A scammer who defrauded elderly American computer users by tricking them into believing that their computers had suffered a cyber-attack will be spending the next three years in federal prison.
Himanshu Asri, of Delhi, India, took part in a five-year telemarketing scheme that conned around 2,000 computer users, most of whom were seniors.
The 34-year-old fraudster operated the call center in India that played an integral part in the Tech Fraud deception.
Under the scheme, Asri arranged for fraudulent pop-up advertisements to appear on computer users’ screens. The ads falsely claimed that malware had been detected on the computer and advised the user to call a phone number for assistance to remove it.
Users who called the number for help spoke to operators at Asri’s call center and at other call centers based in India. Those operators had been coached to reiterate the lie that malware had been found on the callers’ computers.
Users were offered fictitious computer protection services that would remove the non-existent malware for an exorbitant price.
Those who fell prey to the scam paid on average $482 for computer protection service or assistance that they didn't need and didn't receive. In some cases, victims were defrauded of amounts exceeding $1,000.
A spokesperson for the US Attorney's Office for the District of Rhode Island said: "From call data obtained for a three-month period, it was estimated that over five years Asri’s scheme led approximately 6,500 people to view Asri’s deceptive pop-up ads and encounter call center operators who made the Tech Fraud pitch. It is estimated that 1,950 of those people fell prey to the Tech Fraud."
Asri and his co-conspirators tricked their victims into handing over at least $940,995.74. Had all their fraudulent attempts been successful, it's estimated that the fraudsters' illegal activity could have defrauded victims out of approximately $3,133,000.
Asri was arrested at the beginning of 2020. On December 3, he pleaded guilty to wire fraud.
On Thursday, the scammer was sentenced in US District Court in Providence to three years in federal prison followed by a period of supervised release.
American multinational technology company Microsoft says that the threat group behind the Microsoft and SolarWinds hack has launched a massive new phishing campaign targeting government agencies, NGOs and think tanks.
Last year, an advanced persistent threat (APT) group carried out a supply-chain attack by trojanizing updates to SolarWinds' Orion business software, using the poisoned builds to distribute malware and then pivoting into victims' Microsoft cloud and identity services. Nine US federal agencies and over 100 companies were compromised.
According to Microsoft, the Russia-based APT group Nobelium was not only behind that attack but is now running a phishing campaign that has already targeted thousands of email accounts around the world.
"This week we observed cyber-attacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations," wrote Microsoft's vice president of customer security and trust, Tom Burt, in a blog post published on Thursday.
"This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations."
Burt said that organizations in at least 24 different countries were impacted, with the majority of victims located in the United States.
At least one in four of the organizations targeted are involved in international development, humanitarian, and human rights work.
"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts," wrote Burt.
Nobelium launched the phishing campaign by gaining access to the Constant Contact account of USAID.
"From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone," wrote Burt.
"This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network."
Digital Shadows threat researcher Stefano De Blasi said that Nobelium's alleged malicious activity exemplified how targeted phishing campaigns still constitute a serious threat against institutions of any kind.
He added: "This campaign is the latest testament to this group's objective of collecting sensitive and highly valuable information from Western organizations operating in the government and external affairs field."
A new charity initiative, which aims to raise money for two organizations that help tackle online child abuse and cybercrime respectively, has been announced by a group of cybersecurity professionals based in the UK and US.
Infostep 2021 will see 25 volunteers from the Infostep Challenge group of cyber pros walk a total of 19,000 miles, equivalent to a mammoth 42,212,000 steps, over the next six months. This will primarily look to raise funds for the Innocent Lives Foundation, which works with law enforcement to identify sexual predators targeting children online, and The Cyber Helpline, which offers a free, confidential advice and support service for individuals who have fallen victim to cybercrime.
The Infostep volunteers also hope to use some of the money raised to provide resources for people looking to start a career in cybersecurity.
The challenge originated when Tom Quinn, group IT security services manager for National Express, set a personal post-lockdown goal of walking 70,000 steps per week, which he revealed in a post on LinkedIn. Upon seeing the post, an old colleague of his, Amy Stokes-Waters, who is senior account manager for Cognisys, then reached out to try and get involvement from the wider infosec community. She explained: “I think everyone has had a bit of a lethargic few months. The weather is getting warmer, we’re allowed to get out and about a bit more, and if we can raise money while we’re at it, why not? This really is the infosec community at its finest!”
Commenting on the initiative, Innocent Lives Foundation ambassador and CISO of Ramsey Quantitative Systems, Jonathan Younie, said: “Ultimately, the goal of the Innocent Lives Foundation is to make the world safer for kids. Our team of volunteer technology specialists use OSINT (Open Source Intelligence) to identify predators who target children on the Internet, specifically to generate and distribute CSAM (Child Sexual Abuse Material). We work to provide law enforcement with the information they need to bring these predators to justice, so each dollar raised is used to assist law enforcement in unmasking child predators on the internet.”
Nikki Webb, head of marketing for The Cyber Helpline and global channel manager for Custodian 360, outlined: “Our vision is to ensure the UK is a place where cyber-criminals do not win and our mission is to ensure everyone in the UK has immediate access to expert, cybersecurity help when they need it. Infostep 2021 is an amazing initiative and we are so grateful to be chosen as recipients of some of the funds raised.”
Infostep Challenge added that they are welcoming support from any organization which would like to get involved in the endeavor in some capacity, either through funding or resource donation. Additionally, any individuals who would like to join in with their own personal challenge can follow along using the hashtag #infosteps2021.
As well as Stokes-Waters, Quinn, Webb and Younie, the infosecurity professionals who are taking part in the challenge are the following: Dan Conn, senior software engineer for Mimecast; Scott Winchester, owner of Hax_Shax; Sean Atkinson, director of security assurance at Secarma; Regina Bluman, security analyst at Algolia; Sarah Armstrong-Smith, chief security advisor at Microsoft; Tash Norris, head of cyber security at Moonpig; Paul Taylor, cyber consultancy at ITC Secure; Ryan Surry, director at Intaso; Siân Salmons, trainee cyber security consultant at CAPSLOCK; Cytisus E., senior security engineer at Macys; Lisa Forte, partner at Red Goat Cyber Security; Natasha Harley, co-founder at cyberxperts; Rosie Anderson, head of sales at Honeypot Digital; Rob Croxford, network security consultant; Phillip L., head of sector at ITC Secure; Adrian Tayor, transformation consultant at Deloitte UK; Rob Newby, founder at Procordr; Ste Watts, group head of cyber security operations at Aldermore Bank; Lorna Armitage, co-founder at CAPSLOCK; Dan Komenda, trainee cyber security consultant at CAPSLOCK; Laura Wellstead, co-founder of cyberxperts; Alex Martin, senior business development manager at Cognisys; and Peter Jones, owner at CyberBadger.
The National Cyber Security Centre (NCSC) has warned British internet users to protect their streaming accounts ahead of a summer of sport.
The GCHQ offshoot warned that such accounts can hold a trove of valuable personal and financial information for threat actors to harvest and use to make fraudulent payments or launch follow-on phishing, smishing and vishing scams.
“The UEFA Champions League final will kick off a great British summer of sport and those enjoying it online should be able to do so securely. If accounts aren't secure, it's really easy for criminals to access them and then proceed to target people with scam texts and emails,” said NCSC director of policy, Nicola Hudson.
“To help stay protected from this, we would urge people to visit cyberaware.gov.uk for advice on securing accounts and devices and the NCSC’s website for dealing with scam emails and texts.”
The NCSC urged internet users to change their passwords to strong, unique credentials in order to mitigate the risk of credential stuffing, and to take special care of their email log-ins: if these are hijacked, attackers can use password-reset flows to take over their other accounts. The Cyber Aware site also recommends switching on two-factor authentication.
It also asked users to switch on automatic updates for all apps to address the risk of streaming software being exploited by cyber-criminals.
The past year has seen a spike in the use of streaming services as employees and students were forced to stay home under government-mandated lockdowns.
However, that’s also presented an opportunity for threat actors: in less than a week last April Mimecast said it detected the registration of over 700 suspicious domains designed to impersonate the Netflix brand.
Nearly three-quarters of security operations (SecOps) leaders say their home lives are being impacted by the stresses of alert overload, according to a new global study from Trend Micro.
The security vendor polled over 2,300 cybersecurity decision-makers that run Security Operations Centers (SOCs) or SecOps from within their IT security function, to compile its report, Security Operations on the Back Foot.
It revealed the inadequacy of current tooling to help them prioritize alerts generated from multiple security controls across the organization.
Over half (51%) said their team is being overwhelmed by the volume of alerts and 55% admitted that they aren’t confident in their ability to prioritize and respond to them. On average, respondents said they’re spending over a quarter (27%) of their time dealing with false positives.
This is taking its toll emotionally: 70% claimed they feel so stressed outside of work that they’re unable to switch off or relax, and are irritable with friends and family.
In the SOC or IT security department, many admitted to turning off alerts (43%), walking away from their computer (43%), hoping another team member will step in (50%), or ignoring alerts entirely (40%).
"We're used to cybersecurity being described in terms of people, process and technology. All too often, though, people are portrayed as a vulnerability rather than an asset, and technical defenses are prioritized over human resilience,” argued cybersecurity researcher Victoria Baines.
“It's high time we renewed our investment in our human security assets. That means looking after our colleagues and teams, and ensuring they have tools that allow them to focus on what humans do best."
The figures chime with research from Sumo Logic last year which revealed that 99% of organizations are experiencing high volumes of alerts which cause issues for SecOps teams. A further 83% admitted this leads to alert fatigue for staff.
Nearly three-quarters (72%) of cybersecurity professionals are concerned about supply chain risks to their organization following high-profile incidents like the SolarWinds campaign, according to a new poll.
Run by the Infosecurity Europe trade show, which is owned by the same company as Infosecurity Magazine, the poll received over 2,500 responses on Twitter last week.
Nearly two-fifths (38%) said they were “very” concerned about the potential risks from third parties, whilst 34% claimed they were “somewhat” concerned.
They’re right to be: 28% admitted to having no processes in place to control data flows to and from third parties and a fifth (20%) didn’t even know if such measures had been implemented.
Even though more than half (52%) of respondents claimed to have processes in place, only a third (35%) said they actually enforce policy in this area.
Separate research from earlier this month revealed that almost half (44%) of North American organizations have suffered a breach via a third party over the past 12 months.
Even more (51%) said their organization is not assessing the security and privacy practices of suppliers before allowing them to access sensitive data.
Maxine Holt, senior research director at Omdia, argued that discovery must be the first step in assessing supplier risk.
“Which organizations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf? Then prioritize accordingly,” she explained.
“Request compliance information, and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third-parties must be able to ensure that data transfers are consistent with what has been agreed.”
Experts have argued in the past that accurate risk assessments are often out of reach for organizations as there’s too much reliance on trust and manual, spreadsheet-based approaches to provide assurance.
Infosecurity Europe 2021 will run 13-15 July 2021 at London Olympia, with selected talks and discussions to be made available online. The show will also be running a virtual conference from 8-10 June 2021.
A hacker who launched a long-running cyber-attack against a New Hampshire police department has been sent to prison for a year and a day.
Wayne Kenney Jr. broke into the computer systems of the Farnum Center, the Auburn Police Department (APD) and several department employees in 2015 after receiving a suspended sentence for heroin possession.
The Farnum Center is an addiction treatment center based in Manchester, New Hampshire, and it is where 31-year-old Hooksett resident Kenney was sent for drug treatment in early 2015.
After gaining access to the Center's systems on July 1, Kenney re-routed a drug helpline 1-800 telephone number to an adult entertainment business. He also doctored the Center's portal so that users who logged in were greeted with a link to a video that showed heroin being injected.
"The defendant's reprehensible actions caused significant harm to entities that seek to help the public," said Acting US Attorney John Farley in a statement.
"By disabling access to drug and alcohol treatment information, the defendant cruelly impeded innocent people from getting help for their substance abuse problems. His actions also harmed innocent public servants in Auburn."
After hacking into the APD's computer system, Kenney deleted some files and installed malware that prompted pop-up messages to appear on the department's computers. The messages prayed for the death of Kenney's arresting officer.
He also took over email and social media accounts belonging to APD employees and defaced them with pornography.
The attacks against the APD were carried out from February to July 2015 using a keystroke logger, computer viruses and phishing emails. Kenney's lawyer said that the hacker was going through personal problems when the crimes took place.
"You can't hide in the shadows of the internet and hack into computers and impede others from accessing emergency substance abuse treatment services and get away with it," said Joseph Bonavolonta, special agent in charge of the FBI Boston Division.
Key US government cybersecurity and counterintelligence officials have told CNBC that if the DarkSide ransomware gang has really stopped operating, it could soon be back to its old and highly lucrative tricks under a different alias.
Research published last week by London-based blockchain analytics firm Elliptic appears to show that DarkSide extorted more than $90m in Bitcoin before supposedly halting its illegal activities.
Federal experts also warned that certain countries were turning a blind eye to the cyber-criminal activity emanating from within their borders.
In an interview with CNBC's Eamon Javers on Wednesday, Assistant Attorney General of the Department of Justice’s National Security Division John Demers said that the Colonial Pipeline attack highlighted the issue of "nation-states serving as safe havens for criminal cyber-actors."
Demers said that "nation-states aren’t doing their part to investigate and root out hacking activity happening within their borders." He went on to suggest that DarkSide, far from going dark, could be "just off renaming themselves."
“Groups like that will come back,” he added. “Probably DarkSide itself, those actors that comprise that group, will be back if they’re not already out there in other forms operating as we’re talking.”
Acting Director of the National Counterintelligence and Security Center Michael Orlando concurred with Demers' viewpoint.
Speaking in the same interview, Orlando said: "We do know that countries like Russia and China, Iran and others certainly create safe havens for criminal hackers as long as they don’t conduct attacks against them.
"But that’s a challenge for us that we’re going to have to work through as we figure out how to counter ransomware attacks."
KnowBe4's James McQuiggan told Infosecurity Magazine: "With the recent DarkSide group going dark after what appears to be a loss of their electronic infrastructure, it seems they are working on regrouping their efforts."
He added: “Individually, cyber-criminals still need to live and make money, so they take their skills and expertise to another group and give themselves a new name and start all over.”
Canada's primary postal operator, Canada Post, confirmed Wednesday that it has suffered a data breach.
The security incident occurred following a cyber-attack on one of the Crown corporation's suppliers, Commport Communications, which provides electronic data interchange solutions.
Commport Communications was hired by the postal service to manage the shipping manifest data of its large parcel business' customers.
Following the cyber-attack, Canada Post has informed 44 of its commercial customers that data belonging to more than 950,000 customers has been compromised.
Commport Communications notified Canada Post that manifest data stored in its systems had been exposed in a malware attack on May 19.
“Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it,” said Canada Post on Wednesday in a press release.
The corporation said that exposed information dates from July 2016 to March 2019 and that most of it (97%) contains the name and address of the receiving customer. The customer's email address and/or phone number were included in 3% of the compromised data.
Canada Post said that a detailed forensic investigation into the data breach had not turned up any evidence of financial information being compromised.
“We are now working closely with Commport Communications and have engaged external cybersecurity experts to fully investigate and take action,” Canada Post said.
Though the breach hit Canada Post customers via an attack on a supplier, the corporation said they “sincerely regret the inconvenience this will cause our valued customers" and have notified the Office of the Privacy Commissioner.
“Canada Post respects customer privacy and takes matters of cybersecurity very seriously,” said the corporation.
The postal operator added that it will “incorporate any learnings into our efforts, including the involvement of suppliers, to enhance our cybersecurity approach which is becoming an increasingly sophisticated issue."
Last November, Commport Communications notified Innovapost, the IT subsidiary of Canada Post, of a potential ransomware issue. An investigation found no evidence to suggest any customer data had been compromised.
Security researchers have discovered a new Chinese phishing campaign targeting the ethnic minority Uyghur group with emails impersonating the United Nations and others.
Check Point and Kaspersky teamed up to lift the lid on the attacks, which spoof not only the UN Human Rights Council (UNHRC) but also a fake human rights organization called TCAHF, targeting Uyghurs applying for grants.
As well as emailed documents from the ‘UNHRC’ designed to trick individuals into installing a Windows backdoor, the researchers discovered a phishing website branded with the details of the fake human rights organization.
This aims to convince victims to download a .NET backdoor disguised as a ‘security scanner,’ which the site claims must be installed because of the sensitive nature of the information needed for a grant application.
Most of the website’s content is apparently copied from a legitimate Open Society Foundations site.
Kaspersky and Check Point have discovered only a handful of victims in Pakistan and China, where around 12 million Uyghurs live in the north-west Xinjiang region. Reports suggest the authorities there have erected concentration camps in a ghoulish state-sanctioned scheme involving forced sterilisations and mass ‘re-education.’
Amidst an international furore and mutterings of countries boycotting the Beijing Winter Olympics in 2022, it has become a serious geopolitical issue for China’s leaders.
The research teams attributed the activity to a Chinese-speaking threat actor with low to medium confidence. Excerpts of the code in the malicious macros used in the attacks were identical to VBA code posted on multiple Chinese forums, and may have been copied directly from there.
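The lure in this campaign is an emailed Office document whose VBA macros install the backdoor, so the check a mail gateway most needs is "does this attachment carry a VBA project at all?", decided from the container's contents rather than its attacker-chosen extension. The following is an added example, not code from Check Point or Kaspersky; the sample attachments are constructed in memory, and limiting the check to OOXML (zip-based) files, leaving legacy OLE2 .doc/.xls out of scope, is an assumption.

```python
"""Flag Office attachments that carry a VBA project, whatever their extension (added example)."""
import io
import zipfile

# OOXML parts that exist only when a document carries a VBA macro project.
VBA_PART_SUFFIXES = ("vbaProject.bin", "vbaData.xml")
# Substring of the content types Office assigns to macro-enabled documents.
MACRO_CONTENT_TYPE = "macroEnabled"


def has_vba_project(data: bytes) -> bool:
    """Return True if `data` is an OOXML zip (docx/xlsx/pptx family) that contains
    a VBA project part or declares a macro-enabled content type.

    The file extension is deliberately not consulted: a .docm renamed to .docx
    still carries word/vbaProject.bin. Legacy OLE2 files are out of scope
    (assumption for this example).
    """
    if not data.startswith(b"PK\x03\x04"):  # not a zip container
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.endswith(VBA_PART_SUFFIXES) for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        return False
    return False


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        content_types = (
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/'
            'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            content_types += (
                '<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
            # Placeholder bytes standing in for a real VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
        content_types += "</Types>"
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def triage_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns filenames to hold for analysis."""
    return [name for name, data in attachments if has_vba_project(data)]


# Constructed sample mail attachments: one macro document renamed to .docx, two benign files.
SAMPLE_ATTACHMENTS = [
    ("grant_application.docx", build_sample_docx(with_macro=True)),
    ("agenda.docx", build_sample_docx(with_macro=False)),
    ("notes.txt", b"plain text, not an Office container"),
]

if __name__ == "__main__":
    for name in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"hold for analysis: {name}")
```

Holding every macro-bearing document is too blunt for most organisations; in practice the result feeds a policy (strip the VBA part, sandbox-detonate, or allow from known senders). The point of the check is that the decision is made on the container's parts, not on the name the sender gave the file.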
“These attacks clearly utilize the theme of the UNHRC to trick its targets into downloading malicious malware. We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community,” explained Check Point’s head of threat intelligence, Lotem Finkelsteen.
“The attacks are designed to fingerprint infected devices, including all of its running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”
The volume of compromised records globally has increased on average by 224% each year since 2017, according to new findings shared by Imperva.
In light of the GDPR’s third anniversary this week, the data security firm crunched statistics on thousands of breaches over the past few years to better understand the evolving risk to businesses.
There were more records reported as compromised in January 2021 alone (878 million) than for the whole of 2017 (826 million).
Alongside the increase in this figure over the past four years, there’s been a 34% rise in the number of reported breaches over the period, and a 131% increase in average number of compromised records per incident, said Imperva security researcher, Ofir Shaty.
“We are living in a digitization era in which more services are consumed on a daily basis, with the majority of them online. More businesses are migrating to the cloud which makes them more vulnerable if not done carefully. The amount of data that is out there is enormous, and it is increasing every year,” he said.
“Information security adoption is slower than the adoption of digital services that make profit from the addiction to and consumption of the same online services. The increasing number of breaches every year is a result of this gap.”
Imperva is predicting that this year will see around 1500 data breach incidents and 40 billion records compromised.
These aren’t all the result of malicious third parties stealing information from victim organizations.
Misconfiguration of cloud services has also driven a spike in data leaks. Of the 100 biggest incidents over the past decade, Imperva claimed 42% came from Elasticsearch servers, a quarter (25%) from AWS S3 buckets and 17% from MongoDB deployments.
Tools like Shodan and open source apps like LeakLocker are making the discovery of such leaks increasingly easy, Shaty warned.
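For the S3 share of those incidents, the exposure is usually a bucket policy that grants read or list access to an anonymous principal, which is something an owner can audit before a scanner finds it. The following is an added example, not Imperva's or AWS's code; the two policies are constructed, and treating grants carrying a Condition block as "needs human review" rather than as public is a simplifying assumption.

```python
"""Flag S3 bucket policies that grant anonymous read or list access (added example)."""
import json

# Actions that let the grantee read objects or enumerate keys. A public
# Principal on any of these is the misconfiguration behind most S3 leaks.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """True if the Principal element matches anonymous (unauthenticated) callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_json: str):
    """Return the Sids of Allow statements that grant read/list access to everyone.

    Statements with a Condition block are skipped: keys such as aws:SourceVpce
    or aws:Referer can narrow '*' and need per-key review (assumption: report
    those separately rather than as public).
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed policies (not taken from any real account).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ListForEveryone", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for label, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{label}: {public_read_statements(policy) or 'no anonymous read grants'}")
```

A bucket policy is only one of the exposure paths (legacy ACL grants to AllUsers and disabled account-level Block Public Access are the others), so a real audit runs this check alongside those two rather than instead of them.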
“The security of an organization is only as strong as the weakest link in the security chain. Many times, the ‘walls’ that protect databases have cracks that allow attackers to put their hands on sensitive data,” he concluded.
“In many cases, better architecture and cross-organization security practices would do the trick, but those practices are not easy to implement and control. We suggest that organizations implement security for the databases they manage, not just the applications and networks that surround them.”
Most US victims of pandemic-related identity fraud in 2020 still have not had their issues resolved, and a third (33%) claim they didn’t have enough money to buy food or pay for utilities last year as a result, according to a new report.
The Identity Theft Resource Center (ITRC) based its new 2021 Consumer Aftermath Report on interviews with 427 identity crime victims who contacted the non-profit before and during the crisis.
The FTC claimed that it received twice as many identity theft reports last year versus 2019, with those related to unemployment benefits hitting over 390,000 versus just 13,000 in 2019.
Three-quarters (75%) of these and other COVID-related fraud issues have yet to be resolved, according to the ITRC.
The impact has been catastrophic for many households: a quarter (24%) said they were denied unemployment benefits because someone applied using their identity; 40% were unable to pay routine monthly bills; and many went hungry.
Some 14% said they were evicted for non-payment of rent, and 8% have even considered suicide.
The challenges of resolving identity fraud go back long before the pandemic. Nearly two-fifths (37%) of pre-pandemic victims said their issues from 2019 have still not been sorted out as of May 2021.
Overall, while most victims lose less than $500, a fifth (21%) claimed to have been defrauded by over $20,000.
“While we have all adjusted to masks and social distancing during the COVID-19 pandemic, for victims of identity fraud, the pandemic has created an entirely new set of risks,” said John Breyault, National Consumers League vice president of public policy, telecommunications and fraud and an ITRC Board Member.
“It might be tempting to focus only on the considerable harm that identity fraud does to consumers. However, we shouldn’t lose sight of the costs to businesses due to lost productivity and lower morale as employees manage their recovery and to taxpayers as fraudsters raid unemployment insurance funds.”
A public relations agency in the UK has allegedly offered social media influencers money to portray the Covid-19 vaccine created by Pfizer-BioNTech as highly dangerous.
Fazze allegedly offered to pay French and German bloggers, influencers and YouTubers to tell their followers that the vaccine had caused hundreds of deaths.
Over 285 million doses of COVID-19 vaccines were administered in the United States from December 14, 2020, through May 24, 2021. During this time, the CDC's Vaccine Adverse Event Reporting System (VAERS) received 4,863 reports of death (0.0017%) among people who received a COVID-19 vaccine.
On its website, Fazze describes itself as a “marketplace that connects bloggers and advertisers.” The Guardian reports that Fazze claimed to be headquartered at 5 Percy Street in London but is not registered at this address.
It is alleged that Fazze contacted several French health and science YouTubers last week, asking them to share the false claim that the Pfizer vaccine is three times more deadly than the COVID-19 vaccine developed by AstraZeneca.
The influencers were instructed to present the lie as their own independent view. They were also told to publish links on Instagram, TikTok or YouTube to reports in French newspaper Le Monde, on Reddit and on the Ethical Hacker website that Fazze said contained data substantiating this claim.
The Reddit and Ethical Hacker articles have been removed from the sites, and the piece in Le Monde contains no information about mortality rates associated with either vaccine.
It is alleged that Fazze told the influencers to tell their followers that the dangers of the Pfizer vaccine were being ignored by mainstream media, and to question the wisdom of governments who purchased it.
Mirko Drotschmann, a German YouTuber and podcaster with 1.5 million subscribers, and Léo Grasset, a French science YouTuber with nearly 1.2 million subscribers, both said that they had been approached and asked to disparage the vaccine.
Both influencers shared screenshots of emails they had received. The missive sent to Drotschmann states: "I am engaged in an information campaign regarding the Covid-19 vaccine. The data leak showed a significant number of deaths after the Pfizer vaccination. We would like to invite you to share this information link..."
A gang of Nigerian cyber-criminals has shared a step-by-step guide detailing how to commit unemployment identity fraud in the Lone Star State, according to CBS News.
Organized cybercrime group Scattered Canary is already suspected of making millions defrauding the states of Hawaii, Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington and Wyoming.
Now the gang has allegedly circulated a 13-page tutorial explaining how to successfully defraud the Texas Workforce Commission website.
Evidence shared with the news channel's CBS 11 I-Team appears to show this highly detailed guide being shared online in a closed group chat that took place between multiple gang members.
With the help of an insider, private cybersecurity firm Agari managed to obtain a copy of the document from a WhatsApp group chat.
Former FBI agent Crane Hassold, who is now employed as Agari's director of threat research, said: “For these cyber-criminals it’s all about information flow.”
“The tutorial shows how to apply for unemployment benefits and even introduces some of the red flags if you enter things a certain way.”
Texas has lost more than $893m to fraudulent unemployment benefits since the start of the global COVID-19 pandemic. The Texas Workforce Commission said it has been targeted by scammers from all over the world.
Hassold said Scattered Canary are exploiting a feature in Gmail to speed up their fraudulent activity.
Because Google ignores periods in Gmail addresses, slight variations of a single email address can be used to file multiple fraudulent claims without raising the suspicion of state unemployment systems.
For example, three claims filed using the addresses “[email protected]”, “[email protected]” and “[email protected]” appear to belong to three separate individuals but are all attached to the same email account.
“Essentially it allows their communication flow to be much more efficient,” said Hassold.
“Instead of having to go to dozens of different email accounts to look at what’s going on, it’s all coming to one centralized location.”
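The Gmail behaviour Hassold describes cuts both ways: the same rule that lets one inbox receive mail for many spelled-out addresses lets a claims system collapse those spellings back to one mailbox and flag the cluster for review. The script below is an added example, not code from the article, from Agari or from any state workforce agency. It canonicalises addresses the way Gmail delivers them (lowercase, dots in the local part removed, any "+tag" suffix dropped, googlemail.com treated as gmail.com) and groups claim records by the resulting mailbox. The claim IDs, names and addresses in `SAMPLE_CLAIMS` are constructed placeholders.

```python
"""Detect multiple benefit claims that resolve to one Gmail inbox.

Added example, not taken from the article or from Agari. It canonicalises
email addresses the way Gmail delivers them and groups claims by the
resulting mailbox so that a fraud reviewer can see the cluster.
"""
from collections import defaultdict

# Domains where Google ignores dots in the local part and discards anything
# after a '+'. googlemail.com is a long-standing alias of gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail domains: lowercase, strip dots from the local part, drop any
    '+tag' suffix and map googlemail.com onto gmail.com. Other domains are
    only lowercased, because their local-part rules vary and this example
    assumes nothing about them.
    """
    addr = address.strip().lower()
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    local, _, domain = addr.rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shared_mailboxes(claims):
    """Group (claim_id, claimant_name, email) rows by canonical mailbox.

    Returns {mailbox: [claim_ids, ...]} for every mailbox that backs more
    than one claim; those are the clusters an analyst should review.
    """
    by_mailbox = defaultdict(list)
    for claim_id, _name, email in claims:
        by_mailbox[canonical_mailbox(email)].append(claim_id)
    return {mb: ids for mb, ids in by_mailbox.items() if len(ids) > 1}


# Constructed sample data: claim IDs, names and addresses are invented.
SAMPLE_CLAIMS = [
    ("C-1001", "Applicant One", "john.smith@gmail.com"),
    ("C-1002", "Applicant Two", "jo.hn.smith@gmail.com"),
    ("C-1003", "Applicant Three", "johnsmith+tx@googlemail.com"),
    ("C-1004", "Applicant Four", "jane.doe@gmail.com"),
    ("C-1005", "Applicant Five", "jane.doe@example.org"),
]

if __name__ == "__main__":
    for mailbox, ids in find_shared_mailboxes(SAMPLE_CLAIMS).items():
        print(f"{mailbox}: {len(ids)} claims -> {', '.join(ids)}")
```

Run as a script it reports one cluster, the three spellings of the first applicant's address; the two "jane.doe" rows stay separate because example.org is not a Gmail domain and is left untouched. In a real intake pipeline the canonical mailbox would be stored alongside the raw address so the check is a cheap equality join rather than a re-scan of historical claims.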
Scattered Canary is suspected of funneling the money it nets through fraudulent claims offshore by using it to purchase prepaid Green Dot cards. The cards are registered using the same identities stolen when committing the unemployment fraud.
Before the cards are delivered via the mail, the gang goes online and drains the money from the account.
Nearly two dozen Americans have been indicted in connection with a card-cloning scam that targeted a national retail chain headquartered in Chicago, Illinois.
In 2016 and 2017, a malicious software program was installed on multiple computers belonging to the unnamed retailer, which sold clothing, electronics, toys, furniture and home decor.
This malware allowed a co-conspirator to capture the data of more than three million credit cards, debit cards and gift cards that were used in-store at 400 of the retailer's branches.
Data stolen using the card-skimming software was then sold by the co-conspirator to another individual for $4m in Bitcoin. The money was transferred over the course of approximately 66 transactions.
This next link in the criminal chain offered the stolen information for sale on two different websites to over 3,000 users.
An indictment unsealed May 25 in the Northern District of Illinois accuses 22 individuals from nine different states of purchasing that data. Most of the defendants are in their late 20s or early 30s and reside in California or New York state.
It is alleged that the defendants used the data they purchased to buy items at businesses across America, including gas stations, hotels and restaurants. The illegal activity allegedly occurred between August 2016 and July 2020. At least 80 people living in Illinois were victimized as a result.
All but two of the defendants named in the indictment were arrested this month and have entered the federal court system. The defendants who remain at large are believed to have moved overseas.
The Department of Justice said that the investigation into the card-skimming scam remains ongoing.
Typically, the defendants are accused of purchasing the payment card data of between 1,000 and 2,000 skimmed cards. However, one defendant, 35-year-old Barry Shi of Rosemead, California, allegedly bought the data of at least 18,742 payment cards, including at least 13,249 that were used at the Chicago retailer's stores, in exchange for around $507,273 in Bitcoin.
Wire fraud is punishable by up to 20 years in federal prison, while aggravated identity theft carries a mandatory, consecutive prison sentence of two years.
NHS patient data in England will be shared with third parties for research and planning purposes, fueling concerns about privacy and security, it has been reported today.
The Financial Times revealed that NHS Digital, which runs the health service’s IT systems, will create a database containing the medical records of around 55 million patients in England who are registered with a GP clinic. This includes sensitive data on mental and sexual health, criminal records and abuse.
This information will subsequently be made available to academic and commercial third parties involved in research and planning, although no details on the types of organizations that will have access have been provided.
The initiative follows suggestions that the UK’s response to the COVID-19 pandemic was hampered by lack of data sharing and access, including in a report published this year by the House of Commons Science and Technology Committee.
Patients will need to fill in a form and take it to their GP to opt out of the scheme by June 23, otherwise their historical records will become a permanent and irreversible part of the new data set. Any patients who opt out after this date will prevent any future data becoming part of the new system.
The idea for a database of this kind was first set out by UK Health Secretary Matt Hancock in April, and explained in blogs on the NHS website. This emphasized that patients will not be directly identified in the data set.
The plans have received significant criticism from privacy campaigners. The Financial Times cited a letter from Foxglove, a campaign group for digital rights, to the Department of Health and Social Care, questioning the legality of the proposals under current data protection legislation. Rosa Curling, a solicitor at the organization who penned the letter, wrote that “very few members of the public will be aware that the new processing is imminent, directly affecting their personal medical data.”
Cybersecurity experts have also warned that the database will be a tempting target for cyber-criminals. George Papamargaritis, MSS director at Obrela Security Industries, commented: “It is not surprising that the NHS is facing backlash in response to this move. Sharing medical data with third parties is very risky as there is no way to be sure they will have the proper security tools in place to keep the data safe. While it looks like the NHS has plans to anonymize patient data, this is not a 100% guarantee of security protection.”
David Sygula, senior cybersecurity analyst at CybelAngel, said: “This move from the NHS provides some strong benefits from an academic research standpoint. An initiative like this could have been useful in better controlling the magnitude of the pandemic, and all research work that goes with it.
“However, data collection on this scale is creating a new set of risks for individuals, where their Personal Health Information (PHI) is exposed to third-party data breaches. The extent of the unsecured database problem is growing. It's not simply an NHS issue, but the NHS' third, fourth or further removed parties too, and how they will ensure the data is securely handled by all suppliers involved. These security policies and processes absolutely need to be planned well in advance and details shared with both third parties and individuals.
“Several mechanisms must be put in place, starting with the anonymization of data, as data leaks will inevitably happen. Security researchers, attackers, and rogue states have all put in place processes to identify unsecured databases and will rapidly find leaked information. That's the default assumption we should start with. It's about making sure patients are not personally exposed in case of a breach, while setting up the appropriate monitoring tools to look for exposed data among the supply chain.”
NHS England previously tried to store all GP patient information in a central database back in 2013 in a project called Care.data, which was subsequently abandoned in 2016 due to privacy concerns.
There were over 2300 data breach incidents reported by just 22 of the UK’s police forces in 2020, according to new Freedom of Information data.
VPNoverview requested information from the UK’s 45 police forces and received responses from 31.
All told, the results revealed a national average of 299 data breaches per police station over the period dating from 2016 to the first four months of 2021.
This included a combination of human error — for example, staff emailing sensitive information to the wrong recipient — and malicious third-party attacks.
There was no breakdown in the report indicating which accounted for the majority of cases. However, separate FoI data from 23 forces obtained in 2019 revealed that 237 officers and staff members were disciplined, six resigned during investigations and 11 were sacked for computer misuse offenses over the previous two years.
Many of these involved accessing police databases unlawfully to search for individuals.
The VPNoverview study did reveal which forces recorded the most and fewest incidents over the past four years. Lancashire Constabulary topped the list of forces suffering most incidents over the period (1300), followed by nearby Cheshire Constabulary (1193), Sussex Police force (980) and the Police Service of Northern Ireland (928).
Five forces reported fewer than 10 incidents from 2016-21 while London’s Metropolitan Police and Dorset Police claimed to have suffered no breaches in over four years.
Sussex Police has already recorded 62 data breach incidents so far in 2021, followed by West Midlands Police (37), North Wales (24) and Wiltshire Constabulary (12).
A Big Brother Watch study from 2016 found that UK police suffered more than 2300 breach incidents over the previous four years as a result of insiders abusing their position.
A year previously, South Wales Police was fined £160,000 after it misplaced unencrypted DVDs containing a highly sensitive video recording of an interview with a sex abuse victim.
Bose has told regulators that a sophisticated ransomware attack back in March led to unauthorized access of personal information on current and former employees.
The US audio tech giant told the New Hampshire Office of the Attorney General that it first detected the ransomware back on March 7 2021. However, nearly two months later, on April 29, it found that human resources files were accessed.
“The personal information contained in these files include name, Social Security Number, and compensation-related information,” it continued.
“The forensics evidence at our disposal demonstrates that the threat actor interacted with a limited set of folders within these files. However, we do not have evidence to confirm that the data contained in these files was successfully exfiltrated, but we are also unable to confirm that it was not.”
The firm said it had engaged third-party experts to scour the dark web for this data, to check if it is being actively used by cyber-criminals, and is also working with the FBI.
“Bose has not received any indication through May 19, 2021 its monitoring activities or from impacted employees that the data discussed herein has been unlawfully disseminated, sold, or otherwise disclosed,” it added.
Only a small number of staff were affected and the firm is not thought to have paid the ransom.
However, it disclosed to the regulator a long list of remedial actions taken by its security team to mitigate the risk of a worse attack in the future.
This included: enhanced anti-malware, logging and monitoring; blocking of malicious IPs linked to the threat actor; changing passwords for all end users; and changing access keys for all service accounts.
Robert Golloday, EMEA and APAC director at Illusive, praised Bose for its transparency.
“Kudos for not paying a ransom and for having the appropriate backups in place. With that said, the time to put in controls for early detection and prevention of lateral movement is before these attacks occur, not after,” he added.
“It’s another unfortunate example of an ever-widening criminal enterprise."
Privacy groups are celebrating after winning an eight-year battle to prove the UK government’s mass surveillance regime violated human rights.
A ruling yesterday by the Grand Chamber, the highest formation of the European Court of Human Rights, found that the regime first exposed by Edward Snowden in 2013 violated rights to privacy and freedom of expression.
Three main issues were highlighted by the judges: that bulk interception was authorized by the secretary of state and not an independent party; that categories of search terms related to the type of communications to be extracted weren’t included in the warrant application; and that identifiers linked to individuals were not subject to prior authorization.
However, the European court fell short of ruling that bulk interception of communications is illegal in and of itself, claiming instead that stronger safeguards should have been put in place.
The judgement by the Grand Chamber goes further than the European Court of Human Rights’ 2018 ruling, by adding a new requirement of prior independent or judicial authorization for bulk interception of communications, Privacy International argued.
“Today the court reiterated that intelligence agencies cannot act on their own, in secret and in the absence of authorization and supervision by independent authorities,” noted the group’s acting legal director, Ilia Siatista.
“They must be accountable because their capabilities to access personal data about each and every one of us — even if we’re not suspected of any wrongdoing — pose serious risks in a democratic society.”
The case combined three separate challenges from 16 groups and individuals and challenged three different UK surveillance programs: the bulk interception of communications; intelligence sharing; and obtaining communications data from service providers.
The groups argued that the metadata collected by UK digital spy agency GCHQ could reveal intimate secrets of individuals’ personal lives, including where they go, who they contact and which internet sites they visit and when.
The UK government has said its new regime, brought in with the controversial 2016 Investigatory Powers Act or “Snooper’s Charter,” has added safeguards to the process.
This could have implications for the UK’s much-needed data adequacy decision from the EU. The European Parliament last week sent back the Commission’s draft decision on data protection, asking for better protection for EU citizens from UK mass surveillance.
The United States Department of Homeland Security (DHS) is to issue its first ever set of cybersecurity regulations for pipelines, according to The Washington Post.
The news comes in the wake of a recent ransomware attack on the Colonial Pipeline that knocked operational systems offline for five days, triggering panic buying that led to fuel shortages in the Southeast.
Last week, Colonial Pipeline paid a ransom of $4.4m to cyber-criminal gang DarkSide to regain control of its systems and data.
According to the Post, a senior DHS official has said that a security directive will be issued this week requiring pipeline companies to report cybersecurity incidents to federal authorities. The directive will come from the Transportation Security Administration, a DHS unit.
This directive will be followed by a meatier set of regulations in a couple of weeks’ time. These rules are expected to lay out in more detail what pipeline operators must do to protect their systems from cyber-attacks.
Post-breach behavior will also be regulated, with companies who succumb to a cyber-attack ordered to adhere to a set of best practices.
These mandatory regulations will replace the voluntary cybersecurity guidelines issued previously by the DHS.
John Bambenek, threat intelligence advisor at Netenrich, said that the US government's "shutting the stable door after the horse has bolted" approach to cybersecurity regulation may not be the best way to protect critical infrastructure.
"Notification to the federal government of cyber-attacks is less significant than whatever protective regulations they issue, but the facts are, we have thousands of pages of policies, regulations, and studies on security for the federal government and they still get breached. A regulatory approach based on preventing the last incident is always going to be lacking in terms of preventing the future incidents," he told Infosecurity Magazine.
Lookout's Hank Schless took a more positive view of the regulations' potential impact.
He told Infosecurity Magazine: "Implementing new regulations could be very effective in the battle against cyber-criminals so long as organizations actually take action to align with them. It takes time and resources to align with new regulations, but this should at least serve as motivation for similar companies to get the ball rolling."