Cyber Risk News

Brits Desire More Regulation of AI

Info Security - Thu, 07/09/2020 - 22:51

New research has found that the British public are in favor of increased regulation and more accountability in the field of Artificial Intelligence (AI).

An independent survey of 2,000 adults in the UK by AI firm Fountech.ai discovered that 64% of respondents would like to see the introduction of additional regulation to make artificial intelligence safer.

Concern over the safety of AI varied according to age, with younger respondents adopting a more relaxed attitude. While 73% of those aged over 55 supported the introduction of extra guidelines to improve safety standards, only 53% of those aged between 18 and 34 concurred.

Britons also wanted to see companies take more accountability, with 72% of people believing that companies that develop AI should be held responsible for any mistakes that the technology makes. At 81%, those aged over 55 were the most likely to hold this view, while at 60%, millennials were the least likely to agree. 

The research, which was published today, revealed that Brits have high expectations regarding AI's performance and capabilities. The view held by 61% of respondents was that AI should not be making any mistakes when making decisions or performing an analysis.

While positive assumptions may prevail regarding the might of the technology's functional prowess, more than two-thirds of those surveyed felt that AI should be kept under the watchful eye of mankind. The survey found that 69% think that a human being should always be monitoring and checking decisions made by AI.  

Again, the more seasoned respondents were typically more in favor of human monitoring, with 77% of over-55s stating that AI's decisions should be checked and monitored. 

While William Shakespeare observed that "to err is human," machines can also get things wrong. When questioned about the chances of AI making a miscalculation, researchers found that 45% of survey respondents said it is harder to forgive errors that are made by machines than it is to forgive mistakes made by humans. 

This result concerning the ability to forgive—described as divine by the bard—was similar across the various age demographics surveyed. 

Nikolas Kairinos, founder of Fountech.ai, said: “While lawmakers may need to refine responsibility for AI’s actions as the technology advances, over-regulating AI risks impeding the potential for innovation with AI systems that promise to transform our lives for the better.”

Teen Murdered After Confronting Cyber-Bullies

Info Security - Thu, 07/09/2020 - 17:30

A teenager from San Diego has been fatally shot after confronting cyber-bullies who targeted her sister online. 

The life of 19-year-old Janessa Del Valle was tragically cut short on July 4 as America celebrated its national Independence Day. 

The young woman from Bonita was killed while attempting to stop bullies from using the internet to body-shame her 13-year-old sibling. 

Del Valle's mother said that her daughters were expecting to meet with a couple of girls they believed to be responsible for the bullying when they left the family’s apartment together on Saturday. 

“When they met up, they thought they were meeting two girls, but they ended up meeting a carload of four people,” Del Valle's mother said.

Deputies said that the confrontation escalated into a fight in which Janessa was fatally shot. 

Del Valle’s mother said that after shooting Janessa, the attackers then turned on her 13-year-old sister.  

The attack took place in a parking lot at the 5100 block of Cedarwood Road in Bonita just steps from the Del Valle family’s home. 

Janessa was a former high school athlete who had been studying at San Diego City College at the time of her death. Her mother said cyber-bullying was an issue that could impact any child. 

“If you have children, and you see your children getting bullied, you need to do something about it—don’t think it’s innocent or it’s going to go away,” Del Valle's mother said.

A search is now underway for Janessa's killer(s), and the San Diego Sheriff’s Department is asking for any witnesses to call in tips. 

Cyber-Attack Downs Alabama County’s Network

Info Security - Thu, 07/09/2020 - 16:15

A suspected ransomware attack has caused the temporary closure of an Alabama county’s computer network.

Chilton County implemented a shutdown after being targeted by a suspected ransomware attack on the morning of July 7. County Commission Chairman Joseph Parnell announced the incident on the social media network Facebook.

“The incident has caused a temporary disruption to the County’s computer records systems including the tag office and probate court records,” wrote Parnell. 

“Persons needing services provided by our various departments should check with the clerks in the particular department before coming to the courthouse to ensure that needed records are accessible.”

As a result of the attack, local records required by the courthouse in the performance of its regular services have been rendered unavailable. 

In a phone interview with the Clanton Advertiser, Parnell said an investigation was underway to determine the severity of the cyber-incident. The county servers and computers in several departments have been closed in a bid to limit the spread of any malware infection that may have occurred. 

“Our databases and computers are shut down while the cyber guys are trying to figure out if and what the extent was of the intrusion,” said Parnell.  

The chairman said that until the severity of the attack had been diagnosed, the county was assuming the worst.

Parnell said: “It could be very minor, and it could be very serious, but we have to treat this like it is extremely serious until we know otherwise.”

A cyber-attack was suspected when the county’s computers started behaving in a way that was out of character. Parnell said that Chilton’s employees noticed “their computers were not functioning normally. They were sluggish, and some of their applications looked different.”

Employees reported the discrepancies to the local IT team, which then shut down the county’s internal network.  

“We have a cyber-policy in place and have hired a firm of professional IT people out of New York that is going to come in and assess the system,” Parnell said.

The cyber-branch of the FBI and the Alabama Attorney General’s Office have been notified of the incident.

95% of Brits Unable to Consistently Identify Phishing Messages

Info Security - Thu, 07/09/2020 - 15:00

Just 5% of Brits are able to recognize all scam emails and texts, a study from Computer Disposals Limited has found.

Scam emails purporting to be from Facebook were shown to be most likely to trick people. Additionally, participants found it harder to spot scams via SMS messages compared to emails.

For the study, Computer Disposals created a quiz comprising recreated genuine messages and emails from organizations including the UK government, Amazon, Disney Plus and Netflix, alongside scam texts and emails that used the exact tactics hackers employ to gain access to users’ accounts and personal details. It then asked 1,000 individuals to distinguish the genuine messages from the fake ones.

The findings are especially concerning in light of a rise in phishing attacks during the COVID-19 pandemic, as cyber-criminals play on people’s economic and health fears during the crisis.

Respondents were, however, suspicious of genuine communications as well: only 44% were able to identify the legitimate messages and emails correctly.

Ben Griffin, director of Computer Disposals Limited, commented: “Over the past decade, cybercrime has risen to become a major risk for all of us – individuals and companies alike. As we live more and more of our lives online, phishing scams have become one of the most prevalent types of security breaches, especially as we use multiple devices interchangeably.

“Our data shows that only 5% of the British public are able to consistently identify phishing scam emails and texts, highlighting both how sophisticated and convincing these messages have become, as well as the need for us to constantly remain alert – especially so when we are spending more time at home. Vigilance is the key to remaining secure: safeguard your passwords, install recommended software updates and always treat messages with links or requesting information with due suspicion – even if they appear legitimate.”

Alert Fatigue and Overload an Issue for Majority of Security Analysts

Info Security - Thu, 07/09/2020 - 14:01

Security professionals are struggling to effectively manage high volumes of security alerts.

According to the 2020 State of SecOps and Automation Report, a study conducted by Dimensional Research on behalf of Sumo Logic, managing the sheer volume of security alerts poses a significant problem for IT security professionals.

Its research of 427 qualified security individuals found 70 had faced more than double the volume of security alerts in the past five years, whilst 99% stated high volumes of alerts were causing problems for IT security teams.

This led 83% to say their security staff had experienced alert fatigue.

“Today’s security operations teams are faced with constant threats of security breaches that can lead to severe fallout including losing customers, diminished brand reputation and reduced revenue,” said Diane Hagglund, principal for Dimensional Research.

“To effectively minimize risk and bridge the gap, many companies rely on automated solutions that provide real-time analysis of security alerts. These findings highlight the challenges SOC teams are facing in a cloud-centric world, but more importantly why enterprises are aggressively looking to cloud-native alternatives for security analytics and operations.”

Although automated security alert processing can help to mitigate this issue, it is still a work in progress for most security teams.

Speaking to Infosecurity, Virtually Informed CISO Sarb Sembhi said, in the last 20 years, technology has been about “collecting and giving you alerts” and until AI came along, there was little in the way of a solution to deal with alerts and to be able to see all alerts in a single view.

“The cause of this is so many different technologies that come into the security estate and give you an alert and tell you something is wrong and somebody has done something, and there is not a single view,” he said. “What you need is a single sense to tell you what the course of action should be.”

He concluded that there is an issue of seeing so many alerts and an analyst having a “so what” attitude, but even if one of a million alerts is dangerous “you cannot become complacent.”

HSBC SMS Phishing Scam Targets UK Victims

Info Security - Thu, 07/09/2020 - 13:00

People in the UK are being targeted by a new phishing scam designed to trick victims into handing over details of their HSBC bank account.

The scam, discovered by litigation specialists Griffin Law, begins with a bogus text message that claims to be from the banking and finance giant informing the receiver that a new payment has been made through the HSBC app on their phone.

The user is then told that, if they are not responsible for the payment, they should visit the site “Security.hsbc.confirm-systems.com” to validate their bank account, before being directed to a fake landing page which asks for their username and password, followed by a series of verification steps.

The fraudulent site, which uses official HSBC branding, then asks for specific account details and personal data of the individual.
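The lure above relies on the brand name appearing in a subdomain ("Security.hsbc.") while the part of the hostname that is actually registered and controlled, confirm-systems.com, has nothing to do with the bank. The following is an added example, not code from the article or from Griffin Law, showing the check a mail or SMS filter can apply: extract the registrable domain and flag messages where the brand is visible in the host but the controlling domain is not on the brand's allowlist. The suffix table and the allowlist of HSBC domains are constructed assumptions for the example; a real implementation would load the Public Suffix List and the bank's published domains.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short suffix table for this example. A production
# check would use the full Public Suffix List so that every "hsbc.co.uk"-style
# host is parsed as one registrable domain rather than as "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_brand_url(url: str, brand: str, legitimate_domains: set) -> dict:
    """Flag URLs where the brand appears in the host but does not control it.

    Only the registrable domain tells you who owns the site; anything to its
    left is a subdomain the owner can name freely, including "hsbc".
    """
    # urlsplit only recognises a host when a scheme or "//" prefix is present.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    reg = registrable_domain(host)
    brand_l = brand.lower()
    return {
        "host": host,
        "registrable_domain": reg,
        "brand_in_host": brand_l in host,
        "controlled_by_brand": reg in legitimate_domains,
        # Brand shown to the reader, but the controlling domain is not the bank's.
        "suspicious": brand_l in host and reg not in legitimate_domains,
    }


if __name__ == "__main__":
    # Constructed allowlist for the example; use the bank's published domains in practice.
    hsbc_domains = {"hsbc.co.uk", "hsbc.com"}
    for candidate in ("Security.hsbc.confirm-systems.com", "https://www.hsbc.co.uk/login"):
        print(candidate, "->", assess_brand_url(candidate, "HSBC", hsbc_domains))
```

The same check generalises to any brand: the decision is made on the registrable domain alone, never on whether the brand string occurs somewhere in the URL, which is exactly what the lure exploits.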

Griffin Law claimed that almost 50 people have come forward to say they have received the text message so far, with some able to identify the scam because they do not have an HSBC app installed on their phone. Thankfully, there have so far been no reports of the scam being successful, according to Griffin Law.

Chris Ross, SVP, Barracuda Networks, said: “This is the latest in a long line of increasingly sophisticated phishing scams, designed to trick the victim into handing over their personal financial details.

“Increasingly, we are seeing examples of cyber-criminals using the branding of major banks to create realistic-looking fake websites, in order to extract personal financial information.”

When it comes to tackling the problem, all companies and users must remain vigilant of such scams, he added.

“SMS messages are often used by criminals to catch workers off-guard, using their personal mobile number. Ensuring security awareness within the workforce is critical, and it’s important that all employees are trained about how these schemes operate as well as how SMS messages can be exploited as part of a wider phishing scheme designed to steal company funds and data.”

Fake TikTok App Targets Indian Users

Info Security - Thu, 07/09/2020 - 12:00

Attackers are creating fake links for the video-sharing application TikTok, which contain malware to capture users’ data.

According to Money Control, police in India have issued a warning about TikTok links, after links were sent through WhatsApp and SMS.

The attackers promote a ‘professional’ version of TikTok to Indian users, after the application was banned in the country earlier this year.

Christoph Hebeisen, director of security intelligence at Lookout, said: “When legitimate, popular channels to acquire a popular app are blocked for whatever reason, it presents an opportunity for malicious actors to lure victims by promising a way around the restriction.

“The removal of the TikTok app from both Google Play and the Apple App Store in India has created a similar situation. Users should limit their risk by only installing apps from the official app stores and using mobile security as an added layer of protection.”

The message was first spotted by Times of India and it read: “Enjoy Tiktok video and create creative videos once again. Now TikTok is only available in (TikTok Pro) then download from below.” This message has a link to download the TikTok Pro APK file.

After downloading, the app icon appears as the TikTok app and asks for permissions to functions including camera, image gallery and microphone. After you provide these permissions, the app doesn’t function and simply stays on your phone.

Chris Hauk, consumer privacy champion at Pixel Privacy, said phishing attacks like these will continue to prove to be fruitful until users are educated on the risks of clicking links in text messages, WhatsApp messages and emails. “When users are looking to download apps like TikTok they will find that legitimate sources of the apps will not ask for personal or financial information before allowing them to download a free app,” he said.

“As for myself, I would also be concerned as to what TikTok does with my data after I install the app, as it has been found to spy on the clipboard on iOS devices.”

Global Privacy Regulators Probe Facial Recognition Firm Clearview AI

Info Security - Thu, 07/09/2020 - 11:00

The privacy regulators of the UK and Australia have announced a joint investigation into controversial facial recognition firm Clearview AI.

“The Office of the Australian Information Commissioner (OAIC) and the UK’s Information Commissioner’s Office (ICO) have opened a joint investigation into the personal information handling practices of Clearview AI Inc., focusing on the company’s use of ‘scraped’ data and biometrics of individuals,” a brief statement read.

“The investigation highlights the importance of enforcement cooperation in protecting the personal information of Australian and UK citizens in a globalized data environment.”

The Manhattan-based software firm leapt to notoriety early this year after a New York Times report claimed that the startup had scraped as many as three billion images from social media sites to add to its database.

That makes it a useful resource for police and intelligence agencies, which can query images they capture against the database. The FBI’s own trove of images is said to contain little more than 600 million.

The report claimed that over 600 law enforcement agencies have started using Clearview AI in the past year alone.

The ICO and OAIC won’t comment while the investigation is taking place, and it’s unclear when they’ll finally report their findings.

Still, the practice of data scraping for such intrusive purposes raises many serious privacy questions, especially under the GDPR, where informed consent usually needs to be given by a data subject for any company to use their personal information, including images.

Clearview AI was in the news more recently, when an unauthorized intruder reportedly stole the firm’s entire client list, the number of user accounts those companies had set up, and the number of searches they’d carried out.

The firm is no longer operating in Canada after privacy authorities there began investigations into its practices.

SurveyMonkey Phishers Go Hunting for Office 365 Credentials

Info Security - Thu, 07/09/2020 - 10:15

Security researchers are warning of a new phishing campaign that uses malicious emails from legitimate SurveyMonkey domains in a bid to bypass security filters.

The phishing emails in question are sent from a real SurveyMonkey domain but crucially have a different reply-to domain, according to Abnormal Security.

“Within the body of the email is a hidden redirect link appearing as the text ‘Navigate to access statement’ with a brief message ‘Please do not forward this email as its survey link is unique to you,’” it explained.

“Clicking on the link redirects to a site hosted on a Microsoft form submission page. This form asks the user to enter their Office 365 email and password. If the user is not vigilant and provides their credentials, the user account would be compromised.”

The attack is effective for several reasons: its use of a legitimate SurveyMonkey email sender, the concealing of the phishing site URL and the description of the email as unique to every user.

“Users may be primed to think that the login page is there to validate that their responses are from the legitimate recipient of the email. Thus, the behavior isn’t unexpected,” argued Abnormal Security.
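Two of the indicators Abnormal Security describes are mechanical enough to check automatically: the Reply-To domain differs from the From domain, and the link's visible text hides where it actually points. The code below is an added example, not Abnormal Security's or SurveyMonkey's, that parses a constructed message with Python's standard email and HTML parsers and reports both signals. The sample message and every domain in it are placeholders invented for the example.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message mirroring the pattern in the article: a sender on the
# survey service's own domain, a Reply-To somewhere else, and a link whose
# visible text says nothing about its destination. All domains are placeholders.
SAMPLE_EMAIL = """\
From: "Survey Notifications" <member@surveyservice.example>
Reply-To: statements@attacker-reply.example
To: victim@corp.example
Subject: Access statement
Content-Type: text/html; charset="utf-8"

<p>Please do not forward this email as its survey link is unique to you</p>
<p><a href="https://forms.redirect.example/r/7f3a">Navigate to access statement</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"text": "".join(self._text).strip(), "href": self._href})
            self._href = None


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a From/Reply-To header, lower-cased."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def analyse_message(raw: str) -> dict:
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # single-part body, so the payload is the HTML text
    for link in collector.links:
        link["host"] = urlsplit(link["href"]).hostname or ""
        # Anchor text that does not show the destination host hides it from the reader.
        link["destination_hidden"] = link["host"] not in link["text"]
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "links": collector.links,
        "link_hosts_outside_sender": sorted(
            {link["host"] for link in collector.links if link["host"] != from_domain}
        ),
    }


if __name__ == "__main__":
    print(analyse_message(SAMPLE_EMAIL))
```

Neither signal is proof on its own: legitimate bulk senders sometimes set a different Reply-To, and link text rarely spells out a host. Their value is as inputs to a score alongside the sender's reputation, and the link host list gives an analyst the URL to detonate in a sandbox rather than in a user's browser.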

David Pickett, senior cybersecurity analyst at ZIX, explained that attacks like these are increasingly common: he claimed that the vendor blocked around 590,000 phishing emails abusing legitimate services like SurveyMonkey in the past week alone.

“Credential phishing using legitimate survey forms is a favorite attack vector by quite a few different groups over the past two years,” he added.

“We track these ‘living off the land’ attacks and have found that the most often abused legitimate forms/survey providers in order from greatest to least volume are Google, Microsoft, SurveyGizmo and HubSpot.”

German Police Seize BlueLeaks Server

Info Security - Thu, 07/09/2020 - 09:10

German police have seized servers belonging to an activist group in a presumed bid to shut down the recent BlueLeaks exposure of US police records dating back decades.

Emma Best of WikiLeaks-like organization Distributed Denial of Secrets (DDoSecrets) confirmed the news this week on Twitter.

“We have received official confirmation that #DDoSecrets’ primary public download server was seized by German authorities (Department of Public Prosecution Zwickau file number AZ 210 AR 396/20). We are working to obtain additional information, but presume it is re #BlueLeaks,” she explained.

“The server was used ONLY to distribute data to the public. It had no contact with sources and was involved in nothing more than enlightening the public through journalistic publishing.”

The raid will raise questions over why an international police operation was launched to seize the leaked data, although there are reports that it may have exposed sensitive personal data.

There are also concerns that the data could endanger lives, if it is used by organized crime groups to unmask undercover police officers and witnesses. It could also damage the reputations of suspects who were arrested but subsequently released without charge.

The 269GB trove contains police and FBI reports, bulletins, guides and other materials on over 200 police departments, fusion centers and other training and support resources.

According to reports, the data, dating back to 1996, was stolen after a hacker targeted Netsential, a supply chain company used by fusion centers, law enforcement and other government agencies across the United States.

They apparently used a compromised user account and the firm’s web platform upload feature to introduce malicious content, enabling the exfiltration.

Last month, Twitter banned DDoSecrets from its platform and labelled tweets linking to the leaks as potentially harmful. WikiLeaks, which published material said to have unduly influenced the last US Presidential election, remains on the social network.

Fraudsters Conducting Malvertising Campaign Via Inactive Domains

Info Security - Thu, 07/09/2020 - 08:25

A number of inactive websites have been compromised and are redirecting visitors to unwanted URLs, many of which are malicious. This is according to a new study by Kaspersky, which uncovered over 1,000 inactive domains that send users to second-hand pages as a way for fraudsters to make money or even infect their device.

Inactive domains are sometimes purchased by a service before being put up for sale on an auction site. Visitors to the inactive website should then be redirected to the auction stub; however, fraudsters are often substituting these stubs for malicious links.

Kaspersky researchers discovered that there were about 1,000 websites for sale on one of the world’s biggest auction platforms, and these redirected visitors to over 2,500 unwanted URLs. Many of these download the Shlayer Trojan, which installs adware on infected devices and is distributed by webpages with malicious content.

Of these websites, 89% redirected to ad-related pages while 11% led to malicious sites, which either contained malicious code or prompted users to install malware or download infected MS Office or PDF documents.

It is believed fraudsters are being paid to drive traffic to both the legitimate advertising pages and malicious sites, which is the motivation for the scheme.

Dmitry Kondratyev, junior malware analyst at Kaspersky, commented: “The domains that have these redirects were — at one point — legitimate resources, perhaps those the users frequently visited in the past. There is no way of knowing whether or not they are now transferring visitors to pages that download malware. Adding to the challenge is that whether or not you land on a malicious site varies: if one day, you access the site from Russia, nothing will happen. However, if you then try to access it with a VPN, you might be sent to a page that downloads Shlayer.

“In general, malvertising schemes like these are complex, making them difficult to fully uncover, so your best defense is to have a comprehensive security solution on your device.”
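The scheme described above has a simple invariant a defender can test for: a parked domain should resolve, after at most a hop or two, to the auction stub and nowhere else. The following is an added example, not Kaspersky's code, that follows a redirect chain with a loop guard and classifies where a domain lands. To keep it runnable offline, live HTTP responses are replaced by a constructed lookup table of redirect targets; every hostname in it is a placeholder, and the "known bad" and "expected stub" sets are assumptions standing in for real threat intelligence and the auction platform's real stub host.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for live HTTP responses; every name is
# a placeholder. A value of None means the URL serves content (no redirect).
REDIRECTS = {
    "http://old-forum.example/": "http://park.auction-stub.example/lot/123",
    "http://park.auction-stub.example/lot/123": None,
    "http://old-shop.example/": "http://track.redirector.example/go?id=9",
    "http://track.redirector.example/go?id=9": "http://update-flash.bad.example/install",
    "http://update-flash.bad.example/install": None,
    "http://loop-a.example/": "http://loop-b.example/",
    "http://loop-b.example/": "http://loop-a.example/",
}

EXPECTED_STUB_HOSTS = {"park.auction-stub.example"}  # where a parked domain should land
KNOWN_BAD_HOSTS = {"update-flash.bad.example"}       # e.g. a page that drops Shlayer


def follow_chain(url, fetch=REDIRECTS.get, max_hops=10):
    """Follow redirects and return every URL visited, starting with the first.

    `fetch(url)` returns the next URL or None; swap in a real HTTP client
    (one that does not auto-follow redirects) to run this against live sites.
    """
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain
        chain.append(nxt)
        if nxt in chain[:-1]:
            return chain  # loop detected: stop rather than spin
    return chain  # hop budget exhausted; treat as suspicious in practice


def classify_parked_domain(url, fetch=REDIRECTS.get):
    chain = follow_chain(url, fetch)
    final_host = urlsplit(chain[-1]).hostname or ""
    if final_host in KNOWN_BAD_HOSTS:
        verdict = "malicious"
    elif final_host in EXPECTED_STUB_HOSTS:
        verdict = "auction_stub"
    elif chain[-1] in chain[:-1]:
        verdict = "redirect_loop"
    else:
        # Not the stub and not known bad: a human should look at it.
        verdict = "unexpected_destination"
    return {"chain": chain, "final_host": final_host, "hops": len(chain) - 1, "verdict": verdict}


if __name__ == "__main__":
    for start in ("http://old-forum.example/", "http://old-shop.example/", "http://loop-a.example/"):
        print(start, "->", classify_parked_domain(start))
```

Kondratyev's point that the destination can differ by source location matters for how you run this: the same chain has to be walked from several vantage points (and with a browser-like User-Agent), because a redirector that only misbehaves for certain countries will look clean from a single scanner.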

Russian Fraudsters Test Stolen Credit Cards Using Ecommerce Sites

Info Security - Wed, 07/08/2020 - 19:46

Anti-fraud company Sift has discovered a Russian fraud ring using ecommerce marketplaces to verify stolen credit cards.

Criminals trade thousands of stolen credit card numbers every day, but verifying them is a challenge. They must ensure that the cards are still valid without raising issuers' suspicions. In its Q2 2020 Digital Trust & Safety Index, Sift uncovered a Russian group nicknamed Bargain Bear that takes a novel approach to the problem.

After buying stolen credit card data on the dark web, Bargain Bear's members created multiple fake product listings with a $99 price point. They then colluded, haggling down each other's listings. Eventually the "negotiation" would price the fake product at $1, which is the standard amount used to test the validity of a credit card.

At this point one fake user would "buy" the reduced-price item from the fake seller using a stolen credit card, verifying that it was usable. They could then use the cards for higher-value purchases.

Colluding like this enabled the fraudsters to test the card while looking legitimate, dodging automated systems that look for suspicious payment patterns. However, Sift said that after noticing the group's scam it reconfigured its service to spot similar practices. One giveaway might have been the fact that the criminals registered the fake buyers and sellers from the same IP addresses.
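The three traits the article gives the Bargain Bear pattern (a $99 listing haggled down to the $1 card-test amount, bought by an account registered from the same IP as the seller) can be turned into a detection rule over completed orders. The code below is an added example, not Sift's system, run over a few constructed order records; the record layout and the IP addresses are assumptions made for the example, and the thresholds are illustrative.

```python
from collections import defaultdict

# Constructed marketplace order records for the example; the field names are
# assumptions, not a real platform's schema. Each record is one completed order
# with the listing's original price, the price paid after "negotiation", and the
# IP address each party registered from.
ORDERS = [
    {"order": "o1", "buyer": "u100", "seller": "u200", "list_price": 99.0, "paid": 1.0,
     "buyer_ip": "198.51.100.7", "seller_ip": "198.51.100.7"},
    {"order": "o2", "buyer": "u101", "seller": "u201", "list_price": 99.0, "paid": 1.0,
     "buyer_ip": "198.51.100.7", "seller_ip": "198.51.100.7"},
    {"order": "o3", "buyer": "u300", "seller": "u400", "list_price": 45.0, "paid": 40.0,
     "buyer_ip": "203.0.113.5", "seller_ip": "192.0.2.9"},
    {"order": "o4", "buyer": "u102", "seller": "u202", "list_price": 99.0, "paid": 1.0,
     "buyer_ip": "203.0.113.5", "seller_ip": "192.0.2.44"},
]

CARD_TEST_AMOUNT = 1.0  # the $1 charge the article describes as the standard validity test
MIN_DISCOUNT = 0.9      # a haggle of 90% or more from list price is far outside normal behaviour


def order_signals(order):
    """Evaluate the three independent signals for one order."""
    discount = 1 - order["paid"] / order["list_price"] if order["list_price"] else 0.0
    return {
        "card_test_amount": abs(order["paid"] - CARD_TEST_AMOUNT) < 0.01,
        "extreme_discount": discount >= MIN_DISCOUNT,
        "shared_ip": order["buyer_ip"] == order["seller_ip"],
    }


def find_collusive_orders(orders):
    """Return orders matching the card-testing pattern and the IPs that tie them together."""
    flagged = []
    ip_to_orders = defaultdict(list)
    for o in orders:
        s = order_signals(o)
        # Each signal alone has benign explanations (real bargains, shared NAT);
        # the combination is what characterises the ring.
        if s["card_test_amount"] and s["extreme_discount"] and s["shared_ip"]:
            flagged.append(o["order"])
            ip_to_orders[o["buyer_ip"]].append(o["order"])
    # An IP behind more than one such order indicates a ring rather than a one-off.
    rings = {ip: ords for ip, ords in ip_to_orders.items() if len(ords) > 1}
    return {"flagged": flagged, "rings": rings}


if __name__ == "__main__":
    print(find_collusive_orders(ORDERS))
```

Order o4 in the sample pays the $1 test amount after an extreme discount but from different IPs, so it is not flagged; that is deliberate, since a rule keyed on price alone would sweep up genuine clearance sales. In production the IP match would be one of several linkage features (device fingerprint, payment instrument reuse, account creation time) rather than the only one.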

Bargain Bear demonstrates how fake content can facilitate payment fraud, which Sift said has been a particular problem during the COVID-19 crisis. Sift gathered data from over 34,000 sites and apps using its service, along with a survey of over 1,000 consumers conducted last month by research company Dynata.

It found a 109% year-on-year increase in content fraud in the first half of 2020, which it says was connected to the uncertainty and disruption caused by the pandemic. The company blocked the highest number of fraudulent content attempts across all verticals between January and May this year, with an especially big spike between April 4 and April 11.

The online ticketing and event business was hit the hardest even as it saw record drops in event volume. According to Sift's research, 11.2% of user-generated content related to events and ticketing posted across its customers' websites was fake, designed to extort money from victims.

The company's fraud experts believe that scammers were trying to exploit home-bound consumers in need of entertainment with fake streaming concerts and other virtual events.

US Unmasks Fxsmp Hacker

Info Security - Wed, 07/08/2020 - 18:47

The US has unmasked a notorious hacker going by the name Fxsmp this week after it unsealed an indictment originally filed against him in 2018. The court documents also revealed more information about his activities and the organizations that he targeted with others in his cybercrime group.

The hacker's real name is Andrey Turchin, and he lives in Kazakhstan. He is also known as Andej Turchin, Akik Dalv, and Vadim bld. According to the indictment, his group has accessed over 300 corporate entities, educational institutions, and governmental bodies spread across 40 countries. Over 30 of the victims were in the US, and Turchin also claimed to have access to over 200 government and law enforcement networks in the UK.

Along with the mass scanning for exposed RDP ports and brute force attacks already detailed in a report from Group-IB, Turchin also used phishing emails with malicious files or URLs to target employees, said the indictment.

Once Turchin and his group had accessed a victim's system, they would sell access for a fee ranging from thousands of dollars to upwards of $100,000 in some cases. "With respect to some entities, for instance, those deemed potentially high-value targets (e.g., financial institutions), the group further negotiated a cut, or percentage, of future profits derived by the buyer from use of the purchased unauthorized network access," the document added.

The document also revealed more information about entities that Turchin had targeted, including a port authority in Cowlitz County, Washington, an Alaskan distributor of petroleum products, a Colorado law firm, and an online money transfer and digital payment services company in New York. The group also compromised an African bank and a luxury hotel group.

The group advertised this access across various underground forums. According to the indictment, it used a broker service to manage an escrow account when arranging access for clients. The potential buyer transmitted funds to the broker in return for time-limited access to the victim's network. When the client was happy with the access quality, they would unlock the escrow funds and Turchin or his colleagues would unlock unlimited access to the network. They would also give the buyer technical support for a set period after the sale.

Although Turchin has been indicted, there is no guarantee that he will be arrested as there is no extradition treaty between Kazakhstan and the US. In the past, the US has had to wait for perpetrators to travel to sympathetic countries or to visit the US before it can arrest them.

UK Stalkerware Usage Soars During Lockdown

Info Security - Wed, 07/08/2020 - 18:03

Anti-malware company Avast saw a sharp spike in the use of stalkerware during the UK's pandemic lockdown, it revealed this week. Installations of online spying and stalking apps across the country rose 83% on average from March onward, compared to January and February.

Stalkerware apps are unauthorized software applications installed on a person's phone without their knowledge. They feed back information on the victim's activities, such as their browsing habits, text messages, and location. They can also relay the contents of the victim's emails and even allow the perpetrator to listen in on people's phone calls. Apps like these are often disguised as parental control or employee tracking software, or even remote access tools, but they tend to hide their presence.

The use of stalkerware in the UK during the lockdown was especially high compared to a 51% global increase in the use of this software, Avast said. Since March, the company has protected over 1,400 users in the UK from stalkerware and other spying apps, it added.

The figures correlate with reports of an increase in domestic violence in the UK during lockdown. In May, anti-abuse charity Refuge reported a 50% increase in calls to its helpline and a surge of more than 300% in visits to its website since the lockdown began.

The news comes a month after antivirus testing site AV-Comparatives updated its stalkerware testing report to measure the performance of various antivirus tools in detecting these products. Overall, it found an increase in detection rates since last running the test in November 2019. While there were some improvements in detecting Android stalkerware (Avast's rate increased from 70% to 75%, for example), the biggest increase was for Windows-based stalkerware. Avast detected 8 of the 10 Windows stalkerware programs tested, compared to 5 last November.

In the Windows test, 4 of 10 antivirus programs detected all 10 Windows stalkerware apps (Bitdefender, ESET, Kaspersky, and Norton). Android detection remains more difficult, it seems, with no companies detecting all 20 titles tested on that platform. The best performers were Kaspersky and Trend Micro, both of which detected 95% of Android-based stalkerware, followed by ESET.

The AV-Comparatives test emerged from work with the Electronic Frontier Foundation's Coalition Against Stalkerware, launched last November.

Categories: Cyber Risk News

Microsoft Confirms Takedown of Phishing Domains

Info Security - Wed, 07/08/2020 - 15:40
Microsoft Confirms Takedown of Phishing Domains

Microsoft has been approved to take control of malicious web domains which were used to send phishing messages regarding COVID-19.

According to a blog post by Tom Burt, corporate vice-president of customer security and trust at Microsoft, this was part of an effort to disrupt operations that were taking advantage of the global pandemic in an attempt to defraud customers in 62 countries around the world.

Burt claimed Microsoft’s Digital Crimes Unit (DCU) first observed these criminals in December 2019, when they deployed a sophisticated, new phishing scheme designed to compromise Microsoft customer accounts. 

The attackers attempted to gain access to customer emails, contact lists, sensitive documents and other valuable information. The phishing emails were designed to look like they originated from an employer or other trusted source, and frequently targeted business leaders across a variety of industries, attempting to compromise accounts, steal information and redirect wire transfers. 

In recent months, the phishing emails contained messages regarding COVID-19 as a means to exploit pandemic-related financial concerns, using terms such as “COVID-19 Bonus,” and encouraging victims to click on malicious links. Once these links were clicked on, the user was prompted to grant access permissions to a malicious web application controlled by the criminals, which could then access the victim’s Microsoft Office 365 account.

“This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign,” Burt explained.

“As we’ve observed, cyber-criminals have been adapting their lures to take advantage of current events, using COVID-19-related themes to deceive victims. While the lures may have changed, the underlying threats remain, evolve and grow, and it’s more important than ever to remain vigilant against cyber-attacks.”

Burt said Microsoft monitors and blocks malicious web apps based on telemetry indicating atypical behaviour, but when criminals suddenly and massively scale their activity and move quickly to adapt their techniques to evade Microsoft’s built-in defensive mechanisms, additional measures such as the legal action filed in this case are necessary.
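Because a consent-phishing lure ends with the user approving a third-party app rather than typing a password, the defender-side counterpart to the monitoring Burt describes is reviewing the tenant's consent audit trail. The following is an added example, not Microsoft's code: the log field names (activity, app_id, scopes, publisher_verified), the app IDs and the records are constructed assumptions, while the permission names are standard Microsoft Graph delegated scopes.

```python
"""Added example (not Microsoft's code): flag risky OAuth consent grants.
The NDJSON records below are constructed; field names are assumptions."""
import json
from dataclasses import dataclass
# Delegated permissions that give an app broad, persistent mailbox/file access;
# offline_access yields a refresh token that outlives the user's session.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read",
                    "Files.Read.All", "Files.ReadWrite.All", "offline_access"}
# Application IDs the organisation has reviewed (constructed placeholder).
APPROVED_APP_IDS = {"app-id-approved-crm"}

@dataclass
class Finding:
    user: str
    app_name: str
    app_id: str
    risky_scopes: list
    reasons: list

def assess_consent(event: dict):
    """Return a Finding for a consent grant worth an analyst's attention."""
    if event.get("activity") != "Consent to application":
        return None  # not a consent event; nothing to assess
    app_id = event["app_id"]
    scopes = set(event.get("scopes", "").split())  # space-separated scopes
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    # Approved apps and apps asking only for low-value scopes are not findings.
    if app_id in APPROVED_APP_IDS or not risky:
        return None
    reasons = ["unapproved app", "high-risk scopes: " + ", ".join(risky)]
    if not event.get("publisher_verified", False):
        reasons.append("publisher not verified")
    return Finding(event["user"], event["app_name"], app_id, risky, reasons)

def scan_log(lines):
    """Parse NDJSON audit lines and collect findings; blank lines are skipped."""
    findings = []
    for line in lines:
        if line.strip():
            result = assess_consent(json.loads(line))
            if result:
                findings.append(result)
    return findings

# Constructed sample: one lure-themed app, one approved app, one benign app.
SAMPLE_LOG = """
{"activity": "Consent to application", "user": "cfo@example.test", "app_name": "COVID-19 Bonus", "app_id": "app-id-lure", "scopes": "Mail.Read Contacts.Read offline_access", "publisher_verified": false}
{"activity": "Consent to application", "user": "ops@example.test", "app_name": "Approved CRM", "app_id": "app-id-approved-crm", "scopes": "Mail.Read offline_access", "publisher_verified": true}
{"activity": "Consent to application", "user": "hr@example.test", "app_name": "Todo Helper", "app_id": "app-id-todo", "scopes": "User.Read", "publisher_verified": false}
{"activity": "Add user", "user": "admin@example.test"}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.user} -> '{f.app_name}' ({f.app_id}): {'; '.join(f.reasons)}")
```

Only the lure-themed app is reported: the approved CRM asks for the same mailbox scopes but has been reviewed, and the benign app asks for nothing sensitive.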

“This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” Burt said.

“Microsoft and our Digital Crimes Unit will continue to investigate and disrupt cyber-criminals and will seek to work with law enforcement agencies around the world, whenever possible, to stop these crimes.”

Jake Moore, cybersecurity specialist at ESET, said: “The ability to send a phishing email from a trusted source is the perfect disguise for any threat actor. Compromised domains are very much sought after, so closing the option will no doubt act as a severe blow to those attempting to gain control and use them for illicit purposes. 

“This latest move won’t eradicate the phishing email problem but it will no doubt plug a sizeable hole in a major issue seen worldwide.”

Categories: Cyber Risk News

Organizations’ Security Measures Failing to Keep Pace with BYOD Use

Info Security - Wed, 07/08/2020 - 14:45
Organizations’ Security Measures Failing to Keep Pace with BYOD Use

Businesses are increasingly embracing the use of BYOD in the workplace but are not taking corresponding steps to protect corporate data. This is according to the Bitglass 2020 BYOD Report, in which 69% of IT professionals surveyed revealed that employees at their companies are allowed to use personal devices to perform work functions.

A significant proportion of organizations also allow BYOD for contractors (26%), partners (21%), consumers (18%) and suppliers (16%).

It is a trend that’s likely to continue as more businesses shift to remote working as a result of the COVID-19 pandemic.

Yet the report highlights that businesses do not have sufficient security in place to protect themselves against this growing use of insecure devices to access their systems. The study discovered that over half (51%) of organizations lack any visibility into file sharing apps, 30% have no visibility or control over mobile enterprise messaging tools and only 9% have cloud-based anti-malware solutions in place.

Exacerbating the problem, 69% said that properly securing a BYOD device requires physical access to it, and 51% said it requires the device PIN, both of which present practical difficulties.

The biggest BYOD security concerns outlined by the respondents were data leakage (69%), users downloading unsafe apps or content (57%), lost or stolen devices (55%), unauthorized access to data and systems (55%) and malware infections (52%).

Anurag Kahol, CTO of Bitglass, said: “The top two reasons enterprises hesitate to enable BYOD relate to company security and employee privacy. However, the reality is that today’s work environment requires the flexibility and remote access that the use of personal devices enables. To remedy this standoff, companies need comprehensive cloud security platforms that are designed to secure any interaction between users, devices, apps or web destinations.”

A study published last month found that 60% of remote workers in the UK regularly engage in practices including using unmanaged, insecure BYOD devices to access corporate systems.

Categories: Cyber Risk News

Billions of Banking and Social Media Credentials Available Online

Info Security - Wed, 07/08/2020 - 13:00
Billions of Banking and Social Media Credentials Available Online

Around 15 billion credentials are in circulation in cyber-criminal marketplaces.

According to new research from Digital Shadows, a 300% increase in stolen credentials from over 100,000 data breaches in the past two years means there are more than 15 billion credentials in circulation. These include credentials for bank accounts, social media and video streaming services.

Of these, more than five billion were assessed to be ‘unique’ – i.e. they have not been advertised more than once on criminal forums.

Rick Holland, CISO and VP of strategy at Digital Shadows, said: “The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them.

“Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be reused to compromise accounts used elsewhere.”

Many account details are offered free of charge, but of those on sale, the average account trades for $15.43. Bank and financial accounts are the most expensive, averaging $70.91, though they can trade for upwards of $500, depending on the ‘quality’ of the account.

There was also evidence that methods to bypass 2FA were commonly discussed on cyber-criminal forums. In one example, in December 2019, a user on the Russian-language cyber-criminal forum Exploit created a thread to sell a method designed to bypass 2FA systems at a United States-based online bank. They stated that their system would allow seven to nine out of 10 accounts to be accessed without requiring SMS verification, and that they considered their offer to be worth $5000. 

In an email to Infosecurity, security researcher and speaker Troy Hunt said he was not “overly surprised by the numbers” as he had noticed a lot more credential stuffing lists in circulation recently and just like the pandemic itself, they seem to be replicating at a fierce rate.

“It’s one of those things that’s very easy to propagate and I often see the same data represented in different derivatives, for example, expressed by the domain of the email account or the geographic location of the account holder.”

Asked if he felt more accounts were being created due to people working from home and getting more deliveries, Hunt said: “Personally, I think it’s too early to see an impact on credential stuffing lists due to the pandemic. Yes, there’s a lot more people working remotely, but these lists are curations of previous data breaches bundled up and passed around as sources for brute-forcing login pages.

“These lists are also dependent on having passwords accessible in either plain text or with weak cryptographic protection (i.e. MD5 or SHA-1 hashes) which fortunately is becoming increasingly uncommon.”

Digital Shadows also observed the growth of ‘account takeover as-a-service’ where, rather than buying a credential, criminals can rent an identity for a given period, often for less than $10.

For this price, the service collects fingerprint data (such as cookies, IP addresses, time zones) from an individual (the target), which makes it considerably easier to perform account takeovers and transactions that go unnoticed. Such is the popularity of these services that users on forums are desperate to acquire invite codes to this market. 

Holland added: “The message is simple – consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”

Categories: Cyber Risk News

BotRx Appoints Cybersecurity Veteran to Spearhead Global Market Expansion

Info Security - Wed, 07/08/2020 - 11:45
BotRx Appoints Cybersecurity Veteran to Spearhead Global Market Expansion

Malicious bot mitigation and detection company BotRx has announced the appointment of cybersecurity veteran Peter Christou as its new EVP of global sales to lead the firm’s expansion into EMEA and other global markets.

US-based BotRx uses moving target defense technologies to protect websites, mobile applications and IoT devices from automated bot attacks such as credential stuffing, account takeover and content scraping. It is now seeking to grow its presence in new geographies.

Christou brings more than 25 years of experience in helping security startups and firms grow across the globe. He will lead BotRx in developing new partnerships and contributing to the company’s sales and business strategies.

“This is an exciting time for the company as we continue to grow and develop our international footprint,” said Ming Xu, co-founder and CEO of BotRx. “We are delighted to be welcoming industry expert Peter Christou onboard as the EVP of global sales. With his strong track record and expertise in driving international expansion, we look forward to establishing our technology in new markets.”

Malicious bot attacks are one of the most prolific threats facing organizations of every shape and size today, added Christou.

“Our ability to solve the problem in a new and innovative way gives us tremendous growth opportunity across all markets. I’m thrilled to be joining the company to help steer this outreach across the EMEA region,” he concluded.

Categories: Cyber Risk News

Casino App Clubillion Leaks PII on “Millions” of Users

Info Security - Wed, 07/08/2020 - 11:01
Casino App Clubillion Leaks PII on “Millions” of Users

An unsecured Elasticsearch database has been leaking data on millions of global gambling app users, according to researchers at vpnMentor.

The group discovered the unsecured database hosted on AWS as part of a broader web mapping project. It was quickly traced back to casino app Clubillion, which was contacted on March 23. The database was finally secured on April 5, five days after AWS was also contacted.

Unlike many similar discoveries, this online database was updated with huge amounts of users’ personal information every single day: in the region of 200 million new records, or 50GB, daily, and sometimes considerably more, according to vpnMentor.

These records included every action taken by every player on the app (“win,” “lose,” “update account,” etc.) and personally identifiable information (PII) including emails, private messages, winnings and IP addresses.

The research team warned that gambling apps are a popular target for cyber-criminals, who go looking for PII and to target software vulnerabilities in order to install malware on users’ devices.

Sophisticated phishing campaigns could leverage specific leaked activity data showing transaction errors from card payments on the app. By following up with individual emails targeted at these users, cyber-criminals stand a stronger chance of eliciting more personal and financial information or tricking the user into installing covert malware, vpnMentor claimed.

“On a single day, tens of thousands of individual Clubillion players were exposed. Each one of these players could be targeted by malicious hackers for fraud and cyber-attacks – along with millions more whose records were also contained in the database,” it claimed.

“The most immediate risk for Clubillion is the loss of players. Data security is a growing concern for everyone these days, and this leak could turn many players off the app. Clubillion is not unique, and players have plenty of other choices for free gambling apps.”

The firm could now also face extra scrutiny from GDPR regulators and from Google Play and the App Store, vpnMentor warned.

Categories: Cyber Risk News

Magecart Group Made Millions Targeting 570+ Sites

Info Security - Wed, 07/08/2020 - 10:15
Magecart Group Made Millions Targeting 570+ Sites

Security researchers have uncovered a Magecart group that has infected over 570 e-commerce sites around the world over the past three years, enhancing its scale and sophistication over this time.

The “Keeper” group was identified and named by Gemini Advisory in reference to the domain (fileskeeper[.]org) which was used to inject malicious digital skimming JavaScript and to receive stolen card data.

However, in total the firm found a network of 64 attacker domains associated with the group which were used to deliver malicious payloads, and a further 73 exfiltration domains used to receive stolen payment card data.

These domains were usually registered to look like legitimate ones, such as popular website plugins and payment gateways, in order to stay under the radar.

As is the norm, the group went after smaller e-commerce sites in the hope that they were less well-defended. However, some of these online stores still garnered over 500,000 visitors per month.

Over 85% of victims were operating the popular Magento CMS, with the largest number (28%) located in the US, followed by the UK and the Netherlands. However, victims from a total of 55 countries were affected.

During its analysis, Gemini discovered an unsecured access log on the group’s control panel, which provided further insight into the scope of the campaign.

“This access log stored 184,000 compromised cards with time stamps ranging from July 2018 to April 2019. This likely indicated the total number of cards collected from numerous Keeper infections during this time period,” it explained.

“Based on the provided number of collected cards during a nine-month window, and accounting for the group’s operations since April 2017, Gemini estimates that it has likely collected close to 700,000 compromised cards. Given the current dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7m from stealing and selling compromised payment cards in its full lifespan.”

Categories: Cyber Risk News
