Most freelancing websites work in a similar way; the client can message you, or create an order without messaging you, and then they have to submit requirements in order for the order to begin. Security researchers at MalwareHunterTeam have discovered new malware that exploits this part of the process. Attackers will send a document as part of their requirements, naming it something that would raise no red flags, such as “my details” or “requirements”. This means in order for the seller to begin their work, they have to click on the document to view the requirements.

Saw an NG actor using @fiverr to spread.
And in this case, the poor girl opened the doc…
People, if you are opening files from random people, at least have an AV installed. And of course, don't enable macros… pic.twitter.com/nfC3ahmMUj

— MalwareHunterTeam (@malwrhunterteam) September 21, 2018

Once the malicious document has been clicked, the user will be encouraged to enable macros which work as a malware dropper. A dropper is a kind of Trojan that’s function is to install malware to target a system. If you are a freelancer and come across a message asking you to download macros after clicking on a document, we urge you not to. These attackers can often be quite committed to the cause, they have been known to be actively responding to messages encouraging sellers to enable the macros and how there’s nothing to worry about.

We recommend that if you are a professional using freelancing services, that you stay vigilant. Report any suspicious activity to the customer service teams, and make sure your anti-virus software is on and up to date, as this should flag up the malicious macros if your radar didn’t notice anything suspicious beforehand.

[stackCommerce layout=”2″ count=”5″ sort=”best_sellers”][/stackCommerce]

The post Be wary of attackers on freelancing sites appeared first on Hack Ware News.

The malicious variant was detected by security researchers in the source code of the MEGA.nz Chrome extension version 3.39.4, released early Tuesday (04Sep2018) as an update and this has triggered a major security alert from the company. In response, MEGA announced the serious breach has affected an unknown number of users.

On the 4th September 2018 at 14:30 UTC, an unknown attackеr uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,

it stated in a statement.

The New Zealand company says that whenever a user installs or auto-updates to the trojanеd extension, it seeks for permissions unlike the official extension. And this includes the ability to read and change ALL data on sites that the user visits. Experienced users may quickly suspect malicious activities but a vast majority of people would not have understood the risks.

Plеase note that if you visitеd any site or madе use of another extеnsion that sends plain-text crеdentials through POST rеquests, either by dirеct form submission or through a background XMLHttpRеquest (XHR) process while the trojanеd extension was active, considеr that your crеdentials were compromised on thеse websites and/or applications,

the company warns.

MEGA states that Google engineers have already removed the extension from the Chrome Web Store, and also disabled the variant extension for existing users.

Four hours aftеr the breach occurred, the trojanеd extension was updatеd by MEGA with a clеan version (3.39.5), auto-updating affеcted installations. Google rеmoved the extеnsion from the Chrome wеbstore five hours after the brеach,

the company explained.

According to an analysis about detecting the source of the trojaned extension, it was found that the malicious extension was programed to steal user credentials on specific websites like Amazon, Live (Microsoft), Google (Webstore), GitHub, MyMonero and MyEtherWallet web wallet services, as well as IDEX crypto trading platform.

While user data for these websites were specifically targeted, MEGA states that this is something serious due to the trojaned extension attempting to steal information. It would record usernames, passwords and other online session credentials that hackers would need to impersonate users. If it’s a cryptocurrency website, the hacker would be able to extract the private keys required to access users’ funds. The extension was also found to be sending all collected data to a server hosted in Ukraine and located at http://www.megaopac.host.

This serious attack affects mainly those who had the auto-update MEGA Chrome extension enabled and had it installed at the time of the incident, or anyone who freshly installed v3.39.4 of the extension (and accepted permissions).

The attack was first discovered by a security researcher called SerHack, who immediately tweeted a warning that the v3.39.4 had been breached before other security experts quickly jumped in, analyzed the extension and reported their findings.

Confirmed that it also extracts private keys if you login to MyMonero and/or MyEtherWallet in a browser with the extension installed. https://t.co/fpVK11zZ9Z

— Ric “el pony esponjoso” (@fluffypony) September 4, 2018

The post Mega Chrome Extension Hacked, Laced with Data-Stealing Malware appeared first on Hack Ware News.

According to Cisco Talos research that discovered a new 3 stage module that injects ( JavaScript injection) malicious content into the web traffic as it passes via a network device:

“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” said the article post.

List of newly identified routers models targeted by VPNFilter malware:

Asus: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, and RT-N66U.
D-Link: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, and DSR-1000N.
Huawei: HG8245.
Linksys: E1200, E2500, E3000 E3200, E4200, RV082, and WRVS4400N.
Mikrotik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, and STX5.
Netgear: DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, and UTM50.
QNAP: TS251, TS439 Pro, and other QNAP NAS devices running QTS software.
P-Link: R600VPN, TL-WR741ND, and TL-WR841N.
Ubiquiti: NSM2 and PBE M5.
ZTE: ZXHN H108N.

The post Did you rebooted your router, due to VPNFilter malware? Don’t bother as it is a lot worse than we thought appeared first on Hack Ware News.