Clean malware from a WordPress website in 2019

These days a lot of WordPress websites are getting infected by malware and adware. What these infections typically do is redirect visitors of the WordPress site to some random third-party website full of ads, or sometimes spread a virus or other malicious files to the visitors. This mostly happens because the creators of WordPress-based websites are often beginners who don't know much about security.

Last month a person reached out to me saying that his WordPress website was infected and asked me to help him out. When I checked the website I found that an attacker had added a few lines of code to his website which redirected visitors to some other website. You might be wondering what the attacker gains by doing this.

Well, the attacker redirects the visitor to his malicious website which is full of ads, and if he redirects about 10,000 visitors per day, he will earn a good amount of money. So when this person gave me access to his website, I first looked into how the site got infected.

Here is how his website got infected:

He used a very weak and well-known username and password. There are attackers who run scripts that automatically scan for WordPress-based websites and try random passwords, and if they get access they automatically insert the code. The same thing was happening in this case too. So I quickly removed the malicious code and changed the password, and things got back to normal.
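The scripted password guessing described above leaves a clear trace in the web server's access log: one address POSTing to wp-login.php (or xmlrpc.php) far more often than any human would. The following Python script is an added example, not code from the post, that finds such bursts in combined-format access log lines. The log lines it runs on are constructed samples; the threshold and window values are assumptions to tune for your own traffic. It also reports whether a 302 (WordPress's redirect on a successful login) follows the burst, which is the case worth treating as a probable compromise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints that WordPress password-guessing scripts hammer.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Apache/nginx "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_login_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: summary} for source IPs that POST to a login endpoint more than
    `threshold` times inside any sliding `window`.  A 302 from wp-login.php is the
    redirect WordPress sends on a *successful* login, so it is reported separately."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            posts[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):            # two-pointer sliding window
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = {
                "attempts": len(recs),
                "peak_in_window": peak,
                "success_after_burst": any(r["status"] == 302 for r in recs),
            }
    return flagged


def build_sample_log():
    """Constructed sample log (not taken from the post): one scripted attacker
    hammering wp-login.php, plus ordinary traffic from two other addresses."""
    tmpl = ('{ip} - - [03/Mar/2019:10:{mm:02d}:{ss:02d} +0000] '
            '"{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')
    lines = [
        tmpl.format(ip="198.51.100.5", mm=14, ss=30, method="GET", path="/", status=200),
        # a legitimate user: one failed attempt (200), then success (302)
        tmpl.format(ip="192.0.2.9", mm=14, ss=45, method="POST", path="/wp-login.php", status=200),
        tmpl.format(ip="192.0.2.9", mm=15, ss=2, method="POST", path="/wp-login.php", status=302),
    ]
    for i in range(12):  # twelve failed logins ten seconds apart
        lines.append(tmpl.format(ip="203.0.113.7", mm=15 + (i * 10) // 60, ss=(i * 10) % 60,
                                 method="POST", path="/wp-login.php", status=200))
    # ...followed by a 302: the guessing succeeded
    lines.append(tmpl.format(ip="203.0.113.7", mm=17, ss=5,
                             method="POST", path="/wp-login.php", status=302))
    return lines


if __name__ == "__main__":
    for ip, info in find_login_bursts(build_sample_log()).items():
        print(ip, info)
```

Feed it a real log with `find_login_bursts(open("access.log"))`; the legitimate user with two posts is never flagged, while the scripted source is, and the `success_after_burst` flag tells you which flagged addresses need an immediate password reset and file review rather than just a firewall block.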

If your WordPress website ever gets infected by malware, here is how you can clean it:

Scan your Website

This is a very important step. Here you need to first scan your website to see if there is any backdoor or vulnerability in it. Scan your website to see if it redirects to some other website. Also, check whether you are using the latest version of WordPress.
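Online scanners only see what the site serves to a visitor; the injected lines themselves live in the PHP and theme files on disk. The following Python script is an added example, not code from the post, that walks a WordPress install and flags files carrying the usual signs of injection: `eval()` over a decoded blob, very long base64 strings, and off-site redirects like the one described above. The indicator names and the sample files it builds are constructed for the example; treat every hit as something to open and read, because legitimate plugins and CDN includes will also trip some of these patterns.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators frequently seen in injected WordPress files.  These are triage
# signals: a hit means "look at this file", not "this file is malware".
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_blob": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long_base64_string": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "js_offsite_redirect": re.compile(
        r"(?:window\.location|document\.location|location\.href)\s*=\s*['\"]https?://", re.I),
    "php_offsite_redirect": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
    "meta_refresh_offsite": re.compile(
        r"<meta[^>]+http-equiv=['\"]refresh['\"][^>]*url=https?://", re.I),
    "remote_script_include": re.compile(r"<script[^>]+src=['\"]https?://", re.I),
}
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}


def scan_file(path):
    """Return a list of (indicator, line_number) hits for one file."""
    hits = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return hits
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def scan_tree(root):
    """Walk a WordPress install and map each flagged file (POSIX path relative
    to the install root) to its list of hits."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if p.suffix.lower() in SCAN_EXTENSIONS:
                hits = scan_file(p)
                if hits:
                    findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample_site(root):
    """Write a tiny constructed WordPress-like tree: one clean theme file and one
    file carrying an injected off-site redirect (sample content, not real malware)."""
    theme = Path(root) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text(
        "<?php\nadd_action('wp_head', function () { echo '<!-- demo -->'; });\n")
    (theme / "footer.php").write_text(
        "<footer>demo</footer>\n"
        "<script>window.location = 'http://ads.example.invalid/';</script>\n")


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_site(d)
        return scan_tree(d)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for name, lineno in hits:
            print(f"  line {lineno}: {name}")
```

Run `scan_tree("/home/user/public_html")` against the real install (or against the backup before you restore it, which is the check the "Check the backup files" step asks for). Anything it flags inside wp-includes or wp-admin is almost certainly injected, since core files never redirect off-site; hits in themes and plugins need a look before deciding.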

Backup your sites, files, and database

Always make a full site backup at least once a month so that even if it becomes impossible to fix your website you can restore it from the backup. You can back up your website files with FTP, cloud storage, etc. There are a lot of free plugins to do so.

Check the backup files

Things can get really tricky if your backup file itself contains the malware, so always check that your backup is free from malware.

Format WordPress files and folders

Log in to your cPanel, go to the location where WordPress is installed and delete all the WordPress files there. Usually the WordPress files will be in the public_html folder.

Reinstall WordPress

Use the one-click WordPress install option from your provider. Get an overview of installing WordPress on the server. Fill in the necessary information like admin name and password and click the "Install WordPress" button.

Change your WordPress login password

During installation you will be given the option to set a password. For better security, it is advisable to choose a new password that you have not used so far on your website.

Reinstall themes and plugins

Download a fresh copy of the theme from the backup, or use the default WordPress theme. Once the theme is installed, you can install all the needed plugins once again.

Restore your WordPress files and database

Backups created by popular backup plugins like BackupBuddy and UpdraftPlus can be restored using the same plugin. Use the plugin to restore the files and database.

Scan Again

After all the above steps are done you will have the site up and running once again. Just to check that everything is alright, do a full site check to make sure that the site is completely free from malware. The best tools to check for malware in WordPress are Unmask Parasites, Sucuri SiteCheck, Norton Safe Web, etc.

Clear Google Warnings

After the above steps are done, your website should be completely free from malware. Now submit a blacklist removal request to Google so that it reviews your site: navigate to the Crawl tab in Search Console, open the "Fetch as Google" section and click the "Submit to index" button below.

After following these steps your website should be completely free from malware in most cases. If it's not, then contact your service provider or get help from a professional.

The Top 3 Reasons to Monitor a Cell Phone

Telephone booths were essential items in the early twentieth century because they facilitated long distance communication. Then landlines became a reality in the latter years of that century. Today, we have mobile devices. These devices help you talk to anyone in the globe at any time as long as the other person accepts the call. Sadly, these devices are as harmful as they are helpful. Kids are particularly vulnerable to the harm that results from misusing them. Therefore, tracking mobile devices is critical in many instances. Here are the top 3 reasons to monitor a cell phone.

1. Protect Your Loved Ones from Cyber Bullying
Twenty-five percent of teenagers have experienced cyberbullying at some point in their lives. Statistics also show that most of this bullying occurs through mobile devices. Shielding them from this vice is critical because bullying devastates children emotionally. Sadly, protecting your kids from cyberbullies is a daunting task because kids are afraid to speak about it. Remember, only 10% of bullied teens report such incidents to their parents. Monitoring their cellular activity is an excellent way of helping them. More specifically, you will discover cases of harassment. Then you will talk to them about it in addition to dealing with the culprit. Protecting fellow adults from cyber bullies is also necessary in some cases.

2. Catch Unscrupulous People Including Predators
Unscrupulous people often use smartphones to harm or defraud their victims. Remember, these people rely on isolating their targets. Then they can manipulate them without their loved ones knowing about it. For example, imagine someone blackmailing your spouse over an embarrassing incident that occurred years ago. Another person can take advantage of an employee at your office convincing him or her to reveal sensitive information about your organization. Moreover, predators rely on the impressionable nature of children. That is how they lure them away from home. Did you know that 8% of teenagers have met someone they came across online? Monitoring cell phones would help you catch these unscrupulous people so that you can protect your spouse, employees, and kids.

3. Discovering the Truth about Events and Situations
People often lie about specific events and situations. Unfortunately, they fail to realize the impact of those lies on everyone involved. Usually, explaining to them why telling the truth is essential bears no fruit. The only recourse you have under such circumstances is monitoring their cellphones. Doing so is especially critical in cases where someone is suffering from depression, negative influence from peers, or addiction among other problems. You need to know what kind of websites this person is visiting. What plans does his peer group have? What kind of purchases is your child making? Relationships are worth monitoring as well. For example, is there an inappropriate workplace relationship that is happening under your nose? Is your daughter dating someone? What is his intention towards her? In this post, you will discover a highly specialized spy app that will enhance your monitoring capabilities.

List of must-have security apps for your mobile [2018]

Mobile security is increasingly important. We all keep plenty of data on our phones, and some of that data is either personal or sensitive. From the credit card info that's attached to your Amazon app, to the login data from your banking app, there's stuff that we just don't want other people to know. Or maybe your web browsing history isn't quite as squeaky clean as it should be. Getting the right kind of security apps for your mobile is essential, but which ones should you choose?

What We’re Looking For.

We’re looking for apps that increase the security on your phone. Useful apps. We’ve dismissed anti-virus or malware apps from this list, since there are tons of them as well as plenty of resources telling you which are the best. So we’re looking at more specialised apps. In addition, a couple of our choices aren’t marketed as security apps as such, they simply have a side effect of increasing security. But if you’re looking to make your data secure, then these are the apps you should think about downloading.

Find My Device

We're starting out with a no-brainer here. Find My Device is by far one of the most useful security apps around. Originally using the name Android Device Manager, Find My Device is a simple little app that tracks your phone. That's useful if you've lost your mobile, had it stolen, or simply can't remember where it is. You just head to the Find My Device web page on your computer and you'll get a little blip on a map telling you where your phone is.

But that’s not the real reason we’ve chosen Find My Device. Because the app also has extra features. It allows you to remotely lock your phone, so if you happen to have left it at the office no one can pick it up and get your data. It also allows you to remotely wipe your phone, so if it has been stolen you can erase all that personal data with the press of a button and thieves will never get hold of it. Find My Device is free, and is an absolute essential if you’ve got a mobile phone.

DuckDuckGo Privacy Browser

We all know how much data websites collect about us, and if that thought bothers you, then DuckDuckGo should be one of the first apps that you download. It’s a free, super secure web browser that doesn’t track your web history. It’s sort of like constantly browsing in incognito mode. Once you exit the app, it will no longer remember anything about your last web session. It’s a basic browser and doesn’t have many features other than privacy, but it’s great at what it does. It’s also free, though there are some (non-intrusive) ads.


Haven

Haven is a very unique addition to this list, but also a very cool one. Essentially, it lets you turn a secondary device into a security phone. You download Haven onto an old mobile that you no longer use and that mobile will become your security device (you will need a SIM card for certain notifications so your best bet is looking for a low cost rolling SIM-only deal). It will record sound through the phone's microphone, and it detects light (if someone opens a door, or opens your luggage, for example). And if you stick that secondary phone into your suitcase or handbag it will set off an alarm when that case or bag is moved. Okay, it's pretty specialised, but it's also free and could be a great addition for frequent travellers.


LastPass

If you're serious about security, then a password manager is a must, and LastPass is the grand-daddy of them all. It stores your individual passwords, so you don't have to remember all of them (thus encouraging you to use different passwords for different sites, as well as longer, more complicated and therefore more secure passwords). It will also generate super secure passwords for you. It syncs across platforms, so it'll work on your computer too. And it's free. There's a pro version available, but the free version should do everything that the average user needs. Having a password isn't enough to ensure security. Having a password manager is.


ProtonVPN

A VPN isn't just an excuse to be able to watch US Netflix from the UK, or to hide your illegal streaming activity. A good VPN will hide everything you do, from inputting a password into a site, to your web browser history. And ProtonVPN, despite being pretty new, is an excellent choice. It's free, and has full encryption, so anything you do on your mobile whilst the VPN is switched on will be scrambled. The disadvantage here is that speeds on your phone will be a little slower with a VPN switched on, but that's a small price to pay for complete privacy.

Resilio Sync

Resilio Sync is another fairly unique app. In basic terms, it allows you to create your own cloud storage system. Let's say that someone sends you a sensitive document on your phone. You want to be able to back up that document, but you don't want to send such sensitive info to your Dropbox or G Drive account. Resilio Sync creates a cloud of storage on your home computer. So you can back up that document from your phone straight to your own PC without it going through the cloud first. Now that's security. Resilio Sync is free.

Signal Private Messenger

Finally, if you want to send text messages in absolute privacy you actually have a few options. But with the drama surrounding Facebook, WhatsApp (owned by FB) might not be your first choice anymore. And that’s where Signal Private Messenger comes in. Complete end to end encryption of your messages, group messaging, the ability to have messages disappear after a certain amount of time, and absolutely zero data storing in the app, this is the king of private messaging. It’s free, and the only real downside is that you’ll have to persuade all your friends to download the app too.

Private Browsing - What Are The Benefits?

It is not entirely possible to use the Internet without leaving a digital footprint behind. However, private browsing can offer a lot of protection and keep you relatively safe. Web browsers are equipped with private browsing capabilities, e.g., Internet Explorer has an 'InPrivate' mode for secure browsing, and Google Chrome has 'Incognito' mode for private sessions.

With private browsing, you can keep your search data and other information protected. Private browsing alone cannot give you complete protection against data theft, but it is an effective measure you should take.

What Is Private Browsing?

Data related to every website you visit is stored in your Internet browser's history, cache, and cookies. The browser remembers the URLs of the websites you visit and files you download. Cookies track your activity on different sites to provide you a better and faster user experience. 

It's all fine if you use a private computer and your data does not contain any valuable information. However, if you use a public computer and are concerned about your data getting stolen, or you are uncomfortable knowing that your digital footprint is trackable and don't want to leave any breadcrumbs behind, then use private browsing.

If you use the browser's private mode, the information is only kept until your session ends. Once you close your private session, you don't leave any trail behind, and none of your data remains stored on the system.

How To Stay Safe Online?

i. Good Digital Habits

Don't download anything or click anywhere if you are not sure about the website. Avoid downloading pirated content and software as they are often loaded with spyware and other malicious software. 

Avoid using a public Wi-Fi network if it offers unfettered access to the network. If you connect to a genuine public Wi-Fi network, avoid exposing sensitive data such as banking passwords and login information.

ii. SSL Certified Websites

An SSL certificate provides a secure connection for the exchange of information between browser and server. Make sure that the URL of the website you are dealing with begins with 'HTTPS' instead of 'HTTP'. A green padlock icon in the address bar confirms that the site is secured with an SSL certificate, such as a Positive SSL certificate.

SSL stands for 'Secure Sockets Layer', and it provides an encrypted link between web browser and server to handle sensitive information, such as customer names, phone numbers, account numbers, credit card numbers, and more.

iii. Keep Your System Guarded And Updated 

Developers release updates to fix security vulnerabilities. That's why it is important to keep your system updated. A good anti-virus program will keep your system protected from most common attacks.

Benefits Of Browsing Internet Privately

·         Privacy

When you use a shared computer and browse the internet in private mode, the websites you visit will never appear in the browsing history, no matter how many times you visit a website.

·         Minimize History

Whether it’s your work computer or personal computer, having as little personal data stored as possible is the best way to protect your information. It reduces the risk of your data getting stolen, and it saves space on your disk as well.

·         Security

Any cookies generated during a private browsing session get automatically deleted when you close the window. If you are concerned about your accounts' security while signing in on a shared computer, a private browsing session can help you with that. Even if you forget to sign out of your account, the sign-in cookie will be deleted when you close the browsing session. With the deletion of the cookie, your account will be automatically signed out, and nobody can get into your account from that computer.

·         Testing

If you want to open a website you are not so sure about, but still, you want to give it a try, private browsing is the way to go.

·         Multiple Sessions 

Cookies are not shared between the normal window and a private browsing window. You can log in to a second account on the same website without first signing out of your first account. For instance, if you are signed in with your Google account and your friend wants to check his Gmail account, a private browsing session is the way to go.

·         eCommerce Tracking

Many websites use your search data and cookies to bring you deals according to your needs. For instance, airline websites have data about your previous searches if you tried to check the price of a ticket. From the user data, they can find out which customer is highly likely to purchase a ticket. Sometimes, they offer higher discounts to new customers. You can check the price of the ticket in a private browsing session to make sure that you are paying the minimum amount for your tickets.

In the same way, if you want an e-commerce platform to list its prices without accessing your data, you can use a private session.

How To Enhance Privacy Further?

You can use the Tor Browser and a VPN connection from a reliable provider for enhanced privacy. Your browsing will still not be completely private, but these options can improve your privacy further.

How To Browse the Internet Privately?

Chrome's Incognito Mode

1. Click Google Chrome's 'Control Google Chrome' button (the three dots) in the top-right corner and select 'New Incognito Window' for private browsing.
2. Alternatively, you can press Ctrl+Shift+N to launch a new Incognito window.
3. When you right-click a link, you will see an option to open the link in an Incognito window.

Firefox's Private Mode

1. Click the control button in the upper-right corner and click 'New Private Window'.
2. Alternatively, you can also press Ctrl+Shift+P to launch a private window.

Microsoft Edge's InPrivate Mode

1. Click the '...' button in the top-right corner of the window and select 'New InPrivate Window'.
2. Alternatively, you can also press Ctrl+Shift+P or Ctrl+Shift+N to launch a private window.


Browsing the Internet in private mode comes in handy in many different scenarios. Private browsing prevents your data from getting saved and enhances your information security. It reduces the chances of data theft and offers you the privacy that you need if you are using a shared computer or network.

Sarahah App Secretly Uploads your Entire Contact List

I'm sure most of you have used Sarahah or at least saw your friends sharing the 'feedback' they received from this app/website. This app went viral in the US and even in India in a very short time. Even though the app was meant for receiving honest feedback from friends, people used it to abuse and bully other people.

I remember that when the app was first released many people questioned why this app asks for so many permissions. An app requesting access to the user's phonebook is quite common if the app provides a feature that works with contacts, but what is shocking is that no such functionality is available in Sarahah right now.

Zachary Julian, a senior security analyst at Bishop Fox, discovered something serious about Sarahah. He found that the app uploads private information from the phone to its server. Zachary tested the app on his Galaxy S5 running Android 5.1.1 and used Burp Suite to intercept the traffic. He found that the app was uploading his private data.

He confirmed that the app transmits all of the email and phone contacts stored on the Android phone. He also verified the same on iOS and found the same thing.

Here is a video demonstration by Zachary Julian:

Sarahah uploading address book data from The Intercept on Vimeo.

As soon as the news broke, the creator of Sarahah, Zain al-Abidin Tawfiq, responded to the story by saying that his app does harvest and upload users' contacts to the company's servers, for a feature that will be implemented at a later time.

All newer Android versions (starting with Android 6.0 Marshmallow) allow users to limit app permissions, so that apps do not gain access to contacts or other information that has nothing to do with the app's functioning.

So next time when you use such an app, have a look at the permissions that it is asking for.

Toka Poisa, a big security disaster?

This is not a hacking attack. Yesterday (11/1/2017) the Government of Assam launched an e-wallet to enable the people of the state to make hassle-free online transactions in their local language.

I found a serious security flaw in it yesterday itself, which could be used to completely take over anyone's account. I reported it to Amtron through the Special Branch of Police, Assam, as the email ID mentioned on the official website ( ) was not working, and I also tried to contact Amtron via the email ID provided on Amtron's official website ( ), which surprisingly was not working either.

The flaw is fixed now. Since the flaw is fixed, I'm making a public disclosure here so that others in the community can learn from it. This is ethical hacking (healthy and legal). Please do not misunderstand it to be a hacking attack.

On 11th January 2017, the Assam Government launched an e-wallet to enable the people of the state to make hassle-free online transactions in their local language. The e-wallet is a joint venture developed by the state's Assam Electronics Development Corporation Limited (Amtron) and ICICI Bank. Soon many news portals covered the news. So as a security researcher I too was curious to see how this platform works.

Since it involves money transactions I was sure that it would be a secure one, but I was mistaken. The security level of the platform was too poor. Anyone with a little knowledge of hacking could easily bypass its security features and misuse it. Such flaws might be excusable if the app were in a testing phase, but the app was launched and made public, which clearly indicates that they failed to recognise such basic flaws during their testing phase!

So here are the flaws:

(I have reported the flaws and they have been fixed today)

Flaw 1 (serious)

Flaw name: Bypass OTP verification during sign-in

The notable thing about the site is that there is no password verification: the user needs to enter their phone number, an OTP is sent to their phone, and once they enter the OTP they can sign in.

Only one level of authentication is used, which is the OTP. So if an attacker bypasses the OTP he can access anyone's wallet and misuse it. Once he is inside, he can make payments, steal money, etc.
During registration the site does not ask the user to verify the number, which means an attacker can register anyone's number.

Now let us assume that a user has already created an account; then an attacker can log in to that specific user's account to make payments on his behalf, steal money, etc.

Here is the proof of concept:

This was possible because there was no limit on the number of times an attacker could enter an invalid OTP, so an attacker could easily brute-force it and get full access to anyone's account and money.
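A six-digit OTP has only a million possible values, so the server-side attempt budget is the entire defence. The following Python class is an added example of how that verification step should be built; it is not Toka Poisa's code and is not based on it. It issues a single-use code, stores only a salted hash of it, expires it after five minutes, allows five wrong guesses and then discards the code and locks the number for fifteen minutes (all of those values are assumptions chosen for the example). The same `verify()` gate should also be required before a number is registered, which addresses the registration point above.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # wrong guesses allowed per issued OTP
OTP_TTL_SECONDS = 300     # an OTP expires five minutes after issue
LOCKOUT_SECONDS = 900     # cool-down once the attempt budget is exhausted


class OtpService:
    """Server-side OTP login with an attempt budget, expiry and lockout.
    `clock` is injectable so the behaviour can be tested deterministically."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}       # phone -> {"digest", "salt", "expires", "attempts"}
        self._locked_until = {}  # phone -> unix time at which the lockout ends

    @staticmethod
    def _digest(code, salt):
        # Store a salted hash so a leaked table does not reveal live codes.
        return hashlib.sha256(salt + code.encode()).hexdigest()

    def issue(self, phone):
        """Create a fresh 6-digit OTP for `phone`.  Returns the code so the caller
        can hand it to the SMS gateway (it must never go back to the client in
        the HTTP response).  Returns None while the number is locked out."""
        now = self._clock()
        if self._locked_until.get(phone, 0) > now:
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[phone] = {
            "digest": self._digest(code, salt), "salt": salt,
            "expires": now + OTP_TTL_SECONDS, "attempts": 0,
        }
        return code

    def verify(self, phone, code):
        """Return 'ok', 'invalid', 'expired', 'locked' or 'no_otp'.  Every wrong
        guess consumes budget; exhausting it discards the OTP and locks the number,
        so a guessing script gets at most MAX_ATTEMPTS tries per issued code."""
        now = self._clock()
        if self._locked_until.get(phone, 0) > now:
            return "locked"
        entry = self._pending.get(phone)
        if entry is None:
            return "no_otp"
        if now > entry["expires"]:
            del self._pending[phone]
            return "expired"
        entry["attempts"] += 1
        # constant-time comparison of the stored and presented digests
        if hmac.compare_digest(entry["digest"], self._digest(code, entry["salt"])):
            del self._pending[phone]          # single use
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[phone]
            self._locked_until[phone] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


def wrong_code(code):
    """Pick a 6-digit value that differs from `code` (helper for the demo)."""
    return "000000" if code != "000000" else "000001"


if __name__ == "__main__":
    svc = OtpService()
    phone = "+91-0000000000"            # constructed sample number
    code = svc.issue(phone)
    for _ in range(MAX_ATTEMPTS):
        print(svc.verify(phone, wrong_code(code)))   # invalid x4, then locked
    print(svc.verify(phone, code))                   # locked: the real code no longer works
```

In a deployment the `_pending` and `_locked_until` maps live in a shared store such as the database or Redis rather than in process memory, and the lockout should be logged so repeated lockouts on one number show up as an alert.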

Flaw 2 (low impact)

Flaw name: Directory listing

There was a directory listing flaw on the website by which an attacker could see all the files in a directory. This flaw can be used to learn about files inside the directory even if they are not linked anywhere on the site, so it gives a good idea of all the files hosted in that directory.

Flaw 3 (medium)

There is no SSL certificate on the site. The site deals with money and transactions, and yet it runs on HTTP and not HTTPS. SSL certificates provide secure, encrypted communication between a website and an internet browser. SSL stands for Secure Sockets Layer, the protocol which provides the encryption. SSL certificates are typically installed on pages that require end users to submit sensitive information over the internet, like credit card details or passwords. But here on the tokapoisa site there is no SSL, which means that the connection is not secured and is unencrypted, and anyone can perform a man-in-the-middle attack and obtain sensitive information from it. This is the first website I have seen which deals with money and doesn't have an SSL certificate.


Tokapoisa has launched an Android app which is not exactly an app, because it is just a web viewer which displays the site; there is nothing special in the Android app. When you open the app it just shows you the webpage, that's all, which means anyone can create the exact same app. This can be dangerous because they have not yet launched it in any app store, so if an attacker creates an app which displays the website inside the app, no one can differentiate it from the original one, and the attacker can take advantage of this and add malicious code to his version.

When I found the flaw I first prepared a report on it and mailed it to the email ID provided on the tokapoisa website ( ), but the delivery failed as they have not configured the mail service.

Then I mailed it to the General Manager of Amtron (

30.94 million people (population of Assam, 2012) could be at risk.

So I did my bit to secure the platform. I hope it benefits the people of Assam.

Security Risk of Cashless Economy in India

8th November 2016 was a big date for the entire world. On the one hand, the US election results were announced, and on the other hand the Prime Minister of India, Shri Narendra Modi, announced demonetization in India. If you are not from India, you might be wondering what I mean by that. Well, on 8th November the prime minister announced that from 9th November Rs 500 and Rs 1000 notes would no longer be legal tender and all citizens needed to deposit them in their bank. Soon after the announcement there was a big rush at banks as millions of people went to exchange old currency notes.

Long queues in banks

But soon after the announcement the government of India started setting up various rules. One of the major rules was that citizens could only withdraw Rs 2000 per day. This became a huge problem, as Rs 2000 is not enough, and also, as everyone was depositing their money, there was a scarcity of physical notes. The government launched Rs 2000 notes, but since no one had change, they were almost useless at that time.

The solution?

Many started using online transactions as there were no restrictions on them. Many people started using third-party apps like Paytm and MobiKwik to make payments. Over the past week, digital payments have hit record transactions: Paytm said there was a 200 per cent increase in its mobile application downloads and a 250 per cent increase in overall transactions; MobiKwik said its user traffic and merchant queries increased by 200 per cent within a few days of the government's announcement. Companies such as Oxigen and PayU have also seen a rise in their service usage.

Demonetization came as good news for these apps. Within a few days of demonetization, Paytm went to almost all the shops and local businesses and got them to join Paytm, so that they could take money from customers via the app.

Now even the government is focusing on a cashless economy. Many banks have already come up with their own apps through which customers can make transactions. Here in India every day we can see government ads asking people to use these app-based services so that the country can go fully cashless.

But is this a good step?

Well, I don't know at this point how successful or useful it will be, but are we ready for a fully cashless economy here in India?

Let's look at the security aspect of a cashless economy.

The risk

The first ATM in India was set up in 1987, but still most people don't know how to use one, which is why we see a lot of fraud at ATMs. The weakest security link in any transaction is not the technology system but the user, and their lack of understanding of security issues. To get a sense of this: to withdraw money from ATMs, some people were giving others their card and PIN.

Now imagine if we ask those people to switch to these mobile-based apps in just 1-2 months; how will they do it? Now, since there is a limit on cash withdrawals, people are forced to use these apps.

One of the biggest financial data breaches in India, exposed in late October, compromised the financial data of over three million users and hit major banking companies. The breach occurred when a network of Hitachi ATMs infected with malware enabled hackers to steal users' card credentials and make fraudulent transactions. Following this, companies issued new cards and asked customers to limit their ATM usage to those operated by their own banks. However, a few weeks after the breach, the demonetization announcement pushed people to do just the opposite: rush to withdraw money from any functioning ATM. To date, there has been no communication from banks or the Reserve Bank of India assuring the public that the infected ATMs have been taken out of service or fixed to prevent further breaches.

Now, since everyone is new to mobile transactions and the use of apps, it has become easy for hackers and fraudsters to fool these people and take away their money. I'll give you a small example.

One of the fast food joints near my home has started accepting Paytm payments. Earlier the owner used to take only cash, but now he accepts Paytm payments too. But here is the risk: he is not very educated and doesn't know much about security. Now if a fraudster calls him up, says that he is from Paytm and tells him to transfer 20% of his money to some number or else his account will get deleted, I'm 100% sure that he will do it.

This is the problem that we are facing right now. People in the country lack awareness. We must first make them aware of how to use these systems and what the risks are; only then can we start using them.

These are the physical risks. Now let's come to the technical risks.

Now, since everyone depends on these app-based payment systems, they have become a prime target for hackers. One flaw in these apps and all our money is gone. Also, since users are not aware, it becomes very easy to hack them.

Last year popular Bollywood singer Papon Mahanta's official Facebook page was hacked and I helped him get the page back. While working on it I learned that the hacker had actually sent him a phishing page, and his social media manager thought it was a legitimate one and gave away the login details.

Now think: if his social media manager, who deals with online matters most of the time, failed to recognize a phishing page, then how can you expect an ordinary person to distinguish between the real login page of these money apps and a phishing page?

Also, recently we have seen that a hacker group called "Legion" has been hacking high-profile people and organisations like Rahul Gandhi (Vice-President of the Indian National Congress party), the Indian National Congress, Barkha Dutt (Indian television journalist), Ravish Kumar (Indian television journalist), etc. In one of their interviews they said that Indian banking systems can be easily hacked. So how can we be sure that the apps that all the banks launched in the last month are secure? How safe is our money?


Demonetization is a good step by the government, but I think this is not the right time to go cashless. Today we use apps like Ola and Uber because we like them, not because we are forced to use them. Right now people are using these payment apps because they don't have any other choice. I think the government should focus on how to make people aware of how to use them, their security and benefits, and then let the people decide for themselves whether they want to go cashless or not.

Beware! Hackers are using Facebook Messenger to Spread Locky Ransomware

Have you come across any Facebook message with an image file in .SVG format? If not, you are lucky; if you have received one, avoid clicking it.

If clicked, the file would eventually infect your PC with the nasty Locky ransomware, a family of malware. In a short period of time, Locky has become one of the favourite ransomware tools of spammers. It usually spreads via spam emails carrying a disguised downloader.

This attack was first discovered by malware researcher Bart Blaze. Surprisingly, the malware manages to bypass Facebook’s file extension filter.

But Why the SVG File Format?

The answer is simple. SVG is an XML-based image format, and an SVG file can contain embedded content such as JavaScript, which runs when the file is opened directly in the browser.

So the hackers added JavaScript code inside the image file which redirects you to a malicious website mimicking YouTube. The site then pushes a popup asking you to download and install a certain codec extension in Google Chrome in order to view the video. The malicious extension used two names, Ubo and One.
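Because an SVG is XML, a defender can parse it and look for exactly the things a browser would execute before ever treating it as a picture. The checker below is an added example and is not code from the original post or from the researcher it cites; the two sample files are constructed, and the script body in the suspicious one is an inert placeholder. It flags `<script>` elements, `on*` event-handler attributes, `javascript:` links and `<foreignObject>` (which can embed HTML).

```python
"""Detect active content in SVG files before accepting them as images.

Added example, not from the original post. The sample SVGs are constructed.
"""
import re
import xml.etree.ElementTree as ET

def find_active_content(svg_bytes: bytes) -> list:
    """Return a list of findings; an empty list means nothing script-like was seen.

    Note: for untrusted input in production, parse with the defusedxml
    package instead of xml.etree to avoid XML-bomb style attacks.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()      # drop the XML namespace prefix
        if tag == "script":
            findings.append("<script> element")
        if tag == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()     # xlink:href -> href
            if name.startswith("on"):               # onload, onclick, ...
                findings.append(f"event handler attribute {name} on <{tag}>")
            if name == "href" and re.match(r"\s*javascript:", value, re.IGNORECASE):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings

def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when the file carries no active content at all."""
    return not find_active_content(svg_bytes)

# Constructed samples: a plain drawing and one that a browser would execute.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    b'<script>/* constructed inert placeholder */</script>'
    b'<a xlink:href="javascript:void(0)"><text>open</text></a></svg>'
)

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", find_active_content(data) or "clean")
```

A mail or messaging gateway would run this on the raw bytes and either strip the offending nodes or refuse the file; the point is that the image's extension says nothing about whether it contains code.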

Once installed, the extension gives the attackers the ability to alter your data on the websites you visit, and it also takes advantage of the browser's access to your Facebook account in order to secretly message all your Facebook friends the same SVG image file.

The worst thing here is that, according to a malware researcher, the SVG file redirects to a malicious website which downloads a copy of the Locky ransomware onto the victim's PC.
In case you don't know what ransomware is: ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a good amount of money is paid to the attacker.

Locky is one of the most popular ransomware families; it locks all files on a victim's computer with the RSA-2048 and AES-1024 encryption algorithms and does not unlock them until the ransom is paid to the attackers.

Remove the malicious extension immediately

If you are one of those who have already installed one of the two malicious extensions, you can remove it by doing the following.

To remove the extension, go to Menu → More Tools → Extensions, find the extension in the list and remove it.

Internet Safety program by Google and DSCI in Guwahati

A few days back I got invited by Google and the Data Security Council of India to their Internet Safety program, which they organized at the Radisson Blu, Guwahati. It was the first event of its kind here in Guwahati. The Data Security Council of India (DSCI) is a not-for-profit organization set up by NASSCOM and is focused exclusively on data security, cyber security and privacy protection.

There has been increasing attention to the MSME sector in the ‘Make-In-India’ initiative. There are 51 million SMEs in India. However, only 5 to 6 % of them are online. The country is witnessing a serious attempt to bring them online. It has been estimated that by 2017, 20 million of them would be online. Apart from online presence, these companies will be spending on IT products that include mobility, social media and cloud in order to increase their customer reach, manage customer relationships better, and ensure efficiency in operations. This drive to digitization is not immune from cyber security threats. Without due consideration to cyber security, the momentum of online and digitization would face serious hindrances. DSCI in partnership with Google India, hence, conceived a focused ‘Internet Safety Program’ for Micro, Small and Medium Enterprises (MSMEs).

Many people from both the government sector and the business sector were present at the event. The event started with a welcome speech by Mr. Rahul Sharma, Senior Consultant, DSCI, where he discussed why cyber security is important for people and companies.

Shri Mukesh Sahay, IPS, DGP, Assam Police was the chief guest of the event. He discussed various cyber security threats that the state is facing and how the police and the government are taking steps to solve these issues. He also shared a few case studies and the various challenges they face.

Mr. Abhas Tripathi, Strategist, Google India did a session on Internet Safety. He showed how various organizations suffer when they are hacked and also demonstrated how Google is helping organizations stay protected. We had a great question and answer session with him, in which developers and startup founders cleared their doubts about various security and development related queries.

Dr. K.K. Dwivedi, IAS, IT Commissioner & Secretary, Assam gave a talk on the various steps that the government is taking in the field of security in the region. He discussed a few of his own experiences and also the various steps that the government is looking into.

We had a panel session on the topic "Development in the field of Internet safety & cyber security". There were four panelists:

1. Mr. Diganta Barman, Senior Technical Director, NIC
2. Mr. Indrajeet Bhuyan (me)
3. Dr. Ferdous Ahmed, Asst. Professor, IIIT Guwahati
4. Mr. Nirmal Baishya, Addl. SP, CID

It was a very informative session. Mr. Diganta Barman talked about how NIC is trying to secure government sites and challenges that they face. I mainly spoke about the Barriers in Developments in the field of Cyber Security.

Most of the IT companies of Assam and the northeast, like Zaloni, Zantrik etc., and the technical institutes were present. A few people from NASSCOM, including the east region head Nirupam Chaudhuri, were also present there. Also, I got a job offer from NASSCOM.

It was a great learning experience. These days most cyber attacks are done on tier 2 and tier 3 cities, as here people are not aware of the issue and they don't know how to protect themselves from these attacks.

I believe it is a good step by Google and DSCI that they did not neglect the northeastern part of the country. I hope many more such events take place in the future too.

Here's how to stop Facebook from secretly listening your conversation

Facebook is using people's smartphones to listen to what they say. But don't worry, here is an easy way to stop it.

It seems like Facebook has decided to take its advertising service to the next level. We are already familiar with the news that Facebook now tracks you even if you don't have an account or have logged out of your account. There's nowhere to hide across the web, especially from the marketing and advertising companies.

Sounds scary, right? Well, there is more to it. Facebook now uses people's phone mic to listen to their conversations. Yes, you heard it right.

Professor Kelli Burns has accused the social networking giant of listening to users' mobile phone audio through one of its features that is only available in the US. Prof. Burns teaches Mass Communications at the University of South Florida, and she has managed to open a Pandora's box by suggesting that the Facebook app might have been prying on unsuspecting users.

Professor Burns has said that the tool appears to be using the audio it gathers not simply to help out users, but might be doing so to listen in to discussions and serve them with relevant advertising. She says that to test the feature, she discussed certain topics around the phone and then found that the site appeared to show relevant ads.

Prof. Burns also demonstrated this by enabling the microphone feature on her mobile phone and saying that she would like to go on a safari: "I'm really interested in going on an African safari. I think it'd be wonderful to ride in one of those jeeps."

Within 60 seconds there appeared a post on her Facebook feed about a safari story, which was posted around three hours before.

But according to the social network’s spokesperson: “Facebook does not use microphone audio to inform advertising or News Feed stories in any way. Businesses are able to serve relevant ads based on people’s interests and other demographic information, but not through the audio collection.”

This feature was introduced in 2014, around two years back, and Facebook maintains that it never "always" listens or stores "raw audio" at all, but it does listen.

Here is how you can stop Facebook from listening via your phone's mic

You can easily turn off the microphone on your mobile phone and if you do so, Facebook won’t be able to turn it on even if it wanted to. 

If you use an iPhone, turn off the microphone by following this path:

Settings > Privacy > Microphone

If you are an Android user, you need to do this:

Settings > Privacy > Facebook > Permissions

Whatsapp Crash V2 - crashing PC browser and mobile app

Last year, together with my friend Sourav Kar, I made the world's smallest code which could crash WhatsApp. In a video demonstration we showed how a 2000-word (2 KB) message in a special character set can crash the WhatsApp messenger app. Previously it was discovered that sending a huge message (greater than 7 MB in size) on WhatsApp could crash the victim's device and app immediately, but using this new exploit an attacker only needs to send a very small (approx. 2 KB) message to the victim.

The main impact of the vulnerability was that the user who received the specially crafted message had to delete the whole conversation and start a fresh chat, because opening the message kept crashing WhatsApp until the chat was deleted completely. The exploit put more than 500 million users worldwide at risk. We reported the flaw and it was fixed in the next update.

Read more about it here : Crash Your Friends' WhatsApp Remotely with Just a Message

This year I have found a flaw in WhatsApp which can be used to crash the WhatsApp mobile app and WhatsApp Web (the PC version of the same).

Here are the details :

In WhatsApp Web, WhatsApp allows 65500-6600 characters. But after typing about 4200-4400 smileys the browser starts to slow down, and since the limit is not yet reached WhatsApp lets you go on inserting. So it crashes while we type and send, and on mobile too, when the message is received, it overflows the buffer and crashes.
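The underlying lesson is that a character limit is not a cost limit: a few thousand smileys are well under the character cap but weigh far more in bytes, UTF-16 units and rendering work than the same number of letters. The snippet below is an added example, not WhatsApp's code; it measures a message several ways and applies a receiver-side budget. The 65500 character cap is the figure from the post, while the byte and complex-glyph limits are illustrative assumptions.

```python
"""Measure a message four ways and enforce a budget on the expensive parts.

Added example, not WhatsApp's code. Budget values other than the 65500
character cap quoted in the post are assumed, not WhatsApp's real limits.
"""
ZWJ = "\u200d"    # zero-width joiner: glues emoji into one composite glyph
VS16 = "\ufe0f"   # variation selector-16: forces emoji presentation

def measure(text: str) -> dict:
    """Count code points, encoded sizes, and glyphs that are costly to render."""
    return {
        "code_points": len(text),
        "utf8_bytes": len(text.encode("utf-8")),
        "utf16_units": len(text.encode("utf-16-le")) // 2,
        # Anything outside the Basic Multilingual Plane (emoji live there) or a
        # joiner/selector that builds composite glyphs counts as "complex".
        "complex_glyphs": sum(
            1 for ch in text if ord(ch) > 0xFFFF or ch in (ZWJ, VS16)
        ),
    }

def check_message(text: str, max_code_points: int = 65500,
                  max_utf8_bytes: int = 65500, max_complex: int = 4000) -> tuple:
    """Return (accepted, reason). Only the first limit is from the post."""
    m = measure(text)
    if m["code_points"] > max_code_points:
        return (False, f"{m['code_points']} characters exceeds the character cap")
    if m["utf8_bytes"] > max_utf8_bytes:
        return (False, f"{m['utf8_bytes']} UTF-8 bytes exceeds the byte budget")
    if m["complex_glyphs"] > max_complex:
        return (False, f"{m['complex_glyphs']} complex glyphs exceeds the render budget")
    return (True, "ok")

# Constructed samples: plain text, a wall of one emoji, and ZWJ family sequences.
PLAIN = "a" * 60000
EMOJI_WALL = "\U0001F600" * 4500
FAMILY = ("\U0001F468" + ZWJ + "\U0001F469" + ZWJ + "\U0001F467") * 1000

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN), ("emoji", EMOJI_WALL), ("family", FAMILY)):
        print(label, measure(msg), check_message(msg))
```

Note that the emoji wall passes the character cap comfortably (4500 of 65500) and is rejected only by the complex-glyph budget; a validator that counts characters alone would accept it.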

I have tested it on the following:

PC browser - Firefox, Chrome
Android - Marshmallow, Lollipop, KitKat
Mobile - Moto E gen 1 (1 GB RAM), Asus Zenfone 2 Laser (2 GB RAM), OnePlus Two (4 GB RAM)

And it works perfectly well on all of the above.

I have tested it on iPhone too, but on iPhone it fails to crash; it freezes the app for a few seconds instead.

There are more than 1 billion Android users who use WhatsApp, which means this flaw could affect 1 billion+ users.

Video Demonstration


Suppose an attacker has sent an abusive message or is blackmailing a victim. Now the victim cannot show the message as proof, because once the victim receives the smiley (shown in the video) the whole chat with the attacker crashes and the victim won't be able to open it. The victim will have to delete the entire chat with the attacker in order to use WhatsApp normally.

This can also be used to perform a denial of service in the browser: it freezes the browser and gives a 'not responding' error.

I have reported the flaw to WhatsApp. Let's hope they patch it in their next version.

Facebook Will Now Notify You If the Government is Spying on You

Do you fear that some suspicious activity is going on in your Facebook account? Many of you will be aware that Facebook account hacking using phishing scams is on the rise these days. But the good news is that Facebook has just announced something very important about its platform. The social network will now inform users if it believes that their account has been compromised by a government agency for snooping purposes.

Facebook now recommends that users turn on "Login Approvals", so that their Facebook accounts can only be accessed using the stronger two-factor authentication.

“The security of people’s accounts is paramount at Facebook, which is why we constantly monitor for potentially malicious activity and offer many options to proactively secure your account,” Facebook writes in an official blog.

But the important question that arises here is:

How exactly does the social network know that an account is being targeted by a government-sponsored hacker?

As of now, Facebook has not disclosed how it would be able to differentiate between accounts compromised by nation-state hackers and those hit by smaller-scale attackers, saying that it has to "protect the integrity" of its methods and processes.

Facebook confirms that this notification does not indicate that the whole social networking platform was compromised. It relates only to the specific user's account that receives the notification.

Let's hope you never get this notification, but in case you do, take the matter seriously.

The Router You Own May Be Vulnerable: Story Of The Fixed Router Backdoor!

2013 was the year French hacker Eloi Vanderbeken was enjoying his Christmas and decided to tweak some of the performance settings of his router. The funny thing was that he forgot his own password, so hacking his way in seemed more fun than resetting the router. *Clup*Clup*Boom*
Long story short, Vanderbeken found his way in.

He found a service listening on port 32764 that could be instructed, without any authentication, to dump the router's configuration, including the username and password!

Luckily for you, that port was listening on the internal (LAN) side and not on the internet (WAN) side. That means the backdoor is only accessible to users who are already on your network, i.e. on your subnet, but it is still a giant security hole. For example: you tell me "Hey Hrishi! Mind doing some performance upgrades on my laptop?" I sit down, I turn evil, and I get into your router and mess with the settings, including opening up the backdoor on the internet interface so I can get back in later! That's how dangerous it was!

So, Vanderbeken reported it. Backdoor patched! Voilà! Not so fast! Since the main purpose of the backdoor was actually to help the router's management software (which many of you can reach by typing your router's IP address into the URL bar), Vanderbeken soon found that the backdoor was still there, just turned off by default.

He tweaked some more and found a way to re-enable the backdoor by sending the router a so-called "magic Ethernet packet". Read about Ethernet II type packets here.

This is an Ethernet type II frame that I snapped from Wikipedia.

Some theory: if you don't know what a MAC address is, google it; the CRC is for data error recovery.
EtherTypes are 0x0800 for an IPv4 packet, 0x86DD for an IPv6 packet, 0x0806 for ARP (Address Resolution Protocol), and 0x0842 for Wake-on-LAN (the magic packet).

Vanderbeken's router also listened for Wake-on-LAN-style packets on EtherType 0x8888. What he did was very simple and easy, but it resulted in a boom: the router was sent an 0x8888-type packet containing the number
0x0201 (a command identifier, also very important for resets on Cisco routers) and the MD5 checksum of the string DGN1000, his router's model number. This is a great example of thinking outside the box!

That little trick brought the dead backdoor back to life! He also discovered that sending a broadcast packet of type 0x8888 with command number 0x0200 makes the router reply, allowing an attacker on the LAN to find any exploitable routers.
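For a defender the useful skill here is reading the frame layout described above and noticing traffic that does not belong on the LAN. The parser below is an added example (not Vanderbeken's tooling and not any router's firmware): it decodes constructed Ethernet II frames into destination and source MAC, EtherType, payload and FCS, verifies the CRC-32, and reports any frame whose EtherType is outside the set the post lists, which is how an 0x8888 broadcast would stand out in a capture. The MAC addresses and payloads are made up for the example, and the expected-type set is an assumption about a typical home LAN.

```python
"""Parse Ethernet II frames and flag unexpected EtherTypes.

Added example, not from the original post. Frames and MACs are constructed.
"""
import struct
import zlib

# EtherTypes named in the post; treated here as the only ones expected on the LAN.
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x0842: "Wake-on-LAN"}
EXPECTED_TYPES = set(ETHERTYPES)
BROADCAST = b"\xff" * 6

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Construct a wire-format frame: 14-byte header, padded payload, CRC-32 FCS."""
    payload = payload.ljust(46, b"\x00")             # Ethernet minimum payload
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))  # FCS is sent little-endian

def parse_frame(frame: bytes) -> dict:
    """Decode header fields and check the FCS over everything before it."""
    if len(frame) < 64:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    body, fcs = frame[:-4], frame[-4:]
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "broadcast": dst == BROADCAST,
        "ethertype": ethertype,
        "name": ETHERTYPES.get(ethertype, "unknown"),
        "payload": frame[14:-4],
        "fcs_ok": struct.pack("<I", zlib.crc32(body)) == fcs,
    }

def audit_frames(frames: list) -> list:
    """Return (index, ethertype, reason) for frames a LAN monitor should log."""
    findings = []
    for i, raw in enumerate(frames):
        f = parse_frame(raw)
        if not f["fcs_ok"]:
            findings.append((i, f["ethertype"], "bad FCS"))
        elif f["ethertype"] not in EXPECTED_TYPES:
            findings.append((i, f["ethertype"],
                             f"unexpected EtherType 0x{f['ethertype']:04x} from {f['src']}"))
    return findings

# Constructed sample capture: an ARP request, an IPv4 packet, and a broadcast
# on EtherType 0x8888 with an opaque payload.
HOST = bytes.fromhex("02aabbccddee")   # locally administered, made-up MAC
GATEWAY = bytes.fromhex("021122334455")
FRAMES = [
    build_frame(BROADCAST, HOST, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    build_frame(GATEWAY, HOST, 0x0800, b"\x45\x00\x00\x14"),
    build_frame(BROADCAST, HOST, 0x8888, b"\x00" * 4),
]

if __name__ == "__main__":
    for i, raw in enumerate(FRAMES):
        f = parse_frame(raw)
        print(i, f["src"], "->", f["dst"], f["name"], "fcs_ok" if f["fcs_ok"] else "BAD FCS")
    print(audit_frames(FRAMES))
```

As the post says, blocking on a single magic value is fragile because the command and checksum vary by firmware; logging every non-standard EtherType seen on the LAN is the more robust signal, and it also catches the 0x0200 discovery broadcasts.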

Now, how to be safe?

You know what, you can never be completely safe. Really. If you are thinking "I too will watch for packets on 0x8888, detect the magic packet and block it", that is totally wrong, because it varies between firmwares and hardware, and the MD5 checksum may also differ.

See if your router supports an open source firmware such as DD-WRT or OpenWrt. They are great! They are Linux based, and many kind developers around the world are always ready to lend you a hand, with patches from a 16-year-old to an old master.

So go on, tweak it, find something, use security measures. Don't worry, I won't drop in on you. ;)

Any suggestion or question? Sure! In the comments!

Tumblr asks users to change passwords to protect against ‘Heartbleed’ Virus

Social network Tumblr has asked its users to change their passwords following the emergence of a recent virus called Heartbleed, which has been exposing the world's major websites to theft by hackers.

Tumblr said in a statement that the little lock icon (HTTPS) trusted by all to keep their passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.

This virus (Heartbleed), which represents one of the most serious global security flaws revealed in recent years, makes it possible for hackers to retrieve code from websites that would give them access to other information, including user data and passwords.

Tumblr is trying hard to persuade users to take precautionary measures; the website added that this might be a good day to call in sick and take some time to change passwords everywhere, especially for high-security services like email, file storage and banking, which may have been compromised by this virus.

While Tumblr claimed that it had taken measures to fix the security flaw, the company said that it had no proof that its user data had actually been breached.