FBI Warns Consumers about COVID-19 Antibody Testing Scams

Lockdown measures may be easing across the world, but we are not out of the woods yet. Scammers continue to leverage the coronavirus crisis by recycling old ruses or devising new schemes to fool unsuspecting victims.

Governments and police are on full alert as coronavirus-related scams plague the digital landscape, defrauding the population of millions.

Last week, the FBI issued a warning about a new breed of scam related to antibody testing for the virus. According to the agency, fraudsters have started marketing unapproved antibody tests that provide more than just false results to potential customers.

“In response to the vast number of COVID-19 cases, and in an effort to return to a normal economy as soon as possible, researchers have been encouraged to devise testing methods that can be quickly and easily deployed to test large numbers of individuals for COVID-19 antibodies,” the FBI said. “However, not all COVID-19 antibody tests have been approved by the U.S. Food and Drug Administration (FDA), and their efficacy has not been determined.”

Individuals caught in this ruse expose personal information, as bad actors will try to steal sensitive data such as names, date of birth, Social Security Numbers, and other personal health data that could lead to a bad case of identity theft and fraud.

The law enforcement agency also provided a list of common indicators of such swindles, including:

• The FDA ‘approved’ antibody test cannot be verified
• Ads for tests are pushed through popular social media platforms, email, phone or other unsolicited channels
• Vendors offer “free” COVID-19 antibody tests or incentives for undergoing testing
• Individuals contact you in person, by phone or via email claiming that government officials require you to take a COVID-19 antibody test
• Practitioners claim to perform antibody tests for cash

What should you do if such individuals contact you? The FBI recommends checking the FDA website for the updated list of approved COVID-19 antibody tests and testing companies, and using a known laboratory vetted by your health insurance company.

If you are required to share any personal or health information during testing, make sure you are dealing with trusted medical professionals. Follow CDC recommendations or guidance, and check your medical bills for any unusual claims.

Half of Internet Users Fall Victim to Cyber Attacks

Half of computer users confirm that they have fallen victim to some form of cybercrime, according to a new NordLocker cybersecurity report.

The extent of cybercrime has no limits, and while cyber awareness campaigns have spiked in recent months, attacks targeting Internet users have increased in number and sophistication. Malicious actors use more than just coronavirus-related anxieties to fill their pockets, channeling every trick in the book to find their next victim.

In April, the company polled 1,400 Internet users in the US and UK, revealing that over 50% of respondents had fallen victim to malicious cyber activity.

Brits hold steady at 55%, while 67% of Americans admit to having encountered malicious cyber activities while using their Internet-enabled devices. Computer viruses, phishing scams and stolen passwords were among the most common cyber-related incidents mentioned by users:

• 33% of UK respondents compared to 46% of US respondents experienced malware attacks
• 20% of UK respondents compared to 32% of US respondents fell victim to an email scam
• 14% of UK respondents compared to 23% of US respondents claim to have had their passwords stolen

Additionally, some 8% of users in both the UK and US had been hit by a ransomware attack, and asked to pay a ransom to regain access to their documents and files.

The study also revealed some interesting points regarding how the general populace feels about their data becoming exposed online. Most users compare data exposure to losing a wallet or personal documents, or to someone breaking into their home.

“Over 75% of users rated losing a device or finding out that someone had access to their personal computer as extremely concerning,” researchers said. “76% of UK users would be extremely concerned about a stolen email password, rating it as worse than losing a job. In the US, it would worry 72% of respondents — they rated it as worse than personal illness but not as bad as losing a job.”

What do users value the most? Users in both countries value their medical records, tax records, personal photos and work-related files, personal info that is mainly stored on their computers. However, these devices are often shared with someone else such as a spouse (around 40%), children (20%), parents (6%), and coworkers (3%).

Voice recordings from domestic violence alerting app exposed on the internet

On the face of it, it sounded like a good idea.

A smartphone app, disguised as a regular app delivering the top world, sports, and entertainment news, containing a secret feature that allows victims of domestic abuse to send a covert distress call for help at the touch of a button.

That was the idea behind the free Aspire News App, launched some years ago by When Georgia Smiled, a US non-profit founded by Robin McGraw and her husband US TV star “Dr Phil” to help victims of domestic violence and sexual assault.

To be honest, that still sounds like a good idea to me – if the app is coded well, and if any data it collects is properly secured.

But what isn’t a good idea is for voice recordings made by the app to be left exposed on an unsecured Amazon Web Services (AWS) S3 bucket, allowing anyone with internet access to download them and listen if they so wish.

According to security researchers at VPN Mentor, who found the exposed data, over 4,000 voice recordings of emergency messages left by victims of domestic violence were available to access – no password required.

Some of the 230MB worth of recordings included personally identifiable information such as names and home addresses, as well as the identities of violent abusers.

Transcripts of just two of the recordings that were exposed reveal the seriousness of the situation:

“[Full Name] is threatening or hurting me. Please send help now. [Full address]”

and

“Please call the police right away and have them come to [Full Address]. I am in great danger. I need you to send the police right away, please…”

Potentially, if the information fell into the wrong hands it could not only expose people who did not want the data revealed to the risk of extortion, but it could also put victims in greater physical danger if their abuser found out.

The researchers attempted to reach out to When Georgia Smiled and the Dr. Phil Foundation to get the serious data breach fixed last Wednesday, but ultimately it took the involvement of AWS itself to get the unsecured web bucket shut down.

So, that’s a happy end to the story, right?

Well, perhaps not.

You see, a security failure like this could lead to victims of domestic abuse losing confidence in Aspire News App. If they do not feel safe any longer using the app, they may find it harder to escape abusive relationships safely.

That clearly wasn’t what Dr Phil and his wife Robin McGraw wanted – the Aspire News app was supposed to help people escape dangerous situations, not make it even harder to find a way out.

University of California San Francisco Pays $1 Million to Ransomware Operators after June 1 Attack

NetWalker ransomware operators have persuaded the University of California San Francisco to pay over $1 million in an extortion scheme using data-encrypting malware. The attack, UCSF officials say, didn’t even target the institution.

UCSF’s School of Medicine is among those leading coronavirus-related antibody testing, Bloomberg reports. Yet the ransomware attack detected on servers inside its School of Medicine wasn’t even targeted, according to the IT department of UCSF.

“Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted,” according to a statement on the ucsf.edu website. “The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed. As additional facts become known, we will provide further updates.”

UCSF says it quarantined the IT systems within the School of Medicine as a precaution and claims to have isolated the incident from the core UCSF network.

“Importantly, this incident did not affect our patient care delivery operations, overall campus network, or COVID-19 work,” the university said.

However, according to the statement, the data corrupted by the NetWalker gang’s data-encrypting malware was nonetheless important to the academic work pursued at the university serving the public good.

“We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained,” UCSF admitted.

“This incident reflects the growing use of malware by cyber-criminals around the world seeking monetary gain, including several recent attacks on institutions of higher education. We continue to cooperate with law enforcement, and we appreciate everyone’s understanding that we are limited in what we can share while we continue with our investigation,” it added.

Such a lucrative payoff will not go unnoticed by rival ransomware gangs. Ransomware operators worldwide will undoubtedly take UCSF’s move as incentive to strike the American education sector again.

E-learning Platform Exposes Personal Information of Over 1 Million North American Students

Security researchers have recently discovered a leaky database belonging to the e-learning platform OneClass, a remote learning tool that provides educational assistance and study guides to millions of North American students.

Uncovered by vpnMentor researchers during a routine Internet scan, the 27GB database includes 8.9 million records, and is estimated to have improperly stored personal information of more than 1 million students, including those who had their membership rejected by the platform.

The exposed records contained personally identifiable information (PII) including full names, email addresses (some masked), schools and universities attended, phone numbers, course enrollment data, and OneClass account details.

Researchers noted that some of the information could even be linked to minors, since the e-learning platform allows students as young as 13 to register. Additionally, some of the findings include educational data such as faculty details and access to different textbooks and online exercises.

The investigators contacted the company on May 25, and OneClass was able to secure the server within 24 hours. However, the company denied any impact, claiming that it was a test server, and the data could not be linked to actual students.

“In response, OneClass immediately secured the database but claimed that it was a test server, and any data stored within had no relation to real individuals,” researchers said. “However, during our investigation, we had used publicly available information to verify a small sample of records in the database. Taking the PII data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database.”

Company officials provided no additional comments or statements. Since it is not clear whether any malicious actor also found the data, the extent of the data breach can only be speculated about.

If bad actors had managed to steal the information, more than 1 million students could be at risk. Using the information available, criminals could easily deploy a phishing campaign aimed at stealing credit card information of paying members.

“OneClass users are very young – including minors – and will generally be unaware of most criminal schemes and frauds online,” the researchers added. “This makes them particularly vulnerable targets. It’s also likely many of them use their parent’s credit cards to sign up, exposing their whole family to risk”.

Malicious links embedded with various forms of malware could also be sent to unsuspecting students, potentially rendering their devices useless or encrypting their files unless ransom is paid.

Phishing Attacks Use Social Media Notifications to Steal Credentials

Attackers are looking to steal the credentials of Instagram, Facebook, and Twitter users with elaborate phishing campaigns. The targets of these campaigns are employees of major enterprise organizations.

It might seem odd that attackers would go after social media accounts, but they have good reasons for this strategy. One of the reasons is that many people tend to use the same passwords for their personal and work accounts, which means that bad actors will often get a password that works on multiple domains.

These campaigns look just like any other phishing attempt. The goal is to trick people into entering their credentials into websites that look very much like the original they’re impersonating. It’s a well-known method that relies on the employees’ lack of training to recognize phishing campaigns.

“These attacks impersonate popular social media platforms to deliver phishing emails to influential users of each platform by impersonating Instagram, Facebook, and Twitter, in an attempt to extract login credentials,” say the researchers from Abnormal Security.

“In each case, these social media platforms are impersonated and contain urgent language, pressing the user to take action or their accounts will be deleted. The action to be taken is embedded in a link provided to appeal the decision to delete the account by the platform.”

The landing websites look very much like their real counterparts, and the Twitter domain imitates the actual one by replacing the “i” with a lower case “l”.
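As an added illustration (not code from the original article or from Abnormal Security), the check below folds visually confusable characters, the lowercase “l” for “i” swap described above included, onto a skeleton and compares candidate URLs against a brand watchlist; the watchlist, the sample URLs and the two-label registrable-domain rule are constructed assumptions.

```python
"""Lookalike-domain check for phishing URLs that imitate a known brand."""
from urllib.parse import urlsplit

# Constructed watchlist of brand domains to protect (assumption: the defender's own list).
PROTECTED_DOMAINS = ["twitter.com", "instagram.com", "facebook.com"]

# Multi-character sequences that imitate a single glyph, applied before the
# single-character table (a narrow "rn" reads as "m", "vv" reads as "w").
_SEQUENCES = [("rn", "m"), ("vv", "w")]

# Single characters folded onto the glyph they imitate. Lowercase L, the digit
# one and a vertical bar all fold to "i", so a domain whose "i" was replaced by
# "l" collapses onto the brand it is mimicking. Hyphens are dropped.
_TABLE = str.maketrans({
    "l": "i", "1": "i", "|": "i",
    "0": "o", "3": "e", "5": "s", "8": "b",
    "-": "",
})


def skeleton(label: str) -> str:
    """Fold a hostname label (or dotted name) onto its visual skeleton."""
    s = label.lower()
    for seq, glyph in _SEQUENCES:
        s = s.replace(seq, glyph)
    return s.translate(_TABLE)


def registrable_domain(hostname: str) -> str:
    """Last two labels of the hostname. Simplification: no public-suffix list,
    so multi-part suffixes such as co.uk are not handled."""
    labels = hostname.strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, protected=PROTECTED_DOMAINS):
    """Return (verdict, brand) for a URL.

    Verdicts: 'legit' (exact brand domain), 'lookalike' (brand label matches
    after folding, e.g. homoglyph or swapped TLD), 'brand-in-subdomain'
    (brand name used as a subdomain of an unrelated domain), or 'unknown'.
    """
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    for brand in protected:
        if domain == brand:
            return "legit", brand
    # Compare the second-level label only, so twltter.com and twitter.co both flag.
    domain_label = skeleton(domain.split(".")[0])
    for brand in protected:
        if domain_label == skeleton(brand.split(".")[0]):
            return "lookalike", brand
    # A brand name placed in the subdomain part of an unrelated registrable domain.
    subdomain_labels = [skeleton(lbl) for lbl in host.split(".")[:-2]]
    for brand in protected:
        if skeleton(brand.split(".")[0]) in subdomain_labels:
            return "brand-in-subdomain", brand
    return "unknown", None


# Constructed sample URLs of the kind a mail filter would see.
SAMPLE_URLS = [
    "https://twitter.com/settings",
    "https://twltter.com/appeal-suspension",            # "i" replaced by "l"
    "https://lnstagram.com/account/verify",             # same swap, first letter
    "http://facebook.com.account-review.net/login",     # brand as subdomain
    "https://example.org/",
]


def scan(urls=SAMPLE_URLS):
    """Classify each URL; returns a list of (url, verdict, brand) tuples."""
    return [(u,) + classify_url(u) for u in urls]


if __name__ == "__main__":
    for url, verdict, brand in scan():
        print(f"{verdict:18} {brand or '-':14} {url}")
```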

With so many people working from home, activity on social media has increased accordingly. If employees lack the proper training to recognize a phishing campaign, they might be tempted to go through the steps and hand their credentials to a third party. It’s important to know that social media websites, or any other services, will not issue such emails threatening suspension or termination of services. Always be careful when receiving email that seems to come from official sources, and never open attachments from unknown sources.

Man sentenced, two others charged, in connection with Satori IoT botnet

A 22-year-old man from Vancouver, Washington, has been sentenced to a US federal prison for his role in the development of the Satori botnet, which launched distributed denial-of-service (DDoS) attacks from hijacked IoT devices.

The Satori botnet, based upon similar code to the notorious Mirai botnet which knocked major websites offline in 2016, is thought to have compromised hundreds of thousands of IoT devices, exploiting vulnerabilities to even infect routers wrongly assumed to have been protected with strong passwords.

Kenneth Currin Schuchman, who used the online handle “Nexus-Zeta”, was sentenced yesterday to 13 months in prison, having previously pleaded guilty to charges under the Computer Fraud & Abuse Act. In addition, Schuchman has been ordered to serve 18 months of community confinement to help him address mental health and substance abuse issues, and a three year term of supervised release.

After being initially charged in August 2018 Schuchman was released to pretrial supervision, but broke the terms of his release by making the astonishing decision to continue to create and operate a DDoS botnet, and communicate with his co-conspirators.

In one Discord chat with a co-conspirator using the handle “Viktor”, Schuchman is reminded that he is not supposed to be using the internet without the supervision of his father.

The conversation is accompanied by a screen capture from Schuchman’s conditions of release.

Schuchman, who has already spent 13 months confined in a jail in Alaska, is not the only person of interest to law enforcement as it investigates the Satori botnet.

As Brian Krebs reports, minutes after Schuchman’s sentencing the US Department of Justice charged men from Canada and Northern Ireland for their alleged involvement in the Satori and related IoT botnets.

Aaron Sterritt, 20, from Larne, Northern Ireland and 31-year-old Logan Shwydiuk of Saskatoon, Canada are said by prosecutors to have built, maintained, and sold access to the botnets under their control.

Sterritt is particularly of interest. According to the Department of Justice he was a criminal associate of Schuchman, and used the aliases “Viktor” or “Vamp.” As a teenager he was involved in the high-profile hack of TalkTalk, sentenced to 50 hours community service, and – perhaps most painfully of all – ordered to write a letter apologising to the telecoms firm.

It’s no excuse for criminal behaviour, of course, but the Satori botnet would not have been capable of launching crippling DDoS attacks if it hadn’t successfully recruited vulnerable routers and other IoT devices to form part of its army.

Businesses and home users can play their part by ensuring that IoT devices are not using default or easy-to-crack passwords, are running the latest security patches, and are properly configured and defended to reduce the threat surface.

But there is also a need for manufacturers to build more secure devices in the first place, and to ensure that when a new vulnerability is discovered, a fix can be rolled out easily to protect customers and the rest of the internet.

Remote Work Increases Ransomware Attacks on K-12 Schools and Districts, FBI Warns

Earlier this week, the FBI released a security alert warning K-12 schools about the increased risk of ransomware attacks during the coronavirus crisis. Since the transition to online learning and remote work for teachers, K-12 schools have become a lucrative target for cyber criminals.

The notification highlights the fact that bad actors may leverage the increased use of Remote Desktop Protocol (RDP) accounts on internal school systems to deploy malicious file-encrypting software that could cripple school districts.

K-12 schools lack dedicated budgets for a professional team to handle endpoint security and remote access infrastructure, and these shortcomings only increase the risks for targeted attacks against school districts.

“Cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic because they represent an opportunistic target as more of these institutions transition to distance learning,” reads the Private Industry Notification. “K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks.”

While most ransomware attacks may start with a phishing email, cybercriminals have increasingly exploited vulnerabilities in open RDP instances to spread malware over the past few years. Most notably, the FBI warns about Ryuk ransomware attacks, a type of malware known to exploit RDP endpoints as its initial point of entry.

Since 2016, more than 860 security incidents relating to K-12 public schools and districts have been reported, including ransomware, DDoS and phishing attacks. In 2019 alone, the unauthorized use of K-12 school IT systems resulted in 348 publicly disclosed incidents from more than 330 educational agencies across the United States.

Multiple school closures, monetary loss, identity theft, tax fraud, and altered school records accompanied these cyber-related incidents.

The Private Industry Notification comes with a list of recommendations, including:

• Dedicated training and awareness programs for all staff members regarding potential threats and phishing emails
• Implementing two-factor authentication for accounts
• Creating backup systems for critical data
• Installing an advanced security solution on endpoints
• Keeping operating systems and software updated

UK Cyber Security Watchdog Receives 1 Million Suspicious Email Reports in Just Two Months

On April 21, the UK government’s National Cyber Security Centre (NCSC) launched the highly anticipated Suspicious Email Reporting Service (SERS), which allows Brits to report any phishing or suspicious emails they receive in their inboxes, including Covid-19 related ones.

Today, NCSC announced it hit a new achievement. In just two months after its christening, SERS received one million reports from the British public, with a daily average of 16,500 emails.

Part of the Cyber Aware campaign showing internet users how to maintain good cyber hygiene habits and stay safe online, SERS helps security-minded citizens brush up on spotting phishing emails and actively participate in blocking cybercrime.

The NCSC reports it was able to block or take down 10,200 malicious URLs linked to 3,485 individual sites. More than half of these scams relate to cryptocurrency schemes. However, the tool also detected fake online shops and spoofs involving brands such as TV Licensing, HMRC, Gov.uk and the DVLA.

“Unquestionably, a vast number of frauds will have been prevented, thanks to the public reporting all these phishing attempts”, Karen Baxter from the City of London Police said. “Not only that, but it has allowed for vital intelligence to be collected by police and demonstrates the power of working together when it comes to stopping fraudsters in their tracks.”

10% of the scams were removed within an hour of them being reported, and 40% were taken down 24 hours after they’d been flagged.

“The kind of scams we’ve blocked could have caused very real harm and I would like to thank everyone who has played their part in helping make the internet safer for all of us”, NCSC Chief Executive Officer Ciaran Martin, said. “While it’s right that we should celebrate reaching this milestone, it is important for all of us to remain on our guard and forward any emails that don’t look right to report@phishing.gov.uk.”

After a suspicious email is forwarded to NCSC, authorities will analyze the message and any associated webpages. Should malicious activity be discovered, security experts will attempt to block the sender’s email address and remove any malicious websites associated with that address. Even if the organization cannot individually confirm the outcome of their review, it reassures users that all submissions will be carefully inspected and acted upon.

Users should also be aware that the online reporting service is not a means of submitting fraud complaints. Consumers who have suffered any fraudulent attempts are urged to notify the UK’s National Fraud and Cyber Crime Reporting Centre, Action Fraud.

Twitter Warns Paying Customers of Potential Data Leak

Twitter is warning paying customers of its advertising and analytics platforms in an email that it is “possible” others could have accessed their personal and financial information as a result of a bug.

As reported by BBC News, Twitter learned in May of a flaw in its platform that stored billing information of its clients in the browser’s cache. The company said it was “possible” others could have accessed that information, according to an email sent to clients and obtained by the news network.

The data in question includes email addresses, phone numbers and the last four digits of clients’ credit card numbers, the report says. Twitter claims there is currently no evidence that clients’ billing information was compromised. The issue mostly affects business clients who use Twitter’s paid advertising and analytics modules.

Non-business users don’t seem to be affected by the bug, which Twitter quickly patched.

“We’re very sorry this happened,” the email says. “We recognise and appreciate the trust you place in us, and are committed to earning that trust every day.”

The microblogging service is not at its first run-in with a serious bug in its platform. In 2019, a bug exposed phone numbers associated with millions of Twitter accounts. In another instance, the company was caught using multi-factor authentication phone numbers to target users with ads. And earlier this year, Twitter revealed a bug that caused direct messages to be stored in Mozilla Firefox browsers for up to seven days.
