Magecart, the payment-card–skimming malware, has taken another victim, Kitronik, a leading supplier of electronic project kits in the UK. According to recent news from The Register, the company was the latest victim of Magecart’s global payment-card–skimming malware.
Kitronik suffered a data breach that may have exposed names, email addresses, card numbers, expiry dates, CVV security codes and postal addresses. The Register reported having seen an email written by Geoff Hampson, resident electronics expert for Kitronik, in which he told customers that the malware had been discovered.
"Anyone that has followed the news in recent months will be aware of the malicious software ‘Magecart’ that has been recording customers’ key presses on such high profile websites as British Airways and Ticketmaster. The malicious software records key presses at the checkout stage, to capture sensitive details. From some point early in August until mid-September the same malicious software has been present on the Kitronik website," Hampson wrote.
It is believed that the details were swiped at the checkout stage, and Hampson added that customer accounts established prior to August would not have been impacted, though he was not able to confirm how many customers might have been affected.
“Payment-card–skimming malware continues to be a security challenge for retailers around the globe,” said Rich Campagna, CMO, Bitglass. “British Airways, Newegg, and now Kitronik have all been victims of Magecart’s malware, highlighting the need for security solutions which monitor for vulnerabilities and threats, across all devices and applications, in real time.
With these capabilities, retailers can be proactive in detecting and thwarting breaches before they happen, ensuring that their customers’ sensitive information is protected.”
Magecart is a known malware that has proven successful in attacking other major companies very recently, and Kitronik had protections in place to monitor fraud. In his email to customers, Hampson noted, “Although we have a mechanism in place to alert us if the code on the website changes, this attack was very sophisticated and bypassed that code by making changes to the website database.”
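The bypass Hampson describes is the gap between watching files on disk and watching what the shopper's browser actually receives. The following added example (not Kitronik's code or The Register's) audits the rendered checkout page instead: it collects every external and inline script the page serves and compares them against an approved manifest, so a script injected through a database-stored content block is reported even though no file in the web root changed. The page markup, the manifest, and the injected tag (on a reserved `.invalid` host) are constructed for the example.

```python
"""Audit the scripts a checkout page actually serves against an approved manifest.

Added example; this is not Kitronik's code or The Register's. A file-integrity
monitor watches the web root, but a skimmer stored in the site's database (a
CMS content block, a template row, a footer snippet) never changes a file and
still reaches the shopper's browser. Fetching the rendered checkout page and
hashing every script in it closes that gap. The page markup, the approved
manifest and the injected tag below are constructed for the example.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from served HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_checkout(html, approved_srcs, approved_inline_hashes):
    """Return (kind, value) findings for every script not in the manifest."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        if src not in approved_srcs:
            findings.append(("unapproved-external", src))
    for body in collector.inline:
        digest = sha256_hex(body.strip())
        if digest not in approved_inline_hashes:
            findings.append(("unapproved-inline", digest))
    return findings


# Constructed manifest: what the checkout page is supposed to load.
APPROVED_INLINE = 'window.shop = {currency: "GBP"};'
APPROVED_SRCS = {"/static/js/checkout.js"}
APPROVED_INLINE_HASHES = {sha256_hex(APPROVED_INLINE)}

# Constructed page as the server renders it when nothing has been tampered with.
CLEAN_PAGE = (
    "<html><body>\n"
    '<script src="/static/js/checkout.js"></script>\n'
    "<script>" + APPROVED_INLINE + "</script>\n"
    "</body></html>"
)

# Same page after a database-stored content block adds one extra script tag.
# The host name is a reserved .invalid placeholder, not a real domain.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="https://cdn-stats.invalid/s.js"></script></body>'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, audit_checkout(page, APPROVED_SRCS, APPROVED_INLINE_HASHES))
```

Run this on a schedule against the live checkout URL (fetched as a shopper would see it, not from the file system) and treat any finding as an incident. A Content Security Policy with an explicit `script-src` list, plus Subresource Integrity hashes on external scripts, enforces the same manifest in the browser itself and complements the server-side check.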
Cyber-criminals could sell someone’s complete digital life – including social media accounts, banking details, app data, gaming accounts and even remote access to servers or desktops – for less than $50 on the dark web, according to a new study from Kaspersky Lab.
The research is based on an investigation of dark web markets, revealing that the price paid for a single breached account is even lower – at about $1 each. Many criminals sell accounts in bulk and some even offer a “lifetime warranty,” so if an account a buyer has purchased stops working, they receive a new one for free.
Although the resale value of stolen data is low, cyber-criminals can still use it in many ways, from stealing money to committing crimes under the disguise of someone else’s identity.
In an inquiry into how much our lives are worth, David Jacoby, senior security researcher at Kaspersky Lab, set out to understand the dollar value placed on our stolen data. Jacoby not only considered our personal possessions but also factored in the private information we share on social media, our medical history and even aspects of our childhood. The research found that our identities can be stolen for a mere pittance.
In largely rudimentary but effective attacks, hackers are stealing data from popular services like Uber, Netflix and Spotify.
In one dark web forum, Jacoby found a Swedish passport for sale to the tune of $4000, and the vendor was reportedly offering up passports for almost every country in Europe. Even utility bills and fake invoices were up for grabs.
“It is clear that data hacking is a major threat to us all at both an individual and societal level, because stolen data can be used for many nefarious activities,” said Jacoby in a press release.
“Fortunately, there are steps that we can take to prevent this, such as using cybersecurity software and being aware of how much data we are giving away for free – particularly on publicly available social media profiles.”
When a registered voter in the state of Georgia discovered a major vulnerability in the state’s My Voter Page, he brought it directly to the attention of lawyer David Cross, partner at Morrison & Foerster, who represented the Curling plaintiffs in the recent Georgia election security lawsuit. Cross said he alerted the FBI and Georgia Secretary of State Brian Kemp and his legal team.
What has ensued since then, according to Cross, is not an investigation into the vulnerabilities that threaten voter integrity or an effort to contact the reporting voter whose information was provided.
“From everything we’ve seen, instead of investigating, Kemp decided to politicize the issue and claim hacking by the Democratic Party,” Cross said, adding that the voter who brought the vulnerability to his attention is not affiliated with the Democratic Party.
The registered voter, whose name was not disclosed, went onto Georgia’s My Voter Page to look up his own information, said Cross. When he tried to update his information, he realized he was able to pull his information back but the system never confirmed that it was being pulled back.
“When he looked at the query, he noticed that he could potentially pull back any information just by changing the voter identification number. He didn’t confirm that,” said Cross, but brought the information to Morrison & Foerster, who brought it to the FBI and Kemp.
“We expected they would investigate, but as of this morning, the vulnerability is still there and they still had not contacted this voter. That’s the starting point for any investigation, but they are not doing that,” Cross said.
While Kemp has launched an investigation into the Democratic Party, alleging that it attempted to hack the voter system, the reported vulnerabilities remain unfixed, which Cross said is the real issue.
“Georgia voters need to check their voter registration information before tomorrow because right now there are potentially thousands of voters who could show up to vote tomorrow and not be able to because their information has been changed,” Cross said.
On Sunday’s State of the Union with Jake Tapper, Stacey Abrams, Democratic candidate for governor in Georgia, said of Kemp’s allegations, “This is a desperate attempt on the part of my opponent to distract people from the fact that two different federal judges found him derelict of his duties and have forced him to allow absentee ballots to be counted and those who are being held captive by the exact map system to be allowed to vote.
“He is desperate to turn the conversation away from his failures, from his refusal to honor his commitments and from the fact that he is part of a nationwide system of voter suppression that will not work in this election.”
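What the voter describes above is an insecure direct object reference: a lookup keyed on an identifier the client supplies, with nothing on the server tying that identifier to the person who logged in. The following added example is not code from Georgia's My Voter Page (its implementation is not public); the table, session object, function names and alert threshold are constructed. It shows the weak lookup, the same lookup with an ownership check, the stronger form that takes no identifier from the client at all, and a minimal monitor for the access pattern an investigator would look for.

```python
"""Record lookup keyed on a client-supplied identifier: the weak form and the fix.

Added example, not code from Georgia's My Voter Page (its implementation is not
public); the table, session object and function names are constructed to show
the class of flaw described above, an insecure direct object reference (IDOR).
"""
import sqlite3


class NotAuthorized(Exception):
    pass


class Session:
    """An authenticated session; the user proved identity for exactly one voter_id."""

    def __init__(self, voter_id):
        self.voter_id = voter_id


def build_db():
    """Constructed sample table with two voters."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters (voter_id INTEGER PRIMARY KEY, name TEXT, address TEXT)"
    )
    conn.executemany(
        "INSERT INTO voters VALUES (?, ?, ?)",
        [(1001, "Voter A", "1 Sample Street"), (1002, "Voter B", "2 Sample Avenue")],
    )
    return conn


def lookup_vulnerable(conn, session, requested_id):
    """Trusts the id from the request. The query is parameterised, so this is not
    SQL injection; the flaw is that nothing ties requested_id to the session, so
    changing the number in the request returns someone else's record."""
    return conn.execute(
        "SELECT name, address FROM voters WHERE voter_id = ?", (requested_id,)
    ).fetchone()


def lookup_hardened(conn, session, requested_id):
    """Same query, but the server checks ownership before touching the table."""
    if requested_id != session.voter_id:
        raise NotAuthorized(
            "session %d may not read voter %d" % (session.voter_id, requested_id)
        )
    return lookup_vulnerable(conn, session, requested_id)


def lookup_by_session(conn, session):
    """Stronger still: derive the key from the session and take no id from the client."""
    return conn.execute(
        "SELECT name, address FROM voters WHERE voter_id = ?", (session.voter_id,)
    ).fetchone()


def is_denied(conn, session, requested_id):
    """True if the hardened lookup refuses the request (used by the checks below)."""
    try:
        lookup_hardened(conn, session, requested_id)
        return False
    except NotAuthorized:
        return True


class IdorMonitor:
    """Detection side: one session reading many distinct records is the signature
    of someone iterating identifiers. The threshold is a constructed value."""

    def __init__(self, max_distinct_ids=3):
        self.max_distinct_ids = max_distinct_ids
        self.seen = {}

    def record(self, session, requested_id):
        ids = self.seen.setdefault(session.voter_id, set())
        ids.add(requested_id)
        return len(ids) > self.max_distinct_ids  # True means "alert"


if __name__ == "__main__":
    db = build_db()
    me = Session(1001)
    print("vulnerable, other id:", lookup_vulnerable(db, me, 1002))
    print("hardened, other id denied:", is_denied(db, me, 1002))
    print("by session:", lookup_by_session(db, me))
```

The ownership check belongs on the server for every read and every update path, and the monitor is the minimum a site operator needs to answer the question Cross raises: whether anyone has in fact been walking through identifiers.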
Under-fire credit agency Equifax has turned to competitor Experian to extend credit monitoring to customers affected by its major breach in 2017, although this will mean sharing even more information with a third party unless they opt out.
The news came in an email Equifax is sending those who enrolled on its TrustedID Premier service following the catastrophic breach of 148 million users last year.
The firm is now offering a further year of credit monitoring via Experian’s IDnotify service.
Experian is already using Equifax customers’ names, addresses, dates of birth and Social Security numbers in order to provide file monitoring as part of TrustedID Premier. However, the new deal will involve the company also getting hold of their phone numbers and email addresses, unless they opt out.
“Experian will only use the information Equifax is sharing to confirm your identity and securely enroll you in the Experian product, and will not use it for marketing or solicitation,” the note reads, according to Krebs on Security.
However, some may feel uneasy about sharing yet more information with a third party — especially one which itself has suffered a major data breach in the past. Around 15 million US consumers had their details exposed in a 2015 incident.
Paul Bischoff, privacy advocate with Comparitech, argued that the decision to share this contact info “mainly serves the credit bureaus and not breach victims.”
“Without consent, Equifax unilaterally made a decision to share contact info of people who signed up for its TrustedID program — many of whom registered out of fear of consequences from Equifax's own catastrophe,” he added. “If TrustedID users take no action, their personal information is shared with a third party and they receive no benefit. Users must either affirmatively opt out of the data sharing or enroll in Experian's similar credit monitoring program, IDnotify.”
What’s more, credit monitoring will not help those affected by the Equifax breach prevent identity theft taking place. Instead, it only notifies once a fraudster has already stolen one’s identity, according to experts.
“A better solution would be to put a credit freeze on your credit report, but doing so cuts into the credit bureaus' bottom lines,” said Bischoff. “A credit freeze blocks creditors from viewing your credit report, a service that creditors pay credit bureaus for.”
A flawed online communications system developed by the CIA was exposed to Google’s web crawlers, ultimately leading to the execution of dozens of spies, according to a new report.
The unnamed platform was cracked by Iranian intelligence after a tip-off by a double agent revealed the website they used to communicate with their CIA handlers. Google searches allowed them to locate other secret CIA websites and, from there, start to pick apart the entire spy network, according to Yahoo News.
This all started in 2009 after Tehran went looking for US moles following the announcement by the Obama administration of the discovery of a secret underground enrichment facility.
However, the impact was felt globally, most probably after Iran shared its intelligence with China, a move which ultimately led to an estimated 30 CIA spies being executed by Beijing and the collapse of its network there.
This “catastrophic” chain of events left as much as 70% of the CIA’s spy network potentially exposed to compromise at one point between 2009 and 2013, according to the report.
The after-effects are apparently still being felt today.
The problem stemmed from over-confidence among US officials in the use of the platform in hostile states like Iran and China where rigorous state monitoring makes it difficult to communicate in secret.
“It was never meant to be used long term for people to talk to sources,” said one former official. “The issue was that it was working well for too long, with too many people. But it was an elementary system.”
Another issue highlighted by the report was the lack of accountability for the failure in the intelligence services, and the sacking of a whistleblower who first brought the problem out into the open back in 2011.
“Our biggest insider threat is our own institution,” remarked a former official.
Malicious browser extensions could be behind a compromise of at least 81,000 Facebook accounts which were put up for sale on the dark web, according to reports.
Those behind the attack told the BBC Russian Service that they had access to 120 million accounts, although this has been branded “unlikely” by Digital Shadows, whose researchers were called in to investigate.
In fact, the seller, “FBSaler,” provided a total dataset to reporters of around 257,000 profiles. Just 81,000 are certain to have been compromised, as private messages were included. The remaining 176,000 may have simply had profile information like names, addresses, contact numbers, and interests taken because accounts were left wide open by users.
The accounts are not thought to be linked to the Cambridge Analytica scandal, or the more recent breach of 30 million accounts which occurred after attackers obtained access tokens.
“The method used to obtain the accounts remains unconfirmed, though Facebook believe malicious browser extensions could have been used. Facebook have still not been definitive about this, though it said it had contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores,” said Digital Shadows.
“A rogue survey application as used by Kogan is known to have worked in the past; however, account takeovers achieved through credential harvesters, for example, are also a possibility. While a variety of separate breaches may have been used to compile the dataset, it is more likely a single approach was used given the consistency of the data in the dump.”
The largest number of profiles (30%) are Ukrainian, followed by Russia (9%), although users from the US, UK and Brazil are also said to be represented.
“Regardless of attribution, motives and the method of collection, the exposure of private messages where people share information they would not usually post publicly on their Facebook feeds is a potentially worrying development,” the firm warned. “Sensitive information may be used for extortion or identity fraud, while it’s not unheard of for individuals to share financial information such as banking details over private messages.”
The accounts were originally for sale for around $0.10 each on the BlackHat SEO forum, although the report claimed the advert has since been taken down, according to the BBC.
Iran’s critical infrastructure and strategic networks were attacked with what is reportedly a more sophisticated variant of the decade-old Stuxnet malware, according to Reuters. Gholamreza Jalali, head of Iran’s civil defense agency, told reporters that the newly discovered next generation of Stuxnet, which was trying to enter the systems, consisted of several parts.
At a live press conference on October 28, Iran’s Supreme Leader Ayatollah Ali Khamenei said, “In the face of sophisticated methods used by enemies in their onslaught, the passive defense must be totally vigilant and serious.”
Reports from The Times of Israel raise questions about the attacker’s motivation, noting that news of the attack came hours after Israel said its intelligence agency, Mossad, had thwarted an Iranian murder plot in Denmark.
While no one is pointing the finger of blame in any direction just yet, “the ‘new Stuxnet’ attack is the latest indicator of the cyber-war that many governments are actively engaged in,” said Broderick Perelli-Harris, senior director of professional services at Venafi. “The details are still patchy, but it seems that Israeli intelligence relied on an old attack blueprint here.
“In the initial Stuxnet attack, the US and Israeli governments used stolen machine identities to infect Iranian nuclear centrifuges with the virus. Now, over 22 million pieces of malware use that blueprint to attack organizations and states alike across the world – all the signs point to the same method being used again here. It’s easy for organizations and governments to ignore when it’s used against an adversarial state, but the blueprint remains ‘in the wild’ for cyber-criminals to exploit.”
Given that cyber-weapons are prone to boundless proliferation, Perelli-Harris warned that this new Stuxnet variant should serve as a reminder that governments need to think very carefully when they are creating cyber-arms so that they do not escalate the problem. Once in the wild, they are impossible to control.
As is evidenced by the new generation of Stuxnet, cyber-arms can escalate into more violent, advanced and sophisticated variants. “Considering that subsequent variations on Stuxnet, namely Flame, Duqu, Stars, Shamoon and Nitro Zeus all had different payload delivery methods from their grandparent, it’s entirely plausible that the new generation of Stuxnet does also and that it will continue to evolve,” said Lewis Henderson, vice president of product marketing at Glasswall Solutions.
“With operators of critical national infrastructure unable to progress and update their operational technology at the same pace as their IT counterparts, there are known gaps and weaknesses that simply aren’t getting plugged. We can only hope news of this new version of Stuxnet has reached the highest level of decision making – because we’ve already seen what happens when you use old technology to fight a new adversary.”
Researchers found two vulnerabilities that could impact popular wireless access points and compromise enterprise networks if exploited, according to TechCrunch.
The pair of bugs were reportedly found in chips built by Texas Instruments. Networking device makers such as Aruba, Cisco and Meraki commonly build the Bluetooth Low Energy chips into their line-up of enterprise wireless access points. While the two bugs are distinctly different from each other in the range of models they target, researchers said that both could allow an attacker to take over an access point and break into an enterprise network or jump over the virtual walls that separate networks, according to TechCrunch.
“As the researchers point out, the vulnerability is not in the protocol but rather in the way the protocol has been implemented on the affected chipsets,” said Nick Murison, managing consultant, Synopsys Inc. “This underscores the importance for vendors to test that their implementations not only adhere to the protocol specification but also respond in a secure manner when presented with malformed traffic.”
Taking proactive steps throughout the entire development life cycle can thwart these types of bugs, minimizing their ability to survive all the way through to production, Murison said. “Using static code analysis during development can identify unsafe use of buffers, integer overflows and many other similar types of issues. Unit and integration test suites can be written to not only execute positive functional tests but also perform negative and boundary testing.
“Most companies that do any significant level of software development these days will be leveraging continuous integration pipelines to automatically build and test software from a quality perspective; such pipelines can easily be adapted to also include security-specific testing, such as static analysis and fuzzing.”
Developers also need to understand the repercussions of such implementation bugs, which should come from enterprise training that begins at the design phase, according to Murison. “As part of the design phase, companies should also be looking at threat modeling or architecture risk analysis to identify potential security weak spots, and look for opportunities to make the overall solution secure by design.”
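Murison's point, that an implementation must respond safely to malformed traffic and that negative and boundary tests are what prove it, is easiest to see on the kind of length-prefixed records BLE advertising data is built from. The following added example is not code from the researchers, Texas Instruments or any access point vendor; the record layout is the one BLE advertising data uses (one length byte covering a type byte plus payload, repeated), while the packets, the test cases and the zero-length handling are constructed. It puts a lenient parser beside a strict one and runs the same boundary cases through both, which is the test a CI pipeline would carry.

```python
"""Strict versus lenient parsing of length-prefixed records, with negative tests.

Added example, not code from the researchers, Texas Instruments or any access
point vendor. The record layout is the one BLE advertising data uses (one
length byte covering a type byte plus payload, repeated); the packets and the
test cases are constructed. In C the lenient parser's unchecked length would
read past the receive buffer; in Python it silently returns truncated data.
Either way, only a negative test that feeds malformed input exposes it.
"""


class MalformedPacket(ValueError):
    """Raised when a declared length does not fit the bytes actually received."""


def parse_lenient(buf):
    """Trusts each declared length; never rejects anything."""
    out = []
    i = 0
    while i < len(buf):
        length = buf[i]
        ad_type = buf[i + 1] if i + 1 < len(buf) else None
        out.append((ad_type, bytes(buf[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def parse_strict(buf):
    """Checks every length against the remaining buffer before using it."""
    out = []
    i, n = 0, len(buf)
    while i < n:
        length = buf[i]
        if length == 0:
            # A zero length starts the zero-padded tail; anything non-zero after
            # it is treated as malformed (a design choice for this example,
            # stricter than simply ignoring the tail).
            if any(buf[i + 1:]):
                raise MalformedPacket("data after zero-length structure at offset %d" % i)
            break
        if i + 1 + length > n:
            raise MalformedPacket(
                "length %d at offset %d exceeds %d remaining bytes" % (length, i, n - i - 1)
            )
        ad_type = buf[i + 1]
        out.append((ad_type, bytes(buf[i + 2:i + 1 + length])))
        i += 1 + length
    return out


# Constructed packets: one well-formed (flags, then a 16-bit UUID list) and
# three that sit at or past the buffer boundary.
CASES = {
    "valid": bytes([0x02, 0x01, 0x06, 0x03, 0x03, 0x0F, 0x18]),
    "length_overruns_buffer": bytes([0x02, 0x01, 0x06, 0x10, 0x09, 0x41]),
    "length_byte_only": bytes([0x05]),
    "max_length_short_buffer": bytes([0xFF, 0x09]),
}


def run_negative_tests(parser):
    """Return {case: 'accepted' | 'rejected' | 'crashed'} for the given parser."""
    results = {}
    for name, packet in CASES.items():
        try:
            parser(packet)
            results[name] = "accepted"
        except MalformedPacket:
            results[name] = "rejected"
        except Exception:  # any other exception is a crash, also a finding
            results[name] = "crashed"
    return results


if __name__ == "__main__":
    print("lenient:", run_negative_tests(parse_lenient))
    print("strict: ", run_negative_tests(parse_strict))
```

The lenient parser accepts every malformed case without complaint, which is exactly why a positive-only test suite would never have flagged it; the strict parser rejects the three boundary cases and still parses the valid packet identically. A fuzzer extends the same idea by generating the cases rather than hand-picking them.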
A new Consumer Data Protection Act was proposed on October 31 by Senator Ron Wyden from Oregon. The senator has long been an advocate of cybersecurity and privacy issues, and his new bill proposes strict penalties – including fines and prison time – for companies that violate consumer privacy, according to a press release.
The draft proposes amending the Federal Trade Commission Act to hold entities that use, store and share personal information more responsible for the data they collect and would apply to companies with more than $50 million in revenue and personal information on more than 1 million people. The act excludes data brokers or commercial entities that, “as a substantial part of their business, collects, assembles or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.”
Presumably, small to medium-sized businesses (SMBs) would fall outside the scope of this legislation, and Colin Bastable, CEO of Lucy Security, said that would bode well for SMBs. “These are the businesses that struggle to afford advanced security technology. They lack the people and the skills to defend their customers’ confidential data from hackers. Therefore, in addition to legislation, we must encourage all organizations, employees and consumers to prepare for the inevitability of successful attacks – teach, train and test, continuously."
This newest proposed legislation adds to the growing collection of data privacy acts already pending on Capitol Hill, including another Consumer Data Protection Act (this one introduced in 2017 by Sen. Robert Menendez), the Data Breach Prevention and Compensation Act (DBPCA), CLOUD Act and the ENCRYPT Act.
“Recent events like the Equifax data breach, Cambridge Analytica, Facebook and more have fueled the fire and will enable these to gather substantial support on both sides of the aisle as cybersecurity and data privacy issues remain front and center to everyone’s constituent needs,” said Pravin Kothari, CEO of CipherCloud.
“The congestion on Capitol Hill will tell you that these bills will likely be rolled up as one, most likely before they leave the Senate. Legislation is likely to be omnibus and then will replace the myriad of conflicting state efforts to provide similar legislation.”
Certainly data privacy has gained broad-level awareness, and Brian Vecci, technical evangelist at Varonis, said that even if Sen. Wyden's proposed privacy bill doesn’t become law right away, it’s clear that the tide is shifting in favor of privacy.
“Companies may really be forced to think of their data like their dollars and could face penalties if information is mishandled and exposed as part of a breach. Privacy is becoming top of mind for consumers and voters, and companies that have taken steps to meet the obligations of other privacy frameworks like the GDPR are clearly going to be ahead of everyone else.”
The Information Commissioner's Office (ICO) has been in action again, this time fining two nuisance call companies who tried to sell home security services specifically to individuals who’d opted out.
The UK’s privacy watchdog issued the fines under the Privacy and Electronic Communications Regulations (PECR), which governs nuisance marketing. The maximum penalty possible is £500,000.
Individuals who sign up to the Telephone Preference Service (TPS) do so to avoid unsolicited marketing calls.
However, ACT Response of Middlesbrough was behind 496,455 marketing calls to TPS subscribers and was fined £140,000, while Secure Home Systems (SHS) of Bilston, West Midlands, was fined £80,000 for making calls to 84,347 TPS-registered numbers.
The ICO claimed the latter used call lists bought from third parties without screening them first. Interestingly, the two companies called individuals “live” rather than using automated systems. The script used by ACT Response even asked people whether they were registered with the TPS, according to the ICO.
The two garnered hundreds of complaints to the watchdog, with SHS calls dating as far back as two years.
“These fines should set alarm bells ringing and deter marketing companies across all sectors that are contacting people without their consent. It is a company’s responsibility to make sure that it has valid consent to make these calls,” said ICO group enforcement manager, Andy Curry.
“The TPS is there for a reason – to protect people’s privacy and ensure that marketing companies obey the law. Marketing companies failing to take the basic step of checking TPS can expect robust enforcement.”
However, the directors behind these firms often try to escape punishment by declaring bankruptcy, only to set up new businesses. That’s why a leading consumer rights group campaigned in August for government action.
According to Which?, the government agreed two years ago that from spring 2017, directors of firms responsible for nuisance calls could each be fined up to £500,000 by the ICO if they breached the PECR. Yet so far it has failed to introduce such measures.
Radisson Hotel Group has become the latest big brand in the sector to suffer a data breach, after admitting that a "small percentage" of loyalty club members had their personal information accessed by an unauthorized person.
The notification statement is worded in such a way as to hint that the attacker may have gained access first to staff accounts, which in turn exposed the customer data.
“Upon identifying this issue Radisson Rewards immediately revoked access to the unauthorized person(s). All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior,” it noted.
Although the breach didn’t affect credit card or password information, it did expose Radisson Rewards member names, addresses, email addresses, and in some cases, company names, phone numbers, Radisson Rewards member numbers and frequent flyer numbers.
That could be useful for “specific, low incidence, criminal use cases” according to Ross Rustici, senior director of intelligence services at Cybereason.
“Unlike a large-scale credit card breach, the most likely way this information is to be monetized is through enhancing a pattern of like analysis on particular individuals, either high net worth or people with specific access to something,” he continued. “This type of information is far more useful for an intelligence targeting package than for large-scale monetization."
Given that the chain operates under numerous brands with 1400 hotels all over the world, the GDPR is likely to come into play here.
That could spell trouble, given the firm said it identified the incident on October 1, almost a month before notifying.
“Like the British Airways hack earlier this year, each major company that suffers an incident is going to be a test bed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations,” said Rustici.
The perils of SIM swap fraud have been highlighted again after an undercover film crew revealed O2 and Vodafone employees apparently handing over replacement cards without carrying out proper identity checks.
Secret filming showed two Vodafone staff failing to follow strict security policies to check the identity of the person requesting the replacement SIM card in-store, according to The BBC’s Watchdog Live.
Meanwhile, O2 staff failed to check photo ID, which is policy for all monthly contract SIMs. The firm told the program that it also sends an authorization code to any Pay As You Go customers alerting them if someone is trying to use their number, but this was not received during the filming.
SIM swap fraud is sometimes used by scammers to spend large sums on premium rate numbers they run, but increasingly it can also be used to intercept two-factor authentication codes sent by banks so that customers can ‘securely’ access their accounts.
The fraud is made easier not only when telco store employees fail to carry out the proper checks, but also by the large volume of identity data on the dark web which fraudsters can use to impersonate legitimate customers.
“From a financial institution standpoint, many have already started to make the switch to mobile PUSH notifications, which are inherently more secure than SMS. Mobile PUSH notifications have the added benefit of being able to be protected with application shielding technology and give banks a stronger interface for doing business with their customers,” explained Will LaSala, director of security solutions at OneSpan.
“Consumers should check to see if their bank already offers a mobile app and then enable PUSH two-factor authentication as soon as possible while disabling SMS two-factor authentication. SMS is a good method for notifying users of account notifications, such as account modifications and transactions, but it should not be used to allow privileged access.”
SIM swap fraud could also come as a result of malicious insiders working with criminal gangs.
In August, a US entrepreneur and cryptocurrency investor filed a $223m lawsuit against AT&T after a store employee allegedly facilitated SIM swap fraud, allowing criminals to transfer millions from his bank account.
Emails continue to be cyber-criminals' vector of choice for distributing malware and phishing, according to a report released today by Proofpoint.
The Quarterly Threat Report Q3 2018 found that the frequency of email fraud attacks and the number of individuals targeted per organization are continuing to rise. Credential-stealing banking Trojans comprised 94% of malicious payloads, and the number of malicious URLs grew, making them a more common attack vector than malicious attachments.
Emails attempting to steal corporate credentials increased over 300% between the second and third quarters of 2018.
In addition, the research indicated that social media platforms have done an excellent job of combating phishing links, resulting in a 90% decrease in attacks year-over-year. However, phishing attempts that leverage social-media-support fraud, which relies on fake customer service accounts to fool people into handing over their personal data, reached its highest level ever in September.
The report also noted that this type of angler phishing increased 486% year-over-year.
While banking Trojans made up 46% of all malicious payloads, a whopping 90% of those were Emotet and Panda Banker (also known as Zeus Panda). Emotet was consistently used in large, almost daily campaigns by an actor researchers have identified as TA542.
Though ransomware has somewhat dissipated, dropping 10 percentage points from Q2 and comprising only 1% of the overall malicious messages, the report warned that it should not be written off just yet.
“We observed a return of ransomware, albeit at much lower levels than we saw in 2017. However, this spike appeared to be a ‘testing of the waters’ since ransomware message volumes dropped. This suggests that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale,” the report said.
In place of ransomware, attackers have shifted to downloaders and stealers, which accounted for 48% of all malicious payloads in Q3. Researchers identified three new downloaders, suggesting a trend towards the distribution of small-footprint malware that is a bit more stealthy and able to do more reconnaissance.
While there was a reduction in the number of spoofed sender identities - a significant 68% drop - an average of 27 people were targeted per attack, representing a 96% increase in target victims year over year. The report indicated that attacks continue to have success exploiting the human factor.
According to a new report published by Vectra, there is a key distinction between attacks that probe IT networks for information about critical infrastructure and those attacks that actually target industrial control systems (ICSs). The 2018 Spotlight Report on Energy and Utilities found that most cyber-attacks against energy and utilities firms occur and succeed inside enterprise IT networks, not in the critical infrastructure.
Given these findings, detecting hidden threat behaviors inside enterprise IT networks before attackers have a chance to spy, spread and steal becomes all the more critical, according to the report. Attackers are taking their time and carefully orchestrating attack campaigns so that they occur over the course of several months.
Analyzing specific attacker behaviors in recent campaigns used to steal vital ICS information, the report found that “in multiple instances, threat actors accessed workstations and servers on a corporate network that contained data output from the ICS inside energy generation facilities. This involved suspicious admin and suspicious Kerberos account behaviors.”
Often lasting several months, these slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack. Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials, the study found. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.
“The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data,” said David Monahan, managing research director of security and risk management at Enterprise Management Associates. “This is one of the most crucial risk areas in the cyber-attack life cycle.”
The report, based on observations and data from the 2018 Black Hat Conference Edition of the Attacker Behavior Industry Report, also found that during the command-and-control phase of attack, 194 malicious external remote access behaviors were detected per 10,000 host devices and workloads. Also in every 10,000 host devices and workloads, 314 lateral movement attack behaviors were detected. And during the final stage of the attack life cycle, the exfiltration phase, 293 data smuggler behaviors were detected per 10,000 host devices and workloads.
Using consumer data stolen in data breaches and made available on the dark web, cyber-criminals have launched a sextortion phishing campaign, according to research from Barracuda Networks.
In this month's Threat Spotlight, researchers detail the sextortion scam in which attackers prey on victims by using stolen passwords, threatening that they have a compromising video that will be shared with the victim’s contacts unless the user pays in Bitcoin.
The campaign started in July, and Barracuda Labs said it remains ongoing. Researchers found roughly 24,000 emails reported by customers around the globe since September. The emails reportedly use the stolen password as the subject line, though some might precede it with “your password is.”
Preying on human fear, the attackers know the impact that such a subject will have at the mere suggestion that their account has been hacked. According to the research findings, the email goes on to claim that the user's computer was infected with a remote access Trojan (RAT) from a pornography website. The claim is that all of the explicit videos the user has been watching have been recorded.
“The email also claims that the user’s contacts from email and social networking have been gathered and that unless a sum of money is paid (in Bitcoin, of course), the video of the user watching porn will be sent to those contacts. We also saw examples of the attackers emailing the same address multiple times to up the scare tactics, an approach they are likely taking with most if not all of their intended victims,” wrote Jonathan Tanner in the Threat Spotlight.
(Image credit: Barracuda Networks)
While the attacker does have a legitimate password, which researchers said was likely from a list made public in 2016 of more than 500 million leaked passwords, there is no video, nor has any infection been found on victim computers.
“Whether or not the user has visited any pornographic websites is something only they know, but given that these emails are largely targeting business emails it's unlikely they're doing so on their work computer. For obvious reasons, we didn't send out a survey asking as much, but it seems safe to assume, and thus the other claims in the email must also be false,” Tanner wrote.
Researchers have warned that the SamSam ransomware strain continues to be a major threat to organizations, with 67 targets on the receiving end of attacks this year, according to Symantec.
The security giant claimed that most targets in 2018 have been located in the US, with healthcare accounting for the largest number of attacks, around 24%.
“Why healthcare was a particular focus remains unknown,” it explained. “The attackers may believe that healthcare organizations are easier to infect. Or they may believe that these organizations are more likely to pay the ransom.”
At least one US government organization involved in administering elections was also hit, which is concerning news ahead of the mid-terms next week.
A small number of remaining attacks targeted organizations in Portugal, France, Australia, Ireland and Israel.
A Symantec spokesperson confirmed to Infosecurity that it was not possible to determine how many of the listed attacks were successful, as in some cases "we saw less than a handful of computers infected with SamSam tools, which could suggest failed attacks."
However, SamSam is known to be particularly dangerous as it is typically manually operated, rather than being used in fire-and-forget automated campaigns.
This means those behind it go to greater lengths to hide its activity, encrypting as many machines as possible on a network before demanding the ransom.
Its highly targeted nature means attackers often first obtain account credentials on the dark web to access an organization’s remote desktop protocols, and then use tools to elevate privileges and gain domain access rights.
They’ve also been observed using legitimate Windows tools like PsExec and PsInfo to “live off the land” and evade AV tools, as well as publicly available hacking tools like Mimikatz to steal passwords and spread to other servers.
“These tactics are frequently used by espionage groups in order to maintain a low profile on the target’s network. By making their activity appear like legitimate processes, they hope to hide in plain sight,” explained Symantec.
“For example, in one attack that took place in February 2018, more than 48 hours passed between the first evidence of intrusion and the eventual encryption of hundreds of computers in the targeted organization.”
SamSam was responsible for a major attack on the City of Atlanta earlier this year, which is slated to cost $10m to clean up, plus a Colorado Department of Transport outage which also ran into the millions.
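Because the tooling Symantec describes is legitimate, signature-based AV has little to catch; what stands out is the pattern: a credential-theft tool on one workstation, then the same account driving PsExec at several servers within a short window. The following Python is an added detection example written for this article, not Symantec's or any vendor's logic; the process-creation records are constructed (Sysmon-style fields, fictitious hosts and accounts), and the spread threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Binaries named in the article: remote-execution admin tools and a credential dumper.
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe", "psinfo.exe"}
CRED_DUMP_TOOLS = {"mimikatz.exe"}

# PsExec and PsInfo take the target as \\HOST on the command line.
TARGET_RE = re.compile(r"\\\\([A-Za-z0-9\-\.]+)")

# Constructed process-creation records (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"ts": "2018-02-10T01:02:00", "host": "WS-017", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2018-02-10T02:14:00", "host": "WS-017", "user": "CORP\\svc_backup",
     "image": "C:\\Temp\\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"ts": "2018-02-10T02:20:00", "host": "WS-017", "user": "CORP\\svc_backup",
     "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\SRV-01 cmd.exe"},
    {"ts": "2018-02-10T02:22:00", "host": "WS-017", "user": "CORP\\svc_backup",
     "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\SRV-02 cmd.exe"},
    {"ts": "2018-02-10T02:25:00", "host": "WS-017", "user": "CORP\\svc_backup",
     "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\SRV-03 cmd.exe"},
    # A single PsExec use by an administrator: legitimate on its own.
    {"ts": "2018-02-10T09:00:00", "host": "WS-002", "user": "CORP\\it_admin",
     "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\SRV-01 ipconfig /all"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[Dict[str, str]], spread_threshold: int = 3,
            window: timedelta = timedelta(hours=2)) -> List[dict]:
    """Return findings: every credential-dump tool execution, plus one
    'lateral_spread' finding per account that drives a remote-exec tool at
    spread_threshold or more distinct targets inside one time window."""
    findings: List[dict] = []
    remote_uses: Dict[str, List[tuple]] = defaultdict(list)  # user -> [(ts, target)]

    for e in sorted(events, key=lambda e: e["ts"]):
        name = basename(e["image"])
        ts = datetime.fromisoformat(e["ts"])
        if name in CRED_DUMP_TOOLS:
            findings.append({"rule": "credential_dump_tool", "user": e["user"],
                             "host": e["host"], "ts": e["ts"]})
        if name in REMOTE_EXEC_TOOLS:
            m = TARGET_RE.search(e["cmdline"])
            target = m.group(1).upper() if m else e["host"]
            remote_uses[e["user"]].append((ts, target))

    # Sliding window over each account's chronological remote-exec uses.
    for user, uses in remote_uses.items():
        for i, (t0, _) in enumerate(uses):
            targets = {tgt for t, tgt in uses[i:] if t - t0 <= window}
            if len(targets) >= spread_threshold:
                findings.append({"rule": "lateral_spread", "user": user,
                                 "targets": sorted(targets)})
                break
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Note that a lone PsExec run produces no finding: the example deliberately treats the tool as legitimate and alerts only on the credential dump and on the burst of distinct targets, which is the behaviour the article attributes to SamSam operators. The two-hour window is generous on purpose, since the Symantec case cited above saw more than 48 hours between intrusion and encryption; a real rule would also correlate the dumping account with the spreading account.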
Eurostar has forced a password reset for customers after revealing that an undisclosed number of them may have had their accounts accessed by a malicious third party.
It’s unclear whether all Eurostar customers were required to change their passwords or just those affected.
The note sent to customers warned that the train operator had detected an “unauthorized automated attempt” to log in to some accounts between October 15 and 19.
“Please be reassured that your credit card or payment details haven’t been compromised as we never store such information on eurostar.com accounts,” it continued.
“We’d recommend that you reset your Eurostar password and check for anything unusual on your account. We’d also recommend updating your login details on other websites where you use the same password.”
Ilia Kolochenko, CEO of High-Tech Bridge, warned users to monitor incoming emails, instant messages and phone calls for suspected phishing attempts potentially using the account information accessed by the hackers.
“If personal data was stolen, it can be leveraged in eye-catching spear-phishing attacks, password reuse and identity theft scams,” he explained.
James Romer, chief security architect at SecureAuth, claimed the incident highlights how a reliance on username/password combinations can leave organizations and their customers exposed.
“The transport industry seems to be increasingly under attack from cyber-criminals, who are looking to access the vast amount of highly valuable customer data — including passport details and payment information — held within these organizations,” he added.
“Bad actors can easily purchase stolen credentials on the dark web, which can then be used to attempt to gain access to a secure network. By utilizing advanced techniques such as automation, more accounts can be easily targeted, increasing their chances of success.”
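An "unauthorized automated attempt" to log in to many accounts, driven by credentials bought in bulk, leaves a recognisable trace in authentication logs: one source address cycling through many distinct usernames with a high failure rate, the odd success being a reused password. The Python below is an added example, not Eurostar's or SecureAuth's code; the log format, the sample lines (documentation IP ranges, fictitious accounts) and the thresholds are all constructed for the illustration. It ends by listing the accounts a defender would force-reset, which is the response the article describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed one-line-per-attempt format for the auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one customer with a typo then success, one bulk
# attacker cycling six accounts in seconds, one ordinary login.
SAMPLE_LOG = """\
2018-10-15T22:00:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2018-10-15T22:00:20Z ip=198.51.100.7 user=alice@example.com result=OK
2018-10-15T22:01:00Z ip=203.0.113.5 user=bob@example.com result=FAIL
2018-10-15T22:01:02Z ip=203.0.113.5 user=carol@example.com result=FAIL
2018-10-15T22:01:04Z ip=203.0.113.5 user=dave@example.com result=OK
2018-10-15T22:01:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2018-10-15T22:01:07Z ip=203.0.113.5 user=frank@example.com result=FAIL
2018-10-15T22:01:09Z ip=203.0.113.5 user=grace@example.com result=FAIL
2018-10-15T22:05:00Z ip=198.51.100.9 user=bob@example.com result=OK
"""


def parse_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(r)
    return records


def detect_credential_stuffing(records: List[dict], window: timedelta = timedelta(minutes=10),
                               min_accounts: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag a source IP when, inside one window, it tries at least min_accounts
    distinct usernames and most attempts fail. Thresholds are assumptions."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    flagged: Dict[str, dict] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            win = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            accounts = {r["user"] for r in win}
            failures = sum(1 for r in win if r["result"] == "FAIL")
            if len(accounts) >= min_accounts and failures / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(win),
                    "failures": failures,
                    "accounts": sorted(accounts),
                    # Successful logins from a flagged source are the accounts actually accessed.
                    "accessed": sorted(r["user"] for r in win if r["result"] == "OK"),
                }
                break
    return flagged


def accounts_to_reset(flagged: Dict[str, dict]) -> List[str]:
    """Every account touched by a flagged source, tried or accessed, gets a forced reset."""
    return sorted({u for f in flagged.values() for u in f["accounts"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(ip, info)
    print("force reset:", accounts_to_reset(found))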
There have been more cyber-attacks against football’s organizing bodies globally and in Europe, with resulting leaks from FIFA expected to be published by the media on Friday, according to reports.
The World Cup organizer confirmed to reporters this week that it had suffered a breach in March, with the European Investigative Collaborations collective of media companies expected to go public with new revelations tomorrow, according to AP.
FIFA released a short statement claiming that it “condemns any attempts to compromise the confidentiality, integrity and availability of data in any organization using unlawful practices.”
It’s not thought that the attack was orchestrated by Russian actors, as was the 2016 raid on FIFA for which the US Department of Justice recently indicted seven intelligence officers.
Instead, it’s being linked to the Football Leaks hacktivist group, which has over the past two years sought to expose corruption and illegality in the beautiful game. Its work has in the past led to revelations of tax evasion by leading players in Spain, and details of an NDA signed between Ronaldo’s lawyers and a Las Vegas woman who accused him of sexually assaulting her in 2009.
Although there are no details as yet on how FIFA was breached, European football governing body UEFA officials have been targeted in a phishing campaign, according to reports.
It’s not known if the two incidents are related, and UEFA hasn’t yet found any evidence of unauthorized intrusion.
Security experts used the news to reiterate the importance of anti-phishing protection, although it’s still not clear how FIFA’s hackers penetrated the organization.
“The best way organizations and individuals can help avoid future attacks is through education programs; understanding the risks and consequences of clicking unknown links and attachments is a critical defense against phishing-type attacks,” explained Tripwire EMEA technical director, Paul Edon.
“Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links. Always open your own web browser and log in to your account on the official website. If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance.”
Ross Rustici, senior director of intelligence services at Cybereason, put the incident into perspective.
“With the outcome of the bidding for the 2018, 2022, and 2026 World Cups being as contentious as they were, I'm sure football fans across the world will have some interesting gossip to read if the leaks become public,” he argued. “However, at the end of the day, that is likely all this hack is.”
In his keynote speech at the Securing the Enterprise 2018 conference in Cambridge, MA, BT Security president Mark Hughes said that when it comes to the threats enterprises and government are facing, the global network is telling us that old strategies don’t work.
In the face of ongoing cyber-attacks, mounting privacy concerns and daily data breach announcements, the current cybersecurity technologies fall short, according to Howard Shrobe, associate director, cybersecurity at MIT Computer Science & Artificial Intelligence Lab (CSAIL), and principal research scientist, MIT CSAIL. In order to effectively move forward in the direction of "where we need to go," the industry needs to develop a more formalized approach that combines design and analysis methods.
“Our approach is based on three key elements,” Shrobe said. “Collaborating closely with industry for input to shape real-world applications and drive impact. Leveraging the breadth and depth of CSAIL security researchers to approach the problem from a multi-disciplinary perspective. And creating a test-bed for our industry partners to implement and test our tools, as well as have our researchers test tools developed by our partners.”
To enable security transformation, enterprises should first assess their structure, said Hughes. “Put the team responsible for delivering change at the forefront of your strategy.” The many threats an enterprise faces translate into risks, and those risks have a very tangible bottom-line impact.
“Those risks are changing rapidly, so much so that in a matter of weeks, the risk profile changes. Using known, well-understood risks and putting those into a cyber context is extremely useful,” Hughes said.
Given that the risks are changing all the time, one key to building an effective security strategy is adaptability. “Prepare to constantly evolve,” Hughes said, but it’s also important to realize that there is no endpoint or perfect solution. When organizations realize that protecting everything all the time is ineffective, many turn to red teaming, which Hughes said yields interesting outcomes that allow organizations to assess and then prepare to evolve.
The next step in enabling security transformation requires internal engagement so that you are building knowledge and advocacy of security at all levels of your organization, said Hughes. From there, the company is well positioned to understand its risk and take the necessary steps to fully assess its security landscape and prioritize and protect the areas that would be most impactful in the event of a security incident.
In a panel focused on securing the enterprise at a conference by the same name hosted by MIT CSAIL and BT Security, moderator Michael Siegel, principal research scientist, management science at MIT Sloan School of Management, talked with panel members about whether their organizations are secure.
“Rather than going out and doing some big review, we started with red teams,” said CIO and CSO of the Commonwealth of Massachusetts, Dennis McDermitt. “That was a revelatory experience. We continue to do them over and over again. We have done eight of them now, and that has really informed our answer to the question of whether we are secure or not.”
As a practitioner and vendor in the space, Debby Briggs, CSO, NETSCOUT, said, “I’m relatively secure, but it gets back to how do you quantify that. Sometimes it’s a challenge from a security perspective when you look at people, process and technology to determine how to have one message that meets everyone’s needs.”
In response to Briggs, Siegel posed to the panel the question of how to approach quantifying whether the organization is secure with the board. "I often find myself in the boardroom,” said Kathy Orner, VP, chief risk officer at Carlson Wagonlit Travel. “The number-one thing with board of directors is to educate them. Security is new to them, and the acronyms we use are foreign to them, even something like an IP address.
“We bring in experts from the outside and inside and give them briefings. I would encourage boards to listen, to speak to the experts in their group, and to really try to understand the basics,” said Orner.
So what is the information that goes to the boards? McDermitt said the conversation needs to change. “Security is not a problem of risk transfer. Cybersecurity is akin to competition in a business. Cybersecurity is attack and defense, attack and defense, and it’s something they need to pursue actively.”
Yet some boards are having more risk-based conversations around cybersecurity. “The boards I have worked with are capable of seeing that it is a spectrum, so you can talk about how much risk are you willing to take. It’s an uncomfortable decision, but once you’ve had that conversation, it gets easier,” said Andrew Stanley, CISO, Mars.