Houseparty app boycotted after users claim their online accounts were hacked

As the number of coronavirus infections continues to rise, we are becoming more dependent on video chat apps to connect with family, friends and coworkers.

There’s never been a better time for face-to-face social networks to shine, and the Houseparty app has become a sensation in the digital world these past weeks. Houseparty is one of a number of apps that allow family and friends to get together and make video calls, play games or just relax while watching their favorite show.

However, starting on Monday, many app users claimed that their online accounts, including Spotify, PayPal, Instagram, Snapchat and Netflix, had been compromised. The elephant in the room is none other than the popular video chat app.

As news of the alleged data breach continues to spread, many users have joined the online riot and advise any Houseparty aficionados to immediately delete the app from their devices.

One user said: “DELETE HOUSEPARTY! My PayPal which was with the same email address has been hacked and money taken from my bank!”

“Delete house party – somebody has hacked my Spotify from it,” one user wrote.

“PSA everyone delete ur houseparty account as they have hacked my Spotify and Netflix from POLAND and the US,” added another.

The creators of the app quickly responded to the accusations and denied any data breach, claiming that the rumors are part of an elaborate smear campaign. The company went so far as to offer a $1 million check to the person who can provide any evidence of such an attempt.

“We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to bounty@houseparty.com,” said the company in a recent tweet.

The developers continue to support their users and provide further reassuring messages: “All Houseparty accounts are safe – the service is secure, has never been compromised, and doesn’t collect passwords for other sites.”

Video conferencing apps are known to have been exploited by cyber criminals in the past, and the supposed data breach is not to be taken lightly. Internet users often use the same password for more than one online account, and it is recommended that any affected parties start changing passwords for all of their online accounts to avoid any further damages.

Zoom Removes Facebook SDK on iOS Because It Sent Back Unnecessary Information

After reports that the Zoom app on iOS was sending details about the users’ devices to Facebook, even if they had no Facebook account, the company announced that it removed the Facebook SDK from the application.

The Facebook SDK sends telemetry back, usually about devices it’s installed on, including hardware and operating system. While this information might help Facebook determine the hardware the apps are being installed on and the software ecosystems used, it’s at least strange to see the SDK send back this data for users who have no Facebook account or didn’t choose to use the Facebook login feature.

An investigation by Motherboard revealed this fact about the Facebook SDK implemented into the web conferencing app Zoom. It turns out that analytics was shared when users simply opened the app. The information sent back included details about the time zone, the time the app was opened, the default language, the iOS version, the IP address, the mobile carrier, and hardware details about the device itself.

Zoom implemented the Facebook SDK to let users log in by using their Facebook credentials, but after the investigation revealed that it was doing more than that, the team decided to remove it entirely.

“We were made aware on Wednesday, March 25, 2020, that the Facebook SDK was collecting device information unnecessary for us to provide our services,” said Zoom in a blog post. “The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc.”

“We decided to remove the Facebook SDK in our iOS client and have reconfigured the feature so that users will still be able to log in with Facebook via their browser.”

An update is now available for the Zoom app, and users need to install it as soon as possible. It’s still possible to log in with Facebook credentials, but new users will have to use the web version through the default browser.

Data Leak: Personally identifiable information of 4.9 million Georgians found online

A database containing the private information of Georgian citizens is up for grabs on a dark web forum. Researchers from Under the Breach stumbled on the data leak over the weekend, and reported that it contained 4,934,863 entries.

Full names, physical addresses, dates of birth, ID numbers, and mobile phone numbers were among the personally identifiable information wrapped up and shared in a 1.04 GB Microsoft Access database file.

Although the data initially pointed to the Central Election Commission of Georgia (CEC), the administration said the data released by hackers is different from the voter list data posted on their election portal.

The origin of the information remains a mystery, since the Georgian state has a population of approximately 3.7 million (according to the 2019 census), and the leaked file contains information of deceased citizens.

The organization also said it detected no suspicious activity on its network, and it only provides information on approximately 3.5 million voters that doesn’t include details such as telephone number and personal ID number. Still, the commission started an investigation this Monday.

The data dump poses a serious risk for the Georgian people. Once in the hands of bad actors, the information can be used for more nefarious purposes such as identity theft, impersonation and phishing attacks.

Even if the data leak does not include passwords or credit card information, every piece of personally identifiable information is important to identity thieves.

Criminals can use the names together with other scraped data and open new credit card accounts, apply for loans, or deploy personalized phishing emails to trick the recipient into offering financial information.

Spike in Remote Work Leads to 40% Increase in RDP Exposure to Hackers

As Covid-19 continues to wreak havoc globally, companies are keeping their employees at home. To ensure compliance and stay atop security standards, teleworkers have to patch into their company’s infrastructure using remote desktop protocol (RDP) and virtual private networks (VPN). But not everyone uses these solutions securely.

Research by the folks behind Shodan, the search engine for Internet-connected devices, reveals that IT departments globally are exposing their organizations to risk as more companies go remote due to COVID-19.

“The Remote Desktop Protocol (RDP) is a common way for Windows users to remotely manage their workstation or server. However, it has a history of security issues and generally shouldn’t be publicly accessible without any other protections (ex. firewall whitelist, 2FA),” writes Shodan creator John Matherly.

After pulling new data regarding devices exposed via RDP and VPN, Matherly found that the number of devices exposing RDP to the Internet on standard ports jumped more than 40 percent over the past month to 3,389. In an attempt to foil hackers, IT administrators sometimes put an insecure service on a non-standard port (aka security by obscurity), Matherly notes. But this number too has climbed, by around 37 percent, over the same period. With the growing number of cyber-attacks capitalizing on COVID-19 and remote workers, cybercriminals undoubtedly know all too well where, when and how to hit.
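The point that a non-standard port does not hide RDP can be checked against your own address inventory. The following Python sketch is an added example, not code from Shodan or the article: it sends the standard RDP negotiation request and classifies the reply, so the service is recognised on whatever port it listens. The function names and the local `fake_listener` stand-in are assumptions made for the illustration.

```python
import socket
import struct
import threading

# X.224 Connection Request with an RDP negotiation request (MS-RDPBCGR 2.2.1.1).
RDP_CONN_REQUEST = bytes.fromhex(
    "03000013"          # TPKT: version 3, reserved, total length 19
    "0ee00000000000"    # X.224: LI=14, CR (0xE0), dst-ref, src-ref, class
    "0100080003000000"  # RDP_NEG_REQ: type 1, length 8, offers TLS (1) + NLA (2)
)
# selectedProtocol values returned in RDP_NEG_RSP.
PROTOCOLS = {0: "legacy", 1: "tls", 2: "nla", 8: "nla-ext"}

def classify_response(data: bytes) -> str:
    """Return 'not-rdp', or 'rdp:<security layer>' for an RDP reply."""
    # An RDP server answers with TPKT version 3 and an X.224 Connection Confirm.
    if len(data) < 11 or data[0] != 3 or data[5] & 0xF0 != 0xD0:
        return "not-rdp"
    if len(data) < 19:
        return "rdp:legacy"  # no negotiation block: classic RDP security only
    neg_type, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if neg_type == 0x02:     # RDP_NEG_RSP
        return "rdp:" + PROTOCOLS.get(value, f"protocol-{value}")
    if neg_type == 0x03:     # RDP_NEG_FAILURE
        return "rdp:negotiation-failed"
    return "rdp:legacy"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to one of your own endpoints and fingerprint the service."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(RDP_CONN_REQUEST)
            return classify_response(s.recv(64))
    except OSError:
        return "closed"

def audit(inventory):
    """inventory: (host, port) pairs you own. Returns those that speak RDP."""
    findings = []
    for host, port in inventory:
        result = probe(host, port)
        if result.startswith("rdp:"):
            findings.append((host, port, result))
    return findings

def fake_listener(reply: bytes) -> int:
    """Constructed stand-in: one-shot local server that answers with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # Constructed replies: an RDP server on a random high port, and an SSH banner.
    rdp_reply = bytes.fromhex("03000013" "0ed00000123400" "0200080000000000")
    ports = [fake_listener(rdp_reply), fake_listener(b"SSH-2.0-example\r\n")]
    for host, port, result in audit([("127.0.0.1", p) for p in ports]):
        print(f"{host}:{port} answers as RDP ({result}); restrict it at the firewall")
```

A result of `rdp:legacy` or `rdp:tls` means the endpoint accepts sessions without Network Level Authentication, which makes an Internet-facing listener a higher priority to close or place behind a VPN or allowlist.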

Furthermore, the number of servers running VPN protocols on different ports has jumped by a third, from nearly 7.5 million to nearly 10 million. One such protocol is the Point-to-Point Tunneling Protocol (PPTP), an obsolete method for implementing virtual private networks that’s riddled with known security issues. The known vulnerabilities relate to the underlying PPP authentication protocols used, as well as the design of the MPPE protocol and the integration between MPPE and PPP authentication for session key establishment.

Another worrying find is the increase in exposure for industrial control systems (ICS), which typically keep critical infrastructures alive across the globe. Hackers exploiting a vulnerability in ICS applications can have dire consequences for cities and indeed entire nations.

Bitcoin thieves use malicious QR code readers to steal $45,000 this month

Payments in cryptocurrency are not limited to extortionists who provide you their Bitcoin (BTC) wallets in their ‘contact info’.

Adapting to the growing popularity, merchants around the world have added payment options that accept bitcoin or other types of cryptocurrency.

Last week, security researcher Harry Denley exposed nine websites advertising fake Bitcoin-to-QR code generators.

All BTC to QR Code websites have an identical interface and claim that, if you enter your Bitcoin address, the QR code will be instantly generated. “A super practical way to get a scannable code to send Bitcoin transactions” – or an easy way for cyber thieves to make a quick buck.

The programs that should convert your actual Bitcoin address into a QR code for easier fund transfers actually generate a QR code corresponding to five different bitcoin wallets of the perp, the investigation reveals.

So far, the fake QR code generators have managed to scam victims out of 7 BTC ($45,000). What makes the hoax so puzzling is that cryptocurrency users can generate a QR code through their wallet, yet they opted to rely on bogus online code generators instead. Since this functionality can be found in both virtual cryptocurrency wallets and some exchange points, it’s recommended to stay away from these online tools and websites, which do nothing but steal your funds.

Interestingly enough, the above websites are hosted on three separate servers, anchoring an additional 450 suspicious websites boasting keywords such as COVID-19, cryptocurrencies and Gmail.

While most of the discovered domains are offline, some point to bitcoin transaction accelerators that vow to speed up your bitcoin transfers if you pay 0.001 BTC (6 USD). Four of the domains are listed below:

• bitcoin-transaction-accelerator[.]com
• transaction-accelerator[.]com
• bitcoin-tx-transaction-accelerator[.]com
• viabtc-transaction-accelerator[.]com

The bitcoin addresses of these accelerators have gathered over 15 BTC so far, which rounds up to $100,000.

ProtonVPN Discloses VPN Vulnerability in iOS

VPN services are available to iOS users, but they don’t seem to work as intended due to a bug in iOS that doesn’t allow all network connections to route through the VPN service as soon as it starts.

ProtonVPN found a vulnerability in iOS 13.3.1 that directly affects all VPN connections, no matter which application initializes the private tunnel. The issue persists in the latest iOS 13.4 version as well.

Most companies follow a responsible disclosure program, which means they first notify the developers of the affected app or the makers of a hardware component about an issue, giving them time to fix it. In this case, Apple was given 90 days before the vulnerability was made public. The company has yet to issue a fix, but they are working on options for mitigation.

As it turns out, when a user initializes a VPN connection, iOS doesn’t close all network connections, allowing them to remain online. At some point, the connection is reinitialized through the VPN, but it’s entirely up to the OS, and users have no choice.

While it might not seem like a big deal, imagine you’re trying to use a VPN, but its full functionality is crippled because of communications from other components, such as the messaging applications or the notification service.

“The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays),” says ProtonVPN in the notice.

“The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to,” the company said. “Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server. Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common.”

All VPN apps are affected by this vulnerability, as it’s impossible to kill the connections kept open by the OS. The only temporary solution is to run the VPN app, turn Airplane Mode on and off, then hope that all connections will then be rerouted through the tunnel. It’s impossible to say that it’s going to be completely effective, though.

Pay me or I’ll cough: Bad actors bully email recipients with new Covid-19 extortion scam

Cyber criminals hit a new low this month, proving once again that they’ll go to any lengths to extort their victims. This time around, it’s not just about ruining your reputation and disclosing a ‘dirty little secret’ to your friends and family. Scammers have gift-wrapped the traditional extortion email in a desperate attempt to make you pay up.

The bargaining chip

If old gimmicks don’t pay off, new phishing emails are leveraging the Coronavirus pandemic. How? The scammer demands payment in Bitcoin, or else he will infect your family members with Coronavirus. Seems like threat actors have transitioned to bioterrorism overnight, claiming that “No matter how smart you are, believe me, if I want to affect, I can.”

While this dare-devilish threat is false, their efforts show that some bad actors are struggling to make a buck amid the pandemic.

Bitdefender Labs has spotted a separate version of the Covid-19 extortion stunt, where the swindler posing as your neighbor claims to have tested positive for the virus. In this petty dry run, the perp goes on to mention that he has just a week to live, and shows his contempt by asking you to transfer money to his Bitcoin wallet.

We know you have a lot on your plate this time, and while new versions of the scam are likely to turn up in the coming weeks, rest assured that we are committed to fending off any such hoaxes that might end up in your Inbox. While we focus on protecting your devices from malware and phishing attacks, you can follow some easy but effective steps to stay safe while browsing the Internet:

• Change your passwords periodically – passwords are the gateway to your account and your online persona. Regularly updating your login passwords for e-commerce websites and social media accounts can help keep you safe from account takeover attacks and identity theft. A guide on how to create a strong password can be found here.
• Enable two- or multi-factor authentication – This gives your online accounts an extra layer of protection.
• Ignore online offers promoting Coronavirus cures, home test kits or vaccinations – numerous fake ads have been shared on social media and other platforms that were quick to dupe consumers.
• Don’t click on links or download files from untrusted sources – accessing unfamiliar links or downloading files on your devices may bring a malicious payload. It’s best to keep your browsing patterns limited to what’s closer to home.

We’re going to keep doing what we’ve always done – protecting you from malicious activity.

Stay Safe!

Cybersecurity insurance firm Chubb investigates its own ransomware attack

A notorious ransomware gang claims to have successfully compromised the infrastructure… of a company selling cyberinsurance.

The Maze ransomware group says it has encrypted data belonging to Chubb, which claims to be one of the world’s largest insurance companies, and is threatening to publicly release data unless a ransom is paid.

The announcement by the cybercrime gang was published on Maze’s website, where it lists what it euphemistically describes as its “new clients”.

Maze’s normal modus operandi is to compromise an organisation, steal its data, infect the network with its ransomware, and post a pre-announcement on its website as a warning to the corporate victim that if they do not pay a ransom their stolen data will be published on the internet.

At the time of writing, Maze has published no proof that it has successfully infected Chubb’s systems. It has published the email addresses of its Chief Executive, Vice Chairman, and Chief Operating Officer, but this is information which could have been easily obtained through other means than hacking.

When asked to provide more information, the Maze group is currently keeping its lips sealed – presumably waiting to see if Chubb will pay a ransom.

For its part, Chubb told Bleeping Computer that – with the help of cybersecurity experts and law enforcement agencies – it was investigating whether hackers might have stolen data from a third-party service provider as it has not found any evidence that its own network has been compromised:

“We are currently investigating a computer security incident that may involve unauthorized access to data held by a third-party service provider. We are working with law enforcement and a leading cybersecurity firm as part of our investigation. We have no evidence that the incident affected Chubb’s network. Our network remains fully operational and we continue to service all policyholder needs, including claims. Securing the data entrusted to Chubb is a top priority for us. We will provide further information as appropriate.”

Whether it was Chubb or one of its external partners remains to be seen, but the mention of Chubb on Maze’s list of “new clients” was enough to prompt security researchers to explore the state of Chubb’s security – with some discovering that the company appeared to have left RDP open for anyone to access via the internet, and that the firm was using unpatched Citrix Netscaler servers (commonly exploited in past Maze ransomware attacks).

More and more companies are choosing to take out commercial cyberinsurance policies to mop up some of the costs if they are hit by ransomware and other forms of hacker attacks. For a large company selling cyberinsurance to potentially be one of the latest ransomware victims is particularly ironic, and sends a warning to all firms not to be complacent about the threat.

Scammers Target U.S. Troops with Fake COVID-19 Tests

Scammers continue to piggyback on the COVID-19 Coronavirus scare with new tricks, this time targeting U.S. Army service members with phone calls requesting their personal information and promising a testing kit to check if they’re infected, according to the Military Times.

The outlet, which describes itself as a trusted, independent source for news and information on the most important issues affecting service members and their families, has put out the following warning:

“If you’re a Tricare recipient and someone calls you out of the blue offering a COVID-19 test kit, hang up the phone and contact Tricare officials.”

The notice comes after the Defense Health Agency said it learned of scammers trying to steal personal information of Tricare beneficiaries using the promise of non-existent COVID-19 testing kits.

Scammers call beneficiaries directly with an offer to sell COVID-19 testing kits and even ship them to the prospective victim’s address. Operatives behind the swindle reportedly request personal information such as Social Security numbers and bank or credit card information.

Service members are instructed to report unsolicited attempts to sell or send a COVID-19 testing kit to this link. Furthermore, service members should not physically walk into their local military hospital or clinic if they feel they may have symptoms of COVID-19. Instead, they should stay home and contact their medical provider, the notice states.

“You will be assessed and screened for potential or suspected exposure, and if necessary, an appointment with a physician will be arranged. Legitimate COVID-19 tests will be ordered by a physician after the assessment and screening,” according to the Military Times.

U.S. government agencies and police are scrambling to keep the American public safe from COVID-19 scams, including phishing emails arriving in their inbox with attachments purporting to contain vital information about the contagion and how to fight it.

The best advice right now is to refrain from making decisions over any unsolicited calls, SMS messages, or emails claiming to lend a helping hand, free masks or testing kits, or miracle cures. Opportunistic fraudsters use the anxiety created by a crisis to take advantage of their unsuspecting victims.

BBB warns scammers are leveraging the Senate relief bill

For the past week, U.S. lawmakers have been discussing proposed stimulus checks to help the country through this coronavirus-induced economic crisis. The $2 trillion stimulus package that will offer help to American citizens affected by the Coronavirus outbreak unanimously passed in the Senate this Wednesday and was sent to the President for signing.

The Better Business Bureau (BBB) has already issued a warning for citizens to keep an eye out for government grant scams.

What should you expect?

Fraudsters posing as government officials may contact you via telephone, email or social media posts and messages, claiming you can apply for a free grant with 100% guaranteed acceptance. If you fall for their ruse, you are asked to submit a one-time processing fee. The punchline: you’ll never see a dime of the so-called grant money they promised.

Fake checks and grant scams are old news in the swindling business. What makes this particular scam stand out is that fraudsters started deploying the scheme before the newly proposed legislation became a reality.

The BBB Scam Tracker was already hit by complaints from the community.

“I received a text message stating “Government Relief Available” with a link to click. The link is tCXQ[.]site/3VeoS and had MSG:3VeoS at the bottom of the message. I knew this had to be a scam. I did not click the link because I had seen on Facebook about some scam texts being sent out. I hope these people are caught and prosecuted for trying to take advantage of people in a time of struggle”, one user described on March 25.

An earlier recipient posted a similar message on March 21, stating “A Facebook Messenger message from a personal friend started informing me about a government grant for retired people that sounded great ’cause she got her money within three weeks. I contacted the FGG & WHO agent that she worked with. Through text messages she helped me fill out a form over my cell phone which included my(winner’s as they put it) full name and address my deceased parents’ names, occupation status, age, marriage status, husband’s name, cell phone number & provider, monthly amount from Social Security and credit score and for $1,000 filing fee in a gift card I would receive $100,000 as a grant.”

Another scam description from Mar 25 says “Texted saying click here for government relief. Could be covid19 related.”

According to a separate report from March 24, “Attorney Robert Menendez Incharge 2020 contacted me through a friends Instagram account. He asked for the following information.
Full name; Mother Name; Address; Male/Female; state; married/single; cell no; age; occupation; e-mail; monthly income; attached I.D. image; do you have credit cards; what’s your credit score; etc.”

Tips to help you spot the emerging COVID-19 Grant Scam

• Understand that your government will not communicate with you directly through social media messages on Facebook, Instagram or WhatsApp.
• Do not pay any money for a free government grant. If you have to pay to claim it – you can’t really call it free. A real government agency will not ask you to pay any processing fees.
• Do your research and check if the agency contacting you exists. Contact the organization and ask if the message you received is legitimate. Cyber criminals often spoof phone numbers or email addresses, making it appear that you’re contacted by the real person.
• Scammers often impersonate real people on social media, so be wary of messages with grant-related content you receive from ‘your friend’. You can call your friend to verify if he sent the message.

Stay Safe!
