Over 300 electronic devices have gone missing from the heart of government over the past two years, according to new research from Parliament Street.
The think tank sent Freedom of Information (FOI) requests to the Prime Minister’s Office, the Privy Council, the Equalities Office and the offices of the leaders of the House of Commons and the House of Lords.
In response, the offices revealed that 89 devices had disappeared in 2018 and 163 last year, an 83% year-on-year increase. So far this year, 64 items have been lost, even though many central government employees have been working from home because of the COVID-19 lockdown.
Stav Pischits, CEO of security consultancy Cynance, argued that cyber-criminals can be incredibly persistent in going after high value targets like government data.
“With an increasingly remote workforce due to the COVID-19 outbreak, it’s absolutely essential that government departments take the necessary steps to ensure all devices are correctly secured,” he added.
“Even though these devices were encrypted, hackers can find new ways to break through systems to access confidential files, which could be lethal in the wrong hands. So, ensuring robust encryption and cybersecurity measures at all times is essential.”
This is just the latest in a long line of FOI-related research highlighting the persistent challenge of government-owned mobile devices going missing.
In July 2019 an FOI request from MobileIron revealed that 508 devices and laptops had gone missing from eight departments over the previous year. In the Ministry of Justice alone, laptop losses soared 400% between 2016 and 2019, with 201 going missing in the 2018/19 period, according to Apricorn research.
In February this year, another report, this time from global communications company Viasat, claimed that over 2000 mobile devices had gone missing from central government departments over the previous year, many of them unencrypted. The higher number may be explained by the fact that 27 departments responded to this study.
A California man has been put behind bars for his role in an identity theft scheme that victimized thousands of US veterans and service members.
Trorice Crawford pleaded guilty on December 5 last year to one count of conspiracy to launder monetary instruments. The 32-year-old San Diego resident admitted conspiring with US citizen Robert Wayne Boling Jr. and others to steal millions of dollars between May 2017 and July 2019.
Crawford hired at least 30 people to act as money mules, paying them to receive funds stolen from current and former military personnel into their bank accounts.
Unauthorized transfers from victims’ accounts ranged from $8,000 to $13,000 on average, with Crawford keeping a cut from each transaction. Crawford also oversaw the transmission of stolen funds to Boling and others in the Philippines via international money remittance services.
A federal judge in San Antonio yesterday sentenced Crawford to 46 months in federal prison. Chief US District Judge Orlando Garcia ordered Crawford to pay $103,700 in restitution and be placed on a three-year period of supervised release after completing his prison term.
Crawford’s co-defendant, Frederick Brown, pleaded guilty to charges in connection with the identity theft scheme in October 2019 and will be sentenced on September 17. The 38-year-old used his former position as a civilian medical records administrator for the US Army to steal the personal identifying information (PII) of thousands of military members.
Brown admitted using his cell phone to capture members’ names, Social Security numbers, DOD ID numbers, dates of birth, and contact information while being logged into the Armed Forces Health Longitudinal Technology Application.
The Las Vegas resident further confessed to handing over the stolen PII to Boling and his Philippines-based co-defendants, Australian Allan Albert Kerr and South Korean Jongmin Seok, so that they could use it to access Department of Defense and Veterans Affairs benefits sites and steal millions of dollars.
As asserted in the federal grand jury indictment, Boling, Kerr, and Seok used the stolen data to compromise a Department of Defense portal designed to enable military members to access benefits information online.
The trio are charged with multiple counts of conspiracy, wire fraud, and aggravated identity theft. Measures are being taken to extradite them from the Philippines to Texas.
A platform created by the SANS Institute to teach core cybersecurity skills is now available to students and young adults across the Middle East and Africa.
CyberStart Game provides a gamified learning experience that can be used in the classroom or accessed at home. This 100% online learning platform is designed to teach complex security concepts while promoting self-guided exploration and investigation over traditional learning tropes.
Users can access over 200 different challenges via the platform, working through each one at a pace dictated by their own schedule and ability. The platform was thoughtfully established with built-in clues, tips, and video hints to assist students when they get stuck and to help them complete the challenge.
CyberStart Game was created by SANS Institute CTO James Lyne, who based each challenge on historical real-world cyber-attacks, security breaches, and other cybersecurity scenarios.
SANS Institute has opened up the platform to students and young adults in Africa and the Middle East as part of an ongoing emphasis on online learning and because of the heightened level of cybersecurity threat triggered by the current global health pandemic.
Ned Baltagi, Managing Director, Middle East & Africa at SANS Institute, said: “Global communities and their families including school- and university-going students are now in a shelter-at-home position. On the flip side, threat actors are increasing their activities, using advanced social engineering phishing techniques to lure online workers to malicious sites and possible ransomware attacks.”
Baltagi believes that through playing CyberStart, youngsters can acquire valuable cyber-self-defense skills that will help protect them while online.
“At this stage, CyberStart Game is the most appropriate and suitable platform to build awareness of cyber security skills for young adults, who may encounter these threats as they move to the next level of their career or device usage,” he said.
SANS Institute is offering CyberStart Game Education and Enterprise packages that include flexible access for students and teachers. No prior cybersecurity expertise is required to play the game or teach others how to play it.
“We will help schools, universities and organizations in the Middle East and Africa to find the right option for them,” said Baltagi.
A hobby farmer on the hunt for a vegetable-eating critter has discovered a flaw in a popular outdoor home security camera.
Midwesterner Jason Kent purchased a Kasa camera to help identify whatever creature it was that had been eating his cucumber plants. In addition to uncovering the antics of a groundhog, Kent was alarmed to discover an account takeover (ATO)/credential stuffing vulnerability in the security device.
Kent said: “Upon installation I realized the mobile application was connecting directly over the network to the camera, and if I wasn’t on the network, I still could see the images from my camera on the mobile app. As a security professional, this concerned me.”
Kent, who is hacker-in-residence at Cequence Security, said the cybersecurity flaw he found in the device could allow a bad actor to spy on a user's home and change the camera’s settings.
“This API vulnerability makes it easier for a cyber-criminal to take over someone’s Kasa camera account and then use that access to change passwords, modify camera settings, view private security footage or use it to surreptitiously snoop on a user’s home,” he said.
Through further investigation, Kent discovered that although the Kasa’s mobile application uses SSL, the SSL certificate wasn’t pinned. This made it “easy to open it up and look at the transactions.”
“I also found that the authentication is simply BASE64 encoded username:password being passed under SSL,” said Kent.
“Security best practices dictate that the application should hash under the SSL rather than encoding and reiterated the value of pinning the certificate.”
Of equal concern to Kent was the finding that authentication to the web platform returned “very verbose” API error messages that included phrases such as “password incorrect.” Kent posits that this could leave users who set up their email address as their username vulnerable to cyber-attack, since the response confirms which addresses have accounts.
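The point about verbose error messages is easier to see side by side. The following is an added example, not Kasa or TP-Link code: a login handler that reveals whether the username or the password was wrong, next to a hardened one that returns a single generic message, hashes passwords server-side with PBKDF2, and runs a dummy verification for unknown users so the failure paths cost the same time. The user store, credentials and function names are constructed for illustration.

```python
"""Verbose versus uniform authentication errors (added example, not vendor code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, pbkdf2_sha256 digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store: username (an email address, as in the article) -> (salt, hash)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": hash_password("correct horse battery staple"),
}

# Throwaway credential so the unknown-user path performs the same expensive hash
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy-password-never-valid")


def verify(stored: Tuple[bytes, bytes], password: str) -> bool:
    """Constant-time comparison of the candidate hash against the stored one."""
    salt, expected = stored
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def login_verbose(username: str, password: str) -> Tuple[bool, str]:
    """Weak pattern: distinct messages confirm whether an account exists for the
    supplied address, which is what makes credential stuffing cheaper."""
    if username not in USERS:
        return False, "user not found"
    if not verify(USERS[username], password):
        return False, "password incorrect"
    return True, "ok"


def login_uniform(username: str, password: str) -> Tuple[bool, str]:
    """Hardened pattern: one generic message for every failure, and the hash is
    computed even for unknown users so timing does not distinguish the two cases."""
    stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = verify(stored, password)
    if ok and username in USERS:
        return True, "ok"
    return False, "invalid username or password"


if __name__ == "__main__":
    for handler in (login_verbose, login_uniform):
        print(handler.__name__)
        print("  unknown user :", handler("bob@example.com", "guess"))
        print("  wrong passwd :", handler("alice@example.com", "guess"))
        print("  correct      :", handler("alice@example.com", "correct horse battery staple"))
```

The hardened handler still lets the legitimate user in; what changes is that an unknown address and a wrong password are indistinguishable from outside, in both the message and the amount of work done.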
Kent reported his concerns to TP-LINK, parent company of the Kasa brand, in March 2020. On June 15, the company said that the vulnerability he found would be fixed. At time of publication, the flaw had still not been remedied.
UK businesses have been slow to move to the cloud because of concerns over data loss and compliance breaches, according to the 2020 UK Veritas Databerg Report. It showed that just 47% of corporate data is currently stored in the cloud, despite IT decision makers believing 43% would be held in the cloud within 12 months during the last Databerg report back in 2015.
The study revealed that current fears regarding data loss and compliance breaches have replaced other reservations organizations had regarding cloud adoption in 2015: whilst 77% highlighted security as a challenge to cloud adoption in 2015, this has fallen to 59% today. In addition, concerns over the unpredictability of the cloud fell from 49% in 2015 to 21% in 2020.
Another finding from the report was that just 19% of enterprise data is regarded as usable and business critical, whereas 28% is redundant, obsolete or trivial (ROT). Additionally, 53% is considered dark, i.e. stored without knowledge of what it is or its value.
Jasmit Sagoo, UK & Ireland CTO at Veritas Technologies, commented: “Businesses have negotiated the cloud challenges of 2015, but old fears are being replaced by new ones – and these need to be overcome if companies are going to meet their transformational goals. Concerns around cloud security and unpredictability may have been resolved, but they have been replaced by fear of data loss and compliance breaches, 55% and 54% respectively. This is understandable, given the wider data challenges that organizations often have, many of which can be exacerbated by a multi-cloud strategy.”
Nevertheless, the IT decision makers surveyed expect cloud adoption to increase well above the current rate within the next year, predicting that 64% of enterprise data will be stored in the cloud over the coming 12 months.
A key driver of cloud adoption is to reduce IT costs, according to the report, cited by 66% of businesses.
Google has updated its advertising policy to effectively ban stalkerware from its pages.
The tech giant announced the move in an update to its Enabling Dishonest Behavior policy. Although it didn’t mention the category by its more commonly known name, the firm said it will “prohibit the promotion of products or services that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization.”
Stalkerware is a type of monitoring tool downloaded secretly to a victim’s device, where it spies on their communications, location, photos and web browsing.
It’s commonly marketed by developers as a way for parents to monitor their children, or for adults to check whether their partners are having an affair. In reality, it is all-too-often used by domestic abusers, stalkers and violent ex-partners.
Google made it clear that the new policy doesn’t apply to “private investigation services” or tools designed to help parents monitor underage children.
The advertising ban will apply to the following:
“Spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history; GPS trackers specifically marketed to spy or track someone without their consent; promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.”
Figures released by Kaspersky in March this year to coincide with International Women’s Day revealed that the number of victims targeted by stalkerware jumped 91% in the UK from 2018 to 2019, while the global figure was 67%.
Although the AV vendor detected 67,500 cases worldwide over the period, this is likely to be just the tip of the iceberg.
In fact, Avast research has revealed a sharp rise in downloads following COVID-19 lockdowns. It claimed that installations of stalking apps in the UK rose 81% from March, versus January and February figures.
The new Google policy will come into force on August 11.
Zoom is scrambling to fix another zero-day vulnerability in its Windows client, this time potentially leading to arbitrary remote code execution.
Acros Security CEO, Mitja Kolsek, revealed the news in a blog post, claiming that the researcher who found the bug didn’t disclose to the vendor or a third-party broker, “but would not object to us reporting it to Zoom.”
“We analyzed the issue and determined it to be only exploitable on Windows 7 and older Windows systems. While Microsoft's official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft's Extended Security Updates or with 0patch,” he explained.
“We then documented the issue along with several attack scenarios, and reported it to Zoom earlier today along with a working proof of concept and recommendations for fixing. Should a bug bounty be awarded by Zoom, it shall be waived in favor of a charity of researcher's choice.”
Acros Security’s 0patch offering provides “micropatches” to running processes without the need for administrators to restart these processes.
The firm has decided to provide these patches for free to anyone that downloads the 0patch Agent. These will automatically become obsolete as soon as Zoom releases an update to fix the vulnerability, it said.
There are no technical details of the zero-day available at present.
Zoom has been on a hiring spree of late in a bid to ramp up its security credentials. Most recently it announced Salesforce SVP of security operations, Jason Lee, as its new CISO.
The video conferencing firm has also signed up former Facebook CSO Alex Stamos as an advisor, Luta Security as a new partner to help rebuild its bug bounty program, Johns Hopkins cryptography expert Matthew Green, former Google privacy technology lead Lea Kissner, and cybersecurity consultancy NCC Group.
UK pubs and restaurants are exposing their customers to the risk of phishing attacks as consumers head back to the bar after a long period of lockdown, according to Proofpoint.
The security vendor analyzed the co.uk and .com domains of 50 of the top 88 most popular dining brands in the country, to check whether they’ve implemented the strongest level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection.
It found that 98% had not – in fact 70% had no published DMARC record at all, leaving their customers wide open to phishing.
Just 2% of pub and dining brands had the strongest policy (“p=reject”) in place.
While not a silver bullet, DMARC can help to limit the impact of spam and phishing, but malicious emails will only be prevented from reaching customers’ inboxes if p=reject is set. The weakest setting is p=none, which will allow brands to monitor activity but means phishing emails are still sent to users. The next level up, p=quarantine, will mean suspicious messages are sent to the receiver’s junk folder.
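To make the three policy levels concrete, here is an added example (not Proofpoint's own methodology) that parses DMARC TXT records and classifies each domain as the article does: reject, quarantine, none, or no record at all. The domains and records are constructed placeholders; a live check would fetch the TXT record at `_dmarc.<domain>` (for instance with dnspython), which this offline version replaces with a dictionary. It also handles the `pct` tag, which the article does not mention: a `p=reject` with `pct=50` only rejects half of failing mail, so it is reported separately.

```python
"""Classify DMARC records by enforcement level (added example, not the vendor's tooling)."""
from typing import Dict, Optional

# Constructed sample data: domain -> TXT record at _dmarc.<domain>, or None if none is published
SAMPLE_DMARC_RECORDS: Dict[str, Optional[str]] = {
    "pub-one.example": "v=DMARC1; p=reject; rua=mailto:dmarc@pub-one.example",
    "diner-two.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:d@diner-two.example",
    "bar-three.example": "v=DMARC1; p=none; rua=mailto:reports@bar-three.example",
    "grill-four.example": None,                # no DMARC record published at all
    "cafe-five.example": "v=DMARC1; sp=reject",  # required p= tag missing
}


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a record into lowercase tag -> value; None if absent or not a DMARC1 record."""
    if not record:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify_policy(record: Optional[str]) -> str:
    """Return 'reject', 'quarantine', 'none', 'missing' or 'invalid'. A pct below
    100 is appended, e.g. 'quarantine (pct=50)', because the policy then covers
    only that share of failing mail."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in ("reject", "quarantine", "none"):
        return "invalid"
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return f"{policy} (pct={pct})"
    return policy


def blocks_spoofed_mail(record: Optional[str]) -> bool:
    """True only for a full p=reject policy, the setting the article says is needed
    to keep spoofed mail out of customers' inboxes."""
    return classify_policy(record) == "reject"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per base level, mirroring the survey's headline figures."""
    counts: Dict[str, int] = {}
    for record in records.values():
        level = classify_policy(record).split(" ")[0]
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_DMARC_RECORDS.items():
        print(f"{domain:20} {classify_policy(record)}")
    print(summarize(SAMPLE_DMARC_RECORDS))
```

Note that a published record with `p=none` counts as "has DMARC" in surveys like this one, yet offers customers no protection; only the `reject` bucket in the summary corresponds to mail actually being blocked.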
Pub- and restaurant-goers are particularly exposed at present as establishments are requiring many users to book online before they arrive, and/or to provide their details for contact tracing purposes.
This means customers will be primed to expect communications from these brands, something cyber-criminals could leverage to their advantage.
The Prime Minister announced the re-opening of these businesses from July 4 after several months under lockdown.
“We have seen during the pandemic that cyber-criminals don’t hesitate to prey on society’s anxiety around COVID-19 to target individuals and businesses. In times of fear and uncertainty, individuals are much more susceptible to these kinds of attacks, particularly if a fraudulent email looks like it has come from a genuine domain,” said Adenike Cosgrove, cybersecurity strategist, international, at Proofpoint.
“We recommend that people take steps to make sure that they don’t click on anything suspicious, even if it appears to come from an official source, and instead take steps to contact establishments if they aren’t sure.”
New research has found that the British public are in favor of increased regulation and more accountability in the field of Artificial Intelligence (AI).
An independent survey of 2,000 adults in the UK by AI firm Fountech.ai discovered that 64% of respondents would like to see the introduction of additional regulation to make artificial intelligence safer.
Concern over the safety of AI varied according to age, with younger respondents adopting a more relaxed attitude. While 73% of those aged over 55 supported the introduction of extra guidelines to improve safety standards, only 53% of those aged between 18 and 34 concurred.
Britons also wanted to see companies take more accountability, with 72% of people believing that companies that develop AI should be held responsible for any mistakes that the technology makes. At 81%, those aged over 55 were the most likely to hold this view, while at 60%, millennials were the least likely to agree.
The research, which was published today, revealed that Brits have high expectations regarding AI's performance and capabilities. The view held by 61% of respondents was that AI should not be making any mistakes when making decisions or performing an analysis.
While positive assumptions may prevail regarding the might of the technology's functional prowess, more than two-thirds of those surveyed felt that AI should be kept under the watchful eye of mankind. The survey found that 69% think that a human being should always be monitoring and checking decisions made by AI.
Again, the more seasoned respondents were typically more in favor of human monitoring, with 77% of over-55s stating that AI's decisions should be checked and monitored.
While William Shakespeare observed that "to err is human," machines can also get things wrong. When questioned about the chances of AI making a miscalculation, researchers found that 45% of survey respondents said it is harder to forgive errors that are made by machines than it is to forgive mistakes made by humans.
This result concerning the ability to forgive—described as divine by the bard—was similar across the various age demographics surveyed.
Nikolas Kairinos, founder of Fountech.ai, said: "While lawmakers may need to refine responsibility for AI’s actions as the technology advances, over-regulating AI risks impeding the potential for innovation with AI systems that promise to transform our lives for the better.”
A teenager from San Diego has been fatally shot after confronting cyber-bullies who targeted her sister online.
The life of 19-year-old Janessa Del Valle was tragically cut short on July 4 as America celebrated its national Independence Day.
The young woman from Bonita was killed while attempting to stop bullies from using the internet to body-shame her 13-year-old sibling.
Del Valle's mother said that her daughters were expecting to meet with a couple of girls they believed to be responsible for the bullying when they left the family’s apartment together on Saturday.
“When they met up, they thought they were meeting two girls, but they ended up meeting a carload of four people,” Del Valle's mother said.
Deputies said that the confrontation escalated into a fight in which Janessa was fatally shot.
Del Valle’s mother said that after shooting Janessa, the attackers then turned on her 13-year-old sister.
The attack took place in a parking lot at the 5100 block of Cedarwood Road in Bonita just steps from the Del Valle family’s home.
Janessa was a former high school athlete who had been studying at San Diego City College at the time of her death. Her mother said cyber-bullying was an issue that could impact any child.
“If you have children, and you see your children getting bullied, you need to do something about it—don’t think it’s innocent or it’s going to go away,” Del Valle's mother said.
A search is now underway for Janessa's killer(s), and the San Diego Sheriff’s Department is asking for any witnesses to call in tips.
A suspected ransomware attack has caused the temporary closure of an Alabama county’s computer network.
Chilton County implemented a shutdown after being targeted by a suspected ransomware attack on the morning of July 7. County Commission Chairman Joseph Parnell announced the incident on the social media network Facebook.
“The incident has caused a temporary disruption to the County’s computer records systems including the tag office and probate court records,” wrote Parnell.
“Persons needing services provided by our various departments should check with the clerks in the particular department before coming to the courthouse to ensure that needed records are accessible.”
As a result of the attack, local records required by the courthouse in the performance of its regular services have been rendered unavailable.
In a phone interview with the Clanton Advertiser, Parnell said an investigation was underway to determine the severity of the cyber-incident. The county servers and computers in several departments have been closed in a bid to limit the spread of any malware infection that may have occurred.
“Our databases and computers are shut down while the cyber guys are trying to figure out if and what the extent was of the intrusion,” said Parnell.
The chairman said that until the severity of the attack had been diagnosed, the county was assuming the worst.
Parnell said: “It could be very minor, and it could be very serious, but we have to treat this like it is extremely serious until we know otherwise.”
A cyber-attack was suspected when the county’s computers started behaving in a way that was out of character. Parnell said that Chilton’s employees noticed “their computers were not functioning normally. They were sluggish, and some of their applications looked different.”
Employees reported the discrepancies to the local IT team, which then shut down the county’s internal network.
“We have a cyber-policy in place and have hired a firm of professional IT people out of New York that is going to come in and assess the system,” Parnell said.
The cyber-branch of the FBI and the Alabama Attorney General’s Office have been notified of the incident.
Just 5% of Brits are able to recognize all scam emails and texts, a study from Computer Disposals Limited has found.
Scam emails purporting to be from Facebook were shown to be most likely to trick people. Additionally, participants found it harder to spot scams via SMS messages compared to emails.
For the study, Computer Disposals created a quiz comprising recreated genuine messages and emails from organizations including the UK government, Amazon, Disney Plus and Netflix, alongside scam texts and emails that used the exact tactics hackers employ to gain access to users’ accounts and personal details. It then asked 1000 individuals to distinguish the genuine messages from the fake ones.
The findings are especially concerning in light of a rise in phishing attacks during the COVID-19 pandemic, as cyber-criminals play on people’s economic and health fears during the crisis.
The respondents were observed to be naturally suspicious of all communications, however, with just 44% able to identify the genuine messages and emails.
Ben Griffin, director of Computer Disposals Limited, commented: “Over the past decade, cybercrime has risen to become a major risk for all of us – individuals and companies alike. As we live more and more of our lives online, phishing scams have become one of the most prevalent types of security breaches, especially as we use multiple devices interchangeably.
“Our data shows that only 5% of the British public are able to consistently identify phishing scam emails and texts, highlighting both how sophisticated and convincing these messages have become, as well as the need for us to constantly remain alert – especially so when we are spending more time at home. Vigilance is the key to remaining secure: safeguard your passwords, install recommended software updates and always treat messages with links or requesting information with due suspicion – even if they appear legitimate.”
Security professionals are struggling to effectively manage high volumes of security alerts.
According to the 2020 State of SecOps and Automation Report, a study conducted by Dimensional Research on behalf of Sumo Logic, managing the sheer volume of security alerts poses a significant problem for IT security professionals.
Its research of 427 qualified security individuals found 70 had faced more than double the volume of security alerts in the past five years, whilst 99% stated high volumes of alerts were causing problems for IT security teams.
This led 83% to say their security staff had experienced alert fatigue.
“Today’s security operations teams are faced with constant threats of security breaches that can lead to severe fallout including losing customers, diminished brand reputation and reduced revenue,” said Diane Hagglund, principal for Dimensional Research.
“To effectively minimize risk and bridge the gap, many companies rely on automated solutions that provide real-time analysis of security alerts. These findings highlight the challenges SOC teams are facing in a cloud-centric world, but more importantly why enterprises are aggressively looking to cloud-native alternatives for security analytics and operations.”
Although automated security alert processing can help to mitigate this issue, it is still a work in progress for most security teams.
Speaking to Infosecurity, Virtually Informed CISO Sarb Sembhi said, in the last 20 years, technology has been about “collecting and giving you alerts” and until AI came along, there was little in the way of a solution to deal with alerts and to be able to see all alerts in a single view.
“The cause of this is so many different technologies that come into the security estate and give you an alert and tell you something is wrong and somebody has done something, and there is not a single view,” he said. “What you need is a single sense to tell you what the course of action should be.”
He concluded that there is an issue of seeing so many alerts and an analyst having a “so what” attitude, but even if one of a million alerts is dangerous “you cannot become complacent.”
People in the UK are being targeted by a new phishing scam designed to trick victims into handing over details of their HSBC bank account.
The scam, discovered by litigation specialists Griffin Law, begins with a bogus text message that claims to be from the banking and finance giant informing the receiver that a new payment has been made through the HSBC app on their phone.
The user is then told that, if they are not responsible for the payment, they should visit the site “Security.hsbc.confirm-systems.com” to validate their bank account, before being directed to a fake landing page which asks for their username and password, followed by a series of verification steps.
The fraudulent site, which uses official HSBC branding, then asks for specific account details and personal data of the individual.
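The lure domain quoted above, Security.hsbc.confirm-systems.com, shows a common pattern: the bank's name sits in a subdomain, while the part of the name that is actually registered and controlled belongs to someone else. The following added example (not Griffin Law's analysis) extracts the registrable domain of a URL and flags hosts where a brand token appears anywhere in the hostname but the registrable domain is not on that brand's allowlist. The public-suffix subset and the HSBC allowlist are small constructed stand-ins; a real tool would use the full Public Suffix List and a maintained list of the brand's domains. The check also catches brand names embedded in the registrable label itself (for example a constructed `hsbc-secure.com`), which goes slightly beyond the article's one instance.

```python
"""Brand-in-subdomain lookalike detection (added example, not from the article's source)."""
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit

# Constructed subset of public suffixes; the real list has thousands of entries
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Assumed allowlist of legitimate domains per brand token, for illustration only
BRANDS: Dict[str, Set[str]] = {
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label), preferring the
    longest matching suffix so 'co.uk' wins over 'uk'."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else host.lower()
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def assess(url: str) -> Tuple[str, str]:
    """Classify a URL as ('legitimate' | 'lookalike' | 'unknown', registrable_domain)."""
    if "://" not in url:
        url = "https://" + url  # bare hosts as they appear in SMS lures
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    for brand, legit in BRANDS.items():
        if reg in legit:
            return "legitimate", reg
        if any(brand in label for label in host.split(".")):
            return "lookalike", reg  # brand token present, but someone else owns the domain
    return "unknown", reg


if __name__ == "__main__":
    for sample in ("Security.hsbc.confirm-systems.com",
                   "https://www.hsbc.co.uk/",
                   "https://hsbc-secure.com/login",
                   "https://news.example.org/"):
        print(sample, "->", assess(sample))
```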
Griffin Law claimed that almost 50 people have come forward so far to say they have received the text message, with some able to identify the scam because they do not have an HSBC app installed on their phone. Thankfully, there have so far been no reports of the scam succeeding, according to Griffin Law.
Chris Ross, SVP, Barracuda Networks, said: “This is the latest in a long line of increasingly sophisticated phishing scams, designed to trick the victim into handing over their personal financial details.
“Increasingly, we are seeing examples of cyber-criminals using the branding of major banks to create realistic-looking fake websites, in order to extract personal financial information.”
When it comes to tackling the problem, all companies and users must remain vigilant of such scams, he added.
“SMS messages are often used by criminals to catch workers off-guard, using their personal mobile number. Ensuring security awareness within the workforce is critical, and it’s important that all employees are trained about how these schemes operate as well as how SMS messages can be exploited as part of a wider phishing scheme designed to steal company funds and data.”
Attackers are creating fake download links for the video-sharing application TikTok that deliver malware designed to capture users’ data.
According to Money Control, police in India have issued a warning about TikTok links, after links were sent through WhatsApp and SMS.
The attackers promote a ‘professional’ version of TikTok to Indian users, after the application was banned in the country earlier this year.
Christoph Hebeisen, director of security intelligence at Lookout, said: “When legitimate, popular channels to acquire a popular app are blocked for whatever reason, it presents an opportunity for malicious actors to lure victims by promising a way around the restriction.
“The removal of the TikTok app from both Google Play and the Apple App Store in India has created a similar situation. Users should limit their risk by only installing apps from the official app stores and using mobile security as an added layer of protection.”
The message was first spotted by Times of India and it read: “Enjoy Tiktok video and create creative videos once again. Now TikTok is only available in (TikTok Pro) then download from below.” This message has a link to download the TikTok Pro APK file.
Once downloaded, the app’s icon mimics the TikTok app and it asks for permissions including the camera, image gallery and microphone. After these permissions are granted, the app does not function and simply remains on the phone.
Chris Hauk, consumer privacy champion at Pixel Privacy, said phishing attacks like these will continue to prove to be fruitful until users are educated on the risks of clicking links in text messages, WhatsApp messages and emails. “When users are looking to download apps like TikTok they will find that legitimate sources of the apps will not ask for personal or financial information before allowing them to download a free app,” he said.
“As for myself, I would also be concerned as to what TikTok does with my data after I install the app, as it has been found to spy on the clipboard on iOS devices.”
The privacy regulators of the UK and Australia have announced a joint investigation into controversial facial recognition firm Clearview AI.
“The Office of the Australian Information Commissioner (OAIC) and the UK’s Information Commissioner’s Office (ICO) have opened a joint investigation into the personal information handling practices of Clearview AI Inc., focusing on the company’s use of ‘scraped’ data and biometrics of individuals,” a brief statement read.
“The investigation highlights the importance of enforcement cooperation in protecting the personal information of Australian and UK citizens in a globalized data environment.”
The Manhattan-based software firm leapt to notoriety early this year after a New York Times report claimed that the startup had scraped as many as three billion images from social media sites to add to its database.
That makes it a useful resource for police and intelligence agencies, which can query images they capture against the database. The FBI’s own trove of images is said to contain little more than 600 million.
The report claimed that over 600 law enforcement agencies have started using Clearview AI in the past year alone.
The ICO and OAIC won’t comment while the investigation is taking place, and it’s unclear when they’ll finally report their findings.
Still, scraping data for such intrusive purposes raises serious privacy questions, especially under the GDPR, where biometric data used to identify individuals is a special category that generally requires the data subject's explicit consent or another narrow legal exception.
Clearview AI was in the news more recently, when an unauthorized intruder reportedly stole the firm’s entire client list, the number of user accounts those companies had set up, and the number of searches they’d carried out.
The firm is no longer operating in Canada after privacy authorities there began investigations into its practices.
Security researchers are warning of a new phishing campaign that uses malicious emails from legitimate SurveyMonkey domains in a bid to bypass security filters.
The phishing emails in question are sent from a real SurveyMonkey domain but crucially have a different reply-to domain, according to Abnormal Security.
“Within the body of the email is a hidden redirect link appearing as the text ‘Navigate to access statement’ with a brief message ‘Please do not forward this email as its survey link is unique to you’,” it explained.
“Clicking on the link redirects to a site hosted on a Microsoft form submission page. This form asks the user to enter their Office 365 email and password. If the user is not vigilant and provides their credentials, the user account would be compromised.”
The attack is effective for several reasons: its use of a legitimate SurveyMonkey email sender, the concealing of the phishing site URL and the description of the email as unique to every user.
“Users may be primed to think that the login page is there to validate that their responses are from the legitimate recipient of the email. Thus, the behavior isn’t unexpected,” argued Abnormal Security.
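The header and link mismatches Abnormal Security describes can be checked mechanically at the mail gateway. The script below is an added example written for this article, not Abnormal Security's or SurveyMonkey's code; the two messages, addresses and domains in it are constructed for illustration, and the "two independent signals" threshold is an assumption a real deployment would tune.

```python
"""Flag survey-style credential phishing: a message sent from a legitimate
provider domain whose Reply-To points elsewhere and whose link text hides
the real target.

Added example, not Abnormal Security's or SurveyMonkey's code. The two
messages below are constructed; their addresses and domains are illustrative.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample: legitimate sender domain, foreign Reply-To,
# anchor text that does not reveal the link target.
PHISH_EML = b"""From: "Acme Corp" <member@surveymonkey.com>
Reply-To: noreply@attacker-reply.example
To: victim@example.com
Subject: Access statement
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please do not forward this email as its survey link is unique to you.</p>
<p><a href="https://forms.office.com/r/AbCdEf">Navigate to access statement</a></p>
</body></html>
"""

# Constructed benign sample: same sender domain, no Reply-To, visible URL.
BENIGN_EML = b"""From: "Acme Corp" <member@surveymonkey.com>
To: victim@example.com
Subject: Quarterly survey
Content-Type: text/html; charset=utf-8

<html><body>
<p>Take our survey:
<a href="https://www.surveymonkey.com/r/XYZ123">https://www.surveymonkey.com/r/XYZ123</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value: str) -> str:
    """Lower-cased domain of an RFC 5322 address; '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the samples here; a real
    deployment should consult the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw: bytes) -> dict:
    """Return the sender/Reply-To domains, the links found, and findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    findings = []
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    links = []
    for href, text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()
        links.append((host, text))
        if not re.match(r"https?://", text, re.I):
            # The reader sees a label, not where the click actually goes.
            findings.append(f"link text '{text}' hides target host {host}")
        if registrable(host) != registrable(from_dom):
            # A survey mailed by one SaaS platform lands on a form hosted elsewhere.
            findings.append(f"link host {host} is off the sender's platform")

    if re.search(r"unique to you", html, re.I):
        # Pressure phrase Abnormal Security highlighted; weak on its own.
        findings.append("'unique to you' pressure phrase present")

    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "links": links,
        "findings": findings,
        # One weak signal is noise; two independent ones warrant quarantine.
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, analyse(raw))
```

The Reply-To check is the cheap, high-value one: a survey platform's notification mail has no reason to route replies to an unrelated domain. The off-platform link check is deliberately scoped to the registrable domain so that a SurveyMonkey mail linking to a Microsoft Forms page is caught while links to the provider's own subdomains are not.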
David Pickett, senior cybersecurity analyst at ZIX, explained that attacks like these are increasingly common: he claimed that the vendor blocked around 590,000 phishing emails abusing legitimate services like SurveyMonkey in the past week alone.
“Credential phishing using legitimate survey forms is a favorite attack vector by quite a few different groups over the past two years,” he added.
“We track these ‘living off the land’ attacks and have found that the most often abused legitimate forms/survey providers in order from greatest to least volume are Google, Microsoft, SurveyGizmo and HubSpot.”
German police have seized a server belonging to an activist group in a presumed bid to shut down the recent BlueLeaks exposure of US police records dating back decades.
Emma Best of WikiLeaks-like organization Distributed Denial of Secrets (DDoSecrets) confirmed the news this week on Twitter.
“We have received official confirmation that #DDoSecrets’ primary public download server was seized by German authorities (Department of Public Prosecution Zwickau file number AZ 210 AR 396/20). We are working to obtain additional information, but presume it is re #BlueLeaks,” she explained.
“The server was used ONLY to distribute data to the public. It had no contact with sources and was involved in nothing more than enlightening the public through journalistic publishing.”
The raid will raise questions over why an international police operation was launched to seize the leaked data, although there are reports that it may have exposed sensitive personal data.
There are also concerns that the data could endanger lives, if it is used by organized crime groups to unmask undercover police officers and witnesses. It could also damage the reputations of suspects who were arrested but subsequently released without charge.
The 269GB trove contains police and FBI reports, bulletins, guides and other materials on over 200 police departments, fusion centers and other training and support resources.
According to reports, the data, dating back to 1996, was stolen after a hacker targeted Netsential, a third-party web services supplier used by fusion centers, law enforcement and other government agencies across the United States.
They apparently used a compromised user account and the firm’s web platform upload feature to introduce malicious content, enabling the exfiltration.
Last month, Twitter banned DDoSecrets from its platform and labelled tweets linking to the leaks as potentially harmful. WikiLeaks, which published material said to have unduly influenced the last US Presidential election, remains on the social network.
A number of inactive websites have been compromised and are redirecting visitors to unwanted URLs, many of which are malicious. This is according to a new study by Kaspersky, which uncovered over 1000 expired domains, put up for resale, whose redirects now send users to pages that earn fraudsters money or even infect visitors' devices.
When a domain lapses it is sometimes picked up by a reseller and listed on an auction site. Visitors to the now-inactive website should be redirected to the auction's stub page; instead, fraudsters are replacing those stub redirects with redirects to malicious links.
Kaspersky researchers discovered around 1000 websites for sale on one of the world's biggest auction platforms that redirected visitors to over 2500 unwanted URLs. Many of these download the Shlayer Trojan, a macOS threat which installs adware on infected devices and is distributed through webpages carrying malicious content.
Of these redirects, 89% led to ad-related pages and 11% to malicious sites, which either contained malicious code or prompted users to install malware or download infected MS Office or PDF documents.
It is believed fraudsters are being paid to drive traffic to both the legitimate advertising pages and malicious sites, which is the motivation for the scheme.
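Because the landing page depends on where the visitor appears to come from, a one-off check of an expired domain can miss the malicious branch. The script below is an added example for this article, not Kaspersky's code: it follows a domain's redirect chain from two vantage points and flags chains that diverge, end somewhere other than the auction stub, or terminate in a download. The fetcher is injectable, so the response table stands in for live HTTP traffic and every hostname in it is a constructed placeholder.

```python
"""Follow an expired domain's redirect chain from two vantage points and
flag chains that diverge or end somewhere other than the auction stub.

Added example, not Kaspersky's code. The fetcher is injectable; the table
below stands in for live HTTP responses and every hostname in it is a
constructed placeholder.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# A fetcher returns (HTTP status, Location header or None) for one request
# made from one vantage point, without following redirects itself.
Fetch = Callable[[str, str], Tuple[int, Optional[str]]]

REDIRECT_CODES = {301, 302, 303, 307, 308}
DOWNLOAD_SUFFIXES = (".dmg", ".pkg", ".exe", ".msi", ".zip")

# Constructed responses keyed by (url, vantage). "RU" sees the honest stub;
# "US" is routed through a traffic-distribution hop to an installer.
CONSTRUCTED_WEB: Dict[Tuple[str, str], Tuple[int, Optional[str]]] = {
    ("http://old-blog.example/", "RU"): (302, "https://stub.auction-site.example/lot/123"),
    ("https://stub.auction-site.example/lot/123", "RU"): (200, None),
    ("http://old-blog.example/", "US"): (302, "http://tds.redirector.example/go?id=9"),
    ("http://tds.redirector.example/go?id=9", "US"): (302, "/drop/Install.dmg"),
    ("http://tds.redirector.example/drop/Install.dmg", "US"): (200, None),
    ("http://old-shop.example/", "RU"): (302, "https://stub.auction-site.example/lot/77"),
    ("https://stub.auction-site.example/lot/77", "RU"): (200, None),
    ("http://old-shop.example/", "US"): (302, "https://stub.auction-site.example/lot/77"),
    ("https://stub.auction-site.example/lot/77", "US"): (200, None),
}


def table_fetch(url: str, vantage: str) -> Tuple[int, Optional[str]]:
    """Stand-in for an HTTP client with redirects disabled."""
    return CONSTRUCTED_WEB.get((url, vantage), (404, None))


def follow(url: str, vantage: str, fetch: Fetch, max_hops: int = 10) -> List[str]:
    """Return every URL visited, resolving relative Location values."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, vantage)
        if status not in REDIRECT_CODES or not location:
            return chain
        url = urljoin(url, location)
        chain.append(url)
    return chain  # hop limit reached; a redirect loop is itself a signal


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def assess(domain: str, fetch: Fetch, stub_host: str, vantages=("RU", "US")) -> dict:
    """Compare landing pages across vantage points against the expected stub."""
    chains = {v: follow(f"http://{domain}/", v, fetch) for v in vantages}
    finals = {v: host_of(c[-1]) for v, c in chains.items()}
    reasons = []
    if len(set(finals.values())) > 1:
        reasons.append("landing host differs by vantage point (cloaking)")
    for v, h in finals.items():
        if h != stub_host:
            reasons.append(f"{v}: lands on {h}, not the auction stub")
        path = urlparse(chains[v][-1]).path.lower()
        if path.endswith(DOWNLOAD_SUFFIXES):
            reasons.append(f"{v}: chain ends in a download ({chains[v][-1]})")
    return {"chains": chains, "final_hosts": finals,
            "reasons": reasons, "malicious": bool(reasons)}


if __name__ == "__main__":
    for d in ("old-blog.example", "old-shop.example"):
        print(d, assess(d, table_fetch, "stub.auction-site.example"))
```

In live use the fetcher would be an HTTP client with automatic redirects disabled, issued through exits in different countries (or with different Accept-Language and User-Agent values), since the scheme Kaspersky describes chooses its destination per visitor. Relative Location headers are resolved with urljoin because traffic-distribution hops commonly use them.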
Dmitry Kondratyev, junior malware analyst at Kaspersky, commented: “The domains that have these redirects were — at one point — legitimate resources, perhaps those the users frequently visited in the past. There is no way of knowing whether or not they are now transferring visitors to pages that download malware. Adding to the challenge is that whether or not you land on a malicious site varies: if one day, you access the site from Russia, nothing will happen. However, if you then try to access it with a VPN, you might be sent to a page that downloads Shlayer.
“In general, malvertising schemes like these are complex, making them difficult to fully uncover, so your best defense is to have a comprehensive security solution on your device.”
Anti-fraud company Sift has discovered a Russian fraud ring using ecommerce marketplaces to verify stolen credit cards.
Criminals trade thousands of stolen credit card numbers every day, but verifying them is a challenge. They must ensure that the cards are still valid without raising issuers' suspicions. In its Q2 2020 Digital Trust & Safety Index, Sift uncovered a Russian group nicknamed Bargain Bear that takes a novel approach to the problem.
After buying stolen credit card data on the dark web, Bargain Bear's members created multiple fake product listings with a $99 price point. They then colluded, haggling down each other's listings. Eventually the "negotiation" would price the fake product at $1, which is the standard amount used to test the validity of a credit card.
At this point one fake user would "buy" the reduced-price item from the fake seller using a stolen credit card, verifying that it was usable. They could then use the cards for higher-value purchases.
Colluding like this enabled the fraudsters to test the card while looking legitimate, dodging automated systems that look for suspicious payment patterns. However, Sift said that after noticing the group's scam it reconfigured its service to spot similar practices. One giveaway might have been the fact that the criminals registered the fake buyers and sellers from the same IP addresses.
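The pattern Sift describes leaves several correlated traces in marketplace data: a listing haggled down to an authorization-test amount, a buyer cycling through many cards, and buyer and seller accounts that share a signup network. The script below is an added example for this article, not Sift's code or its scoring model; the records, thresholds and account names in it are constructed, and the "two or more signals" rule is an assumption.

```python
"""Detect collusive haggle-down card testing on a marketplace.

Added example for the scheme described above; not Sift's code. The records,
thresholds and account names are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List


@dataclass(frozen=True)
class Listing:
    listing_id: str
    seller: str
    list_price: float


@dataclass(frozen=True)
class Offer:
    listing_id: str
    buyer: str
    amount: float
    seq: int  # order of the offer within the negotiation


@dataclass(frozen=True)
class Purchase:
    listing_id: str
    buyer: str
    amount: float
    card_fingerprint: str  # tokenised card reference as a PSP would expose it


# Constructed sample data. seller_a/buyer_a share a signup address and run
# two $99 listings down to $1; seller_b/buyer_b is an ordinary sale.
SIGNUP_IP: Dict[str, str] = {
    "seller_a": "198.51.100.7", "buyer_a": "198.51.100.7",
    "seller_b": "203.0.113.5", "buyer_b": "192.0.2.44",
}
LISTINGS = [Listing("L1", "seller_a", 99.0), Listing("L2", "seller_a", 99.0),
            Listing("L3", "seller_b", 99.0)]
OFFERS = [Offer("L1", "buyer_a", 60.0, 1), Offer("L1", "buyer_a", 20.0, 2),
          Offer("L1", "buyer_a", 5.0, 3), Offer("L1", "buyer_a", 1.0, 4),
          Offer("L2", "buyer_a", 40.0, 1), Offer("L2", "buyer_a", 1.0, 2),
          Offer("L3", "buyer_b", 85.0, 1)]
PURCHASES = [Purchase("L1", "buyer_a", 1.0, "card-1111"),
             Purchase("L2", "buyer_a", 1.0, "card-2222"),
             Purchase("L3", "buyer_b", 85.0, "card-3333")]

CARD_TEST_MAX = 1.00   # typical authorization-test amount (assumed threshold)
HAGGLE_FLOOR = 0.10    # paid less than 10% of list price (assumed threshold)


def same_network(ip1: str, ip2: str, prefix: int = 24) -> bool:
    """True when both addresses fall in the same /prefix (v4) or /prefix (v6)."""
    a, b = ip_address(ip1), ip_address(ip2)
    if a.version != b.version:
        return False
    shift = a.max_prefixlen - prefix
    return int(a) >> shift == int(b) >> shift


def detect(listings: List[Listing], offers: List[Offer],
           purchases: List[Purchase], signup_ip: Dict[str, str]) -> List[dict]:
    """Return one alert per purchase that shows at least two fraud signals."""
    by_id = {l.listing_id: l for l in listings}
    offers_for = defaultdict(list)
    for o in offers:
        offers_for[o.listing_id].append(o)
    cards_per_buyer = defaultdict(set)
    for p in purchases:
        cards_per_buyer[p.buyer].add(p.card_fingerprint)

    alerts = []
    for p in purchases:
        lst = by_id[p.listing_id]
        reasons = []
        if p.amount <= CARD_TEST_MAX and p.amount < lst.list_price * HAGGLE_FLOOR:
            reasons.append("haggled down to card-test amount")
        neg = sorted(offers_for[p.listing_id], key=lambda o: o.seq)
        if len(neg) >= 3 and all(x.amount > y.amount for x, y in zip(neg, neg[1:])):
            reasons.append("monotonic downward negotiation")
        if same_network(signup_ip[p.buyer], signup_ip[lst.seller]):
            reasons.append("buyer and seller signed up from the same network")
        if len(cards_per_buyer[p.buyer]) >= 2:
            reasons.append("buyer cycles through multiple cards")
        if len(reasons) >= 2:
            alerts.append({"listing_id": p.listing_id, "buyer": p.buyer,
                           "seller": lst.seller, "card": p.card_fingerprint,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(LISTINGS, OFFERS, PURCHASES, SIGNUP_IP):
        print(a)
```

No single signal is conclusive: genuine bargains get haggled down, and housemates do share an IP. Requiring two independent signals is what lets a low-value purchase that an issuer-side velocity check would ignore stand out on the marketplace side, which is where Sift says it reconfigured its service to look.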
Bargain Bear demonstrates how fake content can facilitate payment fraud. This has been a particular problem during the COVID-19 crisis, it said. Sift gathered data from over 34,000 sites and apps using the service, along with a survey of over 1,000 consumers conducted last month by research company Dynata.
It found a 109% year-on-year increase in content fraud in the first half of 2020, which it says was connected to the uncertainty and disruption caused by the pandemic. The company blocked the highest number of fraudulent content attempts across all verticals between January and May this year, with an especially big spike between April 4 and April 11.
The online ticketing and event business was hit the hardest even as it saw record drops in event volume. According to Sift's research, 11.2% of user-generated content related to events and ticketing posted across its customers' websites was fake, designed to extort money from victims.
The company's fraud experts believe that scammers were trying to exploit home-bound consumers in need of entertainment with fake streaming concerts and other virtual events.