E-challan Scam Alert

E-Challan Scam Alert!

Category: Generic

E-Challan Scam Alert!

Posted on by CyberiumX

In today’s digital age, numerous fraudulent schemes have developed. Traffic violations, similar to various aspects of online services, have turned into a means for scammers. Unscrupulous individuals trick non-guilty users into falling for a contemporary type of trickery called phishing. They are informed about alleged traffic violations through alerts and, once they click a link or download an application, the scammers use this opportunity to rob their bank accounts and disappear without a trace.
The Ministry of Electronics & Information Technology (MeitY) issued a caution through its Information Security Awareness (ISEA) initiative regarding the rise in fraud cases linked to the e-challan scam. Increasing public awareness is essential for tackling this danger.

What is an E-Challan Scam?

The E-challan scam involves a digital assault aimed at individuals who think they have gotten or suspect they have gotten a ticket for a traffic violation that has been sent electronically. Scammers use different strategies to trick individuals into revealing personal information or giving away money.
An online e-challan scam recently duped a 43-year-old man from Thane Bhosale, a driver of an auto-rickshaw, got a text stating he had committed a traffic offence and directed him to make the payment using the Vahan Parivahan app. Once the app was installed, Bhosale started getting multiple OTPs on his phone. He swiftly removed the app from his device. Even though he acted quickly, his account had already been subject to unauthorized transactions totaling Rs 50,000.
Here, cybercriminals operate a fake traffic police electronic challenge system, targeting people who either ignore or quickly scan through the e-challan. To tackle this problem, the government started a cyber security awareness initiative a few months back to inform the public about online scams.
Here is all the information you should have regarding this recently surfaced e-challan scam.

How does this Scam work?

The method used in this scam involves tricking people into clicking on a harmful link to settle their traffic challan. To make the scam appear legitimate, the fake message is carefully crafted to seem authentic. The deceptive message will read something like this – “Your Challan No. is … for vehicle number… having challan amount as Rs 500. For online payment of e-challan visit https://echallanparivahan.in/ you can also contact RTO office for disposal of challan, Regards, RTO.”

If you click on this payment link to settle the e-challan, you will end up paying cyber criminals instead of the police in an attempt to clear the traffic e-challan.

How to avoid traffic E-Challan Scam?

The scammers have copied the design from traffic authorities accurately, making the message appear real at first glance. However, with close examination, the scam can be identified.

When verifying an e-challan message, assess three factors to distinguish between its authenticity and deceitfulness.

Initially, verify if the vehicle number provided matches your vehicle number. You can confirm this information by checking the number plate of the vehicle or the blue book provided by the Regional Transport Office (RTO).

Next, make sure that the e-challan number is valid. You can verify the genuineness of the challan number by accessing the e-challan website at https://echallan.parivahan.gov.in/index/accused-challan.

Also, the fraudulent message includes a payment link that leads to https://echallanparivahan.in. Scammers frequently utilize links that closely mimic official ones, making them easy to miss at first glance.

Nevertheless, it is crucial to point out that government websites consistently feature the suffix ‘.gov.in‘, like https://echallan.parivahan.gov.in/. Hence, always choose to click on links with a ‘.gov.in‘ domain address for verification purposes.

challan

Source: echallanparivahan website

Few more tips to prevent E-Challan Scams

Additionally, observe how cyber scammers compose their fraudulent messages. For instance, a snippet from such a message might say, “you can also contact the RTO office to settle the challan.” Cyber scammers take advantage of people’s hesitance to follow through with such tasks. Few individuals would willingly visit the RTO office to inquire about the challan details, as it involves taking time off from work or business and spending a significant part of the day there.

If the challan amount were higher, it might motivate individuals to take action, and this is a vulnerability that cyber scammers exploit. Therefore, do not hastily make payments upon receiving such messages.

Be careful and avoid clicking on any links that look suspicious. To confirm the e-challan, input your vehicle number and driving license number on the e-challan website. Moreover, if the fine amount is significant, it is advisable to personally go to the RTO office to confirm the challan information.

From time to time, alerts are released by the government regarding current scams. An example is the recent occurrence of Aadhaar-enabled Payment System (AePS) scams impacting numerous people. In reaction, NPCI has directed banks to create a transparent system for individuals to manage AePS transactions from their savings accounts.

Conclusion

To sum up, the increase in online scam attempts highlights the need for awareness and care when engaging online. To shield yourself from these scams, confirm the genuine nature of online notice by examining the vehicle number, and the official website’s domain (.gov.in), and avoid clicking on questionable links. If uncertain, go to the official site or reach out to the appropriate officials. Being knowledgeable and careful is essential in protecting yourself from online scams aimed at people who are unaware.

Follow us for more Cyber updates.

Team CyberiumX

Certified Ethical Hacker (CEHv13) Practical Exam

Posted on by CyberiumX

Hello Folks!

In this blog post, we’ll discuss about Certified Ethical Hacker (CEHv13) Practical exam. We will focus on essential tools, techniques, and strategies to help you successfully navigate the practical exam. After reading this blog, you won’t need additional resources. We’ll provide comprehensive explanations to ensure clarity on every aspect.

Let’s initiate the process to begin the 6-hour exam. Once your exam environment is fully set up, proceed with the following steps:

  • Use Nmap to find all the live devices in different subnets.
  • Write down the IP addresses of the devices that are turned on.
  • Then, use Nmap again to find out which services and ports are open on each device.
  • You can also use Nmap to figure out what operating system each device is using.
  • Note down these details next to the corresponding IP addresses.
  • Once you have this information, you can start working on the questions given to you for the exam and use this information when required.
  • Now let’s discuss the topics and required tools with commands that you should know for the exam.

Important topics and tools for the CEHv13 practical exam

1. Scanning using Nmap
  • Host discovery
  • nmap -PS -sn 192.168.0.0/24
  • nmap -PR -sn 192.168.0.0/24
  • TCP Port scanning
  • nmap -sS 192.168.0.10
  • nmap -sT 192.168.0.10
  • nmap -p21,22,80 192.168.0.10
  • nmap -p- -sS 192.168.0.10
  • UDP Port scanning
  • nmap -sU 192.168.0.10
  • Service version detection
  • nmap -sV 192.168.0.10
  • Operating System detection
  • nmap -O 192.168.0.10
  • Vulnerability scanning using scripts
  • nmap -sC 192.168.0.10 (We can use this for getting FQDN)
  • nmap –script=smb-enum-* -p21 192.168.0.10
2. Enumeration
  • Hydra tool for Brute-forcing
  • hydra -L username.txt -P password.txt 192.168.0.10 <Protocol_Name> -t 10
  • hydra -L username.txt -P password.txt 192.168.0.10 -s <Port_number> <Protocol_Name>
  • hydra -l username -P password.txt 192.168.0.10 -s <Port_number> <Protocol_Name>
  • FTP Enumeration
  • Brute-forcing Credentials using Hydra
  • To connect to FTP server-> ftp 192.168.0.10
  • To download files from the FTP server-> get flag.txt
  • To upload files to the FTP server-> put file.txt
  • SMB Enumeration
  • Brute-forcing Credentials using Hydra
  • nmap -p 445 –script=smb-enum-shares 192.168.0.10
  • nmap -p 445 –script=smb-enum-users –script-args smbusername=username,smbpassword=password 192.168.0.10
  • nmap -p 445 –script=smb-enum-groups –script-args smbusername=username,smbpassword=password 192.168.0.10
  • To list shares available on the SMB server using anonymous user-> smbclient -L //192.168.0.10
  • To list shares available on the SMB server using anonymous user-> smbclient //192.168.0.10/sharename
  • To list shares available on the SMB server using a username-> smbclient -L //192.168.0.10 -U username
  • To connect to any share of SMB server using a username-> smbclient //192.168.0.10/sharename -U username
  • To download files from the FTP server-> get flag.txt
  • To upload files to the FTP server-> put file.txt
  • RDP Enumeration
  • Brute-forcing credentials using Hydra
  • Metasploit Framework module to identify RDP service running on which machine- auxiliary/scanner/rdp/rdp_scanner
  • To access the windows machine-> xfreerdp /u:username /p:password /v:192.168.0.10:3389
  • SSH Enumeration
  • Brute-forcing Credentials using Hydra
  • To access the machine using SSH protocol-> ssh username@192.168.0.10 -p 22
3. Vulnerability Assessment
  • Nessus
  • On Windows, open the browser and type https://localhost:8834
  • Login to Nessus using default credentials- admin:password
  • New Scan > Basic Network Scan

1. Nessus scan templates

  • Provide name and target IP address then finally save and launch the scan.
4. Sniffing/Packet Analysis using Wireshark
  • Filters
  • http.request.method==post
  • http.request.method==get
  • Stream– To see the whole conversation
  • Right-click the request and then select Follow > TCP Stream
  • Red will be the request that we sent to the server and Blue will be the response we receive from the server.
  • We can toggle between different streams using the Stream option followed by a number in the right-hand bottom of the window.
  • Extracting Files from the packet capture
  • Go to File > Export Objects > Select a protocol using which the file was transferred (HTTP).
  • Now sort the results and try to get some file types we can save on our machine.
  • Finding Comments
  • pkt_comment contains “searchString”
  • To find DoS/DDoS attack (sort by packets in IPv4 based on the number of Packets transferred)
  • Statistics > Conversations > IPv4 > Packets
  • Sort the results by Bytes/Packets
  • Checking communications of IoT devices
  • Search MQTT on the Wireshark filter.
5. Steganography
  • OpenStego– Used to hide and extract data behind images.
  • Select Extract -> Choose the image -> Provide an Output file -> Provide the password

2. OpenStego

  • Snow– Used to hide and extract data behind a txt file in the form of whitespaces.
  • To hide the data in txt file-> .\SNOW.EXE -C -m “Hello! Welcome to CyberiumX.” -p “passwd123” ‘.\cyberiumx.txt’ file.txt
  • To extract the hidden data from txt file-> .\SNOW.EXE -C -p “passwd123” file.txt cyberiumx.txt
  • Covert_tcp– Used to hide and extract data in TCP headers
  • To compile covert_tcp.c file-> cc -o covert_tcp covert_tcp.c
  • Sender machine-> ./covert_tcp -source <IP> -dest <IP> -source_port <port> -dest_port <port> -file <txt file name>
  • Eg-> ./covert_tcp -source 192.168.0.10 -dest 192.168.0.20 -source_port 9999 -dest_port 8888 -file source.txt
  • Receiver machine-> ./covert_tcp -source <IP> -source_port <port> -server -file <txt file name>
  • Eg-> ./covert_tcp -source 192.168.0.10 -source_port 8888 -server -file destination.txt
6. Web Application attacks
  • SQL Injection using SQLmap
  • To enumerate database names-> sqlmap –url http://192.168.0.10/?id=2 –dbs
  • Save the GET/POST request in a file from Burp Suite. Right-click on the request > Save item > Select location and save the file (req.txt).
  • To list database name-> sqlmap -r req.txt –dbs
  • To list tables of single database-> sqlmap -r req.txt -D <database name> –tables
  • To list all columns of a database table-> sqlmap -r req.txt -D <database name> -T <table name> –columns
  • To dump the data from database’s table-> sqlmap -r req.txt –D <database name> -T <table name> –dump
  • WordPress website enumeration using wpscan
  • To enumerate username from WordPress websites-> wpscan –url http://192.168.0.10 –enumerate u
  • To Brute-force password of user-> wpscan –url http://192.168.0.10 -U username -P password.txt
  • Directory Bursting using Gobuster
  • gobuster dir -u http://192.168.0.10 -w /usr/share/wordlists/dirb/common.txt -x txt -t 40
7. Android attacks
  • ADB (Android Debug Bridge) tool
  • To connect with Android device-> adb connect 192.168.0.10:5555
  • To list the connected devices running in the same network-> adb devices
  • To get the shell of the remote device-> adb shell
  • In a separate Linux shell, use the following command to upload a file on an Android device-> adb push demo.txt /sdcard/Download
  • To download a file from an Android device-> adb pull /sdcard/Download/contacts.vcf .
8. Cryptography
  • sha384sum tool
  • sha384sum file.txt
  • Online websites to crack non-salted hashes
  • CrackStation (https://crackstation.net/)
  • Hashes (https://hashes.com/en/decrypt/hash)
  • BCTextEncoder– To encode/decode the data
  • Paste the encoded text -> Click on Decode -> Provide the password

3.

 

  • Veracrypt– To encrypt/decrypt files in/from partitions.
  • Select the file that has the hidden file system -> Select any drive letter -> Click Mount -> Provide the password
  • It will create a new drive where we will find the hidden content.

4. Veracrypt

 

9. Privilege Escalation
  • Insecure file/directory permission
  • To find the file containing the flag value-> find / -type f -name flag.txt 2>/dev/null
  • Run the ls -l command on the file to check the permission
  • Sudo Privileges
  • Command to check sudo privileges-> sudo -l
  • If you get any binary after running the above command then search the binary on GTFOBins (https://gtfobins.github.io/)
10. Wireless Attacks
  • Wi-Fi password cracking of WPA/WPA2/WPA3
  • aircrack-ng -w password.txt hashfile.cap
11. Malware Attacks:
  • Remote Access Trojan
  • From the Nmap result, look for default malware ports like 5552 (njRAT), 5110 (ProRAT), 6703 (Theef), and 9871 (Theef).
  • Now to connect with these ports, we require any one of the above-mentioned RAT software which you will find on the Windows machine.
  • Malware Analysis
  • Use DIE (Detect It Easy) and IDA pro tool to get the Entry point address of the malicious file.
  • Use DIE tool to get the version and hash of different components of the malicious file.

CEHv13 Practical Questions

Let’s explore the types of questions that might be presented in the CEH practical exam. Please keep in mind that while these questions are indicative, the actual exam may have different questions. However, having a good grasp of the tools and techniques outlined above will greatly enhance your chances of success.

  • Extract sensitive files hidden in an image file.
  • Get the severity score of a vulnerability.
  • Get remote access on an Android device and download files.
  • Brute-force SMB & FTP credentials and access them to download files.
  • Perform Nmap scan to identify web servers
  • Find FQDN of Domain Controller (Remember the machine on which you will find LDAP port open will be the Domain Controller).
  • Access the Linux machine using SSH and perform privilege escalation to read root files.
  • Access the volume encrypted by VeraCrypt.
  • Use BCTextEncoder to decode the flag.
  • Crack the hash.
  • Perform Malware analysis
  • From packet capture, identify a device IP that performed a DoS/DDoS attack and identify the packet size of any specific message.
  • Crack the password of the wireless network.
  • Access the machine using RAT.
  • Perform SQL injection to access database entries
  • Access sensitive files hosted on Web servers.

That covers everything required for participating in the CEH practical exam. We trust that the blog provided valuable information, and we extend our best wishes for your certification exam.

If you want to appear in Certified in Cybersecurity certification by (ISC)2 then you can visit our blog where we discussed how you can register and book your free slot for the CC exam and what you need to prepare for the CC exam.

Happy Pentesting!
Team CyberiumX

Cyber Crime Against Women

Posted on by CyberiumX

The incidences of cyber crime has risen due to underreporting and the difficulty in detecting and substantiating such crimes. Unlike traditional monitoring, investigation, or auditing methods, cyber crime operates beyond conventional means and necessitates specialized understanding to address its complexities.

Women are disproportionately affected by cyber crime, enduring mental and emotional distress as a result. Many women experience feelings of distress, humiliation, and depression due to these crimes, which present significant challenges in terms of resolution and mitigation.

What is Cybercrime?

Cyber crime refers to illicit activities carried out via the internet and digital devices with the aim of intruding into others’ private spaces and causing distress through objectionable content and misconduct.

With internet usage becoming commonplace for educational, social, entertainment, and professional needs in today’s digital era, women are actively participating in online platforms for work or education and frequently engaging with social media.

While many individuals utilize the internet and digital platforms for educational and recreational purposes, there are individuals who exploit these tools to harass and intimidate online users, particularly women. Such criminal behavior falls under the category of cybercrime, as it occurs within the realm of cyberspace.

Cyber Crime Against Women

In the digital age, women are disproportionately targeted by malicious online activities that inflict severe psychological and emotional harm. Blackmail, threats, cyberpornography, and the dissemination of explicit sexual content are among the prevalent cyber crimes targeting women. Additionally, women are frequently subjected to stalking, bullying, defamation, image manipulation, and the creation of fraudulent profiles.

Cyber violence employs computer technology to breach women’s personal information and utilize the internet for harassment and exploitation. Women are increasingly vulnerable targets due to their tendency to trust others and their lack of awareness regarding potential consequences.

Cyber Crime

Types of Cybercrime Targeting Women

Cyber crime against women involves the use of computer networks or mobile phones to make derogatory comments about women based on their gender and sexual orientation and to engage in activities that violate the privacy and dignity of women and cause them distress.

The various forms of cyber crimes against women are outlined as follows:

Cyber Defamation : This type of activity involves blackmailing and exposing the victim’s personal information or altered images. This type of activity often involves blackmailing and soliciting sexual favors for the victim.

Cyber Hacking: These women fall victim to cyber hacking when they are asked to click on unauthorised URLs or download unauthorised apps that disclose all their personal data on their phones. The hackers use these data for illegal money transactions and other illegal activities.

Cyber Stalking:It involves trying to get in touch with women on social media platforms for no good reason, posting threatening messages on a chat room, and harassing the victims by sending them inappropriate emails and text messages to cause mental distress

Cyber Bullying: Cyberbullying is a form of online harassment and bullying that targets a victim through the use of a digital platform. It involves the posting of harmful and offensive content, images, or videos, as well as rape and death threats.

Cyber Grooming: In this case, a man establishes an online relationship with a woman and tries to pressurise her for undue favors or sexual favors.

Pornography: This type of crime involves posting altered images of victims on social media and using them for sexual exploitation, sometimes even demanding money to take them down.

Impact of Cyber Crime on Women

Cyber crime can have a wide-reaching and impactful effect on women, impacting their physical, mental, and emotional health. Here are some of the most significant effects:

Emotional Distress and Psychological Trauma: Women who are victims of cybercrime, such as online harassment, cyberbullying, or revenge porn, often experience significant emotional distress and psychological trauma. The invasion of privacy, violation of personal boundaries, and public humiliation can lead to feelings of fear, shame, anxiety, and depression.

Damage to Reputation and Social Standing: Cyber crime can tarnish a woman’s reputation and social standing, especially if sensitive or compromising information is exposed online. This can have long-lasting consequences on personal relationships, career opportunities, and social acceptance within communities.

Financial Loss and Economic Harm: Women may suffer financial loss and economic harm due to cyber crimes such as identity theft, online fraud, or phishing scams. Cybercriminals may target women for financial exploitation, draining bank accounts, stealing personal information, or defrauding them through deceptive schemes, leading to financial instability and hardship.

Impact on Personal and Professional Relationships: Cyber crime can strain personal and professional relationships for women. Victims may experience difficulties trusting others, fear of further victimization, and social withdrawal due to the fear of judgment or stigma associated with being targeted online.

Physical Safety Concerns: In cases of cyberstalking, intimate partner violence, or online harassment escalating into real-world threats, women may face significant concerns for their physical safety and well-being. Cybercriminals may use technology to track, monitor, or harass women in their daily lives, creating a constant sense of fear and vulnerability.

Barriers to Seeking Help and Support: Women who experience cyber crime may encounter barriers to seeking help and support, including fear of retaliation, shame, or disbelief from others. Limited access to resources and support services specifically tailored to address cyber victimization can further exacerbate their isolation and distress.

Loss of Privacy and Control: Cyber crime can strip women of their sense of privacy and control over their personal information and online presence. The unauthorized dissemination of private or intimate content, such as revenge porn, can leave women feeling violated and powerless, with lasting implications for their sense of autonomy and self-worth.

Addressing the impact of cyber crime on women requires a comprehensive approach that encompasses legal protections, technological safeguards, support services, and public awareness campaigns. Empowering women with knowledge about online safety, promoting digital literacy, and fostering a supportive environment for victims to seek help and recovery are essential steps in mitigating the impact of cyber victimization.

Protective Measures Against Cyber Crimes

  • Monitor irrelevant or fraudulent messages and emails.
  • Refrain from responding to emails soliciting personal information.
  • Avoid accessing fraudulent websites or apps requesting personal details.
  • Safeguard your email address and password.
  • Utilize strong and secure passwords, updating them regularly.
  • Exercise caution and refrain from clicking on unrecognized URLs or downloading unknown apps.
  • Stay informed about cyber laws and policies to remain up-to-date on potential risks and protections.

Legal Frameworks Against Cyber Crime

Every individual utilizing cyberspace is bound by universal laws governing its use. Cyber laws address legal matters stemming from networked computer technology and digital platforms. These regulations serve to safeguard victims of cybercrimes and aid them in addressing their concerns and seeking justice.

The Indian Penal Code (IPC), 1860, outlines specific punishable offenses under Section 354, which are as follows:

Section 354A: Engaging in the demand for sexual favors, displaying objectionable pictures against a woman’s consent, making sexual remarks, or engaging in sexual harassment can result in imprisonment of up to 3 years along with fines.

Section 354C: Photographing or publishing pictures of a woman engaged in a private act without her consent may lead to imprisonment ranging from 3 to 7 years.

Section 354D: Contacting a woman online and sending irrelevant emails/messages despite the woman’s clear disinterest can result in imprisonment for 5 years along with fines.

The Information Technology Act of 2000 includes provisions for penalties under the following sections:

Section 66C: Committing cyber hacking with the intent to steal identities is a punishable offense, carrying a prison sentence of 3 years and fines up to Rs. 1 lakh.

Section 66E: Addresses the offense of capturing, publishing, or transmitting pictures of women in circumstances that invade privacy, resulting in a 3-year imprisonment.

Section 67A: Prohibits the publication and transmission of sexually explicit content, punishable by imprisonment ranging from 5 to 7 years.

The Cyber Crime Prevention Act of 2012 aims to prevent and prosecute individuals engaged in cyber crimes that compromise the privacy, confidentiality, and integrity of information through computer-related criminal activities.

The Indecent Representation of Women (Prohibition) Act governs and forbids the indecent portrayal of women across various media platforms, including audio-visual media, electronic content, and distribution of material on the Internet, aiming to regulate the depiction of women online.

The Cyber Crime Prevention against Women and Children (CCPWC) scheme is implemented to devise effective strategies for addressing cyber crimes targeting women and children in India. It facilitates cybercrime victims in lodging complaints through an online reporting platform.

Furthermore, the platform furnishes information about law enforcement and regulatory agencies at both local and national levels. The CCPWC also conducts awareness programs, starting from schools, as a proactive measure to combat cyber crimes.

Conclusion

As our society increasingly relies on technology, instances of cyber violence are becoming more prevalent, particularly targeting women who are often perceived as vulnerable. Legislation must take proactive steps to combat this trend by imposing stringent penalties on offenders. Additionally, addressing cyber crimes against women requires a concerted effort to raise awareness and enhance understanding of cyber practices, privacy protection measures, and legal safeguards. By fostering greater awareness and knowledge in these areas, we can work towards creating a safer digital environment for everyone, regardless of gender.

Stay Safe!!

Team CyberiumX

Get Started Into Bug Bounty 

Posted on by CyberiumX

A bug bounty is a monetary reward to ethical hackers for successfully discovering and reporting a vulnerability or bug to the application’s owner. Bug bounty programs enable companies to continuously enhance the security of their systems by harnessing the expertise of the hacker community.

The bug bounty process typically commences with asset owners creating programs that offer rewards, such as money or recognition, to individuals who uncover and report security flaws. This practice holds immense significance in cybersecurity as it assists organizations in identifying and fixing security weaknesses before malicious actors exploit them. Here are key reasons emphasizing the importance of bug bounty initiatives:

  • Discovery of Vulnerabilities: Bug bounty hunting plays a crucial role in pinpointing security vulnerabilities that might have been overlooked during development and testing. Identifying these vulnerabilities enables organizations to address them proactively, reducing the risk of potential data breaches or security incidents.
  • Strengthening Security Measures: Embracing proactive bug bounty programs empowers organizations to bolster their entire security framework by discovering and addressing vulnerabilities. This not only helps prevent potential attacks but also safeguards the organization’s reputation in the long run.
  • Building Collaborative Partnerships: Bug bounty initiatives foster opportunities for organizations to forge relationships with security experts and the broader cybersecurity community. Collaborating with bug hunters provides valuable insights into potential threats, enabling joint efforts to create effective solutions.
  • Cost-Effective Security Practices: Proactively identifying and resolving security vulnerabilities through bug bounty programs leads to significant cost savings for organizations. Not only does preventing data breaches and incidents mitigate financial losses, but it also sustains the organization’s credibility and financial stability.

Bug Bounty Programs

A bug bounty program is a rewarding initiative provided by various websites, software creators, and companies. It enables individuals to earn acknowledgment and compensation for identifying bugs, particularly those related to security vulnerabilities and exploits.

Such programs enable developers to detect and fix bugs before they become known to the public, thereby thwarting widespread abuse and data breaches. Many organizations, such as Mozilla, Facebook, Yahoo!, Google, Reddit, Square, and Microsoft have adopted bug bounty programs.

These programs protect systems and provide ethical hackers with an opportunity to explore their capabilities.

How does it work?

When companies launch bounty programs, they must first define the scope of the program and the budget associated with it. The scope defines the types of systems that ethical hackers can test, as well as the procedures for conducting those tests. For example, some organizations limit the domains that ethical hackers can test in, or they mandate that the testing must not interfere with day-to-day operations. This allows security testing to take place without compromising the company’s overall effectiveness, efficiency, and financial performance.

Competitive bug bounties send a message to the hacker community that companies are serious about disclosing vulnerabilities and keeping their security up to date. Bug bounties are based on the severity of the vulnerabilities, with rewards increasing based on their impact.

However, money is not the only factor driving hackers to build their reputations. Other features, such as leaderboards that reward hackers for their findings, also play a role.

Once a hacker finds a bug, he or she submits a disclosure report that details the nature of the bug, its effect on the application, and its severity. The report also includes important steps and details to help developers replicate and validate the bug. Once developers review and validate the bug, they pay the hacker the bug bounty. 

The bug bounty varies depending on the severity of the bug and the company’s policies. Bug reports are prioritized based on the severity and developers work hard to resolve the bug. They then retest the bug to make sure it’s fixed successfully.

Depending on the severity, the bug bounty can range from a couple of thousand to a million dollars, depending on the impact of the bug.

What are Bug Bounty Platforms?

Bug bounty platforms play a crucial role in cybersecurity by acting as middlemen between organizations seeking to enhance their security posture and a community of security researchers interested in identifying vulnerabilities. These platforms offer a structured framework for bug bounty programs, simplifying the process of reporting, verifying, and rewarding security findings. Several well-known bug bounty platforms exist: 

  • HackerOne: Renowned for its extensive network of ethical hackers, HackerOne facilitates vulnerability disclosure and bug bounty programs. It serves as a platform where organizations can engage with ethical hackers to identify security issues. 
  • Bugcrowd: Another notable platform, Bugcrowd allows organizations to set up bug bounty programs and collaborate with security researchers to discover and address vulnerabilities in their systems or applications. 
  • Synack: Synack specializes in crowdsourced security testing, employing a combination of human expertise and machine intelligence to conduct continuous and effective security assessments for organizations. 
  • Intigriti: Operating primarily in Europe, Intigriti connects organizations with a global community of Ethical Hackers to strengthen their cybersecurity defenses through bug bounty programs. 
  • YesWeHack: This platform offers bug bounty and vulnerability coordination services, enabling organizations to partner with security researchers and ethical hackers to identify and address security flaws in their systems. 

Bug bounty platforms typically provide a secure and controlled environment for submitting bugs, assessing their severity, and validating reported vulnerabilities. They also offer guidance on responsible disclosure and ensure that organizations receive structured reports of identified vulnerabilities for swift resolution. Moreover, these platforms often manage the distribution of rewards and facilitate communication channels between organizations and security researchers, fostering collaboration for improved cybersecurity.

How to start into Bug Bounty? 

Starting in bug bounty hunting requires a combination of knowledge, skills, and a strategic approach. Below is a detailed guide on how to begin your bug bounty journey:

Bug Bounty

1. Educational Foundation

a. Learn the Basics:

  • Familiarize yourself with fundamental web technologies (HTML, CSS, JavaScript), networking concepts, and common security vulnerabilities.
  • Study the OWASP Top Ten to understand prevalent web application security risks.

b. Gain Technical Skills:

  • Develop proficiency in using tools such as Burp Suite, OWASP ZAP, Nmap, and Wireshark.
  • Understand how to use programming languages like Python, JavaScript, or PHP, as it will be valuable for scripting and automation.

c. Explore Platforms and Resources:

  • Enroll in online courses, such as those on platforms like Udemy, Coursera, or Pluralsight, that cover ethical hacking and web security.
  • Read books and documentation related to web security and ethical hacking.

2. Setup Your Environment

a. Install Necessary Tools:

  • Set up a virtual lab environment for practicing without risking real systems.
  • Install and configure tools like Burp Suite, OWASP ZAP, a proxy server, and a virtual machine platform like VirtualBox.

b. Build Practical Experience:

  • Practice on intentionally vulnerable platforms like OWASP WebGoat and DVWA (Damn Vulnerable Web Application).
  • Experiment with various tools and techniques in your lab environment.

3. Understand Bug Bounty Platforms

a. Explore Bug Bounty Platforms:

  • Familiarize yourself with popular bug bounty platforms like HackerOne, Bugcrowd, and Synack.
  • Understand the rules, scope, and rewards of different programs.

b. Choose Programs Wisely:

  • Start with programs that have a broader scope and clear guidelines for beginners.
  • Look for programs that align with your interests and expertise.

4. Conduct Reconnaissance

a. Identify Your Target:

  • Choose a target within the scope of a bug bounty program. It could be a website, web application, or API.
  • Use tools like Shodan, Sublist3r, and Google Dorks to gather information about the target.

b. Map Out Attack Surfaces:

  • Identify subdomains, IP addresses, and other attack surfaces using reconnaissance tools.
  • Understand the architecture and technologies used by the target.

5. Bug Hunting Techniques

a. Common Vulnerabilities:

  • Focus on common vulnerabilities like Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), and more.
  • Understand how to identify and exploit these vulnerabilities.

b. Stay Updated:

  • Keep yourself informed about the latest security vulnerabilities, tools, and techniques by following blogs, forums, and social media accounts of security researchers.

6. Reporting and Communication

a. Responsible Disclosure:

  • Understand the responsible disclosure process and adhere to the rules of bug bounty programs.
  • Report vulnerabilities promptly and ethically.

b. Effective Communication:

  • Clearly articulate the details of the reported bug, including steps to reproduce and potential impact.
  • Maintain professional and respectful communication with program owners.

7 .Continuous Learning

a. Expand Your Knowledge:

  • Stay curious and continue learning about new technologies and emerging security threats.
  • Pursue advanced certifications such as OSCP (Offensive Security Certified Professional) for a deeper understanding of penetration testing.

b. Networking:

  • Engage with the bug bounty community by participating in forums, attending conferences, and connecting with other ethical hackers.
  • Learn from experienced researchers and share your experiences with the community.

8. Legal and Ethical Considerations

a. Understand Legal Implications:

  • Familiarize yourself with the legal aspects of bug bounty hunting in your jurisdiction.
  • Adhere to ethical guidelines and respect the rules set by bug bounty programs.

b. Responsible Conduct:

  • Ensure that your testing activities are within the scope defined by the program.
  • Avoid causing harm to systems and data that are outside the agreed-upon scope.

9. Celebrate Success and Learn from Failures

a. Document Success Stories:

  • Keep a record of successful bug submissions, including write-ups and details of your findings.
  • Share your experiences through blog posts or on social media.

b. Learn from Failures:

  • Not every attempt will result in a successful bug discovery. Learn from failures, adapt your strategies, and persist in your efforts.

By following these steps and maintaining a commitment to learning and ethical behavior, you can embark on a successful bug bounty hunting journey. Remember that bug bounty hunting is a continuous process of improvement, and each discovery contributes to your growth as a security professional.

Bug Bounty Best Practices

  • Master Automation: Utilize scripts and automation tools to streamline your testing process.
  • Understand Business Logic: Think like an attacker and understand the business logic behind applications.
  • Learn to Read Code: Develop the ability to review and understand code for better vulnerability identification.
  • Explore Mobile Security: Extend your skills to identify vulnerabilities in mobile applications.
  • Test for Logic Flaws: Go beyond common vulnerabilities and explore logical flaws in applications.
  • Practice Responsible Full Disclosure: Respect disclosure timelines and communicate responsibly with vendors.
  • Engage with the Community: Participate actively in bug bounty forums, discussions, and collaboration.
  • Focus on High Impact: Prioritize findings with significant security implications for the target.

Conclusion

In conclusion, bug bounty programs serve as crucial pillars in bolstering the cybersecurity stance of contemporary organizations. They harness the expertise of ethical hackers and security researchers to proactively detect and address vulnerabilities, thwarting potential exploitation by malicious entities. These initiatives not only strengthen security measures but also cultivate a culture of ongoing enhancement and awareness against evolving threats through collaborative endeavors. Additionally, bug bounty platforms facilitate efficient communication and cooperation between organizations and the cybersecurity community, expediting the process of reporting and resolving security issues. By adhering to best practices and upholding ethical standards, individuals can engage in bug bounty hunting, contributing significantly to safeguarding digital assets and maintaining trust in the digital realm.

Stay Safe !!

Team CyberiumX

Strategies To Crack CC Exam- ISC2

Posted on by CyberiumX

Hello Folks!
In this blog, we will be understanding the process of achieving Certified in Cybersecurity Certification by (ISC)2. We will be providing all the resources you need to clear this exam and become a part of the (ISC)2 community.

In our previous blog on ‘Free Certified in Cybersecurity Certification by (ISC)2’ we discussed the enrollment process for this free certificate offered by (ISC)2 to promote Cybersecurity throughout the world. You can check out the blog to know everything about this certification exam.

Before moving forward, let us assure you that encountering posts where individuals share their exam failures should not demotivate you. The exam is manageable, and there’s no need to worry excessively. However, it is crucial to engage with a variety of learning resources to grasp the concepts thoroughly. During the exam, a majority of the questions appeared easier compared to the post-assessment questions. Remember, success is attainable with diligent preparation and a commitment to understanding the core concepts. Stay with us until the conclusion of this blog, and we guarantee your success in passing the exam.

Resources for CC exam of (ISC)2

Pre-requisites for CC exam

Before beginning with the CC certification course, it is recommended to have a basic understanding of Hardware and Networking as this course will not cover these concepts. You can check out the playlists for CompTIA 220-1101 A+ Training Course and CompTIA Security+ SY0-601 Training Course available on Professor Messer YouTube channel.
Please make sure you understand the following concepts:

  • Master the OSI Model, including the number of layers, the protocols/devices associated with each layer, and the terminology used for data at different layers (bits, frames, packets, segments). Additionally, familiarize yourself with TCP/IP.
  • Acquire comprehensive knowledge about various network devices, such as routers, switches, SIEM, VLAN, VPN, DMZ, NAT, firewalls, IPS/IDS, NIDS/HIDS, and client-server configurations. Understand the distinctions between IPv4 and IPv6.

ISC2 Self-Paced Training for CC

You can get free self-paced training and assessments for the Certified in Cybersecurity course on the (ISC)2 website using which you can prepare for this exam. You can check the course details for Self-Paced Online Training. But this free training is not enough to clear the exam. We will discuss some other resources later in this blog but first let’s understand how we can apply for this free training in the following steps:

1. Visit Online Self-Paced Training where you need to click on ‘Register Now’ under SELF-PACED + EXAM (U.S. $0)

0. register now

2. Now, click on the ‘sign in’ which will then ask you for your credentials. After logging in, you might be asked to submit your details for the (ISC)2 candidate application form if not filled out earlier while registering with (ISC)2.

0.1 need to fill information

3. After providing all the details, you will be registered as (ISC)2 candidate. Now, you will have access to Exclusive Benefits and discounts offered by (ISC)2.

4. Click on Official ISC2 Online Self-Paced Training for Certified in Cybersecurity (CC). You will be redirected to details of the free training. Click on the ‘Enroll in free training’ button.

5. You will find your Shopping Cart in which the self-paced training is added for $0. Click on ‘Checkout’ to enroll for this training.

3. Shopping cart for free training

6. After enrollment, you can finally access your (ISC)2 Course Dashboard where you will find your Official ISC2 CC Online Self-Paced Training.

Begin by engaging in the pre-assessment, proceed with the self-paced training, and then solve the post-assessment. Repeat the post-assessment until you grasp the majority of the concepts. Some of these questions may appear in your exam, so ensure thorough understanding. Enhance your learning by taking handwritten notes, as this helps in memory retention.

Resources available on other platforms.

GitHub- On our Official GitHub repository, you can find the Book for CC certification exam, chapter-wise summary notes, official flashcards, and access to sample questions with some other resources. These resources will help you to clear the certification exam.

YouTube- On YouTube, you can watch playlists of Prabh Nair and CyberSecurity channels. These playlists will provide you with detailed explanations of concepts asked in the CC exam.

LinkedIn- You can refer to Mike Chapels Notes whose Cert Prep: ISC2 Certified in Cybersecurity (CC) course is available on LinkedIn. These notes will be useful for your revision of the topics. Ensure to generate your notes, as they will prove to be more beneficial.

Udemy- If you guys want to go for some paid Udemy courses then you must check out Thor Pedersen’s Udemy course and Paulo Carrieria & Andree Miranda Udemy practice exams. These courses will provide you with a deep understanding of this certification exam and also will help you with practice questions that might appear in your exam.

This concludes with all the essential resources needed to successfully clear the Certified in Cybersecurity certification exam. Please schedule your exam with enough time for preparation and practice. Also, remember to tackle the multiple-choice questions (MCQs) in the final 1-2 weeks before the exam to understand the question patterns and difficulty levels.

If you have any questions or concerns, feel free to leave a comment, and we’ll respond to you. CyberiumX wishes you the best of luck with your exam.

Regards,
Team CyberiumX

Courier Scam Alert! New in the Market

Posted on by CyberiumX

The digital transformation in India has marked substantial advancements and enhanced convenience in our daily lives; however, it has come at a price. The surge in connectivity and access to digital platforms has also paved the way for emerging online scams.

An alarming new fraudulent scheme is spreading through metropolitan areas, causing financial distress for unsuspecting individuals in India. Scammers, posing as customs officials, have managed to deceive people out of large sums of money through a clever ploy known as the ‘Courier Scam‘. This growing threat includes the impersonation of police officers or NCRB agents, falsely accusing victims of engaging in unlawful parcel activities. Targeting predominantly individuals aged 35 to 50, this scam has resulted in hundreds of reported cases this year, causing substantial financial hardships.

Residents have been cautioned by the police to stay vigilant against a recent surge in cyber fraud. In this deceptive trend, unsuspecting individuals are manipulated by callers who falsely assert that their parcel has been seized by authorities due to the presence of illegal items. The callers, posing as courier company personnel or even “customs officers”, induce a sense of urgency, demanding immediate payment to resolve the alleged issue and avoid prosecution. Once the payment is made, the fraudulent callers disappear.

Courier Scam

How the Courier Scam Works

Within the complex framework of the courier scam, culprits assume the identity of customs officials and reach out to their targets via phone. They make unfounded claims about the victim’s participation in the dispatch or receipt of parcels containing illicit substances. Masquerading as police officers, these scammers instill a sense of impending arrest, pressuring victims to resolve fabricated charges by providing monetary compensation. Employing psychological tactics, they extract personal identification and banking information, frequently demanding Aadhaar details and bank particulars.

Another method of operation starts with a missed call. When recipients call back, they are guided to an automated voice message presenting itself as a courier company’s helpline. The caller, pretending to be a Mumbai police officer, alleges the detection of illegal drugs in a parcel sent to the victim’s address and proceeds to extort payments through blackmail.

Real-life Incident

Arun Kumar, a 40-year-old executive, fell prey to a scam after receiving a call from an unknown number claiming to be a FedEx representative on November 8. The caller alleged that a parcel addressed to Arun, intended for Thailand, was returned by FedEx due to a false address and containing illegal items. Shockingly, the caller detailed the parcel’s contents, including passports, credit cards, cash, clothes, and a drug called MDMA. Feeling alarmed at the misuse of his identity, Arun was coerced into filing an immediate complaint with the Mumbai Cyber Crime Wing.

The situation escalated as the caller connected Arun to a person claiming to be the DCP of Cyber Crime, Mumbai. This individual instructed Arun to use Skype to record the conversation, seemingly from the Mumbai Cyber Crime Police. In a suspicious turn, Arun was asked to move to a separate room for the discussion. The scam took a financial toll when the caller requested Arun to transfer ₹62.99 lakh to a specified bank account, emphasizing secrecy until the RTGS transfer was completed. Despite assurances of a refund, Arun realized he had been duped when the scammers did not answer his calls on Skype, and all evidence was deleted.

Warnings Against These Rising Scam

The incidence of courier scams is increasing, prompting authorities to issue warnings and advice heightened vigilance against fraudulent calls. Banks and law enforcement are actively investigating these cases, along with other prevalent cyber frauds such as Aadhaar Enabled Payment Services fraud, WhatsApp sextortion, and online job scams.

Scammers focus on individuals with high incomes, asserting that they can “digitally arrest” the victim, alleging a warrant due to contraband in a parcel. They may even send a fake warrant on WhatsApp. Initially, some fraudsters gather login credentials for bank accounts, mutual funds, or fixed deposits without immediately seeking money. Subsequently, they instruct the victim to install Skype, intensifying fear before extracting money.

In alternate scenarios, the scammer utilized the KYC details acquired from the victim to secure immediate pre-approved loans. Subsequently, the victim was coerced into transferring the approved loan amount to the fraudster’s accounts. In the past year, Cyber Crime units in Tamil Nadu received over 650 complaints related to courier fraud. An investigation is underway to trace the suspects operating across various states. Police recommend individuals harassed by cyber fraud calls to report suspicious phone numbers on the National Cyber Crime Reporting Portal.

Important Tips to Stay Safe

  1. Avoid disclosing personal information over the phone or email like OTPs, Aadhaar numbers, or bank details.
  2. Be cautious when handling unfamiliar calls from individuals claiming to be officials, and refrain from returning calls to suspicious contacts.
  3. Verify the caller’s legitimacy through official sources before disclosing any information.
  4. Avoid transferring money via wire or using gift cards for payment, as scammers often exploit these methods. Additionally, refrain from clicking on suspicious links to mitigate potential security threats.
  5. Report any scam attempts to the authorities promptly as it aids in identifying scammers and prevents further victimization.
  6. Act cautiously, gather information, and consult trusted individuals before engaging in transactions to minimize the risk of falling victim to scams.

If you believe you’ve fallen victim to a similar fraudulent scheme or have encountered suspicious activity, it is essential to act promptly. Take the following steps:
Report the incident by calling the Cyber Crime Toll-Free Helpline at 1930 or file a complaint at www.cybercrime.gov.in; get in touch with the relevant platform where the fraudulent activity occurred; and furnish them with all relevant details, including the scammer’s profile information, messages, and any evidence you’ve gathered.

In the ever-evolving landscape of the courier scam, staying well-informed and implementing preventive measures is crucial. Vigilance and awareness are the fundamental keys to protecting oneself from this expanding digital threat.

For those interested in staying informed about recent scams, we invite you to explore our latest articles on the Pig Butchering Scam and QR Codes Scam, featured on our website.

Stay Safe !!

Team CyberiumX

Zero-Day Vulnerability – Update Chrome Now!

Posted on by CyberiumX

Hello Folks!

A critical zero-day vulnerability has struck Google Chrome, a widely used web browser with millions of users worldwide. The vulnerability, identified as CVE-2024-0519, poses a significant threat to Google Chrome users as it has already been exploited in real-world scenarios.

The flaw resides in Chrome’s V8 JavaScript and WebAssembly engine, presenting a serious risk of security breaches, including unauthorized access to sensitive data. Essentially, CVE-2024-0519 is an out-of-bounds memory access vulnerability, allowing attackers to read portions of memory that should be restricted. This could result in severe consequences, such as acquiring sensitive data or circumventing security mechanisms like Address Space Layout Randomization (ASLR).

Impacts of CVE-2024-0519

The CVE-2024-0519 zero-day vulnerability in Google Chrome has several potential impacts, both for individual users and the broader cybersecurity landscape. Let’s look into some key impacts of this vulnerability:

  • Data Breach Risk: The vulnerability allows attackers to perform unauthorized memory access, potentially leading to the exposure of sensitive information. Attackers could exploit the flaw to access data beyond the memory buffer, increasing the risk of a data breach.
  • System Stability and Crash Risk: The out-of-bounds memory access issue may cause a system crash or segmentation fault, impacting the stability of affected systems.
  • Code Execution: The vulnerability could be exploited to execute arbitrary code on compromised devices, giving attackers control over the affected system.
  • Circumvention of Security Mechanisms: The flaw could be used to bypass security mechanisms such as ASLR (Address Space Layout Randomization), making it easier for attackers to exploit other vulnerabilities.

Google has released the patch for this vulnerability which you can check here.

How to confirm whether Chrome is updated or not?

Users are encouraged to promptly update their Chrome browsers to ensure they are using the latest version. This can be done using the following steps:

  1. Open your Google Chrome browser and go to Settings.
  2. In the left-hand bottom, you will find a button ‘About Chrome’, which will provide you with the current version of your Chrome application. Ensure it should be 120.0.6099.234 for Mac, 120.0.6099.224 for Linux, and 120.0.6099.224/225 for Windows Operating systems.
  3. If your current version of Chrome is less than the above-mentioned value, then you need to update your Chrome ASAP.1. google0day00
  4. To update Chrome to the latest version, you can search for updates on the search bar. 2.google0day0
  5. Under ‘Safety check’ you will find a button ‘Check now’. Just click on it to start the update process.
  6. The update process will take some time to complete and install the new updates, Chrome will ask you to relaunch the browser to complete the update process for which you have to click on the ‘Relaunch’ button.3.google0day2
  7. Now after Chrome is relaunched, we need to again go to Settings and click on the ‘About Chrome’ button. Now you will find that your version of Chrome has been updated to the latest version which was mentioned above in the 2nd step.4. google0day3

We hope that you guys have updated Chrome to the latest version. If you find any problems, please comment here and we’ll get back to you shortly.

Stay Safe !!
Team CyberiumX

Free Certified in Cybersecurity Certification by (ISC)2

Posted on by CyberiumX

Hello folks,
In this blog, we will be discussing one of the most popular certificates for beginners in the field of Cybersecurity. The name of the certification is Certified in Cybersecurity (CC) which is provided by (ISC)2 organization.
ISC2 is providing its free registration for Certified in Cybersecurity certification exam. This certification can help you to enter the Cybersecurity domain that has limitless opportunities throughout the world.
If you want to get this certification for no cost, please follow this blog which will help you to register as well as book an appointment to sit for this exam.

About (ISC)2

International Information System Security Certification Consortium, popularly known as (ISC)2, is an organization devoted to the field of cybersecurity. The organization’s motive is to strengthen the security of companies by promoting Cybersecurity and providing good certification courses to build knowledgeable and highly skilled cybersecurity professionals. The most popular certifications of (ISC)2 are Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), Certified Authorization Professional (CAP) and many more. Also, they have a beginner level certification recognized as Certified in Cybersecurity (CC) which will help you to provide the first step to advance your career in cybersecurity domain. This certification is available for free under a global initiative ‘One Million Certified in Cybersecurity’ taken by (ISC)2 organization.

Overview of Certified in Cybersecurity (CC) Certification

Certified in Cybersecurity course and exam is an entry level certification which will provide you skills and knowledge to begin your career in the cybersecurity domain. This certification requires no work experience. Upon successful completion, the certification serves as evidence of your skills, knowledge, and qualifications suitable for a junior or entry-level position in cybersecurity.
The CC exam will test your ability on the following five domains of cybersecurity:

  1. Security Principles
  2. Business Continuity, Disaster Recovery & Incident Response Concepts
  3. Access Controls Concepts
  4. Network Security
  5. Security Operations

Examination information for Certified in Cybersecurity certification

  1. Duration of Exam- 2 hours
  2. Number of MCQs- 100
  3. Passing Percentage- 70%
  4. Examination Center- Pearson VUE

The domain weightage is as follows:

  1. Security Principles- 26%
  2. Network Security- 24%
  3. Access Controls Concepts- 22%
  4. Security Operations- 18%
  5. Business Continuity, Disaster Recovery & Incident Response Concepts- 10%

You can read the PDF provided by (ISC)2 for more details.

Process of Registration

Now, let’s see how to register and become an (ICS)2 Candidate:
1. Visit the (ISC)2 website where you will find the Registration URL to create a new account.
2. On the registration page, you have to provide your details such as Name, Email and Strong Password.

1. Register

3. After creating your account, you will be redirected to Pearson VUE portal where you have to provide some other information such as Address, Phone number, Education details, Job related information, etc.

2. PearsonVUE

4. Your account will be created once your details are submitted. Now you will be redirected to the Dashboard of  ‘Pearson VUE’.

Process of Exam Scheduling

1. On the Pearson VUE Dashboard, click on View Exam button in order to schedule your CC exam.

3. vue dashboard

2. Select the Certified in Cybersecurity (CC) exam from the list.

4. Choose the exam name

3. Next step is to choose a suitable Language for the exam. You can choose English as your preferred language.
4. Next step is to confirm the exam selection. You can click on Next after confirming the exam that you have selected.
5. Now you have to read the Terms & Conditions of (ISC)2 exam. You can read the guidelines for the exam, reschedule and cancellation policies and then click on Next.
6. In the next step, you have to select an appropriate Pearson VUE Test Center. By default you will be provided with a list of test centers which are near to your home/office location that you have provided while registration. Select any one location where you want to schedule your exam.
7. Now you will be asked to select Date & Time for your exam. You can select a date after 2-3 months as per your convenience. You can click on ‘Explore more times’ to look for other available time for any specific date. Please make sure you have enough time to prepare for this exam. After selecting the Date & Time, you can click on Book this Appointment.

5. Exam date and time

8. Now you will be redirected to your cart where you will find the CC exam is added and the amount for this exam which should be USD 199 (excluding taxes). Please don’t worry as you have to apply for the free coupon for this exam on the checkout page. You can click on Proceed.
9. In the Payment and Billing page, you have an option to ‘Add Voucher or Promo Code’ where we can provide an available Voucher for a free exam. The current voucher as per 2024 year is ‘CC1M12312024’. This voucher is valid till 31 December 2024. Please make sure to search on social media platforms of (ISC)2 for the appropriate voucher as per your exam. Finally click on Apply.

6. Apply promocode

10. You will find that the cost of the exam is reduced to USD 0. Now click on Next.

7. Free

11. You will reach the final page where you can confirm your details and book your exam for free.
12. You will receive an Email from Pearson VUE for your exam schedule.

We hope that the procedure is clear to you guys and we extend our best wishes as you prepare for this exam. If you have any questions about the procedure or require assistance in preparing for the certification exam, feel free to leave a comment, and we will ensure you receive the necessary support.

Keep Learning !!
Team CyberiumX

Pig Butchering Scam – Growing Concern!

Posted on by CyberiumX

A Pig Butchering Scam, as its name suggests, involves gaining the victim’s trust before exploiting them. Scammers use fake profiles to establish a sense of trust, leveraging emotions like love and friendship. They then manipulate this trust to persuade individuals into sending money for purported job offers or high-return investments, ultimately swindling them. These scams transcend borders, exhibiting a vast global reach and impactful scale.

It is essentially a form of cyber fraud aimed at individuals through deceptive online communications, persuading them to engage in counterfeit investment schemes.

The strategy employed by these ‘pig butchers’ involves creating false identities to gain the confidence of targets. These scammers exploit the guise of ‘love and companionship’ to establish trust before enticing victims into sending funds for fictitious job opportunities or high-yield investments, ultimately absconding with the money. These fraudulent activities span globally, showcasing their extensive reach and impact.

How Does These Scams Work?

Fraudsters use deceptive profiles to deceive people into believing they are in a relationship. They use false love and friendship to gain the trust of people all over the world. These scams extend across borders, countries, and continents. The scale of these scams is mind-boggling, and it’s easy to see how they can affect people all around the world.

These scams become even more heartless due to the possibility that the scammers themselves might have been victims of a different scam. Numerous individuals are ensnared by deceptive offers for international jobs from unscrupulous organizations. Once they relocate, they find themselves trapped and coerced into deceiving people from India. This coercion involves establishing trust through social media platforms, often employing fake profiles portraying individuals of the opposite gender.

How it starts ?

The Pig Butchering scam, a tangled scheme of deception, progresses through 11 intricately planned stages, guiding victims along a perilous journey.

  1. Initiation: Fake social media profiles are created by fraudsters to hide their real identity behind a facade.
  2. Targeting: Scammers carefully select their victims from databases, use tailored strategies, and use the information they gather to target and exploit weak spots.
  3. Enticement: Intriguing content, compelling stories, or enticing photos serve as the initial bait, strategically designed to captivate victims..
  4. Building Trust: Scammers use conversation and skillful deception to create a false sense of trust, using emotions and creating fake relationships.
  5. Narrative Construction: They tell stories of wealth and success using crypto investments, and lure their victims with the promise of wealth and success.
  6. Initial Investment: They lure victims in, lure them into the trap, lure them into making small investments on fake platforms, and hide the fraud behind an illusion of legitimacy.
  7. Early Gains: They offer small profits to entice their victims, create a false sense of security and bolster their faith in the legitimacy of the scam, driving them further into the trap.
  8. Encouragement: Encouraging victims to increase their investments, the scammers offer collaboration and exaggerated returns, further embedding victims into the deceitful trap.
  9. Validation and Reinforcement: Consistent profits reinforce trust, cementing the illusion of a prosperous venture and intensifying the victim’s belief in the scam’s authenticity.
  10. Entanglement and Trapping: Utilizing fear of missing out (FOMO) tactics, scammers demand additional funds under various pretexts, trapping victims in a cycle of financial entrapment.
  11. Vanishing Act: Abruptly disappearing without a trace, scammers vanish, leaving behind shattered trust, immense financial losses, and a haunting realization of the scam’s devastating impact.

This complex process shows the intentional use of trust, emotion, and ambition, leaving victims in turmoil, dealing with overwhelming emotional pain and devastating financial loss.

How to safeguard yourself from ‘pig butchering scams’?

In an era of growing digital reliance, online scams like phishing, fake investments, and shopping frauds have surged, exploiting vulnerabilities in our digital interactions. A recent addition to these threats is the ‘Pig Butchering Scam.’ To shield yourself from such risks, here are key protective measures:

Vigilance in Messaging
Exercise caution when encountering unfamiliar messages on WhatsApp, social media platforms, and dating apps, refraining from responding to unknown contacts.

Caution with Downloads and Links
Be wary if prompted to download new applications or click on links, as this action may signify potential risks or threats.

Emotional Manipulation Awareness
Stay vigilant against emotional manipulation—these scams prey on hopes, fears, dreams, and greed. Take your time to assess before reacting.

Calm and Deliberate Responses
Maintain composure and avoid hurried reactions, as impulsive responses often contribute to falling victim to these fraudulent schemes.

Seeking Proper Guidance
When in doubt, seek guidance and support from the nearest police station or consider consulting a legal professional for assistance.

Cautionary Red Flags
Exercise caution if someone guarantees lucrative job opportunities, promises high returns, or requests monetary transactions from you.

Protection of Personal Information
Refrain from divulging sensitive personal data such as Aadhaar, passport details, or intricate financial specifics like bank and investment details to unknown sources.

Conclusion

In conclusion, safeguarding oneself against fraudulent schemes like the Pig Butchering scam requires a vigilant and cautious approach. By heeding these guidelines—being wary of unfamiliar messages, avoiding impulsive actions, staying alert to emotional manipulation, and safeguarding personal information—one can significantly reduce the risk of falling victim to such deceptive tactics. Seeking guidance from authorities or legal experts when uncertain and remaining composed during interactions with unknown entities further fortifies one’s defenses. Ultimately, staying informed, maintaining a critical mindset, and exercising prudence in online interactions serve as vital shields against these intricate and damaging scams, preserving both financial security and peace of mind.

Please check out our other blogs.

Stay Safe !!!

Team CyberiumX

QR Codes- A Gateway To Risk

Posted on by CyberiumX

Quick Response (QR) codes are among the most common tech-related codes used in business and marketing today. It has become increasingly popular due to its ability to be used in various contexts, such as grocery shopping, restaurant dining, airport gate location, event entry, television viewing, and even street shopping like vegetable or fruit vendors. These QR codes have become a convenient and efficient substitute for paper documents, enabling users to access information quickly and easily through their smartphones.

QR code attack

How Has It Become So Popular?

During the pandemic, the popularity of QR codes skyrocketed as businesses raced to develop contactless ways to do business, and it looks like they won’t be slowing down anytime soon. That’s why you need to be aware that these black and white checkerboards may look harmless, and most of the time they are, but they can also be used for nefarious purposes.

QR codes are an essential part of the contactless world. They make it easy to do everything from shopping to dining at restaurants with minimal physical contact. But their use also raises privacy and security concerns. QR codes are primarily used for convenience, providing a quick way to access data or complete transactions on your smartphone. But there is a downside to their use: misuse.

As these pixelated icons keep popping up in our daily lives, it’s important for us to be aware of them. Most of the time, QR codes are legit and harmless, but there are times when they can be used for bad reasons. Being aware of them can help reduce their associated risks, making the digital world safer for everyone.

How Hackers Exploit QR Codes

In recent years, people have become increasingly comfortable scanning QR codes with their phones to carry out various tasks, often without much consideration. Cybercriminals, who tend to follow trends, are capitalizing on the widespread use and casual acceptance of QR codes. They exploit this by employing different methods to steal money, personal information, or identity. These attacks, known as “quishing” are a form of social engineering where malicious actors deceive individuals using QR codes.
Quishing is the process of using a QR code on a mobile phone to deceive someone into clicking on a malicious website. The QR code then directs the victim to a malicious website that can be used to download malware or collect personal information.

QR code attacks

A prevalent quishing attack involves directing individuals to a counterfeit website, often resembling a trustworthy entity like a bank or an online store. On these deceptive sites, users are prompted to log in to access supposed additional information. However, this tactic represents just one facet of the various ways QR codes can be exploited for malicious purposes. 

It is crucial for users to exercise caution and be aware of the potential risks associated with scanning QR codes. These codes might also be used to execute different schemes, such as redirecting users to phishing websites, spreading malware, or even initiating unauthorized transactions. Therefore, before reaching for your phone and scanning a QR code. it is important to be aware that QR codes could also be used for the following purposes before you take out your phone and scan them:

Automatic Content Downloads: QR codes can automatically download various content, including photos, and documents, but also malicious software like malware, ransomware, and spyware, onto your devices.

Connection to Deceptive Wireless Networks: QR codes may contain Wi-Fi network information such as name (SSID), encryption details, or no encryption at all, along with passwords. Hackers can intercept data by tricking you into connecting to a rogue wireless network when scanned.

Initiating Phone Calls: Cybercriminals can create QR codes that make your phone call a seemingly legitimate business. Once dialed, these scammers may request personal or financial information, or add your number to a spam list for future unwanted calls.

Sending Emails or Text Messages: Scanned QR codes can compose emails or text messages without your knowledge, potentially adding your email address or phone number to spam lists or making you a target for phishing attacks.

Digital Payment Transactions: QR codes are used for digital payments through platforms like PayPal or Venmo. Scanning a malicious QR code can lead to unauthorized or fraudulent transactions, compromising financial security.

Best Practices To Mitigate QR Code Vulnerabilities

In our digital era, QR codes have become indispensable, yet their convenience should not overshadow the need for heightened awareness and proactive cybersecurity measures. Safeguarding against quishing attacks, individuals must remain vigilant. It is imperative to verify the authenticity of QR codes before scanning them, ensuring they originate from trusted sources. Implementing robust security protocols, regular system checks, and educating users about potential risks are vital steps. People can significantly reduce their vulnerability to quishing attacks by fostering awareness and encouraging cautious behavior. Following are the practices that every individual should consider to protect themselves from associated QR code risks:

Verify Web Address Authenticity:

Examine the web address after scanning the QR code to confirm that it corresponds to the desired website and is authentic. Monitor the URL for any errors or inconsistencies.

Exercise Caution with Personal Information:

If you’re using a QR code to access a website, be careful not to give out any personal or financial info like login info or financial info. Exercise caution to protect your personal and financial security.

Ensure Physical QR Code Integrity:

When scanning a QR code from a sign, window, or placard, make sure it hasn’t been tampered with. Examining its integrity ensures you are accessing authentic and trustworthy content.

Use Official App Stores for Downloads:

Do not download apps directly from QR codes. Instead, rely on your phone’s official app store for secure downloads. This reduces the risk of downloading malicious software onto your device.

Verify Payment Requests:

If prompted to complete a payment via a QR code, call the company directly to verify the request’s authenticity. Avoid making payments without confirming the legitimacy of the transaction.

Avoid QR Code Scanner App Downloads:

Avoid downloading apps that have their own QR code scanner, since it’s more likely that you’ll get malware. Most phones have QR codes built into their cameras, so you don’t have to worry about that.

Confirm QR Codes from Known Contacts:

If you get a QR Code from a friend or family member, contact them using a trusted phone number or e-mail address to verify the authenticity of the QR code. Verifying who the sender is can help protect you from scammers or phishing emails.

What Steps To Take If You Fall Victim To A QR Code Scam

If you’ve fallen victim to QR code fraud and suspect your bank account is compromised, we highly advise following these steps to minimize the impact:

Secure Your Finances:

Immediately contact your bank to temporarily block your account. Taking swift action prevents scammers from emptying your account and safeguards your funds from unauthorized access.

Conduct a Security Check:

Run a thorough virus scan on your device to ensure that the malicious URL hidden in the QR code did not introduce any malware. Identifying and removing potential threats is crucial to protecting your digital security.

Update Passwords:

If the QR code led you to a phishing website where you entered personal information and passwords, change these passwords promptly. Extend this action to any other accounts where you used the same passwords. Utilize strong, unique passwords for enhanced security across your accounts.

Report the Scam:

If the scam occurred on a website, online marketplace, or app, report the scammer’s username on the respective platform. Additionally, report the incident on a scam alert website, such as the Better Business Bureau’s site. This proactive step assists others in avoiding falling victim to the same deceitful tactics.

Pursue Legal Action:

Consider pressing charges against the criminals responsible for the scam. Reach out to your local police office or the national cybercrime report center to initiate legal proceedings. For European citizens, refer to Europol’s website for a list of platforms to report cybercrime. If you’re a US citizen, contact the IC3 (Internet Crime Complaint Center) to report the incident officially. Taking legal action contributes to deterring future scams and upholding online security standards.

Conclusion

In conclusion, the increasing comfort and prevalence of QR code usage have inadvertently created an avenue for cybercriminals to exploit and conduct quishing attacks. These deceptive practices underscore the importance of maintaining vigilance and security awareness while using QR codes to protect against potential threats and safeguard personal information and assets.

As QR codes continue to play a significant role in our daily activities, it’s essential to acknowledge the potential risks associated with their use. Cybercriminals are quick to adapt to the latest trends, and the rise of quishing attacks serves as a stark reminder of the need for heightened cybersecurity awareness. As users, it’s crucial to remain cautious and exercise due diligence when scanning QR codes, especially when they lead to unfamiliar websites or requests for personal information. By doing so, we can help safeguard our digital lives and ensure a safer and more secure QR code experience.

Please check out our other blogs.

Stay Safe !!!

Team CyberiumX