Feed aggregator

US Deports NeverQuest Cyber-Thief

Info Security - Fri, 06/19/2020 - 15:50
US Deports NeverQuest Cyber-Thief

The United States has deported a convicted cyber-criminal and malware creator back to his native Russia. 

Computer programmer Stanislav Vitaliyevich Lisov was arrested by Spanish authorities at Barcelona–El Prat Airport on January 13, 2017, at the request of the FBI, then extradited to the United States on January 19, 2018. 

Lisov is the creator of banking Trojan NeverQuest and part of a criminal enterprise that used the malware in attempts to steal $4.4m from the bank accounts of hundreds of victims. 

The 35-year-old pleaded guilty to one count of conspiracy to commit computer hacking in November 2019 and admitted using NeverQuest to successfully thieve $855,000. He was subsequently sentenced to 48 months in federal prison by the United States District Court for the Southern District of New York.

In addition to his custodial sentence, Lisov was sentenced to three years of supervised release and was ordered to pay forfeiture of $50,000 and restitution of $481,388.04. The maximum sentence he could have been handed would have seen the threat actor spend 35 years behind bars. 

After earning credit for time served, the malware-maker was due to be released in a few months' time. However, the United States opted to deport Lisov to Russia on June 16. 

Lisov spent six days in an immigration detention facility to which he was transferred from a prison in Pennsylvania on June 10. According to Russian Embassy officials in the US, the cyber-criminal was then transported to New York's JFK International Airport, where he boarded a Moscow-bound Aeroflot flight.

Reports at the time of Lisov's capture stated that the malicious actor was on honeymoon in Barcelona with his new wife when Spanish authorities placed him under arrest. 

In a statement to the Russian news outlet RIA Novosti, Alexei Topolsky, a spokesperson for the Russian Consulate General in New York, said Lisov was unrestrained by handcuffs when he arrived for his flight.

According to Topolsky, Lisov, who was dressed in simple clothes and a face mask, "looked like a person who was happy to be going home."

Lisov was met at Sheremetyevo International Airport by his wife, Darya Lisova.

Categories: Cyber Risk News

Facebook Pulls Trump Campaign Ad Featuring Nazi Symbol

Info Security - Fri, 06/19/2020 - 11:00
Facebook Pulls Trump Campaign Ad Featuring Nazi Symbol

Facebook has removed advertising for Donald Trump’s re-election campaign because it featured a symbol heavily associated with Nazi Germany, in a move likely to dial-up tensions in the US.

The inverted red triangle featured in the ad was reportedly used by the Nazis to mark out political prisoners in concentration camps.

It ran alongside a message from the President claiming that ‘far-left mobs’ are causing mayhem in the US and that left-wing activists loosely labelled “antifa” should be branded a terrorist organization.

“We don’t allow symbols that represent hateful organizations or hateful ideologies unless they are put up with context or condemnation,” Facebook’s head of cybersecurity policy, Nathaniel Gleicher, said in a brief statement.

“That's what we saw in this case with this ad, and anywhere that that symbol is used we would take the same actions.”

Other ads from the same campaign not featuring the symbol were left up, despite their dubious claims.

In fact, Facebook has come under increasing pressure of late to fact-check and remove misleading political ads, or ban them altogether like Twitter.

The social network disappointed many this week when it announced it would merely allow users to switch off social issue, electoral or political ads from candidates or political action committees in their Facebook or Instagram feeds.

This comes after a January update in which Facebook said it would help users to limit the number of political ads they see.

That isn’t good enough for the Biden election campaign. It has begun a petition calling on the social network to ban threatening behavior and lies about how to vote, and wants all political ads to be fact-checked for the two weeks running up to the election.

On the other side, Trump issued an executive order effectively preventing social media companies from fact-checking political statements.

Facebook has been at pains not to take sides in an increasingly fractious debate. In fact, it controversially left up incendiary remarks by Trump which some have claimed were an incitement to violence during recent civil unrest.

Categories: Cyber Risk News

Malicious Chrome Extensions Downloaded Over 33 Million Times

Info Security - Fri, 06/19/2020 - 09:30
Malicious Chrome Extensions Downloaded Over 33 Million Times

Google has removed scores of malicious and fake Chrome extensions being used in a global eavesdropping campaign.

The threat was spotted by Awake Security, which detected 111 of the malicious extensions over the past three months. When it notified Google of the issue last month, it claimed that 79 were present in the Chrome Web Store, where they had been downloaded nearly 33 million times.

Figures for the others not in the official marketplace are hard to calculate for obvious reasons.

“These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc,” it said in a report detailing the investigation.

“After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every single network.”

Spoofed to appear legitimate, the extensions all sent the data they harvested back to ‘legitimate’ domain registrar GalComm, which Awake argued “is at best complicit in malicious activity.”

Those behind the campaign have worked hard to ensure an almost 100% success rate, evading enterprise security proxies, AV and other defenses.

“One reason for this appears to be a smart method for filtering/blocking requests used by this attack campaign. If the client is connecting to the domain from a broadband, cable, fiber, mobile or similar fixed-line ISP type of network, then the client will be delivered the malicious payload. This allows all normal users and enterprises to pass through the filter,” the report explained.

“If the connection is coming from a data center, web hosting service, transit networks, VPN or proxy, the request is redirected to a benign page.”

In some cases, efforts were made to bypass the Chrome Web Store altogether.

“They do so by loading a self-contained Chromium package instrumented with the malicious plugins,” Awake Security said.

“As most users don’t recognize the difference between Chrome and Chromium, when prompted to make the new browser their default, they frequently do – making their primary browser one which will happily continue to load malicious extensions from other GalComm related sources.”

The report suggested the campaign could be tied to state-sponsored activity.

Categories: Cyber Risk News

Sophisticated State-Backed Attack Rocks Australia

Info Security - Fri, 06/19/2020 - 08:28
Sophisticated State-Backed Attack Rocks Australia

Australian Prime Minister Scott Morrison today warned of a major state-sponsored cyber-espionage campaign targeting government and private sector businesses.

He urged domestic organizations to take steps to improve their resilience, including the use of multi-factor authentication to access cloud and internet-facing systems, and to patch online devices promptly.

“This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure,” Morrison warned.

“We know it is a sophisticated state-based cyber-actor because of the scale and nature of the targeting and the tradecraft used.”

In a technical advisory yesterday, the Australian Cyber Security Centre (ACSC) referred to the state actor’s “copy-paste compromises” — in other words, its heavy use of proof-of-concept exploits, web shells and other elements “copied almost identically from open source.”

The attackers specifically targeted remote code execution vulnerabilities in development tool Telerik UI, Microsoft Internet Information Services (IIS), SharePoint and Citrix.

“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases,” the ACSC continued.

“The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.”

When exploits don’t work, the hackers use spear-phishing plus open source and custom tools to achieve persistence. They’ve also been spotted using compromised legitimate Australian websites for command-and-control, in an attempt to hide their activity.

Michael Sentonas, global CTO at CrowdStrike, said his firm had seen a 330% spike in malicious activity in the first half of 2020 versus a year ago, and warned that the lines between e-crime and state-backed attacks are blurring due to increased sophistication of the former.

Having a front line perspective of the rampant threat activity in Australia that occurs every day, including the number of high-profile breaches in recent months, demonstrates the country is not as prepared as we would like to believe,” he added.

“It is positive that this issue is being raised, and governments and organizations must now take action and harden their defenses against an advanced pool of adversaries”.

Given Australia’s recent geopolitical disputes with its larger neighbor to the north, China will be top of the list of suspects in these attacks.

Categories: Cyber Risk News

US Indicts Six Nigerians Over $6m Email Scam

Info Security - Thu, 06/18/2020 - 15:35
US Indicts Six Nigerians Over $6m Email Scam

The United States has sanctioned six Nigerians for operating cyber-scams that stole millions from American victims. 

Indictments were unsealed June 16 against Richard Uzuh, Michael Olorunyomi, Alex Ogunshakin, Felix Okpoh, Nnamdi Benson, and Abiola Kayode. The six men are charged with orchestrating elaborate schemes to defraud Americans through Business Email Compromise (BEC) attacks and romance scams. 

American citizens lost over $6,000,000 after falling victim to scams where the men impersonated business executives and requested and received wire transfers from legitimate business accounts or masqueraded as romantic partners. 

After gaining the trust of their victims, the fraudsters manipulated them into handing over their usernames, passwords, and bank account details in order to steal from them. Several of those who engaged in romance fraud used online tools, including social media and email, to further their social engineering tactics.

Between early 2015 and September 2016, Uzuh and an accomplice would often attack over 100 businesses a day with emails purporting to be from a genuine executive at the target company. By requesting and receiving wire transfers of funds from the victimized firm's bank accounts, the pair were able to steal $6.3m.

Olorunyomi and a co-conspirator led a scheme that preyed on Americans searching for love online. The duo created fake profiles on dating websites and posed as romance seekers to defraud victims out of over $1m between September 2015 and June 2017.

As a result of the sanctions, all property and interests in property of the six men that are in the possession or control of US citizens or within or transiting the United States are blocked, and US persons generally are prohibited from dealing with them.

“Cybercriminals prey on vulnerable Americans and small businesses to deceive and defraud them,” said Secretary of the Treasury Steven Mnuchin. 

“As technological advancement increasingly offers malicious actors tools that can be used for online attacks and schemes, the United States will continue to protect and defend at-risk Americans and businesses.”

In July 2019, Treasury’s Financial Crimes Enforcement Network (FinCEN) released an advisory noting that it received over 32,000 reports involving almost $9bn in attempted theft from BEC fraud schemes targeting US financial institutions and their customers since its 2016 advisory. 

Recovered funds through FinCEN’s Rapid Response Program, in collaboration with law enforcement, recently surpassed $920m.

Categories: Cyber Risk News

ESET Reveals New Insights into Espionage Group InvisiMole

Info Security - Thu, 06/18/2020 - 15:08
ESET Reveals New Insights into Espionage Group InvisiMole

In-depth insights into the operations and methods of the elusive InvisiMole organization have been revealed by ESET following an investigation into a new campaign by the espionage group. In this campaign, the group targeted a number of high profile military and diplomatic bodies in Eastern Europe from late 2019 until at least June 2020.

ESET investigators found that InvisiMole collaborated with another cyber-threat actor, Gamaredon, to help it make attacks. Gamaredon would infiltrate the network of interest, potentially gaining administrative privileges, before InvisiMole moved in to launch malware.

ESET researcher Zuzana Hromcová explained: “Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar.”

The team also discovered four different execution chains InvisiMole uses, created by combining malicious shellcode with legitimate tools and vulnerable executables. The group’s malware is able to remain hidden by protecting components with per-victim encryption, meaning the payload can only be decrypted and executed on the affected computer. InvisiMole was also observed to have a new component that uses DNS tunneling for stealthier C&C communication.

“We were able to document the extensive toolset used for delivery, lateral movement and execution of InvisiMole’s backdoors,” noted Anton Cherepanov, the ESET malware researcher who led the investigation.

InvisiMole is understood to have been active since at least 2013, and has been connected to cyber-espionage campaigns in Ukraine and Russia, including spying on victims using two feature-rich backdoors. The new analysis highlights how the group has significantly improved its abilities to conduct cyber-espionage.

Hromcová added: “With this new knowledge, we’ll be able to track the group’s malicious activities even more closely.”

Categories: Cyber Risk News

FCC Warned Against Approving US/Hong Kong Subsea Cable

Info Security - Thu, 06/18/2020 - 14:51
FCC Warned Against Approving US/Hong Kong Subsea Cable

America's Federal Communications Commission (FCC) has been warned against fully approving the construction of a subsea cable that will directly link the United States to Hong Kong.

A recommendation to partially deny the application to build the Pacific Light Cable Network (PLCN) was sent to the FCC by Team Telecom, formally known as the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.

The committee said the PLCN application raised national security concerns as significant financial backing for the project would be provided by a subsidiary of the fourth largest provider of telecommunications services in the People's Republic of China (PRC).

"As submitted to the FCC, the PLCN application would have allowed for the highest capacity subsea cable connection between the United States and Asia and been the first direct connection between the United States and Hong Kong," said a spokesperson for the US Department of Justice. 

"This raised national security concerns, because a significant investor in the PLCN is Pacific Light Data Co. Ltd., a Hong Kong company and subsidiary of Dr. Peng Telecom & Media Group Co. Ltd. (Dr. Peng Group), the fourth largest provider of telecommunications services in the PRC."

The committee’s recommendation explained that PLCN’s proposed Hong Kong landing station would expose US communications traffic to collection by the PRC. 

The DOJ said: "Such concerns have been heightened by the PRC government’s recent actions to remove Hong Kong’s autonomy and allow for the possibility that PRC intelligence and security services will operate openly in Hong Kong."

Team Telecom further advised that the FCC grant the portions of PLCN’s application seeking to connect the United States, Taiwan, and the Philippines, that do not have any PRC-based ownership and are separately owned and controlled by subsidiaries of Google LLC and Facebook, Inc. 

This approval should only be made on the condition that the companies’ subsidiaries enter into mitigation agreements regarding those connections, advised Team Telecom. 

Google's request for Special Temporary Authority (STA) to commercially operate the segment of PLCN connecting the United States and Taiwan for six months was granted by the FCC on April 8, 2020. Approval was given based on obligations set forth in a Provisional National Security Agreement between the tech giant and the US Departments of Justice, Homeland Security, and Defense. 

Categories: Cyber Risk News

UK U-Turns on Contact Tracing App Privacy

Info Security - Thu, 06/18/2020 - 14:27
UK U-Turns on Contact Tracing App Privacy

The UK government has abandoned its centralized coronavirus contact-tracing app in favor of a decentralized model, according to the BBC's chief tech correspondent. 

Rory Cellan-Jones shared news of the UK's U-turn on Twitter earlier today. Posting as @ruskin147, Cellan-Jones wrote: "BBC scoop - NHS abandons centralized contact tracing app, moves to Apple/Google decentralized model."

petition by ProPrivacy asking the UK government to change their contact-tracing app’s data collection model from centralized to decentralized to protect user privacy attracted over 1,000 signatures.

Digital privacy expert at ProPrivacy, Ray Walsh, called the government's decision "a huge win for privacy."

"A decentralized app will allow consumers across the UK to download the app without fears that their data could be exploited for secondary purposes," said Walsh.

The National Health Service COVID-19 contact-tracing app was created to tell people when they may have been exposed to the novel coronavirus. A pilot scheme is currently under way in the Isle of Wight to test the app's efficacy.

Lord Bethell, the minister for innovation at the Department of Health and Social Care, said participants of the pilot scheme had indicated that they would rather hear bad news from a person than via an automated text or email. 

Health secretary Matt Hancock said at the start of May that the NHS COVID-19 contact-tracing app would be rolled out mid-May. However, Lord Bethell, speaking to the MPs on the Commons science and technology committee, said recently that the app will not be ready before the winter. 

“We’re seeking to get something going for the winter, but it isn’t a priority for us,” Bethell stated.

The snail-like pace of the government's contact-tracing app implementation was bemoaned by Ray Walsh.

"It is a shame that it took so long for the NHS and the government to come to the same realization privacy experts had months ago—that in order for an app to be effective it is going to need to be accepted by the general public," said Walsh.

"While this is good news, the reality is that we could have had this app up and running weeks if not months ago, which could have greatly reduced the rate of infection and potentially saved lives."

Categories: Cyber Risk News

ICO Report Calls for Reforms Around Police Data Extraction

Info Security - Thu, 06/18/2020 - 12:15
ICO Report Calls for Reforms Around Police Data Extraction

The UK Information Commissioner's Office (ICO) has issued a report on police practices regarding extraction of data from people’s phones, including phones belonging to the victims of crime.

The report, which is the result of a 2018 complaint made by Privacy International (PI), highlights numerous risks and failures by the police in terms of data protection and privacy rights.

Elizabeth Denham, information commissioner, stated in the report: “This report explains how current mobile phone extraction practices and rules risk negatively affecting public confidence in our criminal justice system.

“I am therefore calling on government to introduce modern rules, through a code of practice that improves data extraction practices. This will build public confidence, notably the confidence of victims of crime and witnesses in permitting extraction of their sensitive personal data. It will also better support police and prosecutors in their vital work.”

Other key points in the report state that police should not seize phones merely to go on ‘fishing’ expeditions, but must focus any extraction on clear lines of enquiry and that current police practices regarding extracting data, especially from victims and witnesses, must be reformed.

Dr Ksenia Bakina, PI’s legal officer said: “Today’s critical report by the ICO vindicates what PI has been saying for over two years. The Police are taking data from people’s phones, including the victims of crime, without applying proper safeguards. This has to stop.

Currently, there is no clear policy guidance or independent, effective oversight for the police’s use of MPE technology, Bakina added.

“Considering the extensive use of mobile phones in our everyday lives, and the significant amount of sensitive personal data stored on them, the public need to know that there are rules and safeguards in place – otherwise the police are left to make up their own rules.

“The ICO's report is a welcome step in the right direction. However, it is just a first step. We need to ensure that the report is a wakeup call that the police finally heed.”

Categories: Cyber Risk News

Pandemic Popularity Forces Dark Web Forums to Recruit

Info Security - Thu, 06/18/2020 - 10:55
Pandemic Popularity Forces Dark Web Forums to Recruit

The COVID-19 crisis appears to have had an unexpected impact on underground cybercrime sites, leading to a surge in growth which has left many understaffed, according to Digital Shadows.

The dark web monitoring firm’s Digital Shadows Photon Research Team revealed in a new blog that several forums have recently been forced to go on a hiring spree for new moderators.

In April, an administrator post from English-language cybercrime forum Nulled apparently noted that the ‘community’ was “especially growing rapidly during COVID-19,” and that as a result it “require[s] additional assistance.”

Another post in April, this time from the administrator of English-language site CrackedTO, cited “recent events” as the reason for its hiring plea.

“While there have been many predictable consequences of the ongoing global COVID-19 pandemic, few would have foreseen significant growth for multiple cyber-criminal forums. Digital Shadows has observed forums being stretched at the seams due to their newfound pandemic popularity,” the Digital Shadows team wrote.

“In retrospect, it’s not that surprising: the coronavirus has placed enormous economic pressure on millions of people worldwide. It’s not illogical to surmise that some individuals may have turned to cybercrime to plug holes in their finances.”

The firm explained that cybercrime sites run a highly formalized employee set-up with the administrator sitting at the top of a pyramid, while multiple moderators carry out the day-to-day work.

They are often tasked with specific roles, such as technical support, paying for advertising, enforcing site rules and answering user questions.

The “trials moderators” sought by Nulled and CrackedTO are required to enforce the rules and assist users, as well as clean up malware and spam.

Good moderators seem to be highly sought after, making recruitment also a formalized process.

“Elements of the recruitment advertisements come up again and again: the importance of devoting a significant chunk of time to the role, the requirements for applicants to have a thorough knowledge of the section and the perceived prestige associated with the role,” said Digital Shadows.

“Most also emphasized that these positions are unpaid.”

Categories: Cyber Risk News

#COVID19 Attacks Still Less Than 2% of Total Threats

Info Security - Thu, 06/18/2020 - 09:25
#COVID19 Attacks Still Less Than 2% of Total Threats

COVID-19-themed cyber-attacks comprised only a tiny amount of overall threat volumes over the past four months despite sensational headlines, according to Microsoft.

In comments echoing those it made at the start of the crisis, the Microsoft Threat Protection Intelligence Team claimed that even the peak of COVID-related attacks in the first two weeks of March was “barely a blip in the total volume of threats we typically see in a month.”

These were opportunistic attempts to exploit huge public interest in the virus via mainly localized phishing lures, which is why they increased 11-fold the week after the World Health Organization (WHO) officially named the pandemic “COVID-19.”

“This surge of COVID-19 themed attacks was really a repurposing from known attackers using existing infrastructure and malware with new lures,” said Microsoft. “In fact, the overall trend of malware detections worldwide did not vary significantly during this time.”

Although COVID-themed attacks remain higher than they were in early February and will continue as long as the virus does, the vast majority of threats are more typical phishing and identity compromise attempts, it continued.

The key takeaway for IT security teams is that while phishing lures can change quickly, the underlying malware remains the same.

They should therefore double down on enhanced user awareness training programs, “cross-domain signal analysis,” and patching, said Microsoft.

“These COVID-19 themed attacks show us that the threats our users face are constant on a global scale. Investments that raise the cost of attack or lower the likelihood of success are the optimal path forward,” it concluded.

“Focus on behaviors of attackers will be more effective than just examining indicators of compromise, which tend to be more signals in time than durable.”

Google claimed back in April that it is blocking 18 million malware and phishing emails linked to COVID each day, although it also admitted that “in many cases” these threats are not new but repurposed from other campaigns.

Categories: Cyber Risk News

Zoom Will Offer End-to-End Encryption for All Users

Info Security - Thu, 06/18/2020 - 08:24
Zoom Will Offer End-to-End Encryption for All Users

Zoom has reversed its controversial decision to restrict access to end-to-end encryption (E2EE) for some users and will now offer the feature to customers of both its free and premium services.

The video conferencing app said it had consulted with rights groups, child safety advocates, government representatives, encryption experts and its own CISO council to gather feedback.

“We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” the firm's CEO Eric Yuan said in a blog post yesterday.

“This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”

Users of the free service will be required to authenticate in a one-off process with information such as their phone number, in order for the platform to “reduce the mass creation of abusive accounts,” Yuan added.

The news came as rights groups, tech firms and internet users petitioned the firm to reverse its policy on E2EE.

They argued that E2EE is too important to be a premium feature, especially in the context of global protests against racial injustice and government oppression. The technology protects activists, journalists and other vulnerable parts of the population from government repression and surveillance, as well as from cyber-criminals, they said.

The campaigners also argued that want to disguise any malicious intent or illegal activity can simply pay for the premium service.

Yuan was reported saying on an analyst call earlier this month that the firm would not be offering free users E2EE “because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.”

Mozilla welcomed the news. The tech non-profit, which wrote an open letter to Zoom earlier in the week signed by tens of thousands of internet users, argued that E2EE should always be the default setting, not a luxury.

“We're heartened that Zoom listened to consumers, especially at a time when millions of people are relying on the platform to stay connected amid the pandemic and to organize in support of Black lives,” it said in a statement.

“Zoom’s decision is part of an emerging trend: Consumers are demanding more of the technology products and services they use every day. And companies are changing their products to meet these demands.”

Categories: Cyber Risk News

BEC Attackers Ditch C-Suite in Favor of Fresh Target

Info Security - Wed, 06/17/2020 - 18:11
BEC Attackers Ditch C-Suite in Favor of Fresh Target

The number of Business Email Compromise (BEC) attacks being leveled at C-Suite executives has declined as threat actors focus on a new target.

According to new research published today by Abnormal Security, BEC attacks on C-Suite executives decreased by 37% in the first quarter of 2020 compared to the final quarter of 2019. 

Researchers discovered that cyber-criminals had a new springtime victim in their sights, as BEC attacks on finance employees—who hold the key to routine payments—shot up by more than 87%. 

The Abnormal Security Quarterly BEC Report for Q1 2020 notes a shift away from individual attacks to group BEC attacks. Campaigns with more than 10 recipients increased by 27% quarter by quarter. 

Researchers found that criminals had switched their focus away from paycheck and engagement fraud and toward payment fraud. Invoice fraud attacks were found to have increased more than 75%.

A section of the report was devoted to trends around email account compromise and security attack patterns observed during the COVID-19 pandemic. 

Evan Reiser, CEO and co-founder of Abnormal Security, described the attacks related to the outbreak of the novel coronavirus as "among the most sinister in intent that we have ever seen."

Researchers found that COVID-related attacks more than quadrupled between the second and third weeks of March 2020. Cyber-assaults increased 436%, with an average 173% week-over-week increase during the quarter.

COVID-19 vectors exploited by criminals included vaccines, PPE equipment, stimulus checks, PPP payments, layoff concerns, and the popularity of video conferencing tools. 

The majority of the coronavirus attacks Abnormal caught were scams that leveraged trusted entities, using compromised and spoofed accounts in order to scam users and companies out of money, steal their credentials, or install malware on their device.

“The email security trends we witnessed during Q1 are most certainly related to the COVID-19 pandemic and the shift to work from home, but they also reflect greater sophistication and attack strategy by threat actors,” said Reiser. 

“By increasing campaign target size, attackers increase the opportunity for social validity and by targeting finance employees who manage third-party payments, they’ve found a new vector for payouts.”

Categories: Cyber Risk News

Sharp Rise in Web Attacks on Gamers

Info Security - Wed, 06/17/2020 - 17:33
Sharp Rise in Web Attacks on Gamers

Cyber-criminals stepped up their efforts to victimize gamers while millions of people stayed at home this spring to slow the spread of COVID-19.

New research published today by Kaspersky found that in April, the daily number of blocked attempts to direct users to malicious gaming-themed sites increased by 54%, compared to January 2020.

In the same month, the number of blocked attempts to force gamers onto phishing pages for one of the most popular gaming platforms also increased by a whopping 40% compared to February 2020. 

Kaspersky researchers took a special interest in threats to gamers after lockdown measures saw millions turn to video games as a source of entertainment. Beginning in March, online gaming platform SteamDB saw a record number of users, with 20.3 million people in-game simultaneously over one weekend. 

According to data from Kaspersky Security Network, cyber-criminals have exploited the increased interest in video games to launch various attacks. 

Minecraft, one of the most popular games ever made, was the title most often used by threat actors. Its name featured in more than 130,000 web attacks. The other games used most frequently to launch attacks were Counter-Strike: Global Offensive and The Witcher 3.

Maria Namestnikova, security expert at Kaspersky, said threat actors used the promise of cheats to lure gamers into clicking malicious links. 

“The past few months have shown that users are highly susceptible to falling for phishing attacks or clicking on malicious links when it comes to games—whether they’re looking to find pirated versions or eager for a cheat that will help them win,” said Namestnikova.

Yury Namestnikov, also a security expert at Kaspersky, said that gamers working from home who play and toil on the same device should be particularly wary of cyber-threats.

“Now that many players started using the same machines that they use to enter corporate networks for games, their cautiousness should be doubled: risky actions make not only personal data or money vulnerable but also corporate resources,” said Namestnikov.

Kaspersky researchers urged gamers to protect themselves by using strong passwords and two-factor authentication where possible and to be wary of any cheats and pirated copies of video games.

Categories: Cyber Risk News

Illinois Tech CEO Charged with #COVID-Relief Fraud

Info Security - Wed, 06/17/2020 - 16:47
Illinois Tech CEO Charged with #COVID-Relief Fraud

The founder and CEO of two Illinois software companies has been charged with fraudulently claiming over $400,000 from the Paycheck Protection Program (PPP).

Evanston resident Rahul Shah allegedly lied on an application for a forgivable bank loan guaranteed by the Small Business Administration (SBA) under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The 51-year-old was charged in a federal criminal complaint filed in the Northern District of Illinois with bank fraud and making false statements to a financial institution.  

Shah is the founder and CEO of tech companies Boardshare LLC and Katalyst Technologies, Inc. Both companies are based on Davis Street in downtown Evanston. 

Katalyst, which was founded in 2000, also has offices in Atlanta, London, and in several cities in India. 

Shah applied for a PPP loan from the bank of Texas on April 15 for Katalyst. On April 30, he applied for a second loan on behalf of N2N Holdings LLC, which operates under the name Boardshare. 

According to the Department of Justice (DOJ), Shah "significantly overstated the payroll expenses of a company that he controlled" and submitted falsified IRS documents to the lender. 

On an IRS 1099-MISC form, Shah claimed that one of his companies had made payments to several individuals. These claims turned out to be false upon investigation.

In addition, Shah misrepresented his company's payroll expenses for 2019 in documents that he signed and caused to be submitted to the lender.

"A comparison between the documents submitted to the lender and the company’s IRS filings revealed that Shah’s company reported significantly lower payroll expenses to the IRS," said a spokesperson for the DOJ. 

An affidavit from James Sams, an agent with the Treasury Inspector General for Tax Administration, said Shah paid Boardshare's employees less than $10k over a period in which he claimed to have spent $426k on payroll. 

In an interview with FBI and Treasury agents on May 29, Sams alleges that Shah acknowledged that there were "errors" in his application and blamed them on employees in India. 

If convicted of both counts, Shah could face a sentence ranging from probation to up to 60 years in federal prison.

Categories: Cyber Risk News

Widespread Security Vulnerabilities in Mobile Banking Apps

Info Security - Wed, 06/17/2020 - 14:31
Widespread Security Vulnerabilities in Mobile Banking Apps

Half of mobile banks are vulnerable to fraud and theft of funds due to inadequate security on apps, according to a study by Positive Technologies. The analysis found that mobile banking applications have a raft of security flaws which can be exploited by cyber-criminals to access sensitive data and commit fraud.

Positive Technologies said that none of the 14 mobile banking applications tested had an acceptable level of security. In regard to the applications installed by clients, 43% were shown to store important information on the phone in clear text, making the data at risk of being accessed by an unauthorized party. In addition, 76% of the vulnerabilities can be exploited without physical access to the device and over one-third can be exploited without administrator rights.

Each mobile bank analyzed had an average of 23 vulnerabilities on the server side, which contained 54% of all the vulnerabilities found. Close to half (43%) had server-side vulnerabilities in business logic, which attackers can use to access sensitive user information and commit fraud. The report also stated that hackers can steal user credentials in five out of seven mobile banks while card information is at risk in one-third.

There were also variations in the types of security flaws between iOS and android apps; in iOS, no flaws were rated above ‘medium,’ whereas in android, 29% were ‘high risk.’

Olga Zinenko, analyst at Positive Technologies, commented: “Banks are not protected from reverse engineering of their mobile apps. Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in clear text and make errors allowing hackers to bypass authentication and authorization mechanisms and bruteforce user credentials. Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits and the phone number associated with a victim’s card.

“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”

Just last week, the FBI warned that cyber-criminals are seeking to take advantage of the growing use of mobile banking apps during COVID-19.

Categories: Cyber Risk News

Petitions Demand Zoom Changes End-to-End Encryption Stance

Info Security - Wed, 06/17/2020 - 11:20
Petitions Demand Zoom Changes End-to-End Encryption Stance

Technology companies and rights groups are calling on Zoom to reverse its stance on end-to-end encryption, which currently denies users of its free service the strongest possible security and privacy protections.

The video conferencing app controversially announced earlier this month that only users of its premium service would have their conversations protected by end-to-end encryption.

“Free users for sure we don’t want to give [end-to-end encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” CEO Eric Yuan reportedly said.

Now a coalition of non-profits, tech groups and tens of thousands of internet users have called on the firm to change its mind.

An open letter to Yuan from the EFF and Mozilla, signed by over 19,000 internet users, argued that offering the strongest possible security to all users is more important now than ever, at a time when political activists and protesters may be the target of government surveillance.

“Best-in-class security should not be something that only the wealthy or businesses can afford. Zoom’s plan … will leave exactly those populations that would benefit most from these technologies unprotected,” it noted.

“Around the world, end-to-end encryption is already an important tool for journalists and activists that are living under repressive regimes and fighting censorship. We recognize that Zoom's business model includes offering premium features for paid accounts, but end-to-end encryption is simply too important to be one of those premium features.”

A separate petition sent to the firm by Fight for the Future, Daily Kos, MPower Change, Mijente, Kairos, Media Alliance and Jewish for Peace has garnered over 50,000 signatures.

It claimed that Yuan’s defense of the decision, that the firm wanted to help law enforcement, was absurd.

“People with bad intentions can just pay for the account to ensure their calls are secure,” it argued. “Meanwhile, people who can’t afford Zoom’s services are left vulnerable to cyber-criminals, stalkers and hackers.”

Zoom’s recent admission that it suspended the accounts of Chinese human rights activists after a request from Beijing will only add further weight to the calls.

Categories: Cyber Risk News

Avast Appoints Nick Viney to Lead Telco, IoT and Family Security Business Unit

Info Security - Wed, 06/17/2020 - 10:30
Avast Appoints Nick Viney to Lead Telco, IoT and Family Security Business Unit

Global digital Security and privacy product provider Avast has announced the appointment of Nick Viney as senior vice-president and general manager for its Telco, Internet of Things (IoT) and Family security business unit.

Viney joins Avast from Cyber 1 – a publicly listed enterprise cybersecurity provider – where he was Group CEO. He has previously held roles at McAfee, Google and Microsoft.

In his new role, he will oversee Avast’s global strategy and lead the development of the company’s position in smart home security while expanding its overall portfolio of security products and partners including telecommunications providers and original equipment manufacturers.

“Avast is a company I have long admired for its commitment to innovation, focus on the customer and for its mission to make the world a safer place for everyone, particularly the most vulnerable in our society,” said Viney.

“These are values I have stood by throughout my entire career and I’m looking forward to leading some important projects for the company that are tackling real-world cybersecurity problems and issues for consumers today.”

Categories: Cyber Risk News

Aerospace Executives Targeted Via LinkedIn Recruitment Messages

Info Security - Wed, 06/17/2020 - 10:00
Aerospace Executives Targeted Via LinkedIn Recruitment Messages

Attackers leveraged LinkedIn and posed as recruiters in order to steal information and money from European military and aerospace executives.

According to new research from ESET, the technique involved threat actors contacting the executives via LinkedIn posing as recruiters. Named Operation In(ter)ception, the actions took place from September to December 2019 and began with what ESET called “a quite believable job offer, seemingly from a well-known company in a relevant sector” and contained a OneDrive link which contained a PDF document with salary information related to the fake job offer.

However, ESET malware researcher Dominik Breitenbacher said malware was silently deployed on the victim’s computer giving the attacker “an initial foothold and reached a solid persistence on the system.”

Among the tools the attackers utilized was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools.

Speaking on ESET’s Virtual World conference this week, head of threat research, Jean-Ian Boutin, said the job offer was often “too good to be true” and while the conversation would start out as friendly, the attacker would pressure the executive to answer questions more and more rapidly. The attacker would also ask what system the executive was using in order to determine configurations.

Boutin said the PDF file was a decoy, which featured positions with expected salaries. However, the executable creates a scheduled task on the victim’s computer, a built-in functionality in Windows, which is automatically launched. “This can be very useful in an enterprise set up, but is also a common technique used by threat groups to ensure their malicious payload is run periodically once it is installed,” he said.

He explained that the malicious payload in the scheduled task is used by the attacker to connect to an external server “and is able to download and execute arbitrary content.”

Post-attack, Boutin said all of the exfiltrated data was placed in password-protected RAR archives, and uploaded to Dropbox using a command line tool. “What made this threat actor difficult to track was that their operators were really careful and cleaned up their traces when moving from one system to another,” he said. The attackers also removed the LinkedIn profiles once the compromise was successful.

During the research, ESET also determined some similarities with actions by the Lazarus group, who had been attributed as being involved with the Sony Pictures attack and the WannaCry outbreak. Whilst ESET said there was not enough information to definitely attribute these attacks to the Lazarus Group, there were some similarities in the code and tactics used.

In a comment sent to Infosecurity, Paul Rockwell, head of trust and safety at LinkedIn, said: “We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members. We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.

“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors. We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service.

“In this case, we uncovered instances of abuse that involved the creation of fake accounts. We took immediate action at that time and permanently restricted the accounts.”  -

Categories: Cyber Risk News

#COVID19 Forces Positive Long-Term Changes to Cybersecurity

Info Security - Wed, 06/17/2020 - 09:30
#COVID19 Forces Positive Long-Term Changes to Cybersecurity

COVID-19 lockdowns around the world have led to an increase in some of the most common attack types, but also a realization that businesses must change going forward, according to over 80% of IT professionals polled by Bitdefender.

The security vendor interviewed 6724 security and IT staff in May across the UK, US, Australia/New Zealand, Germany, France, Italy, Spain, Denmark and Sweden, covering all sizes of organization.

Some 86% claimed attacks had increased during lockdown, especially phishing (26%), ransomware (22%), social media threats/chatbots (21%), cyber-warfare (20%), Trojans (20%) and supply chain attacks (19%). In some cases, such as ransomware (31%) and DDoS (36%) the increase in volume of attacks was in the double-digits.

Around a third (34%) of respondents warned that home working employees were too relaxed about security, leading to concerns over phishing (33%) and accidental data leaks (31%). A third claimed home workers aren’t following protocol by identifying and flagging suspicious activity.

Other risks from remote working highlighted by respondents include third parties using corporate laptops and devices (38%) and the use of personal messaging services for work (37%).

Unsurprisingly, half (50%) said they had no contingency plan in place for a scenario such as COVID-19.

However, on the positive side, global organizations are taking proactive steps to improve cybersecurity readiness and resilience going forward.

Over a fifth (22%) said they’ve started providing VPN and made changes to VPN session lengths, 20% have shared cybersecurity guides and deployed pre-approved applications and content filtering, and 19% have updated employee training.

Almost a third (31%) said they intend to keep 24/7 IT support once the pandemic recedes and will increase security training. Even better, 23% said they’re going to increase cooperation with key business stakeholders when drawing up cybersecurity policies, and a similar number will increase outsourcing of IT security functions.

Liviu Arsene, global cybersecurity researcher at Bitdefender, argued that customer loyalty, trust and the bottom line are at risk if organizations don’t get cybersecurity right during the pandemic, and beyond.

“COVID-19 has however presented infosec professionals with the opportunity to reassess their infrastructure and refocus on what end users/employees really need and want in terms of cybersecurity support,” he added.

“It is also evident that, despite identifying risks, there is still a need for further investigation into what investments need to be made to ensure that corporate data and employees are both safe from bad actors. While it’s a challenge to make changes now, it will shore up business for the future and many more unknown scenarios.”

Categories: Cyber Risk News