Info Security


Missing Toddler Chat Group Banned

Thu, 06/03/2021 - 18:34

A partial settlement has been reached in a cyber-bullying case brought by the parents of a missing toddler against the operator of a chat group set up to discuss the fate of their son.

Dylan Ehler was three years old when he vanished from the backyard of his grandmother's home in Truro, Nova Scotia, at around 1:15 pm on May 6, 2020. Searches for the missing child were called off after two weeks, and his whereabouts remain a mystery.

The only trace of the toddler discovered to date were his rubber boots, which were located roughly 150 meters apart along Lepper Brook.

In online discussions of the case, Ehler's parents, Jason Ehler and Ashley Brown, have been variously accused without evidence of involvement in the boy's disappearance and of murdering their son. 

In February, Ehler's parents decided to take April Diane Moulton and Tom Hurley, also known as Tom Hubley, to court, arguing that the accusations and insults posted on a Facebook page administered by the pair constitute cyber-bullying.

The page, which was called "Dylan Ehler Open for Discussions" or "Dylan Ehler Open for Suggestions," at one point had over 17,000 members. 

"It's been horrific quite frankly," said the parents' lawyer, Allison Harris. "They're dealing with looking for their son, and this has taken away from that.

"Every time they go online, they get these kinds of messages, and some of this has spilled over into the community, and that's impacting them as well."

In an order signed late last month in Nova Scotia Supreme Court, Moulton was prohibited from re-opening the now closed Facebook page about Dylan and from starting another one like it. Moulton is also banned from making any further public posts about the missing child or his parents.

Hurley was offered a similar agreement to the one accepted by Moulton but has not accepted it. He reportedly said that since he lives in the same small town as Ehler's parents, he cannot agree to a ban on seeing them. 

The parties are due to meet face to face in court on August 3 for a hearing.

Categories: Cyber Risk News

White House Issues Open Letter on Ransomware

Thu, 06/03/2021 - 17:06

The White House has sent an open letter to companies in the United States entreating them to urgently act against the threat of ransomware.

Corporate executives and business leaders received a memo on Thursday morning from Anne Neuberger, the National Security Council's top cyber official. In the missive, Neuberger underscored the sweeping danger of ransomware to the private sector.

"All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location," wrote Neuberger. "We urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat."

Neuberger, who is deputy national security adviser for cyber and emerging technology, called for swift action from corporations and businesses, which she stated have “a distinct and key responsibility” when it comes to America's cybersecurity.

“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” wrote Neuberger in the letter dated Wednesday. “But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy.” 

She added that the impact of ransomware upon a company was directly linked to that company's attitude toward the threat.

“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively,” wrote Neuberger.

The letter follows a recent string of ransomware attacks on American companies. Last month's cyber-assault on the Colonial Pipeline was followed by attacks on global meat supplier JBS and on ferry service the Steamship Authority of Massachusetts.

A threat group known as both REvil and Sodinokibi, believed to have ties with Russia, has been blamed for the cyber-attacks on the Colonial Pipeline and JBS.

"More than any other threat, non-technical executives are familiar with ransomware by name and are already looking for solutions," commented John Bambenek, threat intelligence advisor at Netenrich. "A letter from a White House official isn’t going to change the game in the slightest." 

Categories: Cyber Risk News

Fujifilm Shuts Down Servers to Investigate Possible Ransomware Attack

Thu, 06/03/2021 - 16:05

Fujifilm is investigating a potential ransomware attack that resulted in the company closing down part of its network.

The company is investigating "possible unauthorized access" to its server, it said in a statement. 

The company first noticed the "possibility" of a ransomware attack on June 1 and took swift action to discontinue all compromised systems. 

"We are currently working to determine the extent and the scale of the issue," the company said on its website, adding that it "apologises to its customers and business partners for the inconvenience this has caused."

"For some entities, this affects all forms of communications, including emails and incoming calls, which come through the company's network systems," said the company.

In an earlier statement, Fujifilm confirmed that the cyber-attack is preventing the company from accepting and processing orders. 

Japanese organizations have experienced other notable breaches in recent months. In March, Yamabiko, a Tokyo-headquartered manufacturer of power tools and agricultural and industrial machinery, was apparently added to the data leak site used by the Babuk group. 

In May, a subsidiary of Japanese tech giant Toshiba admitted to suffering a cybersecurity breach, reportedly caused by the DarkSide ransomware gang.

Ransomware hackers have gone after larger targets in 2021. This month saw a ransomware attack on the world’s largest meat processing company and May saw a sophisticated ransomware attack on Bose, which resulted in the unauthorized access of personal information on current and former employees.

Categories: Cyber Risk News

Mandiant to Re-Emerge After $1.2 Billion FireEye Sale

Thu, 06/03/2021 - 14:30

FireEye has agreed to sell its FireEye Products business and brand name to a private equity firm in a deal that will see the Mandiant business it bought several years ago become a standalone company again.

The $1.2 billion all-cash sale to a consortium led by Symphony Technology Group (STG) is expected to close by the end of Q4 2021.

It will see STG acquire FireEye’s network, email, endpoint and cloud security products — alongside its related security management and orchestration platform.

After its acquisition by FireEye in 2014, Mandiant and founder Kevin Mandia were instrumental in expanding the new company’s focus from web, email and data center security to threat intelligence and incident response services.

Over the intervening years, the company has been busy dealing with the aftermath of countless breaches at big-name firms and government organizations.

FireEye’s work investigating an audacious attack on its own systems uncovered the infamous SolarWinds attacks; subsequent investigation found that at least nine US government agencies were compromised.

FireEye CEO Kevin Mandia argued that separating the two businesses again would enable the high-growth Mandiant to thrive.

“After closing, we will be able to concentrate exclusively on scaling our intelligence and frontline expertise through the Mandiant Advantage platform, while the FireEye Products business will be able to prioritize investment on its cloud-first security product portfolio,” he added.

“STG’s focus on fueling innovative market leaders in software and cybersecurity makes them an ideal partner for FireEye Products. We look forward to our relationship and collaboration on threat intelligence and expertise.”

William Chisholm, managing partner at STG, argued that FireEye’s cloud-first XDR platform would play a mission-critical role for current and prospective customers.

“We believe that there is enormous untapped opportunity for the business that we are excited to crystallize by leveraging our significant security software sector experience and our market leading carve-out expertise,” he said.

The private equity firm in March agreed to buy McAfee’s enterprise business for $4 billion.

Categories: Cyber Risk News

Secureworks Appoints Wendy Thomas as CEO as Michael Cote Announces Retirement

Thu, 06/03/2021 - 13:09

Cybersecurity firm Secureworks has announced the appointment of Wendy Thomas as its next president and CEO. Thomas will take up the reins from current CEO Michael Cote on September 3, 2021, when he will retire following nearly 20 years at the company.

Thomas, who is currently president of customer success at Secureworks, has more than 25 years’ experience in strategic and functional leadership roles across multiple organizations, including FirstData, Bell South and Internap Network Services.

During her career at Secureworks, which began in 2008 in its finance team, she has worked alongside Cote to successfully conclude a number of high-profile business transactions, such as the acquisition of Verisign’s Managed Security Services (MSS) business and DNS, and the company’s own acquisition by Dell Technologies back in 2011. Prior to becoming president of customer success at Secureworks, she was its chief product officer, where she led the development of numerous solutions, including its first security analytics product, Secureworks Taegis™ XDR.

Commenting on her appointment, Thomas said: “I know that I speak for everyone at Secureworks in thanking Mike for his leadership and tireless dedication to the company. I appreciate the support of Mike and the Board, and I am proud to work with an exceptional team that is focused on taking decisive actions to transform cybersecurity.”

Cote will leave the organization after almost 20 years, having joined in February 2002 as chairman, president and CEO. Since that time, Secureworks has grown from generating less than $1m in annual revenue to in excess of $550m, with a global presence in over 60 countries.

Cote stated: “Wendy is a proven and respected leader who has been the driving force of our company’s transformation. Her deep knowledge of our business has made her a valued strategic partner for many years, and throughout her tenure she has delivered strong operating results and innovative solutions through a relentless commitment to our customers, our purpose, and our people. I am confident she will lead Secureworks well into the future and I am proud to have her succeed me. I know she will make an outstanding CEO.”

Categories: Cyber Risk News

Ransomware Disrupts Largest Ferry Service in Massachusetts

Thu, 06/03/2021 - 10:42

Ransomware actors have disrupted the largest ferry service operating out of Massachusetts, affecting both passengers and commercial traffic.

The Steamship Authority, which runs to Martha's Vineyard and Nantucket, revealed on Twitter that the attack struck early on Wednesday morning, local time.

The outage meant that customers were unable to book or change vehicle reservations online or by phone. However, existing bookings would be honored, and rescheduling or cancellation fees waived, it said.

“There is no impact to the safety of vessel operations, as the issue does not affect radar or GPS functionality. Scheduled trips to both islands continue to operate, although customers may experience some delays during the ticketing process,” the firm said.

“If traveling with the Authority today, cash is preferred for all transactions. The availability of credit card systems to process vehicle and passenger tickets, as well as parking lot fees, is limited.”

In an update late last night, the Steamship Authority said it expected the disruption to continue throughout Thursday, June 3. The firm's website was also down at the time of writing.

“The Steamship Authority continues to work with our team internally, as well as with local, state, and federal officials externally, to address today’s ransomware incident. At this point, we are unable to release or confirm specific details of what occurred,” it said.

Although the target for this attack is relatively minor compared to the recent incidents at Colonial Pipeline and JBS, it proves that no organization is safe from ransomware.

Charles Herring, CTO of WitFoo, argued that poor cyber-hygiene and a lack of coordination between law enforcement and private organizations had enabled cyber-criminals to get ahead in this particular arms race.

“The outer layer of the broken system is that national security and intelligence agencies need access to data collected by law enforcement to inform military and diplomatic strategy and campaigns,” he added.

“We are quickly learning that safely sharing information, while protecting liberties and privacy, is as important to thwarting evolving cybercrime as it was in combating terrorism after 9/11.”

Categories: Cyber Risk News

Three-Quarters of Security Leaders Report Increase in Cyber-Attacks in Past Year

Thu, 06/03/2021 - 09:41

More than three-quarters (76%) of security leaders have reported an increase in cyber-attacks over the past 12 months, according to VMware’s Global Security Insights Report 2021.

The report also found that the volume of attempts rose by a significant 52% across all affected organizations, emphasizing how accelerated digitization during the COVID-19 pandemic has expanded the attack surface. Indeed, over three-quarters (78%) of those experiencing a cyber-attack pointed to the rise in remote working as the reason for the increase in volume.

Additionally, four out of five (81%) of the 3,542 CIOs, CTOs and CISOs surveyed for the research revealed they had suffered a breach in the past 12 months, with 82% of incidents considered material. Despite this, it appears there may be some complacency on the part of many security leaders: only 56% said they fear a material breach in the coming year, while just 41% have updated their security policies and approaches to tackle the extra risks to their organization.

The vast majority (79%) of security leaders noted that attacks have become more sophisticated in the past year, and the leading causes of breaches were reported to be third-party apps (14%) and ransomware (14%). Applications and workloads were seen as the most vulnerable points on the data journey, and 63% of respondents said there is a need for greater visibility over data and apps to pre-emptively detect attacks.

Encouragingly, close to two-thirds (61%) of security leaders agreed they need to adapt their security in light of the expanded attack surface. Securing the cloud looks to be a particular priority, with almost all (98%) of respondents either already using, or planning to shift to, a cloud-first security strategy.

Commenting on the findings, Rick McElroy, principal cybersecurity strategist at VMware, said: “The race to adopt cloud technology since the start of the pandemic has created a once-in-a-generation chance for business leaders to rethink their approach to cybersecurity.

“Legacy security systems are no longer sufficient. Organizations need protection that extends beyond endpoints to workloads to better secure data and applications. As attacker sophistication and security threats become more prevalent, we must empower defenders to detect and stop attacks, as well as implement security stacks built for a cloud-first world.”  

Categories: Cyber Risk News

FBI: REvil Ransomware Group Behind JBS Attack

Thu, 06/03/2021 - 08:20

The FBI has attributed a major ransomware attack on the world’s largest meat processing company to a notorious group believed to be Russian in origin.

In a brief statement, the Feds blamed REvil (aka Sodinokibi) for the attack on São Paulo-headquartered JBS.

“We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber-adversaries,” read the statement.

“A cyber-attack on one is an attack on us all. We encourage any entity that is the victim of a cyberattack to immediately notify the FBI through one of our 56 field offices.”

The FBI said it would be working to bring the REvil group to justice for the hack on JBS.

REvil is one of the most prolific and successful groups around today, having targeted organizations as diverse as Apple, Jack Daniels, Travelex and even a law firm linked to Donald Trump.

The ransomware variant was responsible for over 14% of attacks in Q1 2021, remaining at the top of the global list, according to Coveware.

However, like most ransomware operations today, REvil runs an affiliate model, so it is unclear who actually used the malware to attack JBS.

There’s still no word from the meat processing giant on any of its public-facing websites about the attack.

However, as Infosecurity reported on Tuesday, the attack appears to have impacted the firm’s servers supporting its North American and Australian operations, which could have significant knock-on effects for the meat supply chain in those regions.

Ronnen Brunner, VP of EMEA at ExtraHop, argued that food supplies could be considered critical national infrastructure.

“Businesses can't be protected all the time, but these attacks succeed due to outdated systems and because many organizations still rely on perimeter defence and signature detection tools. This means once the attacker is inside the network, that organization is completely vulnerable,” he added.

“Businesses must learn from the downfall of others. Visibility is crucial for detecting ransomware quickly enough to respond before it's too late."

Categories: Cyber Risk News

Sextortion Lands Inmate in Federal Prison

Wed, 06/02/2021 - 18:35

An inmate of the South Carolina Department of Corrections (SCDC) has been sentenced to five years in federal prison for his role in a deadly sextortion scheme.

Wendell Wilkins, of Ridgeville, South Carolina, was serving a 12-year sentence for attempted armed robbery when he pleaded guilty to involvement in a cyber-scam to blackmail military members. 

Prosecutors alleged 32-year-old Wilkins posed as young women and joined dating sites using smartphones smuggled into the correctional facility. He then allegedly contacted members of the US military, sending them sexually explicit images of young women that he had obtained from the internet.  

Wilkins is accused of tricking the military members into sharing personal information and nude photographs of themselves with him by making them believe that they were communicating with a woman. 

As part of the scam, Wilkins, and other SCDC inmates under his direction, then allegedly contacted each military member, purporting to be the father of the young woman with whom the member believed that they had been communicating.  

The scammers then told the military members that the women they had been exchanging sexually explicit images with were underage and that, as a result, they were now in possession of Child Sexual Abuse Material (CSAM). 

Posing as the fathers of the fictitious women, the scammers threatened to have the military members arrested or dishonorably discharged unless they paid money, said prosecutors.

“In total, more than 300 military members throughout the United States were victims of the scheme, and the amount of loss exceeded $350,000," said Acting US Attorney Rhett DeHart. "Several military members committed suicide after falling victim to this extortion scheme.”

Wilkins pleaded guilty to money laundering for his role in the scheme and was sentenced to 66 months in federal prison and 36 months of supervised release to be served after he completes his current 12-year state prison sentence. 

“This is another example of how dangerous it is for inmates to have illegal cell phones,” said South Carolina Department of Corrections director Bryan Stirling.

“States need the ability to jam cell phone signals inside prisons so we can keep inmates from continuing their illegal activities.”

Categories: Cyber Risk News

Teen Crashes Florida School District’s Network

Wed, 06/02/2021 - 17:12

A teenage boy from Florida is facing felony charges after carrying out a cyber-attack that knocked 145 schools offline last spring. 

The unnamed 17-year-old junior at St. Petersburg High School crashed the entire computer network of the Pinellas County School District in Florida by deploying a distributed denial-of-service (DDoS) attack. His actions caused all the schools in the district to lose internet access on March 22 and 23.

According to a search warrant from the St. Petersburg Police Department, the youth said he had become "fixated" on the idea of disrupting the district's digital peace after watching a video online that highlighted the vulnerability of school networks. 

CI Security founder Michael Hamilton said: "What the student did was he brought down a distributed denial-of-service attack, which is not the same as breaking in and stealing things and changing grades. What it does, is it makes the whole network unavailable."  

The teen, who has since been expelled from school, said that he immediately regretted his actions.

“By the time it was done, there was no way to undo it,” he said in an interview with the Tampa Bay Times.

“If I could go back, I wouldn’t do it again.”

The teen said he hopes to get his GED and have a career in cybersecurity. His mother said her son "was just pushing it to see how smart he could go with it."

“It wasn’t something that was malicious," she said, "it was just something like a video game to him in his head."

According to documents filed by the St. Petersburg police to get a search warrant for the teen’s phone, the school district’s director of network and telecommunications, Brian Doughty, told investigators that the attack was considered “critical” because it coincided with statewide testing.

Charter-Spectrum had provided the Pinellas County School District with distributed denial-of-service protection for years, said district spokesperson Isabel Mascareñas. However, the protection was not maintained when the district migrated to a new system in late 2020.

Mascareñas said that, following the attack, Charter-Spectrum has reactivated the protection and given Pinellas County School District a $23,000 credit. 

Categories: Cyber Risk News

Scripps Notifying 147K People of Data Breach

Wed, 06/02/2021 - 16:00

A California healthcare provider is informing more than 147,000 people that their personal data may have been exposed in a recent cyber-attack.

Scripps Health, which operates five acute-care hospitals in San Diego, among other facilities, took most of its network offline after detecting a ransomware infection at the beginning of May. 

The San Diego–based nonprofit system suspended access to several applications, including MyScripps and 

While the majority of Scripps' network has now been restored, the attack caused four weeks of disruption, with patient appointments having to be canceled or rescheduled. Employees were forced to rely on offline documentation methods, and ambulances had to be diverted, causing a surge of patients at other local facilities.

After learning that Personally Identifiable Information (PII) was exposed in the attack, Scripps has begun the process of notifying 147,267 individuals that their information may have been compromised.

Data exposed includes health information, Social Security numbers, driver's license numbers, and financial information. 

In a letter mailed to patients Tuesday, Scripps stated that an investigation into the security incident had determined that an unauthorized person had gained access to the healthcare provider's network and exfiltrated copies of some documents before deploying ransomware.

The company said: "Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, Epic. However, health information and personal financial information was acquired through other documents stored on our network."

Scripps said that while it had not found evidence that any of the exposed data had been used to commit fraud, it would be offering credit monitoring to some individuals affected by the attack. 

“For the less than 2.5% of individuals whose Social Security number and/or driver’s license number were involved, we will be providing complimentary credit monitoring and identity protection support services," said the company. 

The investigation into what documents were exposed is ongoing, and Scripps said the number of individuals whose data was breached could rise. 

“We have kicked off an extensive manual review of those documents. This is a time-intensive process that will likely take several months, but we will notify affected individuals and entities as quickly as possible in accordance with applicable regulatory requirements,” the company said.

Categories: Cyber Risk News

Banking Fraud up 159% as Transactions Hit Pre-Pandemic Volumes

Wed, 06/02/2021 - 12:09

Banking fraud attempts soared by 159% from the final three months of 2020 to Q1 2021 as scammers sought to hide their attacks among legitimate online activity, according to Feedzai.

Data used in the firm’s Financial Crime Report Q2 2021 Edition covers 12 billion global transactions from January to March 2021.

The vast majority (93%) of banking fraud during the period, as always, was online. However, while telephone banking made up less than 1% of total transactions, Q1 2021 saw fraud attempts via this channel spike by a dramatic 728% from the previous quarter.

The primary tactics cyber-criminals used to defraud banks and their customers include account takeover (42%), followed by new account fraud (23%), impersonation (21%), purchase scams (15%) and phishing (7%).

Account takeover (ATO) is usually the result of a scammer getting hold of victims’ online banking log-ins, while new account fraud can be carried out with real identities, synthetic identities or a blend of the two. Impersonation typically involves a fraudster pretending to be a figure of authority in order to access the victim’s bank account.

Overall, card-not-present (CNP) — dominated by online and mobile channels — accounted for 83% of all fraud attempts despite making up just 18% of card transactions. Part of that may be due to the roll-out of EMV cards, which has made in-person fraud using cloned cards more difficult.

That may also be responsible for the drop in POS malware designed to harvest card data from magnetic stripes as cards are swiped by customers at restaurants and convenience stores. This malware was particularly prevalent in the US.

Feedzai linked the increase in fraud to a broader surge in transaction volumes globally — and especially in the US, where generous government stimulus funding has put more money in consumers’ pockets.

Transaction volumes for all regions are now greater than pre-pandemic levels, it said.

“As vaccines become more widespread, we expect the behavioral changes taking place in the US today — namely more travel and a consumer base that more closely resembles a pre-pandemic world — to be mirrored in other countries,” the report argued.

“But that also means the high levels of fraud will only continue to grow. Consumers aren’t the only ones betting on recovery. Fraudsters are too.”

Categories: Cyber Risk News

Critical Zero-Day in WordPress Plugin Under Active Attack

Wed, 06/02/2021 - 10:06

Security researchers have warned of a critical new zero-day vulnerability in a WordPress plugin actively exploited in the wild.

The Fancy Product Designer plugin is installed on over 17,000 sites, allowing users to upload images and PDF files to products, according to experts at security vendor Wordfence.

“We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 01 2021,” explained threat analyst Ram Gall.

“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.”

The file upload vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8. Although the Fancy Product Designer plugin has some checks to block malicious file uploads, attackers can easily bypass the checks. In theory, an attacker could upload executable PHP files to any site with the plugin installed, Gall warned.

“This effectively makes it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover,” he added.

Wordfence added a new rule to its paid firewall product on Monday to protect customers from the attacks; users of its free version are due to receive the rule on June 30.

However, users were urged to uninstall the plugin for the time being.

“As this is a critical zero-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available,” concluded Gall.

Categories: Cyber Risk News

Battle for the Galaxy: 6 Million Gamers Hit by Data Leak

Wed, 06/02/2021 - 09:05

A Chinese game developer has accidentally leaked nearly six million player profiles for the popular title Battle for the Galaxy after misconfiguring a cloud database, Infosecurity has learned.

AMT Games, which has produced a string of mobile and social titles with tens of millions of downloads between them, exposed 1.5TB of data via an Elasticsearch server.

A research team at reviews site WizCase found the trove, which contained 5.9 million player profiles, two million transactions, and 587,000 feedback messages.

Profiles typically feature player IDs, usernames, country, total money spent on the game, and Facebook, Apple or Google account data if the user linked these with their game account.

Feedback messages contain account IDs, feedback ratings and users' email addresses. At the same time, transaction data includes price, item purchased, time of purchase, payment provider, and sometimes buyer IP addresses, according to WizCase.

The firm warned exposed users that their data might have been picked up by opportunistic cyber-criminals searching for misconfigured databases. Data on how much money individuals have spent on the site could enable fraudsters to target the biggest spenders, it added.

WizCase warned that "it is common for unethical hackers and criminals on the internet to use personal data to create trustworthy phishing emails. The more information they possess, the more believable these emails look."

It went on to add that confidential information such as email addresses and user issues with the service could enable bad actors to "pose as game support and direct users to malicious websites where their credit card details can be stolen."

The firm urged gamers to input the minimum amount of personal information possible when purchasing or setting up an account and parents not to lend children their credit cards.

WizCase said it reached out to AMT Games with news of the data breach but did not receive a response. The company later disabled access to the database.

Categories: Cyber Risk News

Rhode Islander Charged with Phishing Political Candidates

Tue, 06/01/2021 - 18:14

A woman from Rhode Island has been charged with impersonating Microsoft to steal personal information from political candidates and their campaign staff. 

Cranston resident Diana Lebeau allegedly sent phishing emails to approximately 22 members of the campaign staff of a candidate for political office in or around January 2020. 

In the emails, the 21-year-old allegedly posed as either the campaign’s managers or one of the campaign’s co-chairs. Recipients were directed to enter their account login details into an attached spreadsheet, or to click on a link that took them to a Google Form that requested the same credentials.

Lebeau is further accused of sending several phishing emails to the political candidate’s spouse and to colleagues at the spouse’s workplace. In these emails, Lebeau allegedly impersonated Microsoft’s Security Team or an employee of the workplace’s technology helpdesk.

Recipients were asked to add their account credentials to spreadsheets attached to the emails or were asked to enter sensitive data on a website spoofing that of the spouse’s employer.

In March 2020, Lebeau allegedly launched another phishing campaign targeting a different candidate for political office. Lebeau is accused of impersonating the candidate’s cable and internet provider over email to steal the candidate’s account credentials. 

She is further accused of impersonating this candidate in online chats with the same cable and internet provider, as a ruse to reset and obtain the candidate’s account password.

According to the charging document, Lebeau's alleged actions were not motivated by financial or political aims and were not carried out to benefit any foreign government, instrumentality, or agent.

Lebeau has been charged with attempted unauthorized access to a protected computer. If convicted, she could be sentenced to up to one year in prison, be placed under supervised release for up to 12 months and be fined up to $100,000.

"The best first-line defense against an attack like this is training," commented Lookout's Hank Schless. 

"Be sure to constantly run security training and include mobile in those sessions. Simple steps like always checking the sender’s reply-to address or asking IT before replying to a message could save your organization from being the victim of the next big data breach."

Categories: Cyber Risk News

US Convicts “King of Fraud”

Tue, 06/01/2021 - 16:57

A Russian cyber-criminal has been convicted of running a sophisticated digital advertising scam that defrauded American companies out of millions of dollars.

Aleksandr Zhukov used infrastructure spread around the world to trick companies including the New York Times and Comcast into thinking that they were paying for legitimate digital advertising. In reality, Zhukov and his co-conspirators were using coding and domain spoofing to fraudulently obtain revenue. 

Zhukov and his co-perpetrators made it appear as though they ran legitimate companies that placed ads in front of real human internet users browsing genuine internet web pages. However, the evidence at trial established that Zhukov and his accomplices faked both the users and the web pages. 

Computers they controlled were programmed to load advertisements on spoofed web pages via an automated program. The con defrauded American brands, ad platforms and others in the US digital advertising industry out of more than $7m. 

Victims of the scam included household names such as the New York Post, Nestle Purina and Time Warner Cable, as well as the Texas Scottish Rite Hospital for Children.

Zhukov carried out his digital advertising fraud scheme between September 2014 and December 2016 through a purported advertising network named Media Methane.

Media Methane arranged with advertising networks to receive payments in return for placing ad tags on websites. Instead of placing the tags on real publishers’ websites, Media Methane rented more than 2,000 computer servers housed in commercial datacenters in Texas and the Netherlands and used those datacenter servers to load ads on fabricated websites, spoofing over 6,000 domains. 

"The defendants programmed the datacenter servers to simulate the internet activity of human internet users: browsing the internet through a fake browser, using a fake mouse to move around and scroll down a web page, starting and stopping a video player midway, and falsely appearing to be signed into Facebook," said the Department of Justice. 

When discussing the scheme with one of his co-conspirators, Zhukov referred to himself as the "king of fraud."

Zhukov was arrested in Bulgaria in November 2018 and extradited to the United States in January 2019. On May 28, 2021, after a three-week trial, a federal jury in Brooklyn convicted Zhukov of wire fraud conspiracy, wire fraud, money laundering conspiracy, and money laundering.

Categories: Cyber Risk News

Model Sues Law Firm Over Data Breach

Tue, 06/01/2021 - 15:19

A fashion model is suing Baltimore-based law firm Goldberg Segalla for allegedly exposing her personal data when filing records in a different data breach lawsuit.

Stephanie Hoffman claims the firm leaked her information twice on the Public Access to Court Electronic Records (PACER) service, which provides electronic public access to federal court records.

Goldberg Segalla is representing Hoffman's former modeling agency, Major Model Management Inc (MMMI), in an ongoing proposed class-action lawsuit concerning an alleged data breach. 

That suit, which was also brought by Hoffman, accuses MMMI of failing to adhere to state laws, industry standards and best practices when collecting and storing the personal information of the models it contracted with.

MMMI is seeking to dismiss Hoffman's lawsuit. In a filing made on February 4, the agency argued that Hoffman either waived her claims in her contract, or that state law does not apply in this case. 

Connecticut resident Hoffman, who won Model of the Year at the International Modeling & Talent Association (IMTA) in New York and has modeled multiple times at New York Fashion Week, claims Goldberg Segalla exposed her data in a December 3 filing relating to the MMMI suit.

The plaintiff alleges that her Social Security number, birth date, passport information, home address, cell number, email address and signature were shared by the law firm without redactions in Manhattan federal court. 

The filing was sealed by US District Judge Laura Taylor Swain on December 3, but Hoffman claims that Goldberg Segalla re-filed the exhibit later that day and only partially redacted her Social Security number and birth date.

In an eight-page complaint filed in New York County Supreme Court, Hoffman claims her data was exposed until January 29, when the court was asked to seal the partially redacted filing. 

Hoffman claims in the suit that she "has been placed at an imminent, immediate, and continuing increased risk of harm from fraud and identity theft."

The model said that she has been told by prospective employers and third-party credit institutions that her Social Security number "is being used for fraudulent criminal activity."

Categories: Cyber Risk News

Microsoft Convenes Asia Pacific Info-Sharing Council

Tue, 06/01/2021 - 13:30

Microsoft has launched a new public-private initiative across south-east Asia designed to improve cyber-threat response and share best practices across the region.

The Asia Pacific Public Sector Cyber Security Executive Council will bring together policymakers from government agencies alongside tech and industry leaders.

As of today, participating governments include Brunei, Indonesia, Korea, Malaysia, the Philippines, Singapore and Thailand.

Microsoft said the council would build on existing efforts to improve cybersecurity partnerships in the region, such as through the Asia-Pacific Economic Cooperation (APEC), the Association of Southeast Asian Nations (ASEAN) and the Global Forum on Cyber Expertise (GFCE).

Government members of the council will join a forum run by Microsoft with other industry advisors.

“The aim of the forum is to share best practices, learn from Microsoft security certification trainings, dedicated workshops, and hands-on lab sessions, with a goal of driving improvements to the digital skills of the workforce to reduce the talent gap in cybersecurity across the participating nations,” Microsoft noted.

“The members of the Asia Pacific Public Sector Cyber Security Executive Council will share experiences and knowledge relating to cyber-threats and will work to drive greater collaboration and cooperation between countries.”

The council will meet virtually every quarter to keep exchanging information on cyber-threats and security solutions.

Such efforts have struggled in the past given APAC's tremendous cultural, religious and economic diversity. Nevertheless, countries such as Singapore and Korea tend to be reasonably advanced in their cybersecurity capabilities.

According to Microsoft, APAC organizations experience 1.6 times more malware and 1.7 times more ransomware than their counterparts in the rest of the world.

However, some pan-regional initiatives have been a success. Interpol announced last week that it managed to seize $83 million headed for the bank accounts of cyber-criminals.

Categories: Cyber Risk News

Meat Processing Giant JBS Pulls IT Plug After Cyber-Attack

Tue, 06/01/2021 - 11:20

The world’s largest meat processor has been forced to cut critical servers after an organized cyber-attack on its IT systems.

São Paulo-headquartered JBS said in a statement today that its US division detected the attack on Sunday. The attack purportedly affected some of the servers used to power its North American and Australian IT systems.

“The company took immediate action, suspending all affected systems, notifying authorities and activating the company’s global network of IT professionals and third-party experts to resolve the situation,” JBS added.

“The company’s backup servers were not affected, and it is actively working with an incident response firm to restore its systems as soon as possible.”

JBS said that the attackers did not steal any customer, supplier or employee data, but warned that getting systems back on track will take time — which in turn could “delay certain transactions with customers and suppliers.”

Disruption is already occurring in Australia, with reports suggesting that beef and lamb kills across the country were cancelled. Operationally, IT systems play a vital role in managing the continuous movement of cattle from onboarding to slaughter.

It’s unclear exactly what kind of cyber-attack affected the company. Still, ransomware would be a prime suspect, given the need to take servers offline and the possibility of data theft.

With global revenue exceeding $50 billion last year, JBS is a candidate for extortion by the growing group of ransomware-as-a-service (RaaS) affiliates targeting large multi-nationals with sophisticated multi-stage attacks.

Scott Nicholson, co-CEO at cybersecurity consultancy Bridewell Consulting, argued that the cost of disruption to the firm would be significant, even if no data was stolen.

“This should act as a reminder to all companies of the importance of cybersecurity and protecting digital infrastructure,” he added.

“Even the largest corporations are susceptible to attacks, so there’s no room for complacency. All organizations must take steps to protect their systems and ultimately customer data, or risk putting their reputation and customer safety at risk.”

Categories: Cyber Risk News

Interpol Seizes $83 Million Headed for Online Scammers

Tue, 06/01/2021 - 08:38

Global police have concluded a months-long campaign in which they seized $83 million in funds headed for the bank accounts of cyber-criminals and scammers.

Interpol said that 40 officers from across APAC participated in the HAECHI-I operation over a six-month period. It focused specifically on investment fraud, romance scams, money laundering associated with illegal online gambling, online sextortion and voice phishing (vishing).

All have become major money-makers for threat actors of late. Romance and investment fraud were the number two and three earners last year, leading to combined losses of nearly $937 million, according to the FBI. Extortion ($71 million) and phishing and its variants ($51 million) were also high up on the list.

Interpol claimed late last week that nearly two-thirds (64%) of the 1,400 cases opened as part of HAECHI-I have been solved, with many others ongoing.

Some 585 individuals were arrested and over 1,600 global bank accounts frozen as part of the operation.

Interpol highlighted two particularly successful investigations. One involved a business email compromise (BEC) attempt in which scammers impersonated a Korean company’s trading partner and requested payments amounting to nearly $7 million; half of these were intercepted and frozen, the policing group said.

In another case, an organized crime gang ran a classic “pump-and-dump” scheme by buying up cheap stocks, promoting them on social media to drive the price up and then selling them. Interpol claimed its rapid response led to the freezing of the fraudulent trading accounts and recovery of most victims’ money.

“The key factors in intercepting illicit money transfers are speed and international cooperation,” said Amur Chandra, brigadier general of the Indonesian National Police and secretary of Indonesia’s Interpol National Central Bureau.

“The faster victims notify law enforcement, the faster we can liaise with Interpol and law enforcement in the relevant countries to recover their funds and put these criminals behind bars.”

HAECHI-I is the first in a three-year project to disrupt online financial crime, backed by the Korean government and featuring the participation of Cambodia, China, Indonesia, Korea, Laos, the Philippines, Singapore, Thailand and Vietnam.

Categories: Cyber Risk News