Info Security


90% of UK Data Breaches Due to Human Error in 2019

Thu, 02/06/2020 - 10:49

Human error caused 90% of cyber data breaches in 2019, according to a CybSafe analysis of data from the UK Information Commissioner’s Office (ICO).

According to the cybersecurity awareness and data analysis firm, nine out of 10 of the 2376 cyber-breaches reported to the ICO last year were caused by mistakes made by end-users. This marked an increase from the previous two years, when 61% and 87% of cyber-breaches respectively were ascribed to user error.

CybSafe cited phishing as the primary cause of breaches in 2019, accounting for 45% of all reports to the ICO. ‘Unauthorized access’ was the next most common cause of cyber-breaches in 2019, with reports relating to malware or ransomware, hardware/software misconfiguration and brute force password attacks also noted.

Oz Alashe, CEO of CybSafe, said: “As this analysis shows, it’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.”

However, Alashe was quick to argue that the statistics should not provoke a negative reaction.

“Employees of course pose a certain level of cyber-risk to their employers, as seen in our findings thus far. Nevertheless, people also have an important role to play in helping to protect the companies they work for, and human cyber-risk can almost always be significantly reduced by encouraging changes in staff cyber-awareness, behavior and culture.”


Microsoft: We Detect 77,000 Web Shells Each Month

Thu, 02/06/2020 - 10:40

Microsoft has warned that inadequate security on web applications and internet-facing servers is allowing hackers to use web shells in their tens of thousands each month to launch attacks.

Web shells are pieces of malicious code typically implanted onto web servers to execute commands, steal data and help hackers launch additional raids on the victim organization, such as watering hole attacks.

Microsoft claimed in a new blog this week that thanks to poor IT security hygiene, the use of these tools is rocketing: the tech giant detects around 77,000 each month on an average of 46,000 machines.

“Aside from exploiting vulnerabilities in web applications or web servers, attackers take advantage of other weaknesses in internet-facing servers. These include the lack of the latest security updates, anti-virus tools, network protection, proper security configuration and informed security monitoring,” it continued.

“Interestingly, we observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to.”

Multi-layered protection is needed to mitigate the threat of web shells, beginning with gaining visibility into internet-facing servers by monitoring web application directories for web script file writes, the firm advised.

Regular audits of web server logs, prompt patching, intrusion prevention to stop C&C communications, limiting privileged accounts and closing non-standard ports can also help, said Microsoft.
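The visibility step Microsoft recommends, as an added example that is not Microsoft's or Infosecurity Magazine's code: take a hash baseline of the web root, report any new or changed script files (the file-write signal a web shell leaves), then correlate those paths against web server access-log lines so the audit of logs starts from the files that changed. The directory layout, file contents and log lines are all constructed here; the "shell" stand-in is an empty PHP comment.

```python
"""Baseline-and-diff check for web script file writes, plus access-log correlation."""
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions the web server will execute; a new file with one of these in a
# writable directory (uploads, cache, temp) is the classic web shell tell.
WEB_SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx", ".cgi"}


def snapshot_web_root(root):
    """Map each web script file under root (POSIX relative path) to its SHA-256."""
    root = Path(root)
    snapshot = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_SCRIPT_EXTENSIONS:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snapshot[path.relative_to(root).as_posix()] = digest
    return snapshot


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) script paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


# Combined access-log format: client, identd, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def requests_to_paths(log_lines, watched_paths):
    """Return (ip, method, path, status) for every request that hit a watched script."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than crash
        url_path = m.group("target").split("?", 1)[0].lstrip("/")
        if url_path in watched_paths:
            hits.append((m.group("ip"), m.group("method"), url_path, m.group("status")))
    return hits


def run_demo():
    """Constructed web root: baseline, simulate a script write, correlate constructed logs."""
    with tempfile.TemporaryDirectory() as root:
        web = Path(root)
        (web / "app").mkdir()
        (web / "uploads").mkdir()
        (web / "index.php").write_text("<?php echo 'home'; ?>\n")
        (web / "app" / "login.php").write_text("<?php /* login form */ ?>\n")
        (web / "uploads" / "avatar.png").write_bytes(b"\x89PNG placeholder")

        baseline = snapshot_web_root(web)  # taken while the server is known-good

        # Later: a script appears in the upload directory and index.php is altered.
        (web / "uploads" / "cache.php").write_text("<?php /* constructed stand-in */ ?>\n")
        (web / "index.php").write_text("<?php echo 'home'; /* edited */ ?>\n")

        current = snapshot_web_root(web)
        added, modified, removed = diff_snapshots(baseline, current)

        # Constructed access-log lines; note the off-hours timestamps on the hits.
        log_lines = [
            '203.0.113.7 - - [01/Feb/2020:02:14:09 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
            '203.0.113.7 - - [01/Feb/2020:02:14:31 +0000] "POST /uploads/cache.php HTTP/1.1" 200 87 "-" "python-requests/2.22"',
            '198.51.100.2 - - [01/Feb/2020:09:01:00 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
            "garbage line that does not parse",
        ]
        hits = requests_to_paths(log_lines, set(added) | set(modified))
        return added, modified, removed, hits


if __name__ == "__main__":
    added, modified, removed, hits = run_demo()
    print("added:", added, "modified:", modified, "removed:", removed)
    for hit in hits:
        print("request to changed script:", hit)
```

In production the baseline would be stored off-host and the diff run on a schedule or from an inotify/auditd trigger, since a shell written and removed between two snapshots would otherwise be missed.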

Ilia Kolochenko, founder & CEO of web security company ImmuniWeb, explained that web shells have existed for over a decade and are often automated by hackers, but finding them should not be difficult.

“Usually, once a web shell is uploaded, it is fairly simple to root the server by exploiting unpatched vulnerabilities or its insecure configuration,” he added.

“Detection of web shells is a fairly routine operation, moreover, such attacks are usually attributable to junior hackers unskilled or careless enough to upload a web shell without obfuscation and proper removal after backdooring the server.”



Twitter Confirms it Will Only Ban “Harmful” Deepfakes

Thu, 02/06/2020 - 09:53

Twitter has become the latest major social platform to articulate its deepfake policy, claiming it will remove “manipulated media” only if it causes harm.

In a blog post earlier this week, head of site integrity, Yoel Roth, and group product manager, Ashita Achuthan, explained that the site’s new policy was distilled from responses to its draft rule by academics, civil society and thousands of Twitter users.

The new rule is that if synthetic or manipulated content like deepfakes is deliberately intended to deceive users then it will be clearly labelled. If it’s also deemed likely to cause harm then it is “very likely” to be removed.

By harm, Twitter means threats to physical safety, the risk of mass violence or civil unrest, and threats to privacy or free expression of an individual or group. This includes voter suppression or intimidation, but it doesn’t mention attempts to influence voters in other ways.

Twitter said it “may” also remove manipulated content that causes harm but has not been shared in a manner intended to deceive.

The firm added that it might also show a warning to users before they retweet such content, reduce its visibility on Twitter and/or prevent it from being recommended, and provide a landing page with more context.

Twitter’s policy would, at first sight, appear more liberal than Facebook, which earlier this year effectively stated its intent to ban any deepfake content designed to mislead users, whether it’s harmful or not.

YouTube also recently reminded users that any deepfakes related to the upcoming US Presidential elections would be banned from the site.

The challenge for such platforms is that their attempts to police such content at present are largely reactive in nature, and that harm can still be done to candidates if a deepfake goes viral, even if it is subsequently removed and confirmed as a hoax.



FBI Issues Valentine Romance Scam Warning

Wed, 02/05/2020 - 16:40

With Valentine's Day just around the corner, the Federal Bureau of Investigation has warned Americans to be on the lookout for cyber-based romance scams.

The Richmond, Virginia, branch of the FBI said criminals used the most romantic day of the year as an opportunity to con victims out of their hard-earned cash or personal data. For these heartless cyber-villains, websites and apps intended to aid people in their quest to find love are nothing more than prime hunting grounds brimming with easily exploitable victims. 

In a warning released on Monday, the FBI wrote: "Valentine’s Day and the days leading up to it can be exciting, but it can also lead to heartbreak, embarrassment, and financial loss. 

"Well-rehearsed criminals search dating sites, apps, chat rooms, and other social media networking sites attempting to build 'relationships' for the sole purpose of getting your money or your personally identifiable information."

To help romance seekers stay safe, the FBI issued seven guidelines to follow when looking for love online.

Advice to "only use reputable, nationally-recognized dating websites" was accompanied by the important message that scammers may be using these sites as well.

Users were advised to perform a background check of their potential love match, using online search tools to verify photos and profiles and asking questions. 

"Do not blindly believe the stories of severe life circumstances, tragedies, family deaths, injuries, or other hardships geared at keeping your interest and concern," warned the Bureau. 

The FBI urged users never to provide their financial information, loan money, or allow their bank accounts to be used for transfers of funds. 

Anyone who has formed a romantic connection via the internet and is planning to arrange a meeting in real life should make sure that they meet in a public place and that they tell a friend where they are going, whom they are meeting, and when they will be returning home. Any attempts to isolate a user from their family and friends should be avoided at all costs.

According to the FBI, victims may be hesitant to report being taken advantage of by a romance scammer due to embarrassment, shame, or humiliation. 

"It's important to remember, romance scams can happen to anyone at any time," the FBI warned.


LexisNexis Risk Solutions to Acquire Emailage

Wed, 02/05/2020 - 15:56

LexisNexis Risk Solutions, part of RELX, is to acquire global provider of fraud prevention and risk management solutions, Emailage.

Under the terms of the deal, Emailage will become a part of the Business Services group of LexisNexis Risk Solutions.

News of the upcoming acquisition was announced yesterday, though details of the financial sums involved were not disclosed. The transaction is subject to customary conditions and regulatory consents and is expected to close in the first quarter of 2020.

LexisNexis Risk Solutions already has an established commercial partnership with Emailage to offer email risk assessment to customers around the world. The acquisition of Emailage is a key indicator of LexisNexis' commitment to augmenting organic growth with strategic acquisitions.

Founded in 2012 and based in the Phoenix metro area, with offices across the globe, Emailage helps organizations reduce online fraud by building multi-dimensional profiles associated with customer email addresses to render predictive risk scores. 

Rick Trainor, CEO of LexisNexis Risk Solutions, Business Services, said the acquisition was a natural fit that would benefit customers.

"We are continuously evolving our fraud prevention and identity assessment solutions to help our customers fight fraud. Emailage's broad email and digital data attributes network, inquiry data and confirmed fraud feedback complement our deep expertise in contributory data management and linking technology," said Trainor. 

"This strategic acquisition will expand our digital identity intelligence and fraud prevention services, providing our customers an even more comprehensive view into consumers for more predictive risk assessment."

CEO of Emailage Rei Carvalho said the planned transaction was a flattering compliment to what the 8-year-old company has achieved. 

"LexisNexis Risk Solutions is laser-focused on providing its customers a 360-degree view into an identity, which aligns with our mission to help customers who seek fast, low-friction, global digital identity fraud solutions to combat fraud without sacrificing consumer experience," said Carvalho. 

"We are thrilled to be recognized as a pioneer in email intelligence-based fraud risk scoring solutions and look forward to aligning our solutions to help organizations fight fraud on a more comprehensive level."


YouTube Issues Deepfake Ban Reminder

Wed, 02/05/2020 - 15:07

YouTube has issued a public reminder that deepfakes related to the 2020 US presidential election are banned from its video service. 

The Google-owned company has said that it doesn't want its platform to be exploited as part of any deliberate attempts to mislead viewers regarding voting procedures or influence their choice of candidate.

A deepfake is altered video content that has been doctored to show something that didn't actually happen, and the results can be worryingly convincing. 

Last year, YouTube became the first major social media platform to remove a deepfake video of Speaker of the United States House of Representatives Nancy Pelosi. The clip had been slowed down to make it appear that Pelosi was slurring her words, causing her to come across as almost drunk enough to start a conga line. 

YouTube has also issued a reminder this week that "birther" videos, which cast doubt on the authenticity of a candidate's birth certificate to imply that they were born outside the United States, are banned. 

Neither of these policies is new, but YouTube clarified its rules ahead of the now famously disastrous Iowa caucuses, which took place on Monday. Guidelines regarding this type of content were already in place back in 2016 ahead of the election campaign that saw President Donald Trump take office.

Restrictions have not been imposed on videos in which speech has been selectively clipped to appear out of context, though content of this nature can be as misleading and influential as any deepfake. 

Facebook, which faced criticism last year for refusing to remove the unflattering Pelosi deepfake, announced a deepfake ban in January.

Robert Prigge, CEO of Jumio, highlighted the danger posed by deepfake videos and called for a technology-based solution to uncloaking falsified videos.

Prigge commented: "Deepfakes pose a serious threat to the digital economy and the evolution of digital identity because it’s far too easy to use AI to create realistic deepfakes—and they can be weaponized to commit fraud. 

"To prevent deepfakes from becoming the next leading attack vector, advanced authentication methods, such as face-based authentication, must be able to detect and stop deepfakes in order to stay ahead of the rapidly evolving fraud curve."


Coronavirus Attacks Aim to Spread Malware Infection

Wed, 02/05/2020 - 11:20

Security experts are warning of new phishing campaigns designed to capitalize on global fears of the fast-spreading coronavirus.

Last week saw the first reported UK infections of the virus, known for now as 2019-nCoV, after it spread around the world from an epicenter in Wuhan, China. Concerns persist over whether the true extent of the virus, which is said to have a mortality rate of 2%, has been downplayed by Beijing.

True to form, cyber-criminals are looking to exploit the widespread hunger for news about the outbreak by using it as a phishing lure.

Mimecast has detected one such campaign, with emails titled “Singapore Specialist: Corona Virus Safety Measures.”

Of course, clicking on the link in the email will lead to a covert malware download.

“The sole intention of these threat actors is to play on the public’s genuine fear to increase the likelihood of users clicking on an attachment or link delivered in a malicious communication, to cause infection, or for monetary gain. This is a rational choice by criminals as research has shown that over 90% of compromises occur by email, and that over 90% of those breaches are primarily attributable to user error,” explained director of threat intelligence, Francis Gaffney.

“There are a number of simple steps you can take to minimize your risk, such as using a reliable AV solution and following safe cyber-hygiene practices such as strong password usage and never enabling macros in any attachments if you do open them. I urge everyone to be vigilant at this time in relation to any emails or electronic communications purporting to be in relation to the support of those affected by the coronavirus.”

Kaspersky has also sounded the alarm over coronavirus-themed attacks. It detected multiple malicious pdf, mp4 and docx files claiming to contain updates and information on how to stay safe from the virus.


Over 80% of UK Firms Don’t Have Specialist Cyber Insurance

Wed, 02/05/2020 - 10:32

More than 80% of UK businesses still don’t have cyber-related insurance despite widespread recognition of the risks associated with rising threat levels, according to Gallagher.

The insurer polled 1000 UK business leaders in organizations of various sizes, and nearly two-fifths (39%) cited cyber-attacks as one of their biggest concerns. However, 82% claimed not to have specialist insurance.

Gallagher argued that many firms may be buying catch-all policies which may not pay out in the event of a serious security breach, while others either underestimate cyber-threats or have too much confidence in their ability to defend against attacks.

It claimed that nearly half (46%) of respondents from mid-sized firms believe that cyber-attacks are “mainly an issue for bigger organizations.”  

Of course, the stats show that, while sophisticated targeted attacks may only strike larger companies, firms of all sizes are regularly the subject of automated cyber-raids. ISP Beaming warned in January that the average UK firm was hit by over half a million attempts to compromise systems last year, a 152% increase on 2018.

Network device admin tools and IoT endpoints like connected security cameras and building control systems were most commonly targeted, followed by file sharing platforms.

Tom Draper, head of cyber at Gallagher, added that smaller firms may also be compromised in an attempt to reach higher value clients and partners.

“Clearly there are practical steps businesses can take to help protect against cyber-attacks, but unfortunately the risk remains significant and many businesses are leaving themselves exposed to financial and reputational damage if they do not consider having specialist insurance in place,” he argued.

“It is evident from our research that many bosses believe they are covered in the event of a cyber-attack, however traditional or off-the-shelf business insurance policies do not typically provide cover for cyber-related issues.”

Big-name organizations including Cadbury-owner Mondelez and law firm DLA Piper are currently involved in litigation with their insurers over failure to pay out following the NotPetya ransomware worm of 2017, highlighting the importance of nailing down the small print in policy documents.


EKANS Ransomware Detected with ICS-Specific Functions

Wed, 02/05/2020 - 09:50

Security researchers are warning of a new ransomware strain containing functionality to target industrial control systems (ICS) — evidence that cyber-criminals are gearing up for more attacks on such environments.

Discovered in mid-December last year, EKANS joins just a handful of similar ICS-specific variants including Havex and CrashOverride, according to security vendor Dragos.

It’s described as relatively straightforward ransomware that encrypts files and displays a ransom note, but the malware differs from most in that it names ICS processes in a static “kill list.” In the past, ransomware that has impacted ICS environments, such as the LockerGoga shutdown of Norsk Hydro, has been IT-focused and only spread into such systems via enterprise mechanisms, Dragos explained.

Among the ICS products referenced in the code are: GE’s Proficy data historian, GE Fanuc licensing server services, Honeywell’s HMIWeb application and ThingWorx Industrial Connectivity Suite, as well as a range of other remote monitoring and licensing server offerings.

There’s no self-propagation mechanism included in the ransomware; instead, it must be launched interactively or via a script once the threat actors behind it have achieved large-scale compromise of a victim organization, such as via Active Directory.

Although primitive, EKANS presents “specific and unique risks and cost-imposition scenarios for industrial environments,” warned Dragos.

“EKANS (and its likely predecessor MegaCortex) represent an adversary evolution to hold control system environments specifically at risk. As such, EKANS despite its limited functionality and nature represents a relatively new and deeply concerning evolution in ICS-targeting malware,” the firm concluded.

“Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities, EKANS appears to indicate non-state elements pursuing financial gain are now involved in this space as well, even if only at a very primitive level.”

However, not all experts agree. Emsisoft threat analyst, Brett Callow, argued that the ransomware isn’t designed to target ICS environments specifically.

“The most likely reason for it stopping ICS processes is simply so that the files used by those processes can be encrypted. In-use files cannot be encrypted, which is why ransomware typically tries to stop a multitude of processes,” he explained.

“Additionally, there’s no reason to believe that EKANS was developed to target a specific company or industry. Nor is it running rampant: there have been a grand total of five submissions to ID Ransomware.”


Alleged Human Trafficker Accused of Faking Social Media to Contact Victim

Tue, 02/04/2020 - 15:29

A Kentucky resident charged with human trafficking and the online promotion of underage sex workers has been accused of creating fake social media profiles to contact victims and dissuade them from testifying against him.

Nigel Nicholas was first arrested in February 2018 and charged with two counts of human trafficking and one count of promoting two or more sex workers. According to arrest reports, the 53-year-old Louisville resident sold sex with underage teens, which was advertised on Backpage.com and other websites.

Backpage and its affiliated websites were seized in April 2018 as part of an enforcement action by the Federal Bureau of Investigation. 

Nicholas allegedly worked in cahoots with a woman named Abigail Varney, profiting from the sale of the teenagers' bodies. He is said to have paid for a hotel room in which the transactions were carried out and for props that were used to make the notices advertising the teenagers more appealing. 

The alleged human trafficker, who was out on bail, was arrested again on Friday in Louisville for using "deception and fraud to coerce the victim, offering both finances and property in exchange for a retraction of allegations," according to a news release. 

Nicholas is accused of paying someone to come to Kentucky from Texas and help him put pressure on one of his alleged victims not to testify against him. The victim was allegedly offered an apartment, car, and money in return for keeping their mouth shut. 

A further accusation now being leveled against Nicholas is that he created fake social media pages to contact the victim.

Nicholas now faces an additional charge of tampering with a witness, a Class D felony. As a result of the new charge, $20,000 has been added to Nicholas' initial $10,000 bond. 

In a statement released on Saturday, Attorney General Daniel Cameron said: "Our Cyber Crimes Unit is committed to partnering with local, state, and federal law enforcement to apprehend human trafficking criminals who attempt to intimidate and coerce witnesses.

"I am grateful to our hardworking investigators and law enforcement for their diligent work on this case."

Jefferson County Commonwealth Attorney Christie Foster, who is prosecuting the case, said more arrests are expected.


Racine Mayor Refuses to Pay Cyber-Ransom

Tue, 02/04/2020 - 14:43

The mayor of a Wisconsin city in the grips of a ransomware attack has said that any demands for a ransom payment will not be met. 

Computer systems in the city of Racine were infected with ransomware on Friday morning. As a result, the city's website, email, voicemail, and payments systems have been knocked offline. 

Citizens are being encouraged to conduct their business in person at City Hall during a recovery process that officials say could take over a week to complete.

"If you need to interact electronically, for all intents and purposes, this week we need you to go back to an older, more analog time," Racine Mayor Cory Mason said on Monday. "Come on into City Hall, say hello."

The city is yet to receive a ransom demand from whoever was behind the cyber-attack.

"While we have received this ransomware in our system, we have not received a specific ransomware request. And, if we did receive such a request, we would not pay it," said Mason. 

The mayor added that Racine has a cyber-insurance policy, which should cover the city for most of the expenses incurred restoring computer services.

While over 700 city employees have been impacted by the cybersecurity incident, the city's library and emergency dispatch departments are continuing to operate as normal. 

Racine Police reported being unable to process fee payments or provide copies of police or accident reports in a Facebook post.

State and federal agencies have been notified of the incident, and an investigation into how the attack occurred and who was behind it is currently under way. 

Mason said: "We've been doing forensics on all of our systems citywide. For now, most systems are offline; this includes our website, email, and voicemail."

The mayor said the city was not aware of any sensitive data having been exposed as a consequence of the ransomware attack.

"It appears that none of our backup data has been breached; that includes all personal identification information and files," said Mason.

Racine is the second Wisconsin city to suffer a ransomware attack in a week, after Oshkosh was hit last Tuesday in a similar incident. Neither city has so far received an actual ransom demand.


Democrats Deny Iowa Caucus App Hack

Tue, 02/04/2020 - 14:00

America's Democratic Party has said that cybersecurity issues are not responsible for the unprecedented delay in calculating the results of the 2020 Iowa caucuses.

Members of the Democratic and Republican parties gathered in precincts across the state yesterday to vote for their preferred candidates in the first major contest of the United States' presidential primary season. 

While the Republican Party returned results last night naming President Donald Trump as their preferred presidential candidate, the results of the votes cast by Democratic Party members had still not been released as of 9:45 a.m. this morning Eastern Time (ET).

Technological failures of the Democratic Party's phone system and of an app introduced to aid the voting process are being blamed for the delay, which Iowa Democratic Party Communications Director Mandy McClure has said was definitely not caused by a cyber-attack.

McClure issued the following statement: "We found inconsistencies in the reporting of three sets of results. In addition to the tech systems being used to tabulate results, we are also using photos of results and a paper trail to validate all results match and ensure we have confidence and accuracy in the numbers we report. 

"This is simply a reporting issue, the app did not go down, and this is not a hack or an intrusion. The underlying data and paper trail is found and will simply take time to further report the results."

Precinct chairs reportedly experienced difficulties when trying to download the app and when logging in to report voting results. Phone lines designed to act as a back-up were subsequently overrun, with some precinct chairs reporting waiting on hold for over an hour to report results. 

The app was built by Shadow Inc., a small company based in Washington, DC, at a cost of $63,000. According to a report in the New York Times, the app had not been tested by end-users and precinct chairs had not received training on how to use it.

This morning, Biden campaign general counsel Dana Remus sent a letter to top Iowa Democratic Party officials demanding "full explanations and relevant information" for the "failed" systems the IDP deployed for the caucuses. 

Remus wrote: "The app that was intended to relay Caucus results to the Party failed; the Party's back-up telephonic reporting system likewise failed. Now, we understand that Caucus Chairs are attempting to—and in many cases, failing to—report results telephonically to the Party. These acute failures are occurring statewide."


Police Warn of Physical IT Risk from Malicious Contractors

Tue, 02/04/2020 - 11:19

Organized crime groups are increasingly looking at ways to physically access IT infrastructure via insiders in contracting firms, police cyber-chiefs have warned.

Shelton Newsham, manager of the Yorkshire and Humber Regional Cyber Crime Team, reportedly told the SINET Global Cybersecurity Innovation Summit last week that gangs are placing their own people in cleaning companies, in order to target corporate networks.

“Exploitation of staff is a key area”, Newsham said, according to CBR.

“Organized crime groups are planting ‘sleepers’ in cleaning companies that a procurement team may look at bidding for. There’s no way of auditing their vetting. They’re also using people in painting and decorating firms; anyone who has out-of-hours access to a building is fair game.”

Jake Moore, cybersecurity specialist at ESET, argued that both cyber and physical security are crucial to maximizing protection of corporate assets, but that it’s a difficult message to get through to the board, especially given the costs involved.

“The best way to realize a business’s own flaws is to conduct a basic penetration test that involves both physical and cyber-threat vectors, and this will easily highlight where those risks lie,” he added.

“It would be arrogant to think that your business does not have weaknesses, so it is best to test these out using red team professionals who will acknowledge any weak points that need addressing.”

The warnings from Yorkshire police echo those made at Infosecurity Europe last year, when Holly Grace Williams, technical director at Secarma, argued that physical intrusions too often go unreported by staff.

CISOs don’t just have to worry about cyber-criminal gangs exploiting physical access to target IT systems. Last year a former college student pleaded guilty to vandalizing computer equipment at his alma mater, the College of St. Rose in Albany, New York.

Vishwanath Akuthota used a “USB Killer” device he bought online to destroy IT kit with an electrical charge.


Twitter Fixes API Bug That Unmasked Users

Tue, 02/04/2020 - 10:15

Twitter has been forced to take action after discovering malicious actors taking advantage of an API bug to unmask users on the site by getting hold of their phone numbers.

The social network discovered the issue on Christmas Eve last year after detecting a user employing a large network of fake accounts to exploit an API which matches usernames to phone numbers. It’s specifically intended for new users to find people they may already know on the site — as long as they have enabled the “let people who have your phone number find you on Twitter” function and have a phone number associated with their account.

“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case,” Twitter continued.

“While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”

The bug may therefore have helped nation-state intelligence services obtain the phone numbers of rights activists and others who use Twitter under pseudonyms. It would also have been useful to cyber-criminals gathering intelligence on high-value individuals, whose phone accounts may be worth targeting in SIM swap operations.

Fortunately, the social site has now closed this vulnerability down.

“After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint,” it confirmed.
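The pattern Twitter describes (a network of fake accounts behind a few source IPs, each feeding bulk phone numbers to the contact-matching endpoint) is the kind of abuse a defender can spot in endpoint access logs. The following is an added example, not Twitter's code: it parses constructed log lines (the field names and values are assumptions) and flags IPs that exceed per-IP account-count and lookup-volume thresholds.

```python
import re
from collections import defaultdict

# Constructed access-log lines for a hypothetical contact-matching endpoint
# (one line per request; field names and values are assumptions, not Twitter's).
SAMPLE_LOG = """\
2019-12-24T10:00:01Z account=u1001 ip=203.0.113.5 phones=500
2019-12-24T10:00:02Z account=u1002 ip=203.0.113.5 phones=500
2019-12-24T10:00:03Z account=u1003 ip=203.0.113.5 phones=500
2019-12-24T10:00:04Z account=u1004 ip=203.0.113.5 phones=500
2019-12-24T10:00:05Z account=u1005 ip=203.0.113.5 phones=500
2019-12-24T10:01:00Z account=u2001 ip=198.51.100.7 phones=40
2019-12-24T10:02:00Z account=u2002 ip=198.51.100.9 phones=12
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) phones=(?P<phones>\d+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["phones"] = int(rec["phones"])  # number of phone numbers submitted in this request
    return rec


def flag_enumeration(log_text, max_accounts_per_ip=3, max_phones_per_ip=1000):
    """Flag IPs whose traffic looks like bulk phone-number enumeration: many distinct
    (likely fake) accounts behind one IP, or a lookup volume far beyond genuine use."""
    accounts_by_ip = defaultdict(set)
    phones_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        accounts_by_ip[rec["ip"]].add(rec["account"])
        phones_by_ip[rec["ip"]] += rec["phones"]

    flagged = {}
    for ip, accounts in accounts_by_ip.items():
        reasons = []
        if len(accounts) > max_accounts_per_ip:
            reasons.append("many_accounts")
        if phones_by_ip[ip] > max_phones_per_ip:
            reasons.append("bulk_lookups")
        if reasons:
            flagged[ip] = {"accounts": len(accounts), "phones": phones_by_ip[ip], "reasons": reasons}
    return flagged
```

Thresholds are illustrative; in practice they would be tuned to the legitimate per-user lookup volume of the service.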

Categories: Cyber Risk News

Suffolk iCloud Voyeur Gets 32 Months Behind Bars

Tue, 02/04/2020 - 09:35

A Suffolk man has been jailed for several years after hacking the iCloud accounts of several women and sharing their intimate pictures online.

Tony Spencer, 38, of Victoria Hill, Eye, was sentenced at Basildon Crown Court late last week after admitting guilt in September 2019 to those offences and to secretly filming women and children getting changed in a Norfolk leisure center.

He received a 32-month jail term for nine counts of voyeurism, five counts of taking indecent photographs of a child and 12 counts of Computer Misuse Act offences.

Spencer was caught after a woman came to Essex police reporting that her iCloud account had been hacked and explicit photos of herself posted online. That set in motion an investigation which revealed multiple suspects across the region were hacking hundreds of victims in a similar manner.

Several searches of Spencer’s home in 2017 by the Essex Cyber Crime Team revealed computers containing the images belonging to 12 victims and software he used to access the accounts, presumably either to brute force or phish their passwords.

Detective Sergeant Ian Collins of the cybercrime unit said the case highlights why computer users should switch on two-factor authentication (2FA) to protect their accounts.

“Spencer went to extreme lengths to obtain images of young women and children without permission for his own and others’ sexual gratification. His secret lifestyle went hidden for many years until we received just a single report that revealed much, much more,” he explained.

“He used his specialist knowledge to hack his unsuspecting victims’ accounts and then accessed their most intimate photographs for his own sexual purpose and that of others. Spencer was not able to access any accounts secured with 2FA as he would have needed the mobile phone of the victims at the same time.”

Spencer has also been placed on the Sex Offenders’ Register for life and was given a Sexual Harm Prevention Order for 10 years. 

Categories: Cyber Risk News

Nintendo Hacker Pleads Guilty to Downloading Child Porn

Mon, 02/03/2020 - 17:53

A California man could face up to 25 years in prison after pleading guilty to downloading child pornography and habitually hacking into the computer system of Japanese gaming giant Nintendo. 

Ryan Hernandez was still a minor when, together with an associate, he used a phishing technique to steal the credentials of a Nintendo employee in 2016. The data stolen by the Palmdale resident, who is now 21, was used to gain access to and download confidential Nintendo files related to the company's consoles and games.

That stolen data, which included pre-release information about the anticipated Nintendo Switch console, was leaked to the public, sparking an investigation by the Federal Bureau of Investigation.

The FBI tracked Hernandez down to his parents' house in October 2017 and let him off with a warning, but it wasn't too long before the youngster threw away the second chance he was generously offered. Within nine months Hernandez was back to his old tricks, illegally accessing Nintendo servers and stealing confidential information. 

Hernandez leaked the stolen information to others online via a chat forum he had christened "Ryan's Underground Hangout." There, the egotistical hacker discussed Nintendo products, shared confidential information he had stolen from people with actual talent, and highlighted possible Nintendo network vulnerabilities.

Far from displaying any guilt over his illicit activities, Hernandez brazenly boasted about his cyber-exploits on social media platforms, including Twitter and Discord. 

Hernandez's malicious hacking spree was curtailed in June 2019 when FBI agents seized from his home the computers, hard drives, and circumvention devices he used to access pirated video games and software. 

A search of the devices revealed thousands of confidential Nintendo files and a sickening insight into Hernandez's disturbing sexual predilections. 

The US Department of Justice stated: "Forensic analysis of his devices also revealed that Hernandez had used the internet to collect more than one thousand videos and images of minors engaged in sexually explicit conduct, stored and sorted in a folder directory he labeled 'Bad Stuff.'"

In a US District Court in Seattle, Washington, on Friday, Hernandez pleaded guilty to computer fraud and abuse and to possession of child pornography. Hernandez, who will now be required to register as a sex offender, agreed to pay $259,323 in restitution to Nintendo.

Hernandez will be sentenced on April 21.

Categories: Cyber Risk News

Cybersecurity Incident Mars Australian Freight Giant's Operations

Mon, 02/03/2020 - 16:55

A major Australian freight company is experiencing operational difficulties after a cybersecurity incident caused an IT system shutdown. 

Toll Group announced that it had experienced a "cybersecurity incident" on Friday. The company shut down a number of IT systems at multiple sites across the country in a bid to resolve the issue.

"As a precautionary measure, in response to a cyber security incident on Friday, Toll deliberately shut down a number of systems across multiple sites and business units," said Toll Group in a statement.

"Toll IT teams are working closely with global cyber security experts to resolve the issue."

Customers have reported issues with tracking shipments, reporting that IT systems were down at Toll depots. Until the incident is resolved, Toll Group is recording receipts manually.

The MyToll website, where customers can usually track deliveries and book package collections, has been taken offline and is currently displaying a cybersecurity warning message. 

The company said its first priority was to bring its customer-facing applications back online.

"Toll is making progress with our recovery activities to restore our systems and Toll customer-facing applications," stated the company.

"Our immediate focus is on bringing our systems back online in a controlled and secure manner. Business continuity plans have been activated to maintain customer service and operations."

No information has been released by Toll Group so far regarding the nature or severity of the cyber-incident. The details of how it occurred are currently also being kept under wraps.

Toll Group is often contracted to handle Australia's eBay deliveries. The freight company is also the carrier of choice for many of the country's cell phone companies when sending out new handsets and SIM cards. 

Business Insider reported that Toll operations in Australia, India, and the Philippines had been affected by the incident. 

No timeline has been given for when Toll Group's IT systems will be back up and running. 

Toll Group operates a global express, freight forwarding, and logistics service from its base in Melbourne. The company, which was founded in 1888, was acquired by Japan Post in 2015.

Categories: Cyber Risk News

British Charity Loses Over $1m in Domain Spoofing Scam

Mon, 02/03/2020 - 16:02

A British community housing charity was conned out of more than $1m in a domain spoofing and contractor impersonation scam.

Red Kite Community Housing announced on Tuesday that it had fallen victim to a cyber-scam in which criminals posed as genuine service providers to steal a staggering £932,000.

In a statement issued on January 28, Red Kite described the heavy financial loss as "absolutely galling."

The charity described how criminals not only spoofed the domain of a genuine contractor but also sent emails to Red Kite that appeared to be from contacts who had already won the charity's trust. 

Detailing how the criminals got the better of the charity, Red Kite wrote: "What they managed to do was to expose a weakness using sophistication and human nature to carry out the theft of this money.

"In essence, they mimicked the domain and email details of known contacts that were providing services to Red Kite. Through this they managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow up to an existing conversation."

Unfortunately, a payment verification process put in place to prevent fraudulent transactions proved ineffective when the error it flagged was not actioned.

Red Kite wrote: "We still had an additional safety net in place; a two-stage process to verify changes to payments and accounts which ordinarily would have caught this attempt.

"This, however, proved to be our weak point, with an error being made by the clear process not being actioned, resulting in a missed opportunity to shut the door before the money was taken. This is the part that upsets everyone involved."
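A defender-side check for the spoofed-contractor mechanism Red Kite describes, added here as an example and not the charity's own process: it compares an invoice sender's domain against a constructed list of known contractor domains (placeholders), treats homoglyph substitutions and small edit distances as lookalikes, and holds a bank-detail change unless the sender is known and an out-of-band confirmation was actually actioned.

```python
# Constructed list of domains belonging to contractors the charity genuinely pays
# (placeholders, not Red Kite's real suppliers).
KNOWN_CONTRACTOR_DOMAINS = {"example-contractor.co.uk", "brickworks.example"}

# Character sequences that look alike in common email fonts; used only for comparison.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def normalise(domain):
    """Collapse visually confusable sequences so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, known=KNOWN_CONTRACTOR_DOMAINS, max_distance=2):
    """'known' for an exact contractor domain, 'lookalike' for a near miss, else 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in known:
        return "known"
    for k in known:
        if normalise(domain) == normalise(k) or levenshtein(domain, k) <= max_distance:
            return "lookalike"
    return "unknown"


def hold_payment_change(sender_address, verified_out_of_band):
    """True when a bank-detail change must be held. The lesson from the article is that a
    flagged verification step left un-actioned is no control at all, so release only when
    the sender is a known domain AND someone confirmed the change via a known phone number."""
    return not (classify_sender(sender_address) == "known" and verified_out_of_band)
```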

The con was carried out in late August 2019 and is still under investigation by the police. As a result of the incident, Red Kite's governance rating has been downgraded by the Regulator of Social Housing (RSH). 

In a regulatory judgement made public last week, the RSH wrote that Red Kite experienced "a significant financial loss as a result of a fraud due to a basic failure in its system of internal controls"—and urged the charity to make improvements.

Red Kite, which is based in the southeastern county of Buckinghamshire, owns and manages around 6,500 homes across the town of High Wycombe.

Categories: Cyber Risk News

Thousands Raised for NSPCC’s Childline Service at White Hat Ball

Mon, 02/03/2020 - 12:07

An incredible £187,000 was raised for the NSPCC counselling service Childline at the White Hat Ball on Friday, January 31, 2020.

Over 650 guests attended the event, which was hosted by singer and TV personality Peter Andre, at the Royal Lancaster Hotel in London.

Guests, including members of the Infosecurity Magazine team, enjoyed a champagne reception and a three-course dinner, followed by entertainment including silent and live auctions in which fantastic prizes were won, such as an exclusive VIP Manchester United experience and the painting ‘Bowie’ by Daniel Mernaugh.

Organized by a committee of dedicated volunteers from the information risk and security sector, the event is now in its 15th year.

Speaking at the event, Peter Andre said: “I’ve been supporting Childline for many, many years so I was honored to be asked to host the White Hat Ball and raise lots of money for a cause close to my heart. I love everything Dame Esther Rantzen stands for. Every child is worth fighting for, and I’m proud to have been a part of this evening to support that.”

The money raised from the Ball will help Childline continue to be there 24/7 for young people in need of support for a range of issues, including mental health and concerns about abuse and neglect. On average, a child contacts Childline every 25 seconds, with almost three-quarters of counselling sessions now taking place online.

Sarah Jeffery, NSPCC special events manager, said: “It was fantastic to see so many people gather at the White Hat Ball, raising vital funds for Childline.

“We know that Childline provides a vital lifeline for young people across the country and events like the White Hat Ball enable us to continue to provide this life-changing service.”

Categories: Cyber Risk News

Missile Engineer Arrested After Taking Secret Info to China

Mon, 02/03/2020 - 11:38

The FBI has arrested a US defense contractor employee for allegedly taking classified information with him on a secret China trip.

Tucson resident Wei Sun, 48, worked for Raytheon for over 10 years as an electrical engineer on the firm’s missile systems program. As such, the China-born US resident had access to technical data on highly regulated military technology which requires an export license to take out of the country.

However, he allegedly transported some of this data “knowingly and wilfully” on his work laptop on a December 2018 trip, despite being told by a manager that this would contravene company policy and federal law.

Whilst out of the country, he emailed Raytheon from his laptop and work account to resign, claiming he wanted to study and work overseas.

On returning, he admitted to security staff at the firm that he had taken information on Raytheon’s ballistic missile defense system abroad on his work laptop, but only to Singapore and the Philippines.

However, Sun’s story subsequently changed, as he admitted to travelling to China, Cambodia and Hong Kong — again with no attempt made to obtain an export license under the International Traffic in Arms Regulations (ITAR).

Sun was kicked out of the company after these interviews in January 2019 and arrested a year later for breaking the ITAR.

Reports suggest he was familiar with cutting-edge weapons systems of high strategic value to China, such as defense technology used to shoot down incoming missiles.

The US is clamping down on intelligence leaks of all types. Last week it emerged that a prominent Harvard academic had been arrested and charged with lying about his ties to China.

His case was announced alongside news that a PLA officer and a second Chinese national were arrested after posing as students to steal sensitive research information.

Categories: Cyber Risk News
