo Systems.

"Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts," Rossiter wrote. "The information sought in the attack seems to be names and e-mail addresses from the affected accounts' most recent sent e-mails."

Read 3 remaining paragraphs | Comments


Chat Friend Finder Apps on Google Play Leak Personal Information

Somewhat controversial websites or apps called chat friend finders, or ID BBS (Bulletin Board System) are spreading widely in Japan. They allow users of well-known communication services like LINE and Kakao Talk to make friends with others by publishing profiles and service IDs, yet without disclosing real phone numbers and email addresses. Such sites and apps are not officially supported by the service operators and are usually discouraged, due to the potential danger. It appears that some users are being involved in crimes caused by criminal “friends.”

McAfee Labs has recently found suspicious chat friend finder apps on Google Play that target Android device users. These apps allow users to register and publish their IDs for several well-known communication services but at the same time secretly leak personal information such as phone numbers and Google account names (Gmail addresses in most cases).

Figure.1: Chat friend finder apps on Google Play that leak personal information.

Some of these apps seem to mainly target Japanese users because they support a Japanese interface, as well as some other languages, and also support a Japanese-specific communication service like Mixi. On the other hand, we guess that the apps were created by Korean-speaking developer(s) because the Japanese is sometimes unnatural and we can see Korean chat messages. Plus, the common server used by all of these apps appears to be located in South Korea, according to its IP address.

The contents of the apps description page on Google Play look as if they were copied and pasted or reused from similar Japanese apps with slight modifications. For example, the page says users should accept the terms and conditions in the app’s dialog box at initial launch–yet there is no dialog box. We doubt these apps are carefully or securely designed.

Figure.2: An example of a dangerous chat friend finder app.

One of these apps allows users to publish their service IDs for LINE, Kakao, Mixi, and Skype as well as profile information like photograph, nickname, gender, and residential area. These pieces of information are disclosed to other users on the apps, enabling one to approach or to be approached by others. The apps also support chatting.

However, these apps secretly send users’ phone numbers, email addresses (Google account name), IMEI, and SIM serial numbers to a server managed by the app developer. Clearly, there is higher risk in storing personal information like phone numbers and email addresses in a form associated with various service IDs, public profile information, and chat contents than in storing that data separately. Once this data is leaked, malicious parties can approach specific users using their phone numbers or email addresses, and knowing the victims’ preferences or activities in various communication services.

The secretly collected personal information and its association with various IDs and user profile information are not disclosed to users. As always, there are risks that security vulnerabilities in the apps or their data management server could cause the information to leak to malicious third parties.

Figure.3: Chat friend candidate list and user profile registration screens.

At installation these apps request many kinds of permissions. These requests seem excessive for the functions of the apps. The dangerous information leak is related to only two requests: READ_PHONE_STATE and GET_ACCOUNTS. The remaining requests appear to be used by ad modules in the apps or may be unused.

Users should be very careful about permissions requested by Android apps, and also confirm that the app provider is trustworthy before providing any permissions.

Figure.4: These apps request many kinds of permissions.

Using chat ID BBS sites or apps, even without information leaks, is dangerous. These new apps will expose careless users to much higher risks of having their personal information associated with anonymous IDs and various messaging services. If users really want to use chat ID BBSs, we recommend that they visit simple websites rather than use apps to prevent unnecessary information leaks.

McAfee Mobile Security detects these suspicious apps as Android/ChatLeaker.F.

The post Chat Friend Finder Apps on Google Play Leak Personal Information appeared first on McAfee.

Twitter Spam Bots Target NFL and Miley Cyrus Fans

This week, fans of the Denver Broncos and Seattle Seahawks have been tweeting in anticipation of Super Bowl XLVIII, but many have been subjected to a torrent of spam from Twitter bots. Fans of pop star Miley Cyrus have also been plagued with an identical spam campaign using targeted keywords.

Last summer, we published a blog about a similar campaign that focused on the BET Awards and fans of Justin Bieber, One Direction, and Rihanna. The latest campaign follows the same blueprint with improvements.

The scam starts with Twitter users tweeting specific keywords which are monitored by spam bots on the service. The keywords could be about the Super Bowl, the Broncos, Seahawks, or individual players on the team, such as Denver Broncos quarterback Peyton Manning or Seattle Seahawks cornerback Richard Sherman. In the case of Miley Cyrus, mentions of her full name or her first name alone may receive a response from spam bots.

The response is a tweet with an attached photo that shows the targeted users’ Twitter handle in an effort to personalize the message.

NFL Miley Cyrus 1.png

Figure 1. Twitter spam bot replies using photo attachments that claim to offer prizes related to the NFL or Miley Cyrus

These spam bots do not tweet links or include links in their Twitter profiles’ biography section. Instead, they rely on users to manually type the URL found in the picture that was tweeted to them. This is an adaptive measure to ensure that antispam filters do not flag their accounts.

NFL Miley Cyrus 2.png

Figure 2. Scam websites ask users to verify Twitter usernames

Both of the sites that were mentioned in the photos follow the same template. The sites first request a user’s Twitter username, claiming that they need to check the username to confirm eligibility. After that, the site requests the user’s personal information, such as their full name, home and email address. and phone number.

NFL Miley Cyrus 3.png

Figure 3. Users asked to participate in a survey and download mobile apps

Before a user can proceed, the supposed sponsors claim that the user needs to complete a “special offer” in order to have a chance to win the prize. Typically, this leads to a survey, but since this scam is mobile-based, users are asked to install a mobile application, earning the scam operators money for each successful installation through affiliate programs. This incentivizes the scammers to aggressively spam users.

The rise in popularity of social networking services over the last few years has encouraged spammers and scammers to target these large pools of users discussing major events and public figures, similar to how marketers do. The question is, which event or public figure will be targeted next?