“Shark Tank” TV star loses almost $400,000 in Business Email Compromise scam

Barbara Corcoran, one of the business moguls who head up the judging team on US TV’s “Shark Tank” investment show, has lost nearly $400,000 to an email scammer.

According to media reports, a scammer – posing as Corcoran’s executive assistant – forwarded Corcoran’s bookkeeper an invoice earlier last week, requesting that payment be made.

The invoice asked that US $388,700.11 be transferred electronically into a German-based bank account, claiming to belong to a company called FFH CONCEPT GmbH.

Unfortunately, the truth was that the email did not really originate from Corcoran’s executive assistant. Instead, the scammers had created an email address that looked the same as the executive assistant’s, apart from a difference in one single letter.

Sadly, Corcoran’s bookkeeper did not spot the minor difference in the email address, and so when she asked questions such as the purpose of the payment, her communication went straight to the scammers rather than the genuine assistant.

On Tuesday this week, seemingly satisfied by the answers she had been given by the scammers posing as Barbara Corcoran’s executive assistant, the bookkeeper transferred almost $400,000 into the bank account controlled by the scammers.

It was only when the bookkeeper cc’d Corcoran’s assistant directly (rather than by replying to one of the scam emails) with confirmation that the money transfer had been made that it became dramatically clear that something had gone terribly wrong.

Speaking to People magazine, Barbara Corcoran appeared remarkably upbeat about the theft:

“I lost the $388,700 as a result of a fake email chain sent to my company. It was an invoice supposedly sent by my assistant to my bookkeeper approving the payment for a real estate renovation. There was no reason to be suspicious as I invest in a lot of real estate. I was upset at first, but then remembered it was only money.”

It’s good that Corcoran is showing such a positive attitude, as it seems unlikely she will be able to recover the money from the fraudsters.

If even a businesswoman with the profile of Barbara Corcoran can have money stolen by scammers then it can happen to anyone. All of us need to be on our guard, looking for clues that invoices might not be legitimate, or emails may have originated from outside the company, to reduce the chances of a theft succeeding.
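As an added illustration (not code from the original article), here is a small Python check for the two things that went wrong above: a sender address that is only a character or two away from a trusted contact, and a Reply-To that diverts answers somewhere other than the apparent sender. The domain and addresses are hypothetical, constructed for the example.

```python
from email.utils import parseaddr

# Hypothetical internal domain and trusted correspondents (constructed for this example).
INTERNAL_DOMAIN = "corcoran-example.com"
TRUSTED_SENDERS = {
    "assistant@corcoran-example.com",
    "bookkeeper@corcoran-example.com",
}
# How many single-character edits still count as a "lookalike" of a trusted address.
MAX_LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute ca -> cb
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, reply_to_header: str = "") -> list:
    """Return a list of warnings for a message's From (and optional Reply-To) header.

    Flags an external origin, a near-miss of a trusted address (the one-letter
    trick in the Corcoran case), and a Reply-To that sends answers elsewhere
    (how the bookkeeper's questions reached the scammers, not the assistant).
    """
    warnings = []
    sender = parseaddr(from_header)[1].lower()
    domain = sender.rpartition("@")[2]

    if domain != INTERNAL_DOMAIN:
        warnings.append(f"external sender: {sender}")

    if sender not in TRUSTED_SENDERS:
        for trusted in TRUSTED_SENDERS:
            distance = levenshtein(sender, trusted)
            if distance <= MAX_LOOKALIKE_DISTANCE:
                warnings.append(f"lookalike of {trusted} (edit distance {distance})")

    if reply_to_header:
        reply_to = parseaddr(reply_to_header)[1].lower()
        if reply_to and reply_to != sender:
            warnings.append(f"replies go to {reply_to}, not to {sender}")

    return warnings


if __name__ == "__main__":
    # Constructed samples: a genuine address, one letter changed in the domain, and a diverted Reply-To.
    for headers in [("Assistant <assistant@corcoran-example.com>", ""),
                    ("Assistant <assistant@corcoran-exanple.com>", ""),
                    ("Assistant <assistant@corcoran-example.com>", "assistant@corcoran-exanple.com")]:
        print(headers[0], "->", assess_sender(*headers) or ["ok"])
```

A warning from this check is a prompt to confirm the request out of band (a phone call or a fresh message to the known address), which is exactly how the Corcoran fraud was eventually discovered.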

Ransomware Attack in Florida Forces Prosecutor to Drop Charges in Drug Cases

A ransomware attack against the police
department in Stuart, Florida last year had an unexpected consequence: the
police officers had to drop several cases after losing important evidence.

When a ransomware attack hits an
institution or company, expectations are roughly the same. People either pay to
restore services, which doesn’t always guarantee a decryption key from the attackers,
or they don’t pay and lose the information entirely. If they’re lucky, they
have backups. The entire process is followed by the purchase of new equipment
and services. This means the overall cost of a ransomware attack is usually
much higher than the ransom itself, and way higher than the cost of avoiding
the whole problem in the first place by setting up a security solution.

In the Stuart incident, the ransomware
hit police servers and infrastructure, resulting in the loss of data that
included evidence against various defendants. After the dust settled, the State
Attorney’s Office had to drop 11 narcotic cases for loss of evidence.

Much of the non-physical evidence in a
trial is stored on police computers. Things like photos and videos were wiped
clean, setting back the prosecutorial process so much that it was impossible to
continue with the cases.

According to a WPTV investigation,
if the Florida cases progressed unimpeded, the prosecutors would have brought
28 charges against six defendants for various counts, including meth
possession, cocaine possession, selling, manufacturing, or delivering various
narcotics, and the illegal use of a two-way communication device.

The attackers asked for a ransom of $300,000,
payable in Bitcoin, but the administration refused to pay. It took more than
six weeks for the police department to recover.

Facial Recognition Start-Up That Sells Data to Police Got Its Client List Stolen

Someone stole the client list of a somewhat obscure company called Clearview AI. While that might not seem like much, the company was recently in the news for all the wrong reasons – it claims that it scrapes the Internet for public images to use for facial recognition, to then sell that data to law enforcement.

Clearview AI would not be the first company to try to sell data to police, but the suspicious part is that nobody knows who actually gets access to their data. And the company has yet to make any statement regarding their client list, with the exception of a small “trust us” blog post.

According to a Daily Beast report,
Clearview AI notified its clients that an intruder accessed a list of
customers. It said the servers and infrastructure remain untouched, but that
doesn’t seem to have been the goal of the presumptive attacker.

The company avoided the word “hacker”
and only referred to someone gaining “unauthorized access.” The vulnerability
was fixed and whoever got the client list had no access to the law-enforcement
agencies’ search histories.

“Security is Clearview’s top priority,” company
attorney Tor Ekeland told The Daily Beast. “Unfortunately, data breaches are
part of life in the 21st century. Our servers were never accessed. We patched
the flaw, and continue to work to strengthen our security.”

For now, there is no indication that the
client list was released to the public and it’s not clear how extensive the
intrusion really was.

Raccoon Malware Aims to Steal Credentials of People Who Use Popular Apps

Security researchers have followed the
evolution of a piece of infostealer malware named Raccoon, as it’s being
developed and enhanced to work in as many scenarios as possible, including
email clients, Internet browsers, and more.

Infostealers are a type of malware
designed for a very specific purpose, to steal credentials from as many sources
as possible. Raccoon is one such tool that’s developed as a
malware-as-a-service, which means it’s available to cybercriminals through various
forums. More precisely, it’s rented at $75 per week or $200 per month, and deploying
it doesn’t require extensive technical knowledge.

The Raccoon malware, initially spotted in
the wild in April 2019, was built to steal all kinds of information, such as
credentials, credit card information, and even cryptocurrency wallets. Since
it’s distributed as malware-as-a-service, it’s continuously adapted and
enhanced to cover more and more avenues. As it stands, it covers almost 60 apps
including email clients, most Internet browsers, and major cryptocurrency
wallets.

This malware can spread to unsuspecting
victims in two ways. One is through exploit kits embedded into a website to infect
users with unpatched browsers and operating systems. The other is through
phishing campaigns that persuade people to open a Microsoft Office attachment from an email and
run a macro script.

What’s interesting about this malware is
that its developers are expanding features to include ever-more attack vectors.

“Raccoon targets 29 Chromium-based
browsers including Google Chrome, Opera, etc., that have the same folder
structure and share a similar codebase, which leads to a similar way of
handling sensitive data,” explain
the researchers.

“The stealer also relies on the
same methodology for Mozilla-based applications. When looking for
cryptocurrency wallets, Raccoon targets popular applications like Exodus, Jaxx
and more.”

While this relatively new malware is not
all that complex and dangerous, the fast rate of development makes it a
favorite for attackers, especially since it doesn’t require programming experience.
The best ways for people and companies to stay safe are to keep devices and
software up to date, to use a security solution, and to be wary of potential
phishing campaigns.

Attackers Use SMS Phishing to Steal Credentials and Install Emotet Malware

Researchers have discovered a new SMS phishing campaign
targeting mobile numbers in the United States aiming to steal online banking
credentials and install the Emotet malware wherever possible.

SMS phishing campaigns, also known as smishing, follow a
straightforward recipe. Victims receive an SMS message with an embedded link,
sending them to a malicious site. Sometimes, it’s just a phishing scheme, with
attackers looking to steal credentials. But the same platform can be used to trick
people into installing malware, which could serve a variety of purposes,
including transforming the device into a bot for other attacks.

This is the case with this current smishing campaign,
which aims to do as much damage as possible, and that includes stealing
credentials and infecting terminals with malware. When people open the link in the
SMS warning them about a locked bank account, they are redirected to a website
that looks very much like the real deal but with a different domain.

“Our researchers found the file on the distributing
domain and looked into some obfuscated malicious PowerShell scripts that led us
to additional Emotet-serving domains,” said
the IBM X-Force researchers. The attackers used a known obfuscation technique
that’s found in the TrickBot malware, so it’s possible there’s a connection
between the two.

Smishing is part of the same family as phishing (email)
and vishing (voice). Tricking users into providing their credentials to a
third party is the main objective. Users should always check the links and
messages received via SMS or email and remember that banks don’t request
personal details, including user names, passwords, credit card numbers, PINs, or
anything else, through online connections.

It’s also a good idea to install a security solution, no
matter the platform (PC, mobile, iOS and macOS), that can spot possible
phishing attempts and prevent the installation of malware.

US defense IT agency says data breach may have affected 200,000 people

The Defense Information Systems Agency (DISA), which handles
IT and telecommunications support for the White House and U.S. military troops,
has disclosed a data breach that may have affected 200,000 people between May
and July 2019.

According to a letter sent by
the U.S. defense agency to victims, Social Security numbers and other personal information
stored on a system on their network might have been compromised.

“While there is no evidence to suggest that any of the potentially compromised PII was misused, DISA policy requires the agency to notify individuals whose personal data may have been compromised,” according to the letter, dated Feb. 11, 2020.

The agency has also stated that new protocols and additional
security measures have since been put in place to prevent future incidents and protect
personally identifiable information.

Following the breach, DISA vows to provide free credit monitoring services to victims, and advises those concerned about identity-theft related crimes to visit the FTC’s website for additional information and prevention steps.

The agency has given no further information. Details such as
who was responsible for the breach and what systems were compromised will most
probably remain unknown.

The disclosure of this security breach further darkens the
2019 cyber landscape, which had already reached an all-time high in number of
exposed records. The event shows that no system can be bulletproof and that
sooner or later, anyone can fall victim to data breaches, even a Department of
Defense (DOD) agency overseeing presidential communications.

Google Removes 600 Apps from Play Store for Serving Disruptive Ads

Google has removed more than 600 apps from the Play Store
and banned them from the Google AdMob and Google Ad Manager advertising
platforms for violating policies on disruptive ads.

The massive Google Play Store marketplace holds lots of
interesting apps, but it’s also home to less-than-honest apps and developers out
just to make a quick buck. One way to make money is through ads, but apps that only
show ads when they are running may not make so much money.

So, developers find ways to show ads even when the apps
are not in use, which is a clear violation of existing policies. Of course,
some mechanisms are in place to counter harmful and dishonest apps, but it’s
not a perfect system. And malevolent developers always seek new ways to
circumvent protections.

“We define disruptive ads as ads that are displayed to users in unexpected ways, including impairing or interfering with the usability of device functions,” says Per Bjorke, Senior Product Manager, Ad Traffic Quality. “While they can occur in-app, one form of disruptive ads we’ve seen on the rise is something we call out-of-context ads, which is when malicious developers serve ads on a mobile device when the user is not actually active in their app.”

It might not seem like a big problem, but it’s a sure way
to disrupt phone usage. Imagine trying to shut down a full-screen app that has
no exit button right when you’re attempting to answer a call. And this is just
one of many situations in which ads can be intrusive, especially since they’re
not running inside the apps that serve them.

Fighting this problem is an ongoing process, and Google
says it’s now enlisting the help of a machine-learning tool that should be able
to spot these apps before they cause any damage. The only issue is that such
tools sometimes cause collateral damage as well, at least until they have had a
chance to learn what they need to do.

Developers Hack McDonald’s Reward System to Get Free Hamburgers

A couple of German software developers discovered an
oversight in McDonald’s promotion systems that allowed them to get as many
hamburgers as they wanted, without paying anything.

While software vulnerabilities or loopholes are sometimes
used for nefarious purposes, that’s not always the case. The same can be said of
white-hat hackers and software developers who want to make the online world a safer
place.

McDonald’s has a promotions system that offers rewards
for some orders, which is not out of the ordinary. But, according to a Vice report,
a couple of developers found the code behind the promotion system could be
exploited in a way that would allow them to get pretty much anything from the
fast-food chain.

Their first attempt was in Berlin. They generated a €17
voucher, placed an online order, and got the OK. The two developers didn’t want
to pick it up initially, but they eventually went to the store and explained
the situation. Surprisingly, the manager said that they should take the order.
They tried again, in another restaurant, in Hamburg, for 15 burgers, and it
worked. But they notified the manager and canceled the order before it was prepared.

Eventually, they contacted customer service in an attempt
to notify the company about the hack, but that didn’t work. Vice contacted
McDonald’s on behalf of the two developers, but the company didn’t acknowledge
the problem. The problem was ultimately fixed, and the developers even received
a reward from McDonald’s for their efforts.

US Gas Company Attacked with Ransomware

Hackers have installed ransomware on systems of a natural
gas compression facility in the United States, affecting the operational
technology (OT) network, including human-machine interfaces (HMIs), data
historians, and polling servers.

The Cybersecurity and Infrastructure Security Agency
(CISA) offered details of the attack in an effort to inform other organizations
about the danger of such intrusions and mitigation techniques.

In this case, a human served as the entry point for the
hackers. Someone fell for a phishing email that contained a link that triggered
the installation of malware. After the hackers had access to the network,
infecting it with ransomware was easy.

While the attack on the natural gas compression facility could
inflict a lot of damage, the hackers lacked access to programmable logic
controllers (PLCs), so the company didn’t lose control of the actual operation.

This was one of the more fortunate cases, where the
organization had quick access to backups, and restoration only took a couple of
days.

“The victim’s existing emergency response plan focused on
threats to physical safety and not cyber incidents,” says the advisory. “Although
the plan called for a full emergency declaration and immediate shutdown, the
victim judged the operational impact of the incident as less severe than those
anticipated by the plan and decided to implement limited emergency response
measures.”

Mitigation measures recommended by CISA include network
segmentation, multi-factor authentication, data backups, specific account use
policies and user account control, spam filters, endpoint protection,
disabling Office macro scripts, and keeping software up to date. All of these
are just the basic protections any company and organization should employ.

The CISA advisory doesn’t say what type of ransomware was
used, how much ransom was requested, or name the hackers, but Ryuk and
Sodinokibi have been used in the past on industrial systems.

FC Barcelona Twitter Account Hacked, Again, By the Same Group

The Twitter account of FC Barcelona has been hacked by
the OurMine group, who had enough time to post sensitive information, seemingly
taken from private messages.

After OurMine took control of the account, they said
private messages on the platform indicate Neymar might be returning to the
team. The footballer left FC Barcelona in 2017, so it would be big news if he returned,
not to mention that this would be the worst way to make such an important
announcement.

Losing access to Twitter accounts is nothing new for
individuals or companies. Accounts are usually taken over via a technique
called credential stuffing. Companies and large organizations use analytics
tools that allow them to better measure the impact of their posts. Such
third-party tools don’t have the same kind of security, and usually have direct
access to the account.

Hackers get a hold of user names and passwords through
various leaks, then try them on various services. A bad tendency among people to
reuse credentials on multiple online services doesn’t help. Of course, the use
of a multi-factor authentication solution would have been great, but it’s
unclear whether such protection was deployed.

“FC Barcelona’s Twitter accounts have been hacked,
which is why messages from outside our club have appeared, and which have been
reported and deleted. The tweets were made through a third-party tool for data
analytics,” the club wrote on
Twitter.

“FC Barcelona will conduct a cybersecurity audit and
will review all protocols and links with third-party tools, in order to avoid
such incidents and to guarantee the best service to our members and fans,” it said.
“We apologize for any inconvenience this situation may have caused.”

As you might have noticed, they said nothing about the
supposedly leaked information, which is actually the best you can do in these
situations, whether it was true or not. Furthermore, this is the second time
this has happened. The previous time was in 2017 — by the same group.
