Security researchers are warning players of a popular MMO game that over 1.3 million user records are being sold on dark web forums.
Usernames, passwords, email addresses, phone numbers and IP addresses belonging to players of Stalker Online were found by researchers from CyberNews.
The firm explained that the passwords were stored only as MD5 hashes; MD5 is a weak hashing algorithm that is not suitable for protecting passwords.
Two databases were found on underground sites as part of a dark web monitoring project undertaken by the research outfit, one containing around 1.2 million records and another of 136,000 records.
It appears as if a hacker compromised a Stalker Online web server before stealing the user data and posting a link on its official website as proof.
After confirming the data for sale was genuine, the researchers tried and failed to get in touch with Australian developer BigWorld Technology and its parent company, Cyprus-based Wargaming.net.
Both databases were hosted on the legitimate e-commerce site Shoppy.gg, which removed the listings within a day of being notified by the researchers.
“However, the fact that the storefront was operational for almost a month may suggest that copies of the database containing 1.2 million user records may have been sold on the black market to multiple buyers,” they explained.
“In addition, the removal of the databases from the e-commerce platform does not preclude the hacker from putting them up for sale someplace else. This means that all Stalker Online players should consider their records to still be compromised.”
Although the stolen information didn’t contain any financial data, there’s plenty that cyber-criminals could do with the haul, including credential stuffing, follow-on phishing attacks, email and phone spam, cracking open the email passwords and even holding the gaming accounts themselves ransom.
“Since Stalker Online is a free-to-play game that incorporates micro-transactions, malicious actors could also make a lot of money from selling hacked player accounts on the grey market,” the researchers said.
Nearly £17m has been lost to online fraud over the COVID-19 lockdown period with younger shoppers most affected, according to Action Fraud.
The UK’s National Fraud and Cybercrime Reporting Center said that 16,352 people had fallen victim to online shopping and auction fraud since bricks-and-mortar stores were ordered to close on March 23.
That amounts to around £16.6m in losses, with the largest group of victims (24%) aged 18 to 26 and residing in cities including London, Birmingham, Manchester, Leeds, Sheffield, Liverpool, Bristol and Nottingham.
In many cases, consumers purchased items such as mobile phones (19%), vehicles (22%), electronics (10%) including gaming kit and laptops, and footwear (4%) but they never arrived. Fraudulent sellers were most likely to be found on eBay (18%), Facebook (18%), Gumtree (10%) and Depop (6%).
Pauline Smith, head of Action Fraud, explained that the trend for younger consumers falling victim most frequently existed long before COVID-19.
“It’s important to shop on sites you know and trust. If you’re using a site you’ve not used before, do your research and check reviews before making a purchase,” she said.
“Always be wary of emails, texts and social media posts that offer products for considerably less than their normal price – this is a common tactic used by criminals. Where possible, use a credit card to make online purchases as this will offer you more protection if anything goes wrong.”
Ben Tuckwell, district manager at RSA Security UK & Ireland, argued that fraudsters thrive in times of disruption.
“The recent shift to e-commerce has been critical for both consumers and the economy, but fraudsters have been quick to take advantage too. In fact, in the first three months of 2020, RSA recovered details of over five million unique compromised cards globally,” he said.
“Banks, card issuers and retailers alike must also step up the war on fraudsters, both in times of crisis and in the future as shopping increasingly moves online. Pioneering businesses are already applying machine learning to better predict whether a payment is likely to be fraudulent.”
Security researchers are warning of a multi-country North Korean phishing campaign designed to capitalize on government COVID-19 bail-out measures.
The operation is being undertaken by Pyongyang’s notorious Lazarus Group, and is “designed to impersonate government agencies, departments, and trade associations who are tasked to oversee the disbursement of the fiscal aid,” according to Cyfirma.
The Goldman Sachs-backed cybersecurity startup said that the campaign was slated to launch over the weekend in the US, UK, India, Japan, Singapore and South Korea.
First spotting evidence of the operation at the start of the month, the researchers claim to have found seven email templates impersonating government departments and institutions like the Bank of England, Singapore’s Ministry of Manpower, Japan’s Ministry of Finance and the US Department of Agriculture.
The group will apparently use millions of email addresses and business contact details to target their victims via these spoofed domains. In many cases the phishing messages will claim to be offering a new government-backed business support payment.
“The hacking campaign involved using phishing emails under the guise of local authorities in charge of dispensing government-funded COVID-19 support initiatives. These phishing emails are designed to drive recipients to fake websites where they will be deceived into divulging personal and financial information,” Cyfirma explained.
“Given the potential victims are likely to be in need of financial assistance, this campaign carries a significant impact on political and social stability.”
Singapore’s CERT has already issued an alert urging businesses and individuals to be vigilant and avoid clicking on links or opening attachments in unsolicited emails.
Despite this new COVID-themed threat from North Korea, Microsoft claimed last week that malicious emails utilizing the pandemic comprised less than 2% of the total detected by the firm over the past four months.
A man from Michigan has been charged with hacking into a medical center's database and stealing the personal information of 65,000 employees.
Federal prosecutors unsealed a 43-count indictment yesterday accusing Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson of illegally accessing data held by the University of Pittsburgh Medical Center (UPMC).
Johnson allegedly hacked into the center's Oracle PeopleSoft database in January 2014 using the nicknames "TDS" and "DS." The indictment accuses the 29-year-old of exfiltrating personal identifying information and tax data belonging to thousands of center staff, then selling it on the dark web for an undisclosed sum.
Data said to have been stolen and sold by Johnson included employees' names, dates of birth, Social Security numbers, addresses, and salary information.
Prosecutors said that over the course of 2017, unidentified conspirators used the exfiltrated data to file hundreds of phony tax returns that claimed approximately $1.7m in false refunds. These returns were then laundered by being converted into Amazon gift cards that were used to purchase goods worth about $885,000 that were shipped to Venezuela and later sold in online marketplaces.
The indictment charges the alleged cyber-criminal with wire fraud, conspiracy, and aggravated identity theft. If he is convicted on all charges, Johnson could spend 20 years locked up in federal prison.
Johnson is being held without bond after being arrested by police in Detroit on Tuesday.
In a statement, the special agent in charge of the US Secret Service field office, Timothy Burke, said: “The health care sector has become an attractive target of cybercriminals looking to update personal information for use in fraud."
UPMC spokesperson Gloria Kreps said identity theft protection monitoring services were provided free to employees affected by the cyber-attack prosecutors have attributed to Johnson.
In an email written to Detroit News, Kreps stated: “At the time of the breach, we helped our employees through the challenge and purchased LifeLock for them for five years for all UPMC employees, 65,000 at that time."
In June 2015, a Pennsylvania judge dismissed a health data breach lawsuit brought against UPMC the year before. The suit was filed by former UPMC employees after a data breach compromised the information of approximately 27,000 members of staff at the center.
A PC gaming service is taking action to eradicate a growing number of racist bots from one of its leading shoot-em-up titles.
Valve said it has introduced new anti-spam measures to the game Team Fortress 2 in an attempt to "mitigate the use of new and free accounts for abusive purposes."
Earlier this month, Kotaku reported that offensive bots were "running rampant" in TF2, overwhelming chats "with everything from annoying troll-speak to full-on racism." According to the gaming site, the title has been beset by bots "of various types" since early 2020.
Frustrated players of the game took to TF2's subreddit, Steam forums, Discords, and other communities, asking for Valve to intervene. Players who tried to tackle the bot problem themselves faced the wrath of the bot user community.
One TF2 player, Pazer, created a tool to automatically detect and remove bots from matches in the game. Angry bot users responded by creating a workaround and building a bot specifically to damage Pazer's reputation in the gaming community.
While the existence of offensive bots in TF2 is nothing new, Gamesindustry.biz reported yesterday that the problem "took a turn for the worse recently as the bots began employing game-breaking hacks and spamming the chat with racist diatribe."
In hopes of tackling the problem, Valve released a new patch on June 16 that restricts certain new accounts from using chat in official matchmaking modes. In announcing the patch, the company said, "Work is ongoing to mitigate the use of new and free accounts for abusive purposes."
Valve has also updated its Report Player functions, empowering players with the ability to disable in-game voice and text chat.
The widespread popularity of Team Fortress 2 has declined since its release in 2007 as players turn to more modern titles. Because of this drop in the number of users, the team-based shooter is now maintained by a skeleton crew, leaving it vulnerable to attacks by threat actors.
In November 2019, veteran Valve employee Greg Coomer said: "There are very few people working on Team Fortress. I don't know the exact number, but it's hardly anyone anymore."
The United States has deported a convicted cyber-criminal and malware creator back to his native Russia.
Computer programmer Stanislav Vitaliyevich Lisov was arrested by Spanish authorities at Barcelona–El Prat Airport on January 13, 2017, at the request of the FBI, then extradited to the United States on January 19, 2018.
Lisov is the creator of banking Trojan NeverQuest and part of a criminal enterprise that used the malware in attempts to steal $4.4m from the bank accounts of hundreds of victims.
The 35-year-old pleaded guilty to one count of conspiracy to commit computer hacking in November 2019 and admitted using NeverQuest to steal $855,000. He was subsequently sentenced to 48 months in federal prison by the United States District Court for the Southern District of New York.
In addition to his custodial sentence, Lisov was sentenced to three years of supervised release and was ordered to pay forfeiture of $50,000 and restitution of $481,388.04. The maximum sentence he could have been handed would have seen the threat actor spend 35 years behind bars.
After earning credit for time served, the malware-maker was due to be released in a few months' time. However, the United States opted to deport Lisov to Russia on June 16.
Lisov spent six days in an immigration detention facility to which he was transferred from a prison in Pennsylvania on June 10. According to Russian Embassy officials in the US, the cyber-criminal was then transported to New York's JFK International Airport, where he boarded a Moscow-bound Aeroflot flight.
Reports at the time of Lisov's capture stated that the malicious actor was on honeymoon in Barcelona with his new wife when Spanish authorities placed him under arrest.
In a statement to the Russian news outlet RIA Novosti, Alexei Topolsky, a spokesperson for the Russian Consulate General in New York, said Lisov was unrestrained by handcuffs when he arrived for his flight.
According to Topolsky, Lisov, who was dressed in simple clothes and a face mask, "looked like a person who was happy to be going home."
Lisov was met at Sheremetyevo International Airport by his wife, Darya Lisova.
Facebook has removed advertising for Donald Trump’s re-election campaign because it featured a symbol heavily associated with Nazi Germany, in a move likely to dial up tensions in the US.
The inverted red triangle featured in the ad was reportedly used by the Nazis to mark out political prisoners in concentration camps.
It ran alongside a message from the President claiming that ‘far-left mobs’ are causing mayhem in the US and that left-wing activists loosely labelled “antifa” should be branded a terrorist organization.
“We don’t allow symbols that represent hateful organizations or hateful ideologies unless they are put up with context or condemnation,” Facebook’s head of cybersecurity policy, Nathaniel Gleicher, said in a brief statement.
“That's what we saw in this case with this ad, and anywhere that that symbol is used we would take the same actions.”
Other ads from the same campaign not featuring the symbol were left up, despite their dubious claims.
In fact, Facebook has come under increasing pressure of late to fact-check and remove misleading political ads, or ban them altogether like Twitter.
The social network disappointed many this week when it announced it would merely allow users to switch off social issue, electoral or political ads from candidates or political action committees in their Facebook or Instagram feeds.
This comes after a January update in which Facebook said it would help users to limit the number of political ads they see.
That isn’t good enough for the Biden election campaign. It has begun a petition calling on the social network to ban threatening behavior and lies about how to vote, and wants all political ads to be fact-checked for the two weeks running up to the election.
On the other side, Trump issued an executive order effectively preventing social media companies from fact-checking political statements.
Facebook has been at pains not to take sides in an increasingly fractious debate. In fact, it controversially left up incendiary remarks by Trump which some have claimed were an incitement to violence during recent civil unrest.
Google has removed scores of malicious and fake Chrome extensions being used in a global eavesdropping campaign.
The threat was spotted by Awake Security, which detected 111 of the malicious extensions over the past three months. When it notified Google of the issue last month, it claimed that 79 were present in the Chrome Web Store, where they had been downloaded nearly 33 million times.
Figures for the others not in the official marketplace are hard to calculate for obvious reasons.
“These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc,” it said in a report detailing the investigation.
“After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every single network.”
Spoofed to appear legitimate, the extensions all sent the data they harvested back to ‘legitimate’ domain registrar GalComm, which Awake argued “is at best complicit in malicious activity.”
Those behind the campaign have worked hard to ensure an almost 100% success rate, evading enterprise security proxies, AV and other defenses.
“One reason for this appears to be a smart method for filtering/blocking requests used by this attack campaign. If the client is connecting to the domain from a broadband, cable, fiber, mobile or similar fixed-line ISP type of network, then the client will be delivered the malicious payload. This allows all normal users and enterprises to pass through the filter,” the report explained.
“If the connection is coming from a data center, web hosting service, transit networks, VPN or proxy, the request is redirected to a benign page.”
In some cases, efforts were made to bypass the Chrome Web Store altogether.
“They do so by loading a self-contained Chromium package instrumented with the malicious plugins,” Awake Security said.
“As most users don’t recognize the difference between Chrome and Chromium, when prompted to make the new browser their default, they frequently do – making their primary browser one which will happily continue to load malicious extensions from other GalComm related sources.”
The report suggested the campaign could be tied to state-sponsored activity.
Australian Prime Minister Scott Morrison today warned of a major state-sponsored cyber-espionage campaign targeting government and private sector businesses.
He urged domestic organizations to take steps to improve their resilience, including the use of multi-factor authentication to access cloud and internet-facing systems, and to patch online devices promptly.
“This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure,” Morrison warned.
“We know it is a sophisticated state-based cyber-actor because of the scale and nature of the targeting and the tradecraft used.”
In a technical advisory yesterday, the Australian Cyber Security Centre (ACSC) referred to the state actor’s “copy-paste compromises” — in other words, its heavy use of proof-of-concept exploits, web shells and other elements “copied almost identically from open source.”
The attackers specifically targeted remote code execution vulnerabilities in development tool Telerik UI, Microsoft Internet Information Services (IIS), SharePoint and Citrix.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases,” the ACSC continued.
“The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.”
When exploits don’t work, the hackers use spear-phishing plus open source and custom tools to achieve persistence. They’ve also been spotted using compromised legitimate Australian websites for command-and-control, in an attempt to hide their activity.
Michael Sentonas, global CTO at CrowdStrike, said his firm had seen a 330% spike in malicious activity in the first half of 2020 versus a year ago, and warned that the lines between e-crime and state-backed attacks are blurring due to increased sophistication of the former.
“Having a front line perspective of the rampant threat activity in Australia that occurs every day, including the number of high-profile breaches in recent months, demonstrates the country is not as prepared as we would like to believe,” he added.
“It is positive that this issue is being raised, and governments and organizations must now take action and harden their defenses against an advanced pool of adversaries.”
Given Australia’s recent geopolitical disputes with its larger neighbor to the north, China will be top of the list of suspects in these attacks.
The United States has sanctioned six Nigerians for operating cyber-scams that stole millions from American victims.
Indictments were unsealed June 16 against Richard Uzuh, Michael Olorunyomi, Alex Ogunshakin, Felix Okpoh, Nnamdi Benson, and Abiola Kayode. The six men are charged with orchestrating elaborate schemes to defraud Americans through Business Email Compromise (BEC) attacks and romance scams.
American citizens lost over $6,000,000 after falling victim to scams where the men impersonated business executives and requested and received wire transfers from legitimate business accounts or masqueraded as romantic partners.
After gaining the trust of their victims, the fraudsters manipulated them into handing over their usernames, passwords, and bank account details in order to steal from them. Several of those who engaged in romance fraud used online tools, including social media and email, to further their social engineering tactics.
Between early 2015 and September 2016, Uzuh and an accomplice would often attack over 100 businesses a day with emails purporting to be from a genuine executive at the target company. By requesting and receiving wire transfers of funds from the victimized firm's bank accounts, the pair were able to steal $6.3m.
Olorunyomi and a co-conspirator led a scheme that preyed on Americans searching for love online. The duo created fake profiles on dating websites and posed as romance seekers to defraud victims out of over $1m between September 2015 and June 2017.
As a result of the sanctions, all property and interests in property of the six men that are in the possession or control of US citizens or within or transiting the United States are blocked, and US persons generally are prohibited from dealing with them.
“Cybercriminals prey on vulnerable Americans and small businesses to deceive and defraud them,” said Secretary of the Treasury Steven Mnuchin.
“As technological advancement increasingly offers malicious actors tools that can be used for online attacks and schemes, the United States will continue to protect and defend at-risk Americans and businesses.”
In July 2019, Treasury’s Financial Crimes Enforcement Network (FinCEN) released an advisory noting that it received over 32,000 reports involving almost $9bn in attempted theft from BEC fraud schemes targeting US financial institutions and their customers since its 2016 advisory.
Recovered funds through FinCEN’s Rapid Response Program, in collaboration with law enforcement, recently surpassed $920m.
In-depth insights into the operations and methods of the elusive InvisiMole group have been revealed by ESET following an investigation into a new campaign by the espionage group. In this campaign, the group targeted a number of high-profile military and diplomatic bodies in Eastern Europe from late 2019 until at least June 2020.
ESET investigators found that InvisiMole collaborated with another cyber-threat actor, Gamaredon, to stage its attacks. Gamaredon would infiltrate the network of interest, potentially gaining administrative privileges, before InvisiMole moved in to deploy its malware.
ESET researcher Zuzana Hromcová explained: “Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar.”
The team also discovered four different execution chains InvisiMole uses, created by combining malicious shellcode with legitimate tools and vulnerable executables. The group’s malware is able to remain hidden by protecting components with per-victim encryption, meaning the payload can only be decrypted and executed on the affected computer. InvisiMole was also observed to have a new component that uses DNS tunneling for stealthier C&C communication.
“We were able to document the extensive toolset used for delivery, lateral movement and execution of InvisiMole’s backdoors,” noted Anton Cherepanov, the ESET malware researcher who led the investigation.
InvisiMole is understood to have been active since at least 2013, and has been connected to cyber-espionage campaigns in Ukraine and Russia, including spying on victims using two feature-rich backdoors. The new analysis highlights how the group has significantly improved its abilities to conduct cyber-espionage.
Hromcová added: “With this new knowledge, we’ll be able to track the group’s malicious activities even more closely.”
America's Federal Communications Commission (FCC) has been warned against fully approving the construction of a subsea cable that will directly link the United States to Hong Kong.
A recommendation to partially deny the application to build the Pacific Light Cable Network (PLCN) was sent to the FCC by Team Telecom, formally known as the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.
The committee said the PLCN application raised national security concerns as significant financial backing for the project would be provided by a subsidiary of the fourth largest provider of telecommunications services in the People's Republic of China (PRC).
"As submitted to the FCC, the PLCN application would have allowed for the highest capacity subsea cable connection between the United States and Asia and been the first direct connection between the United States and Hong Kong," said a spokesperson for the US Department of Justice.
"This raised national security concerns, because a significant investor in the PLCN is Pacific Light Data Co. Ltd., a Hong Kong company and subsidiary of Dr. Peng Telecom & Media Group Co. Ltd. (Dr. Peng Group), the fourth largest provider of telecommunications services in the PRC."
The committee’s recommendation explained that PLCN’s proposed Hong Kong landing station would expose US communications traffic to collection by the PRC.
The DOJ said: "Such concerns have been heightened by the PRC government’s recent actions to remove Hong Kong’s autonomy and allow for the possibility that PRC intelligence and security services will operate openly in Hong Kong."
Team Telecom further advised that the FCC grant the portions of PLCN’s application seeking to connect the United States, Taiwan, and the Philippines, that do not have any PRC-based ownership and are separately owned and controlled by subsidiaries of Google LLC and Facebook, Inc.
This approval should only be made on the condition that the companies’ subsidiaries enter into mitigation agreements regarding those connections, advised Team Telecom.
Google's request for Special Temporary Authority (STA) to commercially operate the segment of PLCN connecting the United States and Taiwan for six months was granted by the FCC on April 8, 2020. Approval was given based on obligations set forth in a Provisional National Security Agreement between the tech giant and the US Departments of Justice, Homeland Security, and Defense.
The UK government has abandoned its centralized coronavirus contact-tracing app in favor of a decentralized model, according to the BBC's chief tech correspondent.
Rory Cellan-Jones shared news of the UK's U-turn on Twitter earlier today. Posting as @ruskin147, Cellan-Jones wrote: "BBC scoop - NHS abandons centralized contact tracing app, moves to Apple/Google decentralized model."
A petition by ProPrivacy asking the UK government to change their contact-tracing app’s data collection model from centralized to decentralized to protect user privacy attracted over 1,000 signatures.
Digital privacy expert at ProPrivacy, Ray Walsh, called the government's decision "a huge win for privacy."
"A decentralized app will allow consumers across the UK to download the app without fears that their data could be exploited for secondary purposes," said Walsh.
The National Health Service COVID-19 contact-tracing app was created to tell people when they may have been exposed to the novel coronavirus. A pilot scheme is currently under way in the Isle of Wight to test the app's efficacy.
Lord Bethell, the minister for innovation at the Department of Health and Social Care, said participants of the pilot scheme had indicated that they would rather hear bad news from a person than via an automated text or email.
Health secretary Matt Hancock said at the start of May that the NHS COVID-19 contact-tracing app would be rolled out mid-May. However, Lord Bethell, speaking to the MPs on the Commons science and technology committee, said recently that the app will not be ready before the winter.
“We’re seeking to get something going for the winter, but it isn’t a priority for us,” Bethell stated.
The snail-like pace of the government's contact-tracing app implementation was bemoaned by Ray Walsh.
"It is a shame that it took so long for the NHS and the government to come to the same realization privacy experts had months ago—that in order for an app to be effective it is going to need to be accepted by the general public," said Walsh.
"While this is good news, the reality is that we could have had this app up and running weeks if not months ago, which could have greatly reduced the rate of infection and potentially saved lives."
The UK Information Commissioner's Office (ICO) has issued a report on police practices regarding extraction of data from people’s phones, including phones belonging to the victims of crime.
The report, which is the result of a 2018 complaint made by Privacy International (PI), highlights numerous risks and failures by the police in terms of data protection and privacy rights.
Elizabeth Denham, information commissioner, stated in the report: “This report explains how current mobile phone extraction practices and rules risk negatively affecting public confidence in our criminal justice system.
“I am therefore calling on government to introduce modern rules, through a code of practice that improves data extraction practices. This will build public confidence, notably the confidence of victims of crime and witnesses in permitting extraction of their sensitive personal data. It will also better support police and prosecutors in their vital work.”
Other key points in the report state that police should not seize phones merely to go on ‘fishing’ expeditions, but must focus any extraction on clear lines of enquiry and that current police practices regarding extracting data, especially from victims and witnesses, must be reformed.
Dr Ksenia Bakina, PI’s legal officer said: “Today’s critical report by the ICO vindicates what PI has been saying for over two years. The Police are taking data from people’s phones, including the victims of crime, without applying proper safeguards. This has to stop.
Currently, there is no clear policy guidance or independent, effective oversight for the police’s use of mobile phone extraction (MPE) technology, Bakina added.
“Considering the extensive use of mobile phones in our everyday lives, and the significant amount of sensitive personal data stored on them, the public need to know that there are rules and safeguards in place – otherwise the police are left to make up their own rules.
“The ICO's report is a welcome step in the right direction. However, it is just a first step. We need to ensure that the report is a wakeup call that the police finally heed.”
The COVID-19 crisis appears to have had an unexpected impact on underground cybercrime sites, leading to a surge in growth which has left many understaffed, according to Digital Shadows.
The dark web monitoring firm’s Digital Shadows Photon Research Team revealed in a new blog that several forums have recently been forced to go on a hiring spree for new moderators.
In April, an administrator post from English-language cybercrime forum Nulled apparently noted that the ‘community’ was “especially growing rapidly during COVID-19,” and that as a result it “require[s] additional assistance.”
Another post in April, this time from the administrator of English-language site CrackedTO, cited “recent events” as the reason for its hiring plea.
“While there have been many predictable consequences of the ongoing global COVID-19 pandemic, few would have foreseen significant growth for multiple cyber-criminal forums. Digital Shadows has observed forums being stretched at the seams due to their newfound pandemic popularity,” the Digital Shadows team wrote.
“In retrospect, it’s not that surprising: the coronavirus has placed enormous economic pressure on millions of people worldwide. It’s not illogical to surmise that some individuals may have turned to cybercrime to plug holes in their finances.”
The firm explained that cybercrime sites run a highly formalized employee set-up with the administrator sitting at the top of a pyramid, while multiple moderators carry out the day-to-day work.
They are often tasked with specific roles, such as technical support, paying for advertising, enforcing site rules and answering user questions.
The “trials moderators” sought by Nulled and CrackedTO are required to enforce the rules and assist users, as well as clean up malware and spam.
Good moderators seem to be highly sought after, which makes recruitment a formalized process as well.
“Elements of the recruitment advertisements come up again and again: the importance of devoting a significant chunk of time to the role, the requirements for applicants to have a thorough knowledge of the section and the perceived prestige associated with the role,” said Digital Shadows.
“Most also emphasized that these positions are unpaid.”
COVID-19-themed cyber-attacks comprised only a tiny amount of overall threat volumes over the past four months despite sensational headlines, according to Microsoft.
In comments echoing those it made at the start of the crisis, the Microsoft Threat Protection Intelligence Team claimed that even the peak of COVID-related attacks in the first two weeks of March was “barely a blip in the total volume of threats we typically see in a month.”
These were opportunistic attempts to exploit huge public interest in the virus via mainly localized phishing lures, which is why they increased 11-fold the week after the World Health Organization (WHO) officially named the pandemic “COVID-19.”
“This surge of COVID-19 themed attacks was really a repurposing from known attackers using existing infrastructure and malware with new lures,” said Microsoft. “In fact, the overall trend of malware detections worldwide did not vary significantly during this time.”
Although COVID-themed attacks remain higher than they were in early February and will continue as long as the virus does, the vast majority of threats are more typical phishing and identity compromise attempts, it continued.
The key takeaway for IT security teams is that while phishing lures can change quickly, the underlying malware remains the same.
They should therefore double down on enhanced user awareness training programs, “cross-domain signal analysis,” and patching, said Microsoft.
“These COVID-19 themed attacks show us that the threats our users face are constant on a global scale. Investments that raise the cost of attack or lower the likelihood of success are the optimal path forward,” it concluded.
“Focus on behaviors of attackers will be more effective than just examining indicators of compromise, which tend to be more signals in time than durable.”
Google claimed back in April that it is blocking 18 million malware and phishing emails linked to COVID each day, although it also admitted that “in many cases” these threats are not new but repurposed from other campaigns.
Zoom has reversed its controversial decision to restrict access to end-to-end encryption (E2EE) for some users and will now offer the feature to customers of both its free and premium services.
The video conferencing app said it had consulted with rights groups, child safety advocates, government representatives, encryption experts and its own CISO council to gather feedback.
“We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” the firm's CEO Eric Yuan said in a blog post yesterday.
“This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”
Users of the free service will be required to authenticate in a one-off process with information such as their phone number, in order for the platform to “reduce the mass creation of abusive accounts,” Yuan added.
The news came as rights groups, tech firms and internet users petitioned the firm to reverse its policy on E2EE.
They argued that E2EE is too important to be a premium feature, especially in the context of global protests against racial injustice and government oppression. The technology protects activists, journalists and other vulnerable parts of the population from government repression and surveillance, as well as from cyber-criminals, they said.
The campaigners also argued that those who want to disguise any malicious intent or illegal activity can simply pay for the premium service.
Yuan was reported saying on an analyst call earlier this month that the firm would not be offering free users E2EE “because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.”
Mozilla welcomed the news. The tech non-profit, which wrote an open letter to Zoom earlier in the week signed by tens of thousands of internet users, argued that E2EE should always be the default setting, not a luxury.
“We're heartened that Zoom listened to consumers, especially at a time when millions of people are relying on the platform to stay connected amid the pandemic and to organize in support of Black lives,” it said in a statement.
“Zoom’s decision is part of an emerging trend: Consumers are demanding more of the technology products and services they use every day. And companies are changing their products to meet these demands.”
The number of Business Email Compromise (BEC) attacks being leveled at C-Suite executives has declined as threat actors focus on a new target.
Researchers discovered that cyber-criminals had a new springtime victim in their sights, as BEC attacks on finance employees—who hold the key to routine payments—shot up by more than 87%.
The Abnormal Security Quarterly BEC Report for Q1 2020 notes a shift away from individual attacks to group BEC attacks. Campaigns with more than 10 recipients increased by 27% quarter over quarter.
Researchers found that criminals had switched their focus away from paycheck and engagement fraud and toward payment fraud. Invoice fraud attacks were found to have increased more than 75%.
A section of the report was devoted to trends around email account compromise and security attack patterns observed during the COVID-19 pandemic.
Evan Reiser, CEO and co-founder of Abnormal Security, described the attacks related to the outbreak of the novel coronavirus as "among the most sinister in intent that we have ever seen."
Researchers found that COVID-related attacks more than quadrupled between the second and third weeks of March 2020. Cyber-assaults increased 436%, with an average 173% week-over-week increase during the quarter.
COVID-19 lures exploited by criminals included vaccines, personal protective equipment (PPE), stimulus checks, PPP payments, layoff concerns, and the popularity of video conferencing tools.
The majority of the coronavirus attacks Abnormal caught were scams that leveraged trusted entities, using compromised and spoofed accounts in order to scam users and companies out of money, steal their credentials, or install malware on their device.
“The email security trends we witnessed during Q1 are most certainly related to the COVID-19 pandemic and the shift to work from home, but they also reflect greater sophistication and attack strategy by threat actors,” said Reiser.
“By increasing campaign target size, attackers increase the opportunity for social validity and by targeting finance employees who manage third-party payments, they’ve found a new vector for payouts.”
Cyber-criminals stepped up their efforts to victimize gamers while millions of people stayed at home this spring to slow the spread of COVID-19.
In the same month, the number of blocked attempts to force gamers onto phishing pages for one of the most popular gaming platforms also increased by a whopping 40% compared to February 2020.
Kaspersky researchers took a special interest in threats to gamers after lockdown measures saw millions turn to video games as a source of entertainment. Beginning in March, online gaming platform SteamDB saw a record number of users, with 20.3 million people in-game simultaneously over one weekend.
According to data from Kaspersky Security Network, cyber-criminals have exploited the increased interest in video games to launch various attacks.
Minecraft, one of the most popular games ever made, was the title most often used by threat actors. Its name featured in more than 130,000 web attacks. The other games used most frequently to launch attacks were Counter-Strike: Global Offensive and The Witcher 3.
Maria Namestnikova, security expert at Kaspersky, said threat actors used the promise of cheats to lure gamers into clicking malicious links.
“The past few months have shown that users are highly susceptible to falling for phishing attacks or clicking on malicious links when it comes to games—whether they’re looking to find pirated versions or eager for a cheat that will help them win,” said Namestnikova.
Yury Namestnikov, also a security expert at Kaspersky, said that gamers working from home who play and toil on the same device should be particularly wary of cyber-threats.
“Now that many players started using the same machines that they use to enter corporate networks for games, their cautiousness should be doubled: risky actions make not only personal data or money vulnerable but also corporate resources,” said Namestnikov.
Kaspersky researchers urged gamers to protect themselves by using strong passwords and two-factor authentication where possible and to be wary of any cheats and pirated copies of video games.
The founder and CEO of two Illinois software companies has been charged with fraudulently claiming over $400,000 from the Paycheck Protection Program (PPP).
Evanston resident Rahul Shah allegedly lied on an application for a forgivable bank loan guaranteed by the Small Business Administration (SBA) under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
The 51-year-old was charged in a federal criminal complaint filed in the Northern District of Illinois with bank fraud and making false statements to a financial institution.
Shah is the founder and CEO of tech companies Boardshare LLC and Katalyst Technologies, Inc. Both companies are based on Davis Street in downtown Evanston.
Katalyst, which was founded in 2000, also has offices in Atlanta, London, and in several cities in India.
Shah applied for a PPP loan from Bank of Texas on April 15 for Katalyst. On April 30, he applied for a second loan on behalf of N2N Holdings LLC, which operates under the name Boardshare.
According to the Department of Justice (DOJ), Shah "significantly overstated the payroll expenses of a company that he controlled" and submitted falsified IRS documents to the lender.
On an IRS 1099-MISC form, Shah claimed that one of his companies had made payments to several individuals. These claims turned out to be false upon investigation.
In addition, Shah misrepresented his company's payroll expenses for 2019 in documents that he signed and caused to be submitted to the lender.
"A comparison between the documents submitted to the lender and the company’s IRS filings revealed that Shah’s company reported significantly lower payroll expenses to the IRS," said a spokesperson for the DOJ.
An affidavit from James Sams, an agent with the Treasury Inspector General for Tax Administration, said Shah paid Boardshare's employees less than $10k over a period in which he claimed to have spent $426k on payroll.
Sams alleges that, in an interview with FBI and Treasury agents on May 29, Shah acknowledged that there were "errors" in his application and blamed them on employees in India.
If convicted of both counts, Shah could face a sentence ranging from probation to up to 60 years in federal prison.