Create Home Directory for Existing Users in Linux

Looking for a way to create a home directory for the existing user? Well, here’s a quick guide for you.

But before that, let’s have a look at why there was no home directory for the user in the first place.

Reason why home directory was not created

If you used the useradd command to add the new user in Linux, it does not create the home directory by default.

If you still want to use the useradd command to create a new user, just append the -m option and it will create the home directory as well.

Create the home directory for existing user

When an existing user has no home directory and you switch to that user with su -, you get an error that clearly states there is no home directory.

The first step is to leave the shell of the user that has no home directory with the given command:

exit

Now, all you need to do is run mkhomedir_helper followed by the username:

sudo mkhomedir_helper username

My user is named Abhiman, so my command looks like this:

sudo mkhomedir_helper Abhiman

This creates the home directory for the user. For me, it is /home/Abhiman:

ls -al /home/username

If you are using a desktop environment such as GNOME or KDE, you will need to reboot your system before the sub-directories such as Downloads, Documents, and so on appear.
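As an added example (not from the original post), the check and the fix from this section as a small POSIX sh script: it lists regular accounts whose home directory is missing and creates one from the skeleton directory, the same thing mkhomedir_helper does. The passwd file, skeleton path and root prefix are parameters so the script can be dry-run unprivileged on constructed data; the 0750 mode is an assumption, not the tool's default.

```shell
#!/bin/sh
# Added example, not from the original post: find accounts whose home
# directory is missing and create it the way mkhomedir_helper does
# (copy the skeleton directory, chown to the user, then restrict the mode).
# Assumptions: POSIX sh plus awk, cp, chown and chmod; the live run needs
# root, so the functions take a passwd file, skeleton dir and root prefix
# as parameters to allow an unprivileged dry run on constructed data.

# Print "user:home" for every regular account (uid >= 1000 with a real
# login shell) in PASSWD_FILE whose home directory is absent under ROOT.
# ROOT is a prefix for testing; pass "" (the default) for the live system.
missing_homes() {
    passwd_file=$1
    root=${2:-}
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $6 }' \
        "$passwd_file" |
    while IFS=: read -r user home; do
        [ -d "$root$home" ] || printf '%s:%s\n' "$user" "$home"
    done
}

# Create HOME for one user from SKEL, owned by UID:GID.
# Refuses to touch an existing path so it never clobbers data or
# silently changes the ownership of something already on disk.
create_home() {
    user=$1; home=$2; skel=$3; uid=$4; gid=$5
    if [ -e "$home" ]; then
        printf 'create_home: %s already exists for %s\n' "$home" "$user" >&2
        return 1
    fi
    mkdir -p "$home" || return 1
    # cp "$skel/." copies dotfiles such as .profile and .bashrc as well
    if [ -d "$skel" ]; then
        cp -R "$skel/." "$home/" || return 1
    fi
    chown -R "$uid:$gid" "$home" || return 1
    # 0750 is an assumption stricter than the common 0755 default: other
    # (non-group) users then cannot list or read the new home directory
    chmod 0750 "$home"
}

# Live usage, as root (audit /etc/passwd and fix every missing home):
#   missing_homes /etc/passwd | while IFS=: read -r u h; do
#       create_home "$u" "$h" /etc/skel "$(id -u "$u")" "$(id -g "$u")"
#   done
```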

Bonus: Creating new users with the home directory

I prefer the adduser command because it creates a new user properly in Linux, home directory included.

The regular useradd command is also capable of creating a new user with the home directory in this fashion:

sudo useradd -m new_user

Wrapping Up

This was a quick tutorial on how you can create a home directory for the existing user.

I don’t recommend recreating the user (the bonus tip) unless the user was created recently and you have only just found out that it has no home directory.

I hope you will find this helpful and if you have any queries, let me know in the comments.

Black Friday Deals for Linux Users are Now Live!

Thanksgiving is around the corner. Happy Thanksgiving to folks in the USA.

It is also the time for Black Friday and Cyber Monday deals.

Take a look at the current deals and see if something interests you.

Do keep in mind that some deals are for a limited time only and they have been duly mentioned.

Most, if not all, services have a money-back policy. It helps in getting your money back if you don’t like the product or service. Please get those details before you decide to buy.

Some of the links here are affiliate links which means we may get a commission when you purchase at no additional cost to you.

pCloud

Swiss-based cloud storage service pCloud provides a native Linux client, backup options and a lucrative lifetime purchase option (you only pay once).

Offer: Up to 80% off

The deal ends on 30th November.

Proton Mail and VPN

Swiss-based Proton is known for privacy-focused services. Their Black Friday offer is giving up to 40% off on various products.

Offer: Up to 40% off

The deal ends on 2nd December.

KodeKloud

An online platform to learn cutting-edge DevOps technologies like Docker, Kubernetes and HashiCorp tools. There are playgrounds for hands-on practice, learning paths and preparation for certification exams.

Offer: Up to 55% off

The deal ends on 27th November.

A Cloud Guru

Another portal specifically focused on teaching you cutting-edge DevOps technologies with hands-on playground labs.

Offer: Up to 50% off

The deal ends on 2nd December.

Datacamp

Learn the data skills you need online at your own pace—from non-coding essentials to data science and machine learning.

Offer: Up to 65% off

The deal ends on 8th December.

Internxt

Web3 based decentralized cloud storage service for privacy enthusiasts.

Offer: Up to 70% off

The deal ends on 5th December.

Unlocator

VPN and Smart DNS service that lets you unlock streaming services like Netflix, Hulu, Peacock, etc.

Offer: Up to 60% off with coupon code BLACK2022

The deal ends on 28th November.

Teachable

Teachable is perhaps the most popular learning management system for hosting your online courses.

Offer: Up to 35% off

The deal ends on 28th November.

SimpleLogin

Protect your email address. Send and receive emails anonymously.

Offer: $20 instead of $30 for the first year.

The deal ends on 28th November.

Cloudways

Managed cloud hosting. Deploy multiple WordPress websites on a single server and cut down your hosting costs.

Offer: $20 instead of $30 for the first year.

The deal ends on 2nd December.

Humble Bundle

Get DRM-free games for PC for free every month. Part of your purchase goes to charity.

Offer: Annual membership for $89 instead of $120 with code HOLIDAY12

The deal ends on 2nd December.

Codecademy (starts 21st Nov)

Codecademy Pro offers exclusive courses plus the chance to build portfolio-ready projects and connect with other learners.

While there are only a few courses on Linux, there are plenty on Python and other languages.

Offer: 50% off

The deal starts on 21st November and ends on 2nd December.

Pluralsight

Develop critical tech skills. Cut cycle times. Build happier, healthier tech teams. And transform your goals into gains. All with Pluralsight.

Offer: Up to 50% off

The deal ends on 2nd December.

Inoreader

An online feed reader to follow your favorite websites, save articles and more.

Offer: 6 months free on the annual plan

The deal ends on 30th November.

Get $200 Credit on DigitalOcean Cloud Servers

Get started on DigitalOcean with a $200, 60-day credit for new users.

DigitalOcean is a cloud server hosting platform focused on developers and self-hosters.

You can get a Linux server of various configurations or use it to deploy a Kubernetes cluster or host your own App platform. Object storage and block storage are also available.

With its marketplace, you can deploy a new Linux server pre-configured with popular open source software like WordPress, Ghost, MongoDB and many more.

  • No time limit to getting the deal
  • Only valid for new user accounts
  • The entire $200 credit is valid for 60 days

Get $100 Credit for Linode Servers

Get started on Linode with a $100, 60-day credit for new users.

It’s pretty much the same as DigitalOcean. After all, Linode is a direct competitor of DigitalOcean.

Linode is also a cloud server hosting platform focused on developers and self-hosters.

You can get a Linux server of various configurations or use it to deploy a Kubernetes cluster or host your own App platform. Object storage and block storage are also available.

With its 1-click deployment marketplace, you can deploy a new Linux server pre-configured with popular open source software like WordPress, Ghost, MongoDB and many more.

With Linode Stackscripts, you can deploy a new Linux server with a custom configuration of your choice.

  • No time limit to get the deal
  • Only valid for new user accounts
  • The entire $100 credit is valid for 60 days

More deals?

We’ll be updating this page with more deals as they arrive and removing the old and expired ones.

If you know any other offers that could be of interest to Linux and DevOps users, do let us know.

Magniber Ransomware Uses JavaScript to Attack Individual Users

A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.

According to reports, a ransomware campaign isolated by HP Wolf Security in September 2022 was spreading Magniber. The malware is a single-client ransomware family that demands $2,500 from victims.

Previously, Magniber was primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.

“Some malware families, such as Vjw0rm and GootLoader, rely exclusively on JavaScript, but have done so for some time,” Patrick Schläpfer, malware analyst at HP Wolf Security, told Infosecurity. “Currently, we are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.”

Remarkably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and evading detection techniques that monitor user-mode hooks by using syscalls instead of the standard Windows API libraries.

With the UAC bypass, the malware deletes the infected system’s shadow copies and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.

Describing the campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.

The user is asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.

For Magniber to access and block files, it needs to be executed on a Windows account with administrator privileges, a level of access that is much more commonplace on personal systems.

“Consumers can protect themselves by following ‘least-privilege’ principles – only logging on with their administrator account when strictly needed, and creating another account for everyday use,” explained Schläpfer. “Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach.”

To conclude, the company noted that this ransomware does not fall into the category of Big Game Hunting but can still cause significant damage.

“This is not a shift away from big game hunting, but rather demonstrates that not only enterprises are the focus of ransomware groups, but home users as well,” Schläpfer said.

The post Magniber Ransomware Uses JavaScript to Attack Individual Users appeared first on IT Security Guru.

New Microsoft Update To Let Office 365 Users Report Teams Phishing Messages

Last week, Microsoft announced that it is working on updating Microsoft Defender for Office 365 to allow Microsoft Teams users to alert their organization’s security team to any suspicious messages they receive.

As of now, Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection or Office 365 ATP) protects organizations from malicious threats from email messages, links, and collaboration tools.

This in-development feature aims to let admins filter potentially dangerous messages that target employees with malicious payloads or try to redirect them to phishing websites.

“End users will be able to report suspicious Microsoft Teams messages as a security threat just like they do for emails – to help the organization to protect itself from attacks via Microsoft Teams,” Microsoft explains on the Microsoft 365 roadmap.

Redmond is also working on updating Defender for Office 365’s Submissions experience to categorize user-reported messages into individual tabs for Phish, Spam (Junk), and so on, according to the users’ reports.

While the upgraded submission feature is expected to reach general availability next month, the new user reporting capability is now in preview and will most likely roll out to standard multi-tenants by the end of January 2023 on desktop and web clients worldwide.

These new Defender for Office 365 capabilities build on improvements announced in July 2021 that let Microsoft Teams automatically block phishing attempts.

Microsoft achieved this by extending Defender for Office 365 Safe Links protection to the Teams communication platform to help safeguard users from malicious URL-based phishing attacks.

In recent news, Microsoft explained that the “Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender.”

To speed up the process, Redmond also started rolling out Built-In Protection to Defender for Office 365 in November 2021, a feature that automatically enables recommended settings and policies so that all new and existing users get at least a basic level of protection.

Built-In Protection is designed to close the gaps in enterprise protection coverage and improve an organization’s overall security posture by drastically reducing the risk of a breach.

This security upgrade, aimed at all Office 365 customers, was followed in January 2022 by the addition of differentiated protection for priority enterprise accounts (i.e., critical accounts of high-profile employees such as executive-level managers, the ones attackers most often target).

The post New Microsoft Update To Let Office 365 Users Report Teams Phishing Messages appeared first on IT Security Guru.

Android Banking Users Targeted With Fake Rewards Phishing Scam

Earlier today, reports emerged of an SMS-based phishing campaign targeting customers of Indian banks with information-stealing malware that masquerades as a rewards application.

According to the Microsoft 365 Defender Research Team, the messages contain links that redirect users to a dubious website that triggers the download of a fake banking rewards app for ICICI Bank.

“The malware’s RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions,” researchers Shivang Desai, Abhishek Pustakala, and Harshita Tripathi said.

The malware is also able to steal SMS messages, potentially enabling the attacker to swipe 2FA codes sent as text messages and gain unauthorized access to victim accounts.

As in other social engineering attacks, the smishing message and the rogue app use familiar brand logos and names to give an illusion of legitimacy and trick users into installing the app.

The attacks are recognised as a continuation of an ongoing campaign that has distributed similar rewards-themed apps for other Indian banks such as the State Bank of India (SBI) and Axis Bank in the past.

Once the fraudulent app is installed, it not only asks for extensive permissions but also asks users to enter their credit/debit card information as part of a supposed sign-in process, while the trojan waits for further instructions from the attacker.

Commands sent to the app allow the malware to harvest system metadata and call logs, intercept phone calls, and steal credentials for email accounts such as Gmail, Outlook, and Yahoo.

“This malware’s continuing evolution highlights the need to protect mobile devices,” the researchers said. “Its wider SMS stealing capabilities might allow attackers to the stolen data to further steal from a user’s other banking apps.”

The post Android Banking Users Targeted With Fake Rewards Phishing Scam appeared first on IT Security Guru.

Zoom Systems Crash Left Users Helpless

Earlier this week, it was reported that the Zoom video conferencing platform was down, with an outage preventing users from logging in or joining meetings.

An incident posted on Zoom’s service status page confirmed issues with starting and joining meetings and video sessions.

“We are investigating reports of zoom.us being unavailable. Our teams are currently investigating the service-impacting event. Our engineers are investigating,” the company explained.

“We have identified the issue starting and joining meetings. We will continue to investigate and provide updates as we have them,” Zoom added in a subsequent update.

According to reports collected by Downdetector, the outage affected tens of thousands of users worldwide.

Zoom users impacted by the incident said they were having trouble joining conferences and signing in, and were seeing server connection errors.

“Sorry, the page you are looking for is currently unavailable. Please try again later,” read the message that appeared on users’ screens when they tried to access the service.

“If you are the system administrator of this resource then you should check the error log for details. Faithfully yours, nginx.”

The Zoom service provides a cloud-based communication platform that can be used for video conferencing, online meetings, and collaboration via mobile, desktop, and telephone systems and apps.

The platform has seen a rapid increase in monthly active users since the start of 2020, after the COVID pandemic forced millions of employees and students to work and learn from home.

Update September 15, 11:39 EDT: Zoom has made a statement to inform users that the issue preventing them from starting and joining Zoom Meetings is now fixed.

“We have resolved the issue causing users to be unable to start and join Zoom Meetings. We will continue to monitor and provide updates as we have them,” the company said.

The post Zoom Systems Crash Left Users Helpless appeared first on IT Security Guru.

Breach Exposes Users of Microleaves Proxy Service

Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any which way they can — such as by secretly bundling it with other titles.

The Microleaves proxy service, which is in the process of being rebranded to Shifter[.]io.

Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customer’s Internet Protocol (IP) address every five to ten minutes.

The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked — such as data scraping, or mass-creating new accounts at some service online.

In response to a report about the data exposure from KrebsOnSecurity, Microleaves said it was grateful for being notified about a “very serious issue regarding our customer information.”

Abhishek Gupta is the PR and marketing manager for Microleaves, which he said is in the process of being rebranded to “Shifter.io.” Gupta said the report qualified as a “medium” severity security issue in Shifter’s brand new bug bounty program (the site makes no mention of a bug bounty), which he said offers up to $2,000 for reporting data exposure issues like the one they just fixed. KrebsOnSecurity declined the offer and requested that Shifter donate the amount to the Electronic Frontier Foundation (EFF), a digital rights group.

From its inception nearly a decade ago, Microleaves has claimed to lease between 20 and 30 million IPs via its service at any time. Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said that 20 to 30 million figure might be accurate for Shifter if measured across a six-month time frame. Currently, Spur is tracking roughly a quarter-million proxies associated with Microleaves/Shifter each day, with a high rate of churn in IPs.

Early on, this rather large volume of IP addresses led many to speculate that Microleaves was just a botnet which was being resold as a commercial proxy service.

Proxy traffic related to top Microleaves users, as exposed by the website’s API.

The very first discussion thread started by the new user Microleaves on the forum BlackHatWorld in 2013 sought forum members who could help test and grow the proxy network. At the time, the Microleaves user said their proxy network had 150,000 IPs globally, and was growing quickly.

One of BlackHatWorld’s moderators asked the administrator of the forum to review the Microleaves post.

“User states has 150k proxies,” the forum skeptic wrote. “No seller on BHW has 150k working daily proxies none of us do. Which hints at a possible BOTNET. That’s the only way you will get 150k.”

Microleaves has long been classified by antivirus companies as adware or as a “potentially unwanted program” (PUP), the euphemism that antivirus companies use to describe executable files that get installed with ambiguous consent at best, and are often part of a bundle of software tied to some “free” download. Security vendor Kaspersky flags the Microleaves family of software as a trojan horse program that commandeers the user’s Internet connection as a proxy without notifying the user.

“While working, these Trojans pose as Microsoft Windows Update,” Kaspersky wrote.

In a February 2014 post to BlackHatWorld, Microleaves announced that its sister service — reverseproxies[.]com — was now offering an “Auto CAPTCHA Solving Service,” which automates the solving of those squiggly and sometimes frustrating puzzles that many websites use to distinguish bots from real visitors. The CAPTCHA service was offered as an add-on to the Microleaves proxy service, and ranged in price from $20 for a 2-day trial to $320 for solving up to 80 captchas simultaneously.

“We break normal Recaptcha with 60-90% success rate, recaptcha with blobs 30% success, and 500+ other captcha,” Microleaves wrote. “As you know all success rate on recaptcha depends very much on good proxies that are fresh and not spammed!”

WHO IS ACIDUT?

The exposed Microleaves user database shows that the first user created on the service — username “admin” — used the email address alex.iulian@aol.com. A search on that email address in Constella Intelligence, a service that tracks breached data, reveals it was used to create an account at the link shortening service bit.ly under the name Alexandru Florea, and the username “Acidut.” [Full disclosure: Constella is currently an advertiser on this website].

According to the cyber intelligence company Intel 471, a user named Acidut with the email address iulyan87_4u@gmail.com had an active presence on almost a dozen shadowy money-making and cybercrime forums from 2010 to 2017, including BlackHatWorld, Carder[.]pro, Hackforums, OpenSC, and CPAElites.

The user Microleaves (later “Shifter.io”) advertised on BlackHatWorld the sale of 31 million residential IPs for use as proxies, in late 2013. The same account continues to sell subscriptions to Shifter.io.

In a 2011 post on Hackforums, Acidut said they were building a botnet using an “exploit kit,” a set of browser exploits made to be stitched into hacked websites and foist malware on visitors. Acidut claimed their exploit kit was generating 3,000 to 5,000 new bots each day. OpenSC was hacked at one point, and its private messages show Acidut purchased a license from Exmanoize, the handle used by the creator of the Eleonore Exploit Kit.

By November 2013, Acidut was advertising the sale of “26 million SOCKS residential proxies.” In a March 2016 post to CPAElites, Acidut said they had a worthwhile offer for people involved in pay-per-install or “PPI” schemes, which match criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs and websites.

Because pay-per-install affiliate schemes rarely impose restrictions on how the software can be installed, such programs can be appealing for cybercriminals who already control large collections of hacked machines and/or compromised websites. Indeed, Acidut went a step further, adding that their program could be quietly and invisibly nested inside of other programs.

“For those of you who are doing PPI I have a global offer that you can bundle to your installer,” Acidut wrote. “I am looking for many installs for an app that will generate website visits. The installer has a silence version which you can use inside your installer. I am looking to buy as many daily installs as possible worldwide, except China.”

Asked about the source of their proxies in 2014, the Microleaves user responded that it was “something related to a PPI network. I can’t say more and I won’t get into details.”

Acidut authored a similar message on the forum BlackHatWorld in 2013, where they encouraged users to contact them on Skype at the username “nevo.julian.” That same Skype contact address was listed prominently on the Microleaves homepage up until about a week ago when KrebsOnSecurity first reached out to the company.

ONLINE[.]IO (NOW MERCIFULLY OFFLINE)

There is a Facebook profile for an Alexandru Iulian Florea from Constanta, Romania, whose username on the social media network is Acidut. Prior to KrebsOnSecurity alerting Shifter of its data breach, the Acidut profile page associated Florea with the websites microleaves.com, shrooms.io, leftclick[.]io, and online[.]io. Mr. Florea did not respond to multiple requests for comment, and his Facebook page no longer mentions these domains.

Leftclick and online[.]io emerged as subsidiaries of Microleaves between 2017 and 2018. According to a help wanted ad posted in 2018 for a developer position at online[.]io, the company’s services were brazenly pitched to investors as “a cybersecurity and privacy tool kit, offering extensive protection using advanced adblocking, anti-tracking systems, malware protection, and revolutionary VPN access based on residential IPs.”

A teaser from Irish Tech News.

“Online[.]io is developing the first fully decentralized peer-to-peer networking technology and revolutionizing the browsing experience by making it faster, ad free, more reliable, secure and non-trackable, thus freeing the Internet from annoying ads, malware, and trackers,” reads the rest of that help wanted ad.

Microleaves CEO Alexandru Florea gave an “interview” to the website Irishtechnews.ie in 2018, in which he explained how Online[.]io (OIO) was going to upend the online advertising and security industries with its initial coin offering (ICO). The word interview is in air quotes because the following statements by Florea deserved some serious pushback by the interviewer.

“Online[.]io solution, developed using the Ethereum blockchain, aims at disrupting the digital advertising market valued at more than $1 trillion USD,” Alexandru enthused. “By staking OIO tokens and implementing our solution, the website operators will be able to access a new non-invasive revenue stream, which capitalizes on time spent by users online.”

“At the same time, internet users who stake OIO tokens will have the opportunity to monetize on the time spent online by themselves and their peers on the World Wide Web,” he continued. “The time spent by users online will lead to ICE tokens being mined, which in turn can be used in the dedicated merchant system or traded on exchanges and consequently changed to fiat.”

Translation: If you install our proxy bot/CAPTCHA-solver/ad software on your computer — or as an exploit kit on your website — we’ll make millions hijacking ads and you will be rewarded with heaps of soon-to-be-worthless shitcoin. Oh, and all your security woes will disappear, too.

It’s unclear how many Internet users and websites willingly agreed to get bombarded with Online[.]io’s annoying ads and search hijackers — and to have their PC turned into a proxy or CAPTCHA-solving zombie for others. But that is exactly what multiple security companies said happened when users encountered online[.]io, which operated using the Microsoft Windows process name of “online-guardian.exe.”

Incredibly, Crunchbase says Online[.]io raised $6 million in funding for an initial coin offering in 2018, based on the plainly ludicrous claims made above. Since then, however, online[.]io seems to have gone…offline, for good.

SUPER TECH VENTURES?

Until this week, Shifter.io’s website also exposed information about its customer base and most active users, as well as how much money each client has paid over the lifetime of their subscription. The data indicates Shifter has earned more than $11.7 million in direct payments, although it’s unclear how far back in time those payment records go, or how complete they are.

The bulk of Shifter customers who spent more than $100,000 at the proxy service appear to be digital advertising companies, including some located in the United States. None of the several Shifter customers approached by KrebsOnSecurity agreed to be interviewed.

Shifter’s Gupta said he’d been with the company for three years, since the new owner took over the company and made the rebrand to Shifter.

“The company has been on the market for a long time, but operated under a different brand called Microleaves, until new ownership and management took over the company and started a reorganization process that is still on-going,” Gupta said. “We are fully transparent. Mostly [our customers] work in the data scraping niche, this is why we actually developed more products in this zone and made a big shift towards APIs and integrated solutions in the past year.”

Ah yes, the same APIs and integrated solutions that were found exposed to the Internet and leaking all of Shifter’s customer information.

Gupta said the original founder of Microleaves was a man from India, who later sold the business to Florea. According to Gupta, the Romanian entrepreneur had multiple issues in trying to run the company, and then sold it three years ago to the current owner — Super Tech Ventures, a private equity company based in Taiwan.

“Our CEO is Wang Wei, he has been with the company since 3 years ago,” Gupta said. “Mr. Florea left the company two years ago after ending this transition period.”

Google and other search engines seem to know nothing about a Super Tech Ventures based in Taiwan. Incredibly, Shifter’s own PR person claimed that he, too, was in the dark on this subject.

“I would love to help, but I really don’t know much about the mother company,” Gupta said, essentially walking back his “fully transparent” statement. “I know they are a branch of the bigger group of Asian investment firms focused on private equity in multiple industries.”

Adware and proxy software are often bundled together with “free” software utilities online, or with popular software titles that have been pirated and quietly fused with installers tied to various PPI affiliate schemes.

But just as often, these intrusive programs will include some type of notice — even if installed as part of a software bundle — that many users simply do not read and click “Next” to get on with installing whatever software they’re seeking to use. In these cases, selecting the “basic” or “default” settings while installing usually hides any per-program installation prompts, and assumes you agree to all of the bundled programs being installed. It’s always best to opt for the “custom” installation mode, which can give you a better idea of what is actually being installed, and can let you control certain aspects of the installation.

Either way, it’s best to start with the assumption that if software or a service online is “free,” there is likely some component involved that allows the provider of that service to monetize your activity. As KrebsOnSecurity noted at the conclusion of last week’s story on a China-based proxy service called 911, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others.

Further reading on proxy services:

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’
June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet
June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet
Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark
Aug. 19, 2019: The Rise of “Bulletproof” Residential Networks

Personal data of 69 million Neopets users exposed

The online pet website, Neopets, has confirmed it fell victim to a data breach, exposing the personal information of approximately 69 million users. The website’s source code was also stolen in the attack. Recently, Neopets launched NFTs, which are part of a plan to create an online Metaverse game, in which users can own, raise and play games with their virtual pets.

According to reports, the breach occurred on Tuesday and has since been attributed to a hacker known as ‘TarTaxX’, who began selling the source code and database on the dark web, charging approximately $94,000 in Bitcoin. The hacker has not revealed how they obtained access; however, they have confirmed that the data was not ransomed.

Tim Marley, VP Audit, Risk & Compliance at Cerberus Sentinel told the IT Security Guru that: “The failure to keep our stakeholders’ sensitive data confidential is coming with greater consequences for organizations in the United States. Five states currently have privacy laws and another six have legislation at some stage of review. At the end of the day, we shouldn’t need legislation to force us to examine the sensitive data in our possession and verify that we protect it at every stage of the data lifecycle. We are the custodians of this data and owe it to our customers, clients, partners, and residents to verify that we always manage this information securely. If we fail to do so, we stand to lose their trust and may incur significant financial and operational penalties as a result.”

Neopets members are strongly urged to change their passwords on any site where they used the same or a similar password as on the virtual game. Unfortunately, however, changing a password on the Neopets site itself is not guaranteed to secure the account while the attackers still have access to the servers, which reportedly remains the case in this instance.

Marley continues: “I’m particularly concerned over the potential exposure of sensitive data for children under the age of 13. While this site may not specifically cater to that age group, I believe it’s likely we’ll see a much greater consumption of these services by children. If so, then we may see the FTC investigating under the Children’s Online Privacy Protection Rule (COPPA).”

Also commenting on the incident is Mike Varley, threat consultant at Adarma: “Responding to incidents such as these needs a finely tuned balance of speed along with remedial actions. Incident responders should be seeking to validate claims from the threat actor that they have “live” access to the database, that was reportedly confirmed by another user of the initial forum where the leak was posted. From there, responders will work backwards to identify both the point of initial access and any persistence mechanisms the actor may have installed. Once identified, a remediation plan can be created that’ll involve multiple actions occurring simultaneously (or in rapid succession) designed to remove the adversary from the network, deny their access back into the environment, and monitor for any further resurgence in adversary activity.”

He concluded that “lessons learned after the threat has been eradicated should be viewed by organisations as a way to improve, to build back better and a stark reminder to take the security of their environment, and their customers, very seriously by stopping history from repeating itself.”

According to a Reddit user, this is not the first data breach affecting the virtual pet world. A Twitter account has been set up which members can follow for official updates from staff and for guidance on how to proceed if their data has been affected.

The post Personal data of 69 million Neopets users exposed appeared first on IT Security Guru.