BPI Phishing Attack

Last Friday, March 10, 2017, just a few minutes before I clocked out of work, I saw an email from BPI (Bank of the Philippine Islands) with the subject “Bank Account Fraud Prevention!”.

I’m a BPI customer and have been using their online banking app and services for quite some time. With some of my private information compromised when the COMELEC election database was hacked last year, I take messages like this seriously. However, before acting on it, I did some quick checks to see if it was really legit.

I opened the email and it looked pretty legit:

BPI phishing attack
A legit-looking email which turned out to be a phishing attack against BPI customers.

I looked into the details of the sender and how it was sent, and it still looked pretty legit:

It looked like it really came from BPI. Then again, phishing attacks are smart nowadays, and they can easily spoof the sender’s email address.

Phishing emails contain a link that takes you to a website, or carry malicious code, that will steal your information. In this case the email had a link where I was supposed to verify my personal information. However, upon hovering over the link, which again looked legit, Chrome revealed a completely different link:

At this point, the best thing for most people to do is to just mark the email as spam or phishing. Before doing that, I went further to confirm that this was a phishing attack. I opened the link and it did bring me to a site that looked exactly like BPI Online:

The link brings you to a legit-looking BPI site, but look closely at the URI and you know it’s a fake BPI site.
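The hover check described above, where the visible link text names the bank but the real target is somewhere else, can be automated over an email’s HTML body. The following is an added example, not code from the original post: it collects every link, compares the host shown in the anchor text with the host the href actually points to, and checks the target against an assumed list of trusted bank domains. The sample email body and the `bank.example` domains are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not the real BPI email): the first link displays a
# bank URL but points elsewhere; the second is an ordinary link to the bank.
EMAIL_HTML = """
<p>Dear customer, please <a href="http://bank-secure-login.example.net/verify">
https://www.bank.example/verify</a> your account within 24 hours.</p>
<p>Questions? Visit <a href="https://www.bank.example/help">our help center</a>.</p>
"""

# Assumed trusted domains; a real check would use the bank's published domains.
TRUSTED_DOMAINS = {"bank.example"}

# Visible anchor text that looks like a bare domain, optionally followed by a path.
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so line breaks inside the anchor do not matter
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text):
    """Hostname the string appears to point at (lowercased), or None for plain prose."""
    text = text.strip()
    if "://" in text:
        return (urlparse(text).hostname or "").lower() or None
    if _DOMAIN_RE.match(text):
        return text.split("/", 1)[0].lower()
    return None


def in_trusted(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Return one record per link with the findings a reader would want before clicking."""
    parser = _AnchorCollector()
    parser.feed(html)
    report = []
    for href, text in parser.anchors:
        findings = []
        target_host = host_of(href)
        shown_host = host_of(text)
        if target_host is None:
            findings.append("unparseable_target")           # e.g. mailto: or javascript:
        else:
            if shown_host and shown_host != target_host:
                findings.append("display_target_mismatch")  # what hovering exposes
            if not in_trusted(target_host, trusted):
                findings.append("untrusted_domain")
        report.append({"href": href, "text": text, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_links(EMAIL_HTML):
        print(entry["findings"] or ["ok"], entry["text"], "->", entry["href"])
```

The mismatch rule only fires when the anchor text itself looks like a URL or domain; prose link text such as “our help center” is judged solely on where its href goes.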

So there you have it. Always be cautious of emails like this. Double-check whether it really came from your bank, and if you can’t tell whether it is legit or not, the best thing to do is to ignore the email, not click any link it contains, and call your bank first to confirm the information it contains. They can also give advice on how to secure your account.

Be smart. Be cautious. Stay safe everyone!

How bad is the COMELEC data breach?

Back on March 27, 2016, hackers under the banner Anonymous Philippines hacked into the website of the Commission on Elections and defaced it to demonstrate how weak the poll body’s online security measures are. A few days later, another group of hackers, LulzSec Pilipinas, made the entire COMELEC database available online: 338GB in size, containing information on more than 55 million voters.

COMELEC Chair Andres Bautista said that no confidential information was leaked. COMELEC downplayed the scale of the data breach to allay fears that it could compromise the results of the 2016 elections. While that was a valid concern, and the election results were untainted, it brushed aside the other, equally great risk to the millions of registered voters whose personally identifiable information had been compromised.

The newly established National Privacy Commission has just finished its investigation of the data breach and has made public the types of personal data that were made available to anyone online, including criminals:

“The voter database in the Precinct Finder application contained each voter’s complete name, date of birth, gender, civil status, address, precinct number, birthplace, disability, voter identification number, voter registration record number, reason for deletion/deactivation, registration date, and update time.”

“The voter database in the Precinct Finder application contained information on each voter’s verified name, date of birth, gender, civil status, post of registration, passport information, with number and expiry date, taxpayer identification number, e-mail address, mailing address, spouse’s name, the complete names of the voter’s mother and father, the voter’s addresses in the Philippines and abroad, post or country of registration, old registration information, Philippine representative’s complete name, citizenship, registration assistor, profession, sector, height and weight, identifying marks, biometrics description, voting history, mode of voting, and other textual reference information for the voter registration system,” the decision further reads, depicting how much personal data is now most likely in the hands of criminal elements as a result of the COMELEC data breach.

Here’s a rundown of the personally identifiable information that has been leaked:

  • voter’s verified name
  • date of birth
  • gender
  • civil status
  • post of registration
  • precinct number
  • birthplace
  • disability
  • voter identification number
  • voter registration record number
  • reason for deletion/deactivation
  • registration date and update time
  • passport information with number and expiry date
  • taxpayer identification number
  • e-mail address
  • mailing address
  • spouse’s name
  • complete names of the voter’s mother and father
  • voter’s addresses in the Philippines and abroad
  • post or country of registration
  • old registration information
  • Philippine representative’s complete name
  • citizenship
  • registration assistor
  • profession
  • sector
  • height and weight
  • identifying marks
  • biometrics description
  • voting history
  • mode of voting
  • other textual reference information for the voter registration system

To criminals who are into identity theft, use of forged documents and IDs, impersonation, blackmail and harassment, the COMELEC data leak is a gold mine.
If you’re a registered voter, you are vulnerable to the hacking of your social media and other online accounts, and to identity theft that could compromise your bank accounts, utilities, academic or professional records, etc. It could even be used to manipulate the next elections.

The NPC is right in recommending the filing of criminal charges against COMELEC Chair Andres Bautista, as he is liable for this catastrophic violation of Republic Act No. 10173, the Data Privacy Act of 2012.

I don’t know how else to say it, but this has really got me scared.

Android Malware: Gooligan – Is your phone infected?

You may have heard or read about it online: a malware has been found to have infected more than 1 million Android devices, and that number goes up by as much as 13,000 devices per day. This was reported by tech security firm Check Point:

Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year.

The malware has spread through third-party Android app stores for a number of reasons: less stringent security measures compared to Google’s Play Store, free versions of paid apps that are usually found in these third-party stores, and the fact that the majority of their apps are available for free.

The Gooligan malware is part of an online campaign to steal Google account tokens, which can be used for other nefarious deeds aside from the obvious stealing of one’s Google account. Check out the infographic below to see the big picture:

How gooligan campaign works
Image by Check Point

They have an online tool that lets you check whether or not your Google account has been compromised, which tells you whether your device has been infected by the Gooligan malware. I checked my primary Google account and was glad to find that it remains intact.

They also have a list of apps that have been confirmed to carry the Gooligan malware. So check it against your device’s list of installed apps to see whether your phone has been infected. The most effective way to protect your phone is simple: do not download apps from third-party app stores. Avoid side-loading or manually installing apps on your device, especially if you’re unsure where they came from. And even on the Google Play Store, do some research first before downloading an app.

Google is already aware of this issue and has taken steps to combat this malware.

Read Check Point’s report on the Gooligan malware for more information. Be safe. Be smart.

How to check if your Gmail is hacked

If you are worried about the recent leak of around 5 million Gmail user names and passwords on the internet and would like to check whether yours was included, check out the following website:

https://isleaked.com

Just enter your Gmail address and it will tell you if it’s part of the database of hacked accounts. Don’t worry, the website is legit. I used it and was relieved to find out that none of my Gmail accounts were hacked.

If yours was, change your password now and also activate Google’s two-factor verification to make your account more secure.

Google has responded that the leak was not due to a successful attack that compromised its servers or network. Rather, the database was a collection of Gmail accounts obtained through phishing, malware, or other means. So again, be careful which emails you open, which links you click, and which websites you provide your email address and other personal information to. Lastly, make it a habit to change your passwords every now and then and avoid reusing the same password across your online accounts. If your Facebook account gets hacked, all your other accounts will be hacked too.

Gmail logo is owned by Google, Inc.

5 tools to reveal shortened URLs

While doing my own investigation into the suspicious messages spreading via Facebook chat, I stumbled upon a couple of tools that reveal the real URL hidden behind the shortened links so common nowadays.

Curious for more, I did some more Googling and came up with this list of websites and online services that do just that: reveal the long URL behind those fancy shortened URLs.

RealURL.org

RealURL

Real-url.org doesn’t only reveal what’s behind shortened links; it also monitors such links on Twitter and reports on what’s trending. It also offers an API for developers to tap into this service.

RevealURL

RealURL

As the name says, RevealURL.com offers a simple and straightforward interface to reveal the long URL behind the shortened one. An API is coming soon.

Untiny

Untiny

Untiny.com is another service that offers a simple UI for expanding shortened links. However, it also offers a set of add-ons that work on Macs and Linux, on popular instant messaging platforms like GTalk and Windows Live Messenger, and on most browsers, including IE, Firefox, Chrome and Opera.

Just follow their Quick Use guide and you’ll be able to reveal the long links without visiting untiny.com every time you need to expand a shortened link.

Long URL

LongURL

LongURL.org is another service that decodes shortened links. It has a very simple interface, and the major bonus it has going for it is the wide range of URL shortening services it supports: 333 of them, in fact!

On top of that, it offers a Firefox extension or a Greasemonkey script to install on your browser for convenience.

URL Sniffer

URLSniffer

URL Sniffer takes a different approach to revealing the long URLs behind shortened ones. Instead of having you visit its site and paste in the shortened link, it offers a bookmarklet; once added to your bookmarks bar, all you have to do is click it whenever you see shortened links on the page you are browsing and, presto, the real links are revealed right on the page itself.

It works well with Mozilla Firefox, Google Chrome and Safari, while its functionality is limited in Internet Explorer.

Shortened URLs are fancy and useful for sharing neat stuff we find on the web, but evildoers are now taking advantage of them to spam, scam and infect our PCs with malware.

It’s now wiser to check those shortened URLs before actually clicking on them, even if they were shared by your friends or contacts.

This is neither a definitive nor an exhaustive list of online tools for revealing the long URLs hidden behind shortened links. If you know of more tools that weren’t mentioned, please share them in the comments below.
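All of the services listed above do essentially the same thing: ask the shortener where the link goes and read the HTTP redirect answer, hop by hop, without ever loading the final page. The following is an added example, not code from any of those services or from the original post, showing that resolution in Python with the standard library. `expand()` takes a `fetch` function so the sample run works offline against a constructed redirect table (`sh.example`, `mid.example` are made-up hosts); `head_location()` is the live version that issues a HEAD request and deliberately refuses to follow redirects itself.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected individually."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=10):
    """One HEAD request with no redirect following: returns (status, Location header or None).
    Used only for live lookups; the sample run below never touches the network."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "url-expander-example"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:       # 3xx surfaces here once redirects are refused
        return err.code, err.headers.get("Location")


def expand(url, fetch=head_location, max_hops=10):
    """Follow the redirect chain and return where it ends, every hop seen, and why we stopped."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"final": chain[-1], "chain": chain, "status": "resolved"}
        nxt = urljoin(chain[-1], location)       # Location may be relative to the current hop
        if nxt in seen:
            return {"final": nxt, "chain": chain + [nxt], "status": "loop"}
        seen.add(nxt)
        chain.append(nxt)
    return {"final": chain[-1], "chain": chain, "status": "too_many_hops"}


def hosts_in_chain(result):
    """Distinct hostnames crossed, in order; a chain bouncing through unrelated hosts is worth a second look."""
    hosts = []
    for hop in result["chain"]:
        h = (urlparse(hop).hostname or "").lower()
        if h and (not hosts or hosts[-1] != h):
            hosts.append(h)
    return hosts


# Constructed redirect table standing in for real shortener responses (status, Location).
FAKE_REDIRECTS = {
    "https://sh.example/abc": (301, "https://mid.example/r?x=1"),
    "https://mid.example/r?x=1": (302, "/landing"),
    "https://mid.example/landing": (200, None),
    "https://sh.example/loop1": (301, "https://sh.example/loop2"),
    "https://sh.example/loop2": (301, "https://sh.example/loop1"),
}


def fake_fetch(url):
    """Offline stand-in for head_location()."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    for short in ("https://sh.example/abc", "https://sh.example/loop1"):
        r = expand(short, fetch=fake_fetch)
        print(short, "->", r["final"], r["status"], hosts_in_chain(r))
```

Using HEAD and stopping at each hop is the point: the destination is learned from response headers alone, so nothing from the final page is downloaded or rendered. The hop limit and loop detection keep a misbehaving or malicious chain from spinning the resolver forever.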