A notorious Russian cyber-criminal made over $1.5m in just the past three years selling access to corporate networks around the world, according to a new report from Group-IB.
The study profiles the work of “Fxmsp” on underground forums where he published his first ad selling access to business networks in 2017.
Over the following years he would compromise banks, hotels, utilities, retailers, tech companies and organizations in many more verticals.
In just three years he claimed to have compromised over 130 targets in 44 countries, including four Fortune 500 firms. Some 9% of his victims were governments.
Group-IB calculated the $1.5m figure purely from publicized sales; since around 20% of the accesses Fxmsp compromised were sold privately, the hacker’s haul is likely to be even bigger.
Fxmsp even hired a sales manager in early 2018.
He leapt to infamy in 2019 after a widely publicized compromise of the networks of three anti-virus vendors, before apparently going quiet.
According to the report, Fxmsp’s tactics were disconcertingly simple. The hacker would scan IP addresses for open RDP ports, especially 3389, brute force the RDP password, disable any AV and firewall and then create additional accounts.
Next, he would install the Meterpreter backdoor on exposed servers, harvest and decrypt dumps from all accounts and then install backdoors on the backups. This meant if a victim spotted something suspicious and rolled back to backups, Fxmsp could achieve persistence.
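The intrusion chain described above (RDP brute force, a successful logon from the same source, then a new account) is also a detection pattern. The following correlation rule is an added example, not code from the Group-IB report; it runs over constructed Windows Security events and assumes the real Windows event IDs 4625 (failed logon), 4624 (successful logon) and 4720 (account created), with logon type 10 meaning RDP.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events():
    """Constructed sample log: (timestamp, event_id, logon_type, source_ip, account).
    Event IDs are real Windows Security IDs; the hosts and times are invented."""
    base = datetime(2020, 6, 15, 2, 0, 0)
    ev = []
    # 25 RDP failures against 'administrator' from one external address, 3 s apart
    for i in range(25):
        ev.append((base + timedelta(seconds=3 * i), 4625, 10, "198.51.100.7", "administrator"))
    # a legitimate user mistyping twice from the LAN, then logging in: below threshold
    ev.append((base + timedelta(minutes=1), 4625, 10, "10.0.0.12", "jdoe"))
    ev.append((base + timedelta(minutes=1, seconds=20), 4625, 10, "10.0.0.12", "jdoe"))
    ev.append((base + timedelta(minutes=1, seconds=40), 4624, 10, "10.0.0.12", "jdoe"))
    # the brute force succeeds, and a new local account appears shortly afterwards
    ev.append((base + timedelta(minutes=2), 4624, 10, "198.51.100.7", "administrator"))
    ev.append((base + timedelta(minutes=4), 4720, None, "", "svc_backup2"))
    return ev


def find_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold RDP logon failures inside `window`,
    then check whether the same IP later logged on successfully and whether an
    account was created within `window` of that success (4720 carries no source
    address, so that last step is correlated by time only)."""
    events = sorted(events, key=lambda e: e[0])
    failures = defaultdict(list)
    for ts, eid, ltype, ip, _ in events:
        if eid == 4625 and ltype == 10:
            failures[ip].append(ts)

    alerts = {}
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"first_failure": times[start], "detected_at": times[end],
                              "success": None, "account_created": None}
                break

    for ip, alert in alerts.items():
        for ts, eid, ltype, sip, acct in events:
            if (alert["success"] is None and eid == 4624 and ltype == 10
                    and sip == ip and ts >= alert["detected_at"]):
                alert["success"] = ts
            elif (alert["success"] is not None and eid == 4720
                  and alert["success"] <= ts <= alert["success"] + window):
                alert["account_created"] = acct
                break
    return alerts


if __name__ == "__main__":
    for ip, alert in find_rdp_bruteforce(constructed_events()).items():
        print(ip, alert)
```

In a real deployment the thresholds would be tuned per environment and the 4720 correlation would use the subject account from the 4624 event; the example keeps the three-stage logic visible.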
“Fxmsp is one of the most prolific sellers of access to corporate networks in the history of the Russian-speaking cyber-criminal underground. He set a trend and his success inspired many others to follow suit: the number of sellers of access to corporate networks increased by 92% in H2 2019 vs H1 2017, when Fxmsp entered the market,” said Dmitry Volkov, CTO of Group-IB.
“Prior to Fxmsp joining the underground, the sellers would offer RDP access to separate servers, without even bothering to ensure persistence or performing reconnaissance in the network. Fxmsp took this service into a whole new level.”
In a recent report on the cybercrime underground, Trend Micro warned that access-as-a-service is becoming an increasingly popular offering on dark web sites. Prices for Fortune 500 companies can reach up to US$10,000, it claimed.
Over two-thirds of malware detected in the first three months of the year was hidden in HTTPS encrypted tunnels in a bid to evade traditional AV, according to WatchGuard.
The security vendor’s latest Internet Security Report for Q1 2020 is distilled from analytics provided by its 44,000 global appliances.
During the period they blocked over 32 million malware variants and nearly 1.7 million network attacks.
Some 67% of that malware was delivered via HTTPS connections and 72% of these encrypted attacks apparently featured zero-day malware which would have been missed by legacy signature-based AV.
The growing popularity of HTTPS is due in part to initiatives like Let’s Encrypt, backed by the non-profit Internet Security Research Group (ISRG). However, while it has improved website security and user privacy, it also offers cyber-criminals a free and easy way to disguise their activity.
“Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go un-inspected is simply no longer an option,” said Corey Nachreiner, chief technology officer at WatchGuard.
“As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”
Interestingly, the vendor claimed that it detected 6.9% less malware and 11.6% fewer network attacks than in the previous quarter despite the apparent uptick in COVID-themed threats.
It suggested that this could be because fewer users were operating within the traditional corporate network perimeter during Q1 thanks to work-from-home mandates.
However, data from Microsoft last week revealed that COVID-19 attacks represented less than 2% of total threats detected in the first four months of the year. Thus, rather than drive a new surge in overall attack volumes, these threats were merely rebranded and switched from existing campaigns.
Twitter has contacted its business clients to warn them of a potential breach of their data.
It said that email addresses, phone numbers and the last four digits of card numbers may have been accessed by others, thanks to a technology snafu which exposed the information.
It meant that billing information viewed on ads.twitter.com or analytics.twitter.com may have been exposed in the browser’s cache.
The social network first became aware of the incident on May 20 and said it took immediate action to remediate and notify any affected customers.
The snafu is not thought to have affected consumer users of the service, according to the BBC.
This isn’t the first time something like this has happened on the social platform.
Around a month before this incident, Twitter warned users that non-public information may have been stored in their Firefox browser’s cache.
“This means that if you accessed Twitter from a shared or public computer via Mozilla Firefox and took actions like downloading your Twitter data archive or sending or receiving media via Direct Message, this information may have been stored in the browser’s cache even after you logged out of Twitter,” it said at the time.
Although it’s unclear how many businesses were affected by the May breach, experts generally agreed that incidents of this kind are likely to have a limited impact on customers’ data security and privacy.
“The vector here requires physical access to the device, so it may not be as exploitable as an alert like this might indicate,” explained Edgescan product architect, David Kennefick.
“What Twitter has done is update its headers to include no-store and no-cache, which disables storing data from a website locally.”
Tripwire senior security researcher, Craig Young, added that the incident could still provide a “teachable moment” regarding shared computers.
“Whether you regularly rely on libraries or internet cafes for access or just need to print the occasional boarding pass from a hotel lobby, there can be a risk of exposing personal data,” he argued.
“Ideally, the best solution is to simply avoid using shared computers when entering or accessing personal data but this is not always an option. The next best solution is to bring your own web browser and take it with you when you go.”
An Australian swimming star has been targeted by a vicious blackmail attempt undertaken via social media.
Malicious messages were sent to Commonwealth Games gold medalist Shayna Jack over the weekend by an unidentified cyber-criminal via Facebook. The miscreant threatened to post pictures of Jack unless they received a ransom payment.
In a creepy message designed to scare the swimmer, the threat actor told Jack: "I can see what you're doing at all times."
At first, Jack ignored the threat, but the 21-year-old contacted Queensland police after receiving more messages along with a sinister warning that something "disturbing" would be posted on her Facebook page if she didn't respond.
"If you don't pay – you will regret this," wrote the anonymous attacker.
Jack received further threats demanding that she pay up at around 9.40pm on Monday night. On Tuesday morning, the sportswoman awoke to find a malicious message posted on her Facebook account by her cyber-attacker.
Whoever authored the post had timed the execution of their threat to do the most damage to Jack's professional swimming career. The water star is currently appealing against a 4-year ban she received after testing positive for the performance-enhancing drug Ligandrol.
Jack was tested for the drug ahead of the 2019 World Swimming Championships held in South Korea.
Hoping to exploit Jack's predicament, the attacker posted a message purporting to be from her which read: "I regret that I used doping at the 2017 Olympics."
Fortunately, since no Olympic Games were held in 2017, the cyber-criminals made it easy for Facebook users to spot their lie.
Jack's lawyer Tim Fuller said the extortion attempt had left the swimmer feeling "shaken."
Fuller branded the actions of the threat actor as "disgusting" and added that it could have had a major impact on the result of the swimmer's appeal.
A date was set for Jack's appeal hearing earlier this month by the Court of Arbitration for Sport. Throughout her ordeal, the swimmer has protested her innocence and maintained that she has never knowingly ingested Ligandrol.
The drug is a banned muscle-builder that was designed to treat muscle wasting diseases and osteoporosis.
An American police procedural comedy television show has topped the list of most dangerous TV titles for US citizens to watch online.
McAfee analyzed more than 100 of the most popular TV and movie titles available on US streaming sites as defined by “best of” articles that appeared in a range of US publications. Researchers then hunted down and recorded all the high-risk websites associated with each entertainment title.
Shows and movies were then awarded a danger ranking based on the total number of malicious websites with which they were found to be associated. Focus was placed on sites that enabled viewers to access content for free.
Topping the chart of most dangerous movies to escape into during lockdown was the dramatic 2011 Mixed Martial Arts picture Warrior starring Joel Edgerton and Tom Hardy. Law enforcement laughter romp Brooklyn Nine-Nine led the list of riskiest TV shows to watch via the web.
“With consumers increasingly going online to stay entertained during lockdowns it has created the perfect storm for web crime,” said Baker Nanduru, vice-president of consumer endpoint segment at McAfee.
Nanduru said threat actors kept a keen eye on which shows were winning the hearts of the public so that they could target their malware for maximum gain.
“History has proven that cyber-criminals follow consumer trends and behaviors to educate their scam strategies," added Nanduru.
"It’s important that consumers stay alert while online and avoid malicious websites that may install malware or steal personal information and passwords.”
Cyber-criminals were found to have no qualms about exploiting society's most vulnerable members for their own gain. Children’s movies accounted for four of the top 10 movies McAfee identified as at high risk of being targeted by cyber-criminal activity.
Kid's flicks to be wary of were The Incredibles, Aladdin, The Lion King, and Frozen 2. Movies for a more mature audience that attackers tend to target included Zombieland and Swingers.
Researchers advised viewers to avoid illegal streaming sites that are often "riddled with malware disguised as pirated video files."
Digital transformation in the cybersecurity industry will be a major driver of mergers and acquisitions (M&A) over the remainder of 2020, according to ICON Corporate Finance. This follows a survey by the technology-focused investment bank of some of the most active M&A buyers in the UK, which showed that there remains substantial interest in tech sector acquisitions despite the economic fallout of COVID-19.
ICON found that the key areas for expansion are expected to be in cybersecurity, fintech, cloud, managed services, healthtech, AI and enterprise software. This is because digital transformation has become the most pressing priority for organizations in the aftermath of COVID-19.
In regard to cybersecurity, ICON noted that companies are increasingly turning to technology to protect against potential business disruption caused by cyber-attacks, ensuring employees and systems are secure, particularly in the context of the huge rise in remote working. According to Pitchbook Data’s Emerging FinTech research, this is particularly the case for financial institutions, where new areas of risk and regulation have been introduced to address increasing cyber-threats and data security concerns.
ICON added that it believes organizations in the US tech market will continue to be especially active in seeking out M&A opportunities in deep tech and disruptive young companies.
With this in mind, the investment bank, which has previously facilitated IQVIA’s acquisition of UK-based Optimum Contact, and JP Morgan’s funding of UK-based Mosaic Smart Data, is opening an office in San Francisco. This is to provide clients in Europe, Africa and Asia with direct access to the “epicenter of the world’s tech community.”
CEO and founder of ICON, Alan Bristow, commented: “As the world discovers the new normal, it is the tech sector that will drive societal changes and enable new ways of working. The US West Coast’s innovative approach and its dominance in deals origination is the core driver for our new presence in San Francisco. We are excited to be bringing US markets to Europe’s doorstep, and vice versa.”
A city in Oregon has paid a ransom of $48,000 to regain control over its computer network following a cyber-attack.
The city of Keizer's computer system was successfully targeted by threat actors using ransomware in the early hours of June 10. The attack left officials unable to access either files or their email accounts for a full seven days.
In a hand-delivered statement viewed by Oregon Live shortly after the attack was carried out, city officials said: “We are taking this seriously, and are working to resolve the situation as quickly as possible."
Unable to recover the encrypted files themselves, despite engaging the help of the "appropriate authorities," officials eventually acquiesced to the ransom demand issued by the attacker(s).
Subsequently, by around 11:45am on June 17, employees of the Marion County city were able to once again access their email accounts and files.
The ransomware attack was first detected on the morning of June 10 when city employees tried and failed to access the data and programs they rely on to carry out their duties.
A city spokesperson said: “We were presented with a request for a ransom payment needed to obtain the needed decryption keys."
While the city was unable to fend off this particular cyber-attack, officials are hopeful that lessons have been learned from it that will prove useful in the event of further digital strikes.
“We believe that the forensic investigation could provide critical information to defend against attacks in the future,” said a city spokesperson.
The city said that no sensitive data appears to have been accessed or misused as a result of the ransomware attack.
Keizer isn't the only place in Oregon to be targeted by ransomware this year, nor is the city alone in its decision to pay up to retrieve encrypted files and data. In January of this year, a ransom of $300,000 was paid by Tillamook County to recover information held hostage by cyber-criminals following a ransomware attack.
The county's commissioners voted unanimously to negotiate with the attackers for an encryption key after attempts to safely recover data impacted by the attack failed.
Speaking at the Westminster eForum policy conference on identifying and tackling the key issues in the online space and assessing the industry’s response so far, Professor Victoria Nash, deputy director, associate professor and senior policy fellow at the Oxford Internet Institute, said she admired but “was anxious about the breadth” of the Online Harms whitepaper, and the lack of distinction between legal and illegal online harms.
She said she had been very pleased to see a “clear distinction between the attention that will be given to the illegal harms and an approach in the context of legal but harmful which focuses more on procedure and governance and encouraging responsible behaviors by companies rather than focusing on specific pieces of content and having them removed.”
In particular, she argued there was room to establish the role of the regulator in being able to consider how to credit those technology companies who are proactive, as well as take action against problematic issues.
Highlighting recent events, Nash said that some of these represent the issues for regulators and technology companies going forward. She flagged the issue of hate speech, as reports continue around Facebook removing adverts, which she called “a failure to deal with the rise in hateful content,” and she said that the Oxford Internet Institute’s own research has seen a rise in hate speech since the COVID-19 pandemic began.
“At a time when we are asking companies to do more and to step up and reduce this content online, the nature of that content continues to advance and change, which poses challenges,” she said. “The other thing we need to bear in mind about that is that there is a tension between a need to remove content rapidly, but perhaps we give companies less credit for doing so accurately.”
Discussing the challenges posed by disinformation, Nash said the importance of this has been “magnified over the past few months.” She said that, as an academic, she has monitored the spread of this issue, but “the spread of junk news may reach more individuals” than a genuine news story.
“While tackling it is a challenge and we understand its spread, we don’t understand its effects,” she stated. “So if companies are taking a proportionate and risk-based approach to removing content on their platforms, what does that look like in regard to disinformation? Does it mean removing it, does it mean de-ranking it, does it mean flagging it?”
She said there are no clear answers to those questions yet, but the whitepaper, regulator and technology companies need to deal with these issues.
“Whilst we’re closer to having a policy framework that is appropriate and likely to be effective in reducing our exposure to online harms, the nature of the challenge is not becoming any less complex,” she said. In particular, support for the technology companies will be necessary.
In a question posed by Infosecurity about the need for human moderators to work alongside AI and machine learning to flag harmful content, Susie Hargreaves, chief executive of the Internet Watch Foundation, said it was important to have human moderation, even while technology improves, but there is no “magic bullet” yet. “We are at a stage where the technology is developing, but we cannot get away from the need for human moderation,” she said.
Ben Bradley, head of digital regulation at techUK, said there are technical solutions on disinformation where you can see, detect and disrupt actions, but the larger challenge is how misinformation develops over time. “While you can build the tools, it does emphasize the need for greater thinking around this,” he said.
The Age Verification law is set to be revived for the UK Government’s online harms bill.
Speaking at the Westminster eForum policy conference around next steps for online regulation in the UK, Sarah Connolly, director, security and online harms at DCMS, said that age verification “has a fairly troubled history” and it is the intention of DCMS “to roll it into the wider online harms agenda, so that will be the vehicle that will make changes.”
The Age Verification proposals were previously met with conflict over practicalities, both in ensuring that it was operated efficiently, and over the data protection of those approved. Under the proposal, pornography websites would be required to verify that users are aged 18 or older. Suggested ways of doing this included running verification checks on credit cards, or by making verification passes available to purchase from newsagents on the presentation of photo ID.
However, the plan was abandoned in October 2019 due to implementation difficulties.
Speaking on the plans for the Online Harms bill, Connolly said “we all know that the internet is used to abuse, to bully, to promote terrorism, to abuse children and to undermine democracy.” As a result, in the four years she has been working on this issue, there has “been a real momentum to get something done in this space,” but the challenge is to do the right thing in an “incredibly complex area.”
Part of the plan is to enshrine a government duty of care among websites and networks where users are able to share user generated content, and this duty will be enforced by an independent regulator whom government is yet to name.
“This is not something we can do alone, and we’re pretty clear that lots of stakeholders will have a role in helping us tackle this public policy concern,” she said.
Connolly said work continues on the policy, and that DCMS intends to publish a full government response before the end of the year. “I don’t think for a moment that government has a monopoly of good ideas on this, that is why my team and I are keen to talk and listen to you all, including to people who disagree with our approach as we have changed positions previously in response to those conversations, as it is an immensely complex and difficult issue and it is really important that we get it right,” she said.
US government websites are taking another major step forward to becoming more secure after it was announced that all .gov domains would be changed to enforce HSTS preloading.
The DotGov program made the announcement on Sunday, stating that all new .gov domains will be automatically preloaded from September 1, 2020. The transitioning of historical ones will take longer.
The HSTS standard ensures a user’s browser always enforces an HTTPS connection to a website, including preventing users from clicking through if the domain has a certificate error.
“For a user to take advantage of HSTS, however, their browser has to see the HSTS header on a site at least once. This means that users are not protected until after their first successful secure connection to a given domain, which may not occur in certain cases,” wrote DotGov.
“To solve this problem, a domain can be submitted to the HSTS preload list, a list of domains embedded into browsers that get HSTS enabled automatically, even for the first visit. Domains that preload protect their entire ‘namespace,’ including all current or potential subdomains.”
Although new .gov domains will be preloaded automatically from September, existing ones will take much longer to transition. If preloading was switched on today, those that don’t currently offer HTTPS would become inaccessible to users, DotGov warned.
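Two checks a domain owner would want before submitting to the preload list, as an added example (not DotGov’s or CISA’s tooling): whether the site’s Strict-Transport-Security header meets the list’s header requirements, and which hosts in the domain’s namespace would break because preloading covers every subdomain. The header values and the host inventory are constructed; the one-year minimum max-age, includeSubDomains and preload requirements are those published by the preload list, while the certificate and HTTP-to-HTTPS redirect requirements need a live request and are out of scope here.

```python
ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header_value):
    """Return the reasons the header is not preload-ready; an empty list means
    the header itself passes. `header_value` is the Strict-Transport-Security
    value from the HTTPS response, or None if the header was absent."""
    if header_value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(header_value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["max-age directive missing or not an integer"]
    problems = []
    if max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the required {ONE_YEAR} (1 year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def namespace_breakage(hosts):
    """Given {hostname: serves_https} for a domain and its subdomains, return
    the hosts that would become unreachable once the domain is preloaded,
    since browsers would then refuse plain HTTP to any of them."""
    return sorted(host for host, https in hosts.items() if not https)


# Constructed sample inputs (not real .gov hosts or headers)
GOOD_HEADER = "max-age=63072000; includeSubDomains; preload"
WEAK_HEADER = "max-age=300"
INVENTORY = {"example.gov": True, "www.example.gov": True, "legacy.example.gov": False}

if __name__ == "__main__":
    print("good header:", preload_problems(GOOD_HEADER) or "preload-ready")
    print("weak header:", preload_problems(WEAK_HEADER))
    print("would break:", namespace_breakage(INVENTORY))
```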
The organization is collaborating with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to ensure .gov domain owners are ready for the move, but said it would take some time.
“Actually preloading is a simple step, but getting there will require concerted effort among the federal, state, local and tribal government organizations that use a common resource, but don’t often work together in this area,” it explained.
“With concerted effort, we could preload .gov within a few years.”
All US government agencies were supposed to have made their websites accessible through HTTPS-only via HSTS by the end of 2016.
Over two-fifths of businesses are considering replacing email as their primary communications channel as the country begins to open up again after lockdown, according to a new report.
Think tank Parliament Street commissioned the poll of 200 senior decision makers in medium and large UK firms to better understand how COVID-19 will change the world of work going forward.
Some 43% claimed they were “actively considering replacing email” as the main form of online communication for employees, with cloud- and app-based alternatives.
Real-time chat capabilities in cloud-based platforms can offer more efficient ways for staff to collaborate from within documents they are all working on, argued Zoho’s European managing director, Sridhar Iyengar.
“With remote working more widespread than ever, it is inevitable that these new communication methods, which instigate faster decisions, more streamlined processes and instant approvals, are superseding email in many cases as preferred tools for employee communication,” he continued.
“Not all communication is needed to be in real-time, but these other channels can do a better job of replicating the speed of in-person office work when more timely responses are required.”
Email is also more exposed to cyber-threats than end-to-end encrypted online alternatives. Half (51%) of global firms suffered a ransomware attack, 58% saw an increase in phishing and 60% experienced an uptick in impersonation attacks via email over the past year, according to Mimecast.
Although the government has lifted lockdowns imposed on non-essential retailers and is set to allow hospitality businesses to open up from July, organizations that can are still urged to support remote working for as many staff as possible.
Half of those firms surveyed by Parliament Street said they will continue to mandate working from home for all employees, even once the country returns to ‘normal.’
Some 61% said they’re looking to refresh their digital strategy to make flexible working easier and 64% are training staff remotely to improve their skills in this area.
Those findings chimed with what Sonny Sehgal, CEO of managed services firm Transputec, is seeing.
“By embracing IT as an enabler of workplace change, forward-thinking businesses will be able to move forward swiftly, empowering a new generation of staff through flexible and productive working practices,” he said.
A major supply chain breach appears to have led to the exposure of hundreds of thousands of sensitive US police records dating back over two decades.
WikiLeaks-like organization Distributed Denial of Secrets released the trove on Friday, claiming it contained 10 years of data from over 200 police departments, fusion centers and other training and support resources. Fusion centers are designed to promote info-sharing between state and local police departments.
“BlueLeaks provides unique insights into law enforcement and a wide array of government activities, including thousands of documents mentioning #COVID19,” the group tweeted.
The 269GB trove contains “police and FBI reports, bulletins, guides and more,” it said.
A National Fusion Center Association (NFCA) alert seen by journalist and researcher, Brian Krebs, apparently confirmed the breach but claimed the leaked data actually dates back 24 years, to August 1996.
It is said to contain names, email addresses, phone numbers, ACH routing numbers, international bank account numbers (IBANs), as well as personally identifiable information (PII) and images on suspects.
“Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise,” the NFCA reportedly wrote.
“Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”
There are fears that the data could endanger lives, if used by organized crime groups to unmask undercover police officers and witnesses, whilst potentially causing reputational harm to suspects who were subsequently released.
“It's no surprise that law enforcement was the target of this data breach. With the current civil and political climate, a wide range of threat actors, from activists to nation states, would be interested in revealing this sort of confidential information,” argued Gurucul CEO, Saryu Nayyar.
“Now is a good time to review and update security postures, policies and tools, especially where they involve third party vendors and SaaS applications that may not give an organization direct control of their sensitive data.”
A member of a Florida school board has denied responsibility for a social media post that implied her professional achievements had not been acquired via white privilege.
Broward School Board member Ann Murray claims that a controversial meme that appeared on her personal Facebook page on Sunday, June 21, was posted by a hacker who had compromised her account.
The meme, which was criticized as racist by some other Facebook users, was shared on 77-year-old Murray's page at around 5:30pm after being posted by another user, Keith Medford, on June 8.
The content of the meme appears to imply that there is no inherent career advantage to being white.
It read: “When I was born, they must have ran out of white privilege because I had to work my ass off to get where I am.”
Murray was distraught by the appearance of the post on her page and swore on her husband's grave to the Sun Sentinel that she was not responsible for sharing it.
“Goodness gracious. Why would I put something out there like that?” said Murray.
“I only post funny things, mostly about animals."
The school board member said that she was now considering closing her Facebook account down following repeated hacks of her page.
“That’s the second time in two months my Facebook page has been hacked," said Murray. "I may be shutting the whole thing down."
The controversial meme denying the existence of racial bias in the workplace was removed from Murray's page by 9pm on the day on which it was posted, but not before other Facebook users had torn into the school board member for apparently sharing it.
Commenters described what they believed to be Murray's actions as “racist,” “tone-deaf,” “disgusting,” and “reprehensible.” The supposed sharing of such a grammatically incorrect message by a school board member attracted no criticism.
Following the post's removal, Murray posted a message stating that Facebook customer service had notified her “about UNUSUAL account activity, with someone signing in from UNRECOGNIZED DEVICES.”
She added: “I apologize for anything that posted, that was disrespectful.”
Previous posts on Murray's Facebook page include messages supporting America's black community such as AFL-CIO endorsements of prominent black political candidates and a quote from Martin Luther King Jr.
Henry Kyle Frese worked for the DIA from February 2018 to October 2019 as a counterterrorism analyst and held a Top Secret / Sensitive Compartmented Information security clearance.
The 31-year-old resident of Alexandria, Virginia, was found guilty of passing secrets relating to the weapons capabilities of some foreign countries to two journalists on multiple occasions in 2018 and 2019.
According to court documents, Frese and a female reporter referred to as Journalist 1 were romantically involved and lived together at the same residential address from January 2018 to November 2018.
United States government agencies have confirmed that in the spring and summer of 2018, a news outlet published eight articles, all authored by the same journalist (Journalist 1), that contained classified information regarding the capabilities of certain foreign countries’ weapons systems.
These articles contained classified intelligence from five intelligence reports (the compromised intelligence reports) made available to appropriately cleared recipients in the first half of 2018.
Frese, who followed Journalist 1 on Twitter, re-tweeted her posts announcing the publication of articles containing the classified information that he had searched for on a classified US government computer system and supplied to her.
“Frese repeatedly passed classified information to a reporter, sometimes in response to her requests, all for personal gain,” said Assistant Attorney General for National Security John Demers.
Journalist 2 began texting and speaking to Frese after the pair were introduced by Journalist 1 in or about April 2018. Following the introduction, Frese stated in a Twitter direct message sent to Journalist 1 that he was “down” to help Journalist 2 if it would help the career of Journalist 1 “progress.”
Between mid-2018 and late September 2019, Frese orally transmitted information classified at the Top Secret level to Journalist 1 on 12 separate occasions and transmitted information classified at the Secret level to Journalist 1 on at least four occasions.
Zachary Terwilliger, US attorney for the Eastern District of Virginia, said Frese’s actions “had real consequences and caused actual harm to the safety of this country and its citizens.”
Frese was sentenced on June 17 to 30 months behind bars.
An alleged breach of COVID-19 test result data is being investigated by authorities in Indonesia.
Concerns over a possible breach were raised after a hacker tried to sell what they claimed was the personal information of hundreds of thousands of people who had been tested for the novel coronavirus in Indonesia on an online forum.
Posting on the database sharing and marketplace forum RaidForums on June 18, the alleged hacker claimed to have exfiltrated the test results and personal details of 230,000 people.
The possible cyber-criminal posted a for-sale notice under the username "Database Shopping." A sample of the allegedly leaked data was displayed along with an offer to sell the entire set for US$300.
Information the alleged hacker claimed to have accessed included names, addresses, phone numbers, ages, and nationalities. Also included were the private medical records of people who had been tested for COVID-19 at a number of different hospitals in the well-known tourist hotspot of Bali.
"I sell it to the enthusiast," wrote the hacker in their post, before claiming to have similar data available for purchase, swiped from other parts of Indonesia. Areas that Database Shopping claimed to have targeted included Jakarta and the West Java provincial capital of Bandung.
The Indonesian government has denied that a breach of any COVID-19 test data has taken place. However, an investigation into the alleged hack has been launched by the Communication and Information Technology Ministry and the national police's criminal investigation department.
Communication and information technology minister Johnny Plate said the matter was being examined by the National Cyber and Encryption Agency.
Plate told The Straits Times on June 21: "The Covid-19 database and the results of the examinations at the ministry's data center are safe."
The minister added that data centers and other ministries and government institutions will be assessed by the ministry to ensure that all data remained secure.
The government's denial of a data breach was seconded on June 21 by the National Cyber and Encryption Agency, according to local Indonesian media.
Last month, a different hacker advertised for sale on RaidForums the personal data of 15 million Indonesian users of Tokopedia for $5,000.
Security researchers are warning players of a popular MMO game that over 1.3 million user records are being sold on dark web forums.
Usernames, passwords, email addresses, phone numbers and IP addresses belonging to players of Stalker Online were found by researchers from CyberNews.
The firm explained that the passwords were stored only as MD5 hashes, one of the weakest hashing algorithms still in use for that purpose.
Two databases were found on underground sites as part of a dark web monitoring project undertaken by the research outfit, one containing around 1.2 million records and another of 136,000 records.
It appears as if a hacker compromised a Stalker Online web server before stealing the user data and posting a link on its official website as proof.
After confirming the data for sale was genuine, the researchers tried and failed to get in touch with Australian developer BigWorld Technology and its parent company, Cyprus-based Wargaming.net.
Both databases were hosted on legitimate e-commerce site Shoppy.gg, which removed the content when advised by the white hats within a day.
“However, the fact that the storefront was operational for almost a month may suggest that copies of the database containing 1.2 million user records may have been sold on the black market to multiple buyers,” they explained.
“In addition, the removal of the databases from the e-commerce platform does not preclude the hacker from putting them up for sale someplace else. This means that all Stalker Online players should consider their records to still be compromised.”
Although the stolen information didn’t contain any financial data, there’s plenty that cyber-criminals could do with the haul, including credential stuffing, follow-on phishing attacks, email and phone spam, cracking open the email passwords and even holding the gaming accounts themselves ransom.
“Since Stalker Online is a free-to-play game that incorporates micro-transactions, malicious actors could also make a lot of money from selling hacked player accounts on the grey market,” the researchers said.
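To show concretely why MD5-only password storage leaves records like these exposed to cracking and credential stuffing, here is an added example (it is not code from CyberNews, BigWorld Technology or the game). All usernames, passwords and hash values in it are constructed sample data. The first half measures how many rows of a leaked MD5 table match a short list of common passwords, which is the audit a defender runs to size the exposure; the second half stores the same passwords with a per-user random salt and PBKDF2-HMAC-SHA256 from the standard library, so identical passwords no longer share a hash and precomputed tables stop working.

```python
"""Unsalted MD5 password storage versus a salted, slow KDF.

Added example, not code from the article or the projects it names.
Every record and password below is constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample of a leaked table holding MD5-only password hashes.
# alice and bob chose the same password, so their hashes are identical and
# one lookup resolves both accounts at once.
WEAK_RECORDS: Dict[str, str] = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob": hashlib.md5(b"password123").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed list standing in for the common-password lists attackers use.
COMMON_PASSWORDS: List[bytes] = [b"123456", b"password", b"password123", b"qwerty"]


def md5_lookup_table(candidates: List[bytes]) -> Dict[str, bytes]:
    """Precomputed hash -> plaintext map. Unsalted MD5 makes this reusable
    across every user and every leak; a per-user salt makes it useless."""
    return {hashlib.md5(p).hexdigest(): p for p in candidates}


def users_with_guessable_md5(records: Dict[str, str], candidates: List[bytes]) -> List[str]:
    """Usernames whose unsalted MD5 appears in the lookup table.
    Running this over an exported table tells a defender how many accounts
    must be force-reset immediately after a leak."""
    table = md5_lookup_table(candidates)
    return sorted(user for user, digest in records.items() if digest in table)


# Hardened storage: random 16-byte salt per user plus a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 is chosen because it ships with the standard library;
# scrypt or Argon2 are preferable where available.
ITERATIONS = 600_000


def hash_password(password: bytes, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: bytes) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def identical_passwords_share_hash(password: bytes) -> Tuple[bool, bool]:
    """For two users with the same password, report whether their stored
    hashes collide under (unsalted MD5, salted PBKDF2)."""
    md5_same = hashlib.md5(password).hexdigest() == hashlib.md5(password).hexdigest()
    kdf_same = hash_password(password) == hash_password(password)
    return md5_same, kdf_same


if __name__ == "__main__":
    print("accounts resolvable from the common list:",
          users_with_guessable_md5(WEAK_RECORDS, COMMON_PASSWORDS))
    print("same password collides under (md5, pbkdf2):",
          identical_passwords_share_hash(b"password123"))
```

The `users_with_guessable_md5` audit is the same computation that makes such a leak dangerous, which is exactly why a defender should run it first on a copy of the table and force resets for every account it returns; the PBKDF2 record format keeps the salt and iteration count alongside the derived key so the cost can be raised later without re-prompting users.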
Nearly £17m has been lost to online fraud over the COVID-19 lockdown period with younger shoppers most affected, according to Action Fraud.
The UK’s National Fraud and Cybercrime Reporting Center claimed that online scams had snared 16,352 victims with online shopping and auction fraud since bricks and mortar stores were ordered to close on March 23.
That amounts to around £16.6m in losses, with the largest group of victims (24%) aged 18 to 26 and residing in cities including London, Birmingham, Manchester, Leeds, Sheffield, Liverpool, Bristol and Nottingham.
In many cases, consumers purchased items such as mobile phones (19%), vehicles (22%), electronics (10%) including gaming kit and laptops, and footwear (4%) but they never arrived. Fraudulent sellers were most likely to be found on eBay (18%), Facebook (18%), Gumtree (10%) and Depop (6%).
Pauline Smith, head of Action Fraud, explained that the trend for younger consumers falling victim most frequently existed long before COVID-19.
“It’s important to shop on sites you know and trust. If you’re using a site you’ve not used before, do your research and check reviews before making a purchase,” she said.
“Always be wary of emails, texts and social media posts that offer products for considerably less than their normal price – this is a common tactic used by criminals. Where possible, use a credit card to make online purchases as this will offer you more protection if anything goes wrong.”
Ben Tuckwell, district manager at RSA Security UK & Ireland, argued that fraudsters thrive in times of disruption.
“The recent shift to e-commerce has been critical for both consumers and the economy, but fraudsters have been quick to take advantage too. In fact, in the first three months of 2020, RSA recovered details of over five million unique compromised cards globally,” he said.
“Banks, card issuers and retailers alike must also step up the war on fraudsters, both in times of crisis and in the future as shopping increasingly moves online. Pioneering businesses are already applying machine learning to better predict whether a payment is likely to be fraudulent.”
Security researchers are warning of a multi-country North Korean phishing campaign designed to capitalize on government COVID-19 bail-out measures.
The operation is being undertaken by Pyongyang’s notorious Lazarus Group, and is “designed to impersonate government agencies, departments, and trade associations who are tasked to oversee the disbursement of the fiscal aid,” according to Cyfirma.
The Goldman Sachs-backed cybersecurity startup said that the campaign was slated to launch over the weekend in the US, UK, India, Japan, Singapore and South Korea.
First spotting evidence of the operation at the start of the month, the researchers claim to have found seven email templates impersonating government departments and institutions like the Bank of England, Singapore’s Ministry of Manpower, Japan’s Ministry of Finance and the US Department of Agriculture.
The group will apparently use millions of email addresses and business contact details to target their victims via these spoofed domains. In many cases the phishing messages will claim to be offering a new government-backed business support payment.
“The hacking campaign involved using phishing emails under the guise of local authorities in charge of dispensing government-funded COVID-19 support initiatives. These phishing emails are designed to drive recipients to fake websites where they will be deceived into divulging personal and financial information,” Cyfirma explained.
“Given the potential victims are likely to be in need of financial assistance, this campaign carries a significant impact on political and social stability.”
Singapore’s CERT has already issued an alert urging businesses and individuals to be vigilant and avoid clicking on links or opening attachments in unsolicited emails.
Despite this new COVID-themed threat from North Korea, Microsoft claimed last week that malicious emails utilizing the pandemic comprised less than 2% of the total detected by the firm over the past four months.
A man from Michigan has been charged with hacking into a medical center's database and stealing the personal information of 65,000 employees.
Federal prosecutors unsealed a 43-count indictment yesterday accusing Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson of illegally accessing data held by the University of Pittsburgh Medical Center (UPMC).
Johnson allegedly hacked into the center's Oracle PeopleSoft database in January 2014 using the nicknames "TDS" and "DS." The indictment accuses the 29-year-old of exfiltrating personal identifying information and tax data belonging to thousands of center staff, then selling it on the dark web for an undisclosed sum.
Data said to have been stolen and sold by Johnson included employees' names, dates of birth, Social Security numbers, addresses, and salary information.
Prosecutors said that over the course of 2017, unidentified conspirators used the exfiltrated data to file hundreds of phony tax returns that claimed approximately $1.7m in false refunds. These returns were then laundered by being converted into Amazon gift cards that were used to purchase goods worth about $885,000 that were shipped to Venezuela and later sold in online marketplaces.
The indictment charges the alleged cyber-criminal with wire fraud, conspiracy, and aggravated identity theft. If he is convicted on all charges, Johnson could spend 20 years locked up in federal prison.
Johnson is being held without bond after being arrested by police in Detroit on Tuesday.
In a statement, the special agent in charge of the US Secret Service field office, Timothy Burke, said: “The health care sector has become an attractive target of cybercriminals looking to update personal information for use in fraud."
UPMC spokesperson Gloria Kreps said identity theft protection monitoring services were provided free to employees affected by the cyber-attack prosecutors have attributed to Johnson.
In an email written to Detroit News, Kreps stated: “At the time of the breach, we helped our employees through the challenge and purchased LifeLock for them for five years for all UPMC employees, 65,000 at that time."
In June 2015, a Pennsylvania judge dismissed a health data breach lawsuit brought against UPMC the year before. The suit was filed by former UPMC employees after a data breach compromised the information of approximately 27,000 members of staff at the center.
A PC gaming service is taking action to eradicate a growing number of racist bots from one of its leading shoot-em-up titles.
Valve said it has introduced new anti-spam measures to the game Team Fortress 2 in an attempt to "mitigate the use of new and free accounts for abusive purposes."
Earlier this month, Kotaku reported that offensive bots were "running rampant" in TF2, overwhelming chats "with everything from annoying troll-speak to full-on racism." According to the gaming site, the title has been beset by bots "of various types" since early 2020.
Frustrated players of the game took to TF2's subreddit, Steam forums, Discords, and other communities, asking for Valve to intervene. Players who tried to tackle the bot problem themselves faced the wrath of the bot user community.
One TF2 player, Pazer, created a tool to automatically detect and remove bots from matches in the game. Angry bot users responded by creating a workaround and making a bot specifically to damage Pazer's reputation in the gaming community.
While the existence of offensive bots in TF2 is nothing new, Gamesindustry.biz reported yesterday that the problem "took a turn for the worse recently as the bots began employing game-breaking hacks and spamming the chat with racist diatribe."
In hopes of tackling the problem, Valve released a new patch on June 16 that restricts certain new accounts from using chat in official matchmaking modes. In announcing the patch, the company said, "Work is ongoing to mitigate the use of new and free accounts for abusive purposes."
Valve has also updated its Report Player functions, empowering players with the ability to disable in-game voice and text chat.
The widespread popularity of Team Fortress 2 has declined since its release in 2007 as players turn to more modern titles. Because of this drop in the number of users, the team-based shooter is now maintained by a skeleton crew, leaving it vulnerable to attacks by threat actors.
In November 2019, veteran Valve employee Greg Coomer said: "There are very few people working on Team Fortress. I don't know the exact number, but it's hardly anyone anymore."