Spyware and malware continue to plague app stores, both on Android and iOS devices. Recently, Lisa Vaas of NakedSecurity, a blog by the cybersecurity company Sophos, reported about government spyware hidden within apps available on the Google Play store. This, as we suspected, is a fairly common occurrence within app stores. Research into the Google play store a few months ago turned up 18,000 applications that were bypassing the Advertising ID system and were collecting additional data from users’ smartphones that could not be blocked or reset. Google had already removed more than 700,000 bad applications from its Play store in 2018.

In this particular instance of spyware found on the Google Play Store, it’s reported to have originated from the Italian government, who allegedly purchased the application from a surveillance company. Luckily, there have only been a few dozen downloads of the app, all within Italy. For those interested, the app was named Exodus.

The Exodus malware works in stages. The first stage is a decoy, where the malware acts as a seemingly harmless application.  Instead, the app downloads and executes a malicious payload installing additional programs that run in the background of the device. Stage two handles the collection and exfiltration of user data.

We are grateful that applications like this continue to be caught, and luckily, before this one had the chance to be installed by a large number of people.

This also reinforces the lesson of being cautious about what applications you are downloading and installing on your electronic devices – as you cannot be too safe.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics/

A recent post from Security Affairs writer Pierluigi Paganini reports that a Romanian duo have been convicted of infecting approximately 400,000 computers, most of which were in the United States. The hackers used a type of malware that is designed to steal user credentials, financial data and personal information. The stolen information was then offered up for sale on the Dark Web. How did the pair actually infect 400,000 computers?

Phishing. It is reported that the two were able to spread the malware by sending fake emails designed to look like they were coming from legitimate businesses. Users thinking that they were receiving an email from their bank, government bodies such as the IRS or even from a commonly used antivirus software, Norton, would click the links within the email and download the malware that was attached. Once  installed, the malware was free to act on the infected system, by capturing credentials when users would login to websites such as Facebook, PayPal and eBay. Instead of going to a legitimate website, users were redirected to a site nearly identical created by the criminals.

Through the hard work of the FBI and cooperation with the Romanian National Police, the hackers were caught.  The pair have been found guilty of their crimes and are set to be sentenced in August.

*This is just a friendly reminder that phishing training and security awareness training is imperative for your employees.

To read the Department of Justice’s press release on this matter click here.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics/

As more mobile device users are focusing on their device’s security, they might be alarmed to learn that a popular tool used by law enforcement, military and intelligence, along with enterprise/corporate customers (yours included) is being listed for sale on eBay. The devices which utlize this tool have the ability to bypass certain phone passwords, encryption barriers, and recover deleted content from thousands of different mobile devices.

Cellebrite UFED’s (Universal Forensic Extraction Device) has begun appearing on eBay and has raised concern for some of the site’s shoppers. This tool is used to extract data from mobile devices and occasionally does so through security flaws found in the software running on a device. When purchased directly from Cellebrite, the terms of purchase do not allow clients to resell UFEDs. Further, the tool is not intended for public use and if the tool is not properly wiped, could contain valuable case data and people’s personal and private information.

One eBay merchant listing the device told Forbes that he had purchased it at an auction after he mistook it for a children’s tablet. Months later, the seller realized what the device truly was, and listed it for sale again online.

Since the units are able to bypass certain password-protected devices, it is best to keep your cell phones and tablets up-to-date with the prompt installation of regular software updates that address and fix security vulnerabilities as they become available – even if the update prompts are annoying.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics/

According to the BBC and the Harrogate Advertiser, Geoffrey George Crossland of Harrogate, UK has pleaded guilty to creating over 2,200,000 indecent photographs and videos of children between January 2011 and October 2018.

The raid and eventual criminal charges resulted from a tip from the CEOP (Child Exploitation and Online Protection Command) indicating that Crossland’s network Internet Protocol address had been associated with the distribution of possible child pornography. An investigation was eventually mounted by the North Yorkshire Police with a search warrant finally being executed on Crossland’s property in October of 2018. Once on the scene, it became clear to officers involved that the search and seizure would be much larger than anticipated as numerous electronic devices were uncovered, over one-hundred devices in total. Then, upon further inspection, an underground bunker complex pieced together with old shipping containers was found on the property as well. Additional materials were identified in the bunker including illegal guns and over 24,000 rounds of ammunition.

During the course of the investigation, over one-hundred plus electronic storage devices were forensically analyzed for possible contraband images and videos, with each of the identified files categorized. At the conclusion of the analysis, there were over 28,600 images and 5,800 videos identified as category A or “the most extreme category.” It was reported that Crossland “pleaded guilty to making 2,204,992 indecent photographs and videos of children.” He was sentenced to twelve years and eight months in jail, as well as being placed on the sex offender registry for ten years.

Luckily, most attorneys will never have to deal with a case involving 2.2 million contraband images and videos, illegal weapons and an underground bunker.

To read more about this story, see the links below:

https://www.bbc.com/news/uk-england-york-north-yorkshire-47523902

https://www.harrogateadvertiser.co.uk/news/how-harrogate-man-george-crossland-was-caught-with-2-2-million-indecent-images-of-children-and-a-cache-of-illegal-weapons-1-9643486

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics/

According to The Northwest Arkansas Democrat Gazette, when Emily Hunt, a Student at the University of Arkansas, was arrested by campus police, they gave her very little explanation as to why she was being taken into custody. What little the police did say didn’t make much sense to the frightened student. They apparently only explained to her that it had something to do with a post she had made on Facebook that morning.

Earlier in the day, campus police received a report from another student, Nicolette Nottage, that Ms. Hunt had threatened her on Facebook. In an interview with Nottage, campus police unfortunately made little effort to investigate the validity of the threatening message, or that the threat had actually come from Hunt’s Facebook account. They took the message, which appeared on the classic blue Facebook background, at face value and within the hour were searching to apprehend Ms. Hunt for Terroristic Threatening and to issue an immediate suspension letter from the University.

By neglecting to gather information about the account that allegedly sent the message, police made a serious error.  In situations like this, contacting the social media service provider, like Facebook, for subscriber information and login details for the account in question, should have been one of the first steps to make.  Were there any public posts, what were the number of friends, and was there a cell phone number tied to the account? All of these questions and more could have possibly been determined even without contacting Facebook, depending on the account privacy settings.

Well, the truth eventually came out through the hard work and social media literacy displayed by Ms. Hunt and her attorney, which gave way to an eventual admission by Ms. Nottage herself to a University student-conduct official. Ms. Nottage admitted that Hunt had not sent the message, but rather she had created a fake profile using a photo of Hunt and sent the message to her own account. Criminal charges have since been filled against Ms. Nottage, along with a civil suit filed by Ms. Hunt.

There are countless cautionary tales of relying on social media as the sole source of evidence, given the ease in which it can be faked or spoofed. This is just another one of those cautionary tales and we have witnessed many others first hand, just like Ms. Hunt did.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics/

The world of digital forensics encompasses a lot of digital media and devices, including gaming devices and video game data. Laura French of Forensic Magazine recently wrote an article about Minecraft forensics (to read the full article click here). The article talks about the use of online video games as a way for cyber criminals to conduct malicious deeds, and the forensic artifacts that can be potentially recovered by digital forensic examiners.

A study of what data can be found from the popular video game Minecraft was conducted by a team of researchers from the University of Salford, Manchester Metropolitan University and others. The researchers focused on what data could be retrieved from four different areas; the server-side data, the client data, data from live memory, and the network traffic from a computer as a means to play the video game. We were not entirely surprised by the amount of data that the researchers were able to find.

Evidentiary data found from the server included; the name of the Minecraft server, player’s username, login timestamps, and the server’s IP address, the user’s typed chats, the client’s IP address, a list of previous users connected to the specific server (containing their usernames and a server assigned identification number, “User Unique Identification Numbers” (UUIDs), for the users connecting to the server).

Data from the client that was obtained included items such as UUIDs, user email address and display name, user account number, full chat logs, IP address connected to, port number, the server’s IP address and name.

An examination of live memory was conducted by the researchers and they were able to find server IP address, the message of the day, the last chat communication from the client, additional chat communications by the client and corresponding timestamps, the client IP address, and the username and password used to login to the server.

By analyzing network traffic, the researchers were able to retrieve chat messages from the client, the message of the day, gameplay information was encoded as observed by the researchers.

This article details the wealth of digital evidence that may exist no matter what users do online, including online gaming. The study shows promising results, and information that may be critical to cybercrime investigations. And we all can agree, cybercriminals are not going to stop using online gaming platforms as a mechanism for their illegal activity anytime soon.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics/

Recently, a woman and her co-defendant from St. Joseph, Michigan were charged with first-degree murder and thought that they had the perfect plan in place.

Kemia Hassel and her co-defendant, Jeremy Cullar, are alleged to have conspired to kill Kemia’s husband so that she could collect money from his life insurance policy. Money that she wouldn’t receive if they got a divorce. Sounds familiar, right? The two are alleged to have communicated their plans over the popular social media application, Snapchat.

Now if you aren’t familiar with Snapchat, it’s a very popular mobile messaging application that allows users to share photos, text, and video messages with one another. However, content sent using the app isn’t stored on the phone like text or multimedia messages are. Snapchat displays the content for the user to view and then, once viewed, it suddenly “disappears.” The app deletes the content unless it’s saved by the user or captured by a screenshot of the communication.

It’s not currently public what Snapchat data has been recovered from either the vendor or the cell phones during the investigation, but based on our experience, it wouldn’t be surprising if the users took screenshots or saved the Snaps of their nefarious plans. After all, how would they remember all of the minute details of their plan, if the plan self-destructed after viewing it only once?

The two have pleaded not guilty to the charges, but it’s reported that Ms. Hassel signed a statement that she spent months plotting to kill her husband. Ultimately, the data that can be pulled from the Snapchat app in a digital forensics investigation varies, and recoverability depends on such factors as the make and model of the phone and whether or not a user chooses to save the communication.

Check out the article at this link, and be on the lookout for more information about this trial as it’s slated to begin towards the end of April.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics/