Info Security


Hackers Target Fortnite with V-Buck Scams

Mon, 10/29/2018 - 16:30

According to new research released by ZeroFOX, Fortnite has become a hotbed for scammers targeting the in-game currency of the popular online game. Between early September and early October, ZeroFOX generated more than 53,000 alerts related to Fortnite scams, of which 86% came from social media and 11% from web domains, according to today’s blog post.

Fortnite is free to play, which ZeroFOX said is a driving force for many gamers; however, players can make in-game purchases with the game’s V-Buck currency. Despite each individual transaction only costing a few dollars, Fortnite is reportedly making an estimated $300 million a month on in-game purchases, making this an increasingly attractive target for scammers, who are looking to trick users into getting their V-Bucks on the cheap or even for free. Of the game’s estimated 43 million players, all of whom are required to be at least 12 years old, many are falling victim to the scams, according to the research.

While the V-Bucks are only available through Fortnite, scammers have reportedly crafted fraudulent coupon sites and “V-Buck generators” to trick players into sharing personal information that includes their game credentials, credit card information and home addresses, said ZeroFOX.

“Games with a microeconomy, especially Fortnite, are prime targets for attackers to leverage their security attacks, scams and spam against,” said Zack Allen, director of threat operations at ZeroFOX. “These economies are a great way to make money without attracting too much attention to yourself because of the lack of regulation and the nuances of the economy (try describing a 'V-Buck' to any local law enforcement officer, you most likely will get a blank stare).

“Due to the professionalism of these sites and the relative ease it takes to make a new website, players should be especially aware because a scam can turn into something malicious quickly. Surrendering your username and password in a phishing attack or downloading and executing malware are not out of reach in terms of probability for these websites.”

Categories: Cyber Risk News

EFF Says DMCA Expansion Doesn't Go Far Enough

Mon, 10/29/2018 - 13:21

Security researchers can now examine more infrastructure and other complex systems without the fear of legal consequences, according to Zero Daily. A rule by the Library of Congress's Copyright Office has expanded the ability of security researchers to discover vulnerabilities that threaten digital security.

The Federal Register said that the rule went into effect October 28, 2018, and gives this summary of it: “The Librarian of Congress adopts exemptions to the provision of the Digital Millennium Copyright Act (DMCA) that prohibits circumvention of technological measures that control access to copyrighted works, codified in the United States Code. As required under the statute, the Acting Register of Copyrights, following a public proceeding, submitted a Recommendation concerning proposed exemptions to the Librarian of Congress. After careful consideration, the Librarian adopts final regulations based upon the Acting Register's Recommendation.”

However, the Electronic Frontier Foundation (EFF) said the ruling does not go far enough, stating that the exemptions are still too narrow and complex. Before the final ruling, EFF submitted a request for exemptions and explained: “We cited a broad range of examples where Section 1201 interfered with people’s use of their own digital devices. But the Office expanded the exemption only to 'smartphone[s],' 'home appliance[s],' and 'home system[s], such as a refrigerator, thermostat, HVAC or electrical system.'”

In requesting that the Copyright Office work toward improving exemptions, EFF legal director Corynn McSherry said, “It’s absurd that a law intended to protect copyrighted works is misused instead to prevent people from taking apart or modifying the things they own, inhibit scientists and researchers from investigating safety features or security enhancements and block artists and educators from using snippets of film in noncommercial ways. The exemption process is one highly flawed way of alleviating that burden.”

While EFF supports the changes, the organization remains steadfast in its position that DMCA is an unconstitutional restriction on freedom of speech and added, “EFF represents entrepreneur Andrew 'bunnie' Huang and Professor Matthew Green in a lawsuit seeking to overturn Section 1201. Having finished this year’s rule-making, we look forward to continuing that case.”

Categories: Cyber Risk News

Girl Scouts Alerted to Possible Data Breach

Mon, 10/29/2018 - 11:15

Thousands of members of the Girl Scouts in California may have had their personal information stolen after one of its official email accounts was accessed by an unauthorized third party last month.

Reports suggest that as many as 2800 girl scouts in Orange County may have been affected in an incident which lasted just a day.

Affected information could include names, email and home addresses, driver’s license details, insurance policy numbers and health history information.

Those hit by the breach were contacted last week.

They were told that the attack began on September 30 when an unauthorized third party gained access to an official Girl Scouts Orange County Travel email account, which was used to “send emails to others” — presumably phishing emails.

“Some of the emails stored in this account, which included emails with dates as far back as 2014 through October 1, 2018, contained information about our members,” the note explained. “Out of an abundance of caution, we are notifying everyone whose information was in this email account.”

The anonymous third party had access to the account for only one day from September 30 to October 1 this year.

Identity data belonging to children is particularly attractive to hackers as it can often be monetized more easily before the alarm is raised.

That’s because there are often limited financial records associated with the identities of minors, making it easier to open new fake accounts in their name.

In 2017, over a million US children were affected by identity fraud, resulting in losses of $2.6 billion and families forced to pay $540 million, according to research from Javelin Strategy & Research earlier this year.

The report claimed that 60% of child identity fraud victims know the fraudster, versus just 7% of adult victims.

Categories: Cyber Risk News

Canadian Crypto-Exchange Shutters After $6m ‘Hack’

Mon, 10/29/2018 - 10:23

Customers of a little-known Canadian cryptocurrency exchange are set to lose all their coins after hackers allegedly made off with around $6m, although some suspect an exit scam.

MapleChange took to Twitter on Sunday morning to claim that it had “sustained a hack” and was investigating the issue.

“Due to a bug, some people have managed to withdraw all the funds from our exchange. We are in the process of a thorough investigation for this,” it continued in a separate tweet soon after. “We are extremely sorry that it has to come to end like this. Until the investigation is over, we cannot refund anything.”

The firm confirmed that it was unable to refund any Bitcoin or Litecoin funds, but that it was trying to do so for other currencies, asking customers to PM their details.

“We are sending all of the coin developers the wallets containing the coins we have left. So far, LMO and CCX have been handed over the funds,” it said.

Around 913 BTC ($5.8m) was apparently ‘stolen’ in the raid, with some reports suggesting that this might actually be an exit scam.

Although the firm still appears to be active on Twitter, its domain is now defunct.

“There is no incentive for using small exchanges. Use established exchanges that are regulated, & transparent,” tweeted cryptocurrency analyst, Joseph Young.

“Small exchanges also focus on maximizing profitability, not security or investor protection.”

Changpeng Zhao, CEO of the world’s biggest Bitcoin exchange, Binance, argued that customers should steer clear of exchanges which don’t store funds in cold wallets. These are typically more secure than hot wallets as they’re not connected to the internet.

“Avoid using exchanges that doesn't have anything in their cold wallets,” he tweeted.

It’s unclear how many customers MapleChange has, but its Twitter account has fewer than 2,000 followers, versus 236,000 for Binance’s Zhao.

Categories: Cyber Risk News

Facebook Removes Scores of Fake Iran-Linked Accounts

Mon, 10/29/2018 - 09:43

Facebook revealed on Friday that it has removed 82 Pages, Groups and accounts linked to Iran which it said were spoofed to appear as if run by US and UK citizens.

In total, the social network took down 30 Pages, three Groups and 33 accounts on Facebook, as well as 16 accounts on Instagram — accusing them of “coordinated inauthentic behavior.”

“The Page administrators and account owners typically represented themselves as US citizens, or in a few cases UK citizens — and they posted about politically charged topics such as race relations, opposition to the President, and immigration,” explained head of cybersecurity policy, Nathaniel Gleicher.

“Despite attempts to hide their true identities, a manual review of these accounts linked their activity to Iran. We also identified some overlap with the Iranian accounts and Pages we removed in August.”

Facebook’s initial research seems to indicate limited exposure for the content: around one million accounts are said to have followed at least one of the Pages, around 25,000 accounts joined at least one of the Groups, and more than 28,000 accounts followed at least one of the Instagram accounts in question.

In addition, those behind the spoof accounts spent less than $100 in advertising, and of the seven events hosted, only 110 people expressed an interest in at least one event, it said.

However, separate reports claim slightly different findings: Facebook page I Need Justice Now had more than 13 million video views, the Digital Forensic Research Lab told the BBC.

The social network claimed it now has over 20,000 employees working specifically on safety and security, with AI tools also helping to detect fake accounts.

The revelations come just days before the crucial midterm elections in the US and during ongoing Brexit-related tensions in the UK.

Categories: Cyber Risk News
