Fraudsters Set Up Shop on the Dark Web Promoting How-To Guides on Filing for Unemployment Benefits

In the past 3 months, more than 44 million Americans have filed for unemployment, and as local officials rush to provide benefits for jobless citizens, fraudsters are having a field day. Spikes in unemployment fraud have spread across the United States, and scammers have been relentlessly filing for unemployment benefits during the Coronavirus crisis.

According to a report from Q6 Cyber, cyber criminals on Dark Web forums and marketplaces have been promoting the best techniques for stealing unemployment benefits from unsuspecting citizens. Go-to service providers offer a range of tutorials, personally identifiable information, documents, and even compromised unemployment benefit accounts.

The report also shows that underground marketplaces offer a variety of sensitive documents, including credit reports, W-2 forms, fake IDs and pay slips, aiding criminals in their illegal activity.

Apparently, a comprehensive ‘how-to’ guide for fraudulently gaining unemployment benefits sells for as little as $50, and vendors provide testimony of their success rate by attaching screenshots of their benefit payments.

In the past months, Washington State paid out more than $500 million in fraudulent claims, recovering just $333 million, according to Employment Security Department Commissioner Suzi LeVine. Michigan suspended payment to 340,000 accounts over growing concerns about imposter fraud.

Ohio officials reported at least 1,500 cases of fraud. Stolen personally identifiable information from currently employed individuals is used to illegally obtain benefits. According to the Ohio Department of Job and Family Services (ODJFS), victims who receive a letter confirming the PIN number for unemployment benefits, but have not applied for any financial aid, should immediately report the fraudulent act and closely monitor their bank accounts.

Last week, Massachusetts officials reported around 300 calls from locals who claimed to have been targeted by this national scam. “We are working with our state and federal partners to determine the sources of these fraudulent claims and take appropriate action,” Attorney General Maura Healey said. “In the meantime, if you encounter one of these scams, stay alert, stay calm and report this fraud.”

Despite resolution not to give in to hackers’ ransom demands, some cities are still paying up after attacks

The City of Florence in northern Alabama has agreed to pay a ransom of US $300,000 worth of Bitcoin to hackers who compromised its computer systems and deployed ransomware.

At an emergency meeting this week, the Florence City Council unanimously voted to give in to the extortionists’ demands and pay the cybercriminals behind the attack.

Embarrassingly for the council workers, they were first warned that hackers had infiltrated a Windows 10 PC connected to their IT systems in late May by security blogger Brian Krebs.

Krebs says that he alerted “numerous officials” that criminals specialising in deploying ransomware had compromised their network and – if not stopped – might launch a more widespread attack.

It appears, however, that the Florence city council failed to successfully expel the hackers, who activated their DoppelPaymer ransomware on the city’s IT systems on June 5th.

At the time, Florence Mayor Steve Holt told the media that the city’s email system had been shut down, but that no ransom had been demanded, and officials did not believe that any information had been lost.

Less than a week later the City of Florence realises that things are more serious. As Mayor Steve Holt told journalists, money from the city’s insurance fund will be used to pay the hackers’ ransom demands:

“We began taking every precaution we could possibly take, and then on June 5 it actually hit us. It appears they may have been in our system since early May – over a month going through our system.” “It’s a roll of the dice for us to say ‘nope we’re not doing that,’ and if they actually have our information in their possession they can send it publicly. This unfortunately is a response on our part to pay to make sure they delete it.”

Quite how the council will be able to 100% confirm that the hackers have permanently erased any data they have stolen is unclear, but the gang behind the DoppelPaymer ransomware is reputed to keep its word and not release data after a ransom has been paid.

The same DoppelPaymer ransomware has recently struck NASA contractor Digital Management Inc (DMI) and previously hit the city of Torrance, in the South Bay region of Los Angeles.

Unfortunately Florence is not the only US city to find itself dealing with the aftermath of a ransomware infection this week.

The city of Knoxville, Tennessee, shut down its computer systems after ransomware encrypted its systems in the early hours of Thursday.

In social media posts, the public were advised that court sessions were cancelled as a result of the computer network being offline.

A post on the city’s official website, meanwhile, warns the city’s 180,000 residents that “City online services are currently unavailable.”

A spokesperson said that the FBI had been informed of the attack, which was first spotted by employees of the fire department at approximately 4:30am on June 11th.

Knoxville officials have declined to make public the size of the ransom demand they have received, and no information has been shared about the type of ransomware that was involved.

Cities and government departments are on the horns of a dilemma when it comes to ransomware attacks.

The risk when you give in to an extortionist’s ransomware demand is that you are encouraging other criminals to launch similar attacks. A strong message is sent out to other attackers that organisations are prepared to pay a ransom if hit by ransomware. And that, inevitably, means more ransomware attacks for all of us to fend against.

But at the same time, attacked councils may feel that there is less of a financial hit paying their ransomware attacker than trying to recover from an infection. And if the ransomware attack has also stolen data from an organisation – which the most pernicious strains of ransomware do today – then you may feel that you are protecting your citizens better by at least trying to stop their possibly sensitive data from being leaked to the outside world.

In July last year, a resolution was passed by the United States Conference of Mayors (USCM) agreeing to “stand united against paying ransoms in the event of an IT security breach.”

Judging by the decision made unanimously this week by the emergency meeting of the City of Florence, Alabama, that is a resolution which some cities are choosing to ignore.

Australian Beverage Manufacturer Shuts Down IT Systems After Cyberattack

A cyberattack forced Australian beverage manufacturer Lion to shut down its IT system, interrupting manufacturing and orders, the company disclosed on June 9.

“We immediately shut down all our systems as a precaution, and we have continued to work with cyber experts to determine how much longer our systems will be impacted,” the company said.

While there is no evidence of a data breach, the company is still investigating the incident that halted its brewery output across the country. To continue serving customers and partners, Lion adopted manual systems to receive and process orders.

“This attack could not have come at a worse time for Lion, particularly for our valued pub and club customers who are in the very early stages of recovery following the COVID-19 closures,” said company officials. “In the Dairy & Drinks business, some parts of customer service still remain offline and whilst we are operating across most of our manufacturing network, due to the nature of fresh dairy and juice products there have been some service misses in some customer channels as we have worked to manually key and pick orders.”

Making matters worse, the disruption of business follows a major IT upgrade project that spanned a two-year period. The upgrade involved centralizing the company’s 500 applications into one cloud-based platform.

No additional information was provided, but the possibility of a ransomware attack can’t be excluded.

This is not the first malicious attack to affect an Aussie business this year. Toll, a leading transportation company, was hit by two ransomware attacks, in which malicious actors managed to steal sensitive information and disrupt business operations. Additionally, BlueScope Steel suffered a company-wide halt in production after a ransomware attack at their US-based facilities.

Malicious actors are on top of their game and continue to wreak havoc worldwide. It has become critical for organizations and businesses to make sure that their IT systems and networks are protected from cyber threats while also ensuring that their remote workforce follows good cyber hygiene patterns.

Increased Use of Mobile Banking Apps May Lead to Cyber Attacks, FBI Warns

The Covid-19 lockdown and stay-at-home orders have changed the way we work, shop and handle our finances.

As mobile banking tools become a go-to alternative for customers who continue in the struggle of social distancing, the FBI anticipates a surge in banking trojans and fake banking apps.

Financial gain is at the top of cybercriminals’ agenda, and targeting mobile banking apps to steal credentials and take over banking accounts makes for an easy paycheck.

In a Public Service Announcement published on the Internet Crime Complaint Center (IC3), the FBI advises the public “to be cautious when downloading apps on smartphones and tablets, as some could be concealing malicious intent.”

Banking trojans often disguise themselves in mobile apps that look genuine, such as a game, messaging platform, a handy tool or even a flashlight. But the malicious program is secretly after your personal and financial information. Most of the time, this type of malware remains dormant on your device. When you launch your banking app, the malicious program creates “a false version of the bank’s login page and overlays it on top of the legitimate app,” the FBI said.

Cyber criminals also create fake banking apps that mimic official platforms. For example, a 2018 study revealed that around 65,000 fake apps were detected on popular app stores.

“These apps provide an error message after the attempted login and will use smartphone permission requests to obtain and bypass security codes texted to users,” the agency added.

How can you avoid becoming the next victim?

The FBI also listed a number of tips that can help protect your devices and private information from malicious activity, including:

Download apps from trusted sources only – many financial institutions often provide a link to their mobile banking app directly on their website. You can also scan a QR code that will direct you to the official app store where you can download and install the corresponding app.

Enable two-factor or multi-factor authentication – this will help safeguard your account from malicious activity.

Never access links from untrusted sources – good cyber hygiene mandates not to click on links from untrusted sources. Monitor your inbox and text messages, and delete any suspicious correspondence.

Use strong passwords – when creating your mobile banking account, use unique credentials that are not shared with any of your other accounts.

Report any suspicious apps – should you stumble upon any suspicious apps, report them immediately to your financial institution.

Honda Car and Motorcycle Production Halted After Cyberattack

Honda reportedly has been forced to shut down some of its plants around the world following a cyberattack of unknown origin.

Honda’s auto plants in Ohio (United States) and Turkey, along with a couple of motorcycle plants in South America and India, halted production after a cyberattack hit the infrastructure. The company has yet to say what type of cyberattack was responsible for the shutdown, only that they are working to fix the situation.

This is not the first cyberattack to seriously affect Honda. In 2017, it was one of many companies that fell prey to the WannaCry ransomware. According to a report from Bleeping Computer, the latest information indicates that another ransomware is to blame, but this time it’s Snake (EKANS).

An analysis from milkream supports the idea that Honda might be the victim of another ransomware attack. Someone from the mds.honda.com domain checked a sample of the ransomware on VirusTotal. While it’s not definitive proof, milkream also posted the alleged ransom note.

The disruption of the company’s operations comes at a very early stage in the restart operations. Much of Honda’s production was shut down during the COVID-19 pandemic, and it’s just starting back up. Moreover, some plants have yet to open, and now, with the cyberattack to deal with, it will take a while for the company to resume normal production.

Ransomware attacks are surging in 2020, with many groups employing new tactics, such as stealing private data before encrypting the systems and using that information to blackmail victims. The latest reports from Honda don’t indicate any kind of data exfiltration or that private data was accessed from the outside, but it’s still early in the investigation.

Nintendo Confirms Additional 140,000 Accounts Compromised in April Data Breach

Yesterday, Nintendo released a new statement confirming that an additional 140,000 user accounts were exposed after the Nintendo Network ID (NNID) system was compromised in April 2020.

Before confirmation of the security incident, the company received multiple reports from users reporting unauthorized logins to their accounts, and even fraudulent use of stored credit card data.

In an initial statement on April 24, Nintendo acknowledged that around 160,000 accounts were affected by a security incident that led to the leak of personally identifiable information such as nicknames, date of birth, country, region, email address and gender.

Users were asked to immediately reset their account passwords and enable two-factor authentication, and the company removed the faulty login function using the NNID.

Nearly two months after their first report, the number of compromised accounts has now reached 300,000.

“We posted a report on unauthorized login on April 24th, but as a result of continuing the investigation after that, there were approximately 140,000 additional NNIDs that may have been accessed maliciously,” the company said. “We have also reset the passwords for these 140,000 NNIDs and the Nintendo accounts that were linked with them, and contacted the customer separately. At the same time, we are taking additional security measures.”

The company also said it is in the process of refunding affected users, and that less than 1% of all NNIDs illegally accessed may have also suffered fraudulent transactions through their Nintendo account.

While credential stuffing was named the prime vector leading to the data breach, the culprits responsible for this fraudulent activity remain unnamed. Credential stuffing attacks can lead to account takeover, and victims that use the same password for each online account can suffer great financial losses.

This is why it’s wise to use a separate email and password when you create a new account. If creating a new email address is not for you, create a strong and unique password and use multi-factor authentication to add an additional layer of security.

Employment Scams Are On The Rise. Here’s What To Look Out For

Nearly 39 million Americans have lost their jobs since the COVID-19 crisis struck the nation three months ago. With this unprecedented level of unemployment, fraudsters have set up shop on job-seeking websites.

Falling victim to a job scam has never been easier. Scammers are known to create official-looking websites and email accounts to convey a sense of reliability and trust to potential victims. Many of these bogus job vacancies are listed on popular websites, and with remote work in high demand, applicants may have a hard time spotting the scam.

If you are in search of a job or simply browsing for one, here are the top warning signs to look out for:

You did not apply for the job – scammers will contact you saying that they found your resume online. In many cases, they will offer you the job right away or wish to interview you.

The job opening is above your pay grade – fraudsters entice victims with a too-good-to-be-true paycheck. No experience needed and flexible hours will be promoted in the ad.

You’re hired right away – after just a quick phone call or video call interview, a so-called HR specialist immediately contacts you to offer you the job.

Job descriptions are vague – as a rule of thumb, always ask for details regarding jobs you apply for. Scammers often avoid providing additional information regarding the advertised position, claiming that training will be provided.

Grammatical errors and unprofessional emails – most of the time, the devil is in the details. Pay attention to the email or job listing before applying. While some job communications might seem well-written at first, emails often contain spelling, punctuation and grammatical mistakes.

Bogus email addresses – inspect the email address of the person or company who is hiring. Check if the email address was already reported for fraudulent activity.

You are asked to provide sensitive personal information – fraudsters will ask for your bank account information to set up direct deposit or transfer money to your account. In some cases, you can be asked to open a new bank account or fill out a credit report form on another website. This way, the scammers will steal your personal information such as Social Security Number and other key information.

More than $40 million has been lost to coronavirus-related scams, and financial losses are expected to rise even higher this summer. Be wary of what websites you use and never provide sensitive personal information to individuals contacting you online about jobs. Do your research on the company that is hiring, and report any suspicious activities to local authorities.

1.3 Million WordPress Websites Targeted by Attackers Looking for Old Vulnerabilities

A vast campaign targeting WordPress-based websites was identified by the Wordfence Firewall as it targeted 1.3 million pages, trying to leverage known plugin and theme vulnerabilities.

WordPress is just one of the platforms used to create and deploy websites and, just like its competitors, it’s always subject to attacks. Since it’s a complex ecosystem, with numerous plugins and themes for millions of projects, the attack surface is considerable.

As not all developers fix security problems identified in their components and not all webmasters actually upgrade the components to their latest version, the number of exposed websites is substantial.

A total of 130 million attacks were deployed against 1.3 million websites over the course of just three days, between May 29 and May 31. The attackers are looking for unpatched XSS vulnerabilities. Exploited successfully, the vulnerabilities would let the bad actors access the configuration files and database credentials.

“In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts,” say the researchers. “An attacker with access to this file could gain access to the site’s database, where site content and users are stored.”

In short, if the attack is successful, criminals could use the stolen credentials to add an administrative user, steal data, or even to delete the website entirely. Even if the attack lasted for just three days, over 20,000 different IPs were used, and it’s not the first time. This indicates the presence of an extensive attack bot network.

WordPress users are advised to look for the indicators of compromise outlined in the advisory and to make sure to change the credentials if they think they might have been compromised.
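The advisory’s indicators are not reproduced on this page, so the sketch below (an added example, not code from Wordfence or the original article) checks only for the one behaviour the article describes: requests that reference wp-config.php. The log lines, plugin and theme paths, and parameter names are constructed for illustration, and the log is assumed to be in Apache/Nginx “combined” format.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in "combined" log format. IPs come from the
# documentation ranges; plugin/theme paths and parameters are hypothetical.
SAMPLE_LOG = """\
192.0.2.10 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:01:05 +0000] "GET /wp-content/themes/example-theme/export.php?path=..%2F..%2Fwp-config%2Ephp HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.44 - - [30/May/2020:10:02:11 +0000] "GET /?dl=%252e%252e%252fwp%252Dconfig.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.10 - - [30/May/2020:10:03:40 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.90 - - [30/May/2020:10:04:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)'
)


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded names match."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()


def scan(log_text):
    """Return one finding per request whose target references wp-config.php."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, status, size = m.groups()
        if "wp-config.php" not in fully_decode(target):
            continue
        # A 200 with a non-empty body means the server returned *something*.
        # It may be a soft error page, but it must be reviewed by hand.
        served = status == "200" and size not in ("-", "0")
        findings.append({
            "ip": ip,
            "time": ts,
            "status": int(status),
            "verdict": "POSSIBLE_EXPOSURE" if served else "attempt",
        })
    return findings


def summarize(findings):
    """Aggregate by behaviour rather than by IP: the sources are many."""
    by_ip = defaultdict(int)
    for f in findings:
        by_ip[f["ip"]] += 1
    exposures = [f for f in findings if f["verdict"] == "POSSIBLE_EXPOSURE"]
    return {
        "requests": len(findings),
        "source_ips": len(by_ip),
        "exposures": exposures,
    }


if __name__ == "__main__":
    report = summarize(scan(SAMPLE_LOG))
    print(f"{report['requests']} matching requests from "
          f"{report['source_ips']} source IPs")
    for f in report["exposures"]:
        print(f"REVIEW: {f['ip']} at {f['time']} got HTTP {f['status']}; "
              "rotate DB credentials, keys and salts if the body was the file")
```

Any request marked POSSIBLE_EXPOSURE is the case where the article’s advice to change credentials applies; requests marked as attempts show the site was probed but answered with an error.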

EU’s Law Enforcement Agency Launches Center for Financial and Economic Crime

On June 5, Europol announced the launch of the European Financial and Economic Crime Centre (EFECC), designed to reinforce and strengthen support for European Union States in the struggle to combat economic crime.

“The centre we are launching today will help step up financial investigations across the EU,” said Ylva Johansson, EU Commissioner for Migration, Home Affairs and Citizenship. “Financial and economic crime harms us all and doesn’t stop at national borders. And it’s often a key activity of organised crime groups that we can uncover if we follow the money. With our new centre, we’ll be better equipped to fight economic crime together.”

The center will be staffed by 65 international experts and analysts providing operational assistance against criminal activities that have crippled the EU’s economy in past years. Economic crime has soared, costing EU nations over €100 billion a year, Europol reports. Millions of EU citizens and thousands of businesses fall victim to organized crime groups each year, and only 1.1% of criminal profits are confiscated by authorities, according to estimates.

Additionally, the COVID-19 pandemic has given criminals new opportunities to exploit vulnerable citizens, and to target businesses attempting to fight through economic distress.

“The fallout from the COVID-19 pandemic has weakened our economy and created new vulnerabilities from which crime can emerge,” said Catherine De Bolle, Executive Director of Europol. “Economic and financial crime, such as various types of fraud, money laundering, intellectual property crime, and currency counterfeiting, is particularly threatening during times of economic crisis.”

“Unfortunately, this is also when they become most prevalent,” she said. “The European Economic and Financial Crime Centre (EFECC) at Europol will strengthen Europol’s ability to support Member States’ and partner countries’ law enforcement authorities in fighting the criminals seeking to profit from economic hardship. EFECC will serve as a platform and toolbox for financial investigators across Europe. We look forward to making lasting partnerships with them and fighting economic and financial crime together.”

To complement the inauguration of the EFECC, Europol also published a strategic report outlining Europe’s fight against financial and economic crime. Money laundering, various types of fraud and intellectual property crime were the fastest-growing criminal threats in Europe.

Many of these fraud schemes remain undetected, and international cooperation has become indispensable in hampering illegal activity. Criminals feed off the anonymity provided by the dark web, and use the platform to orchestrate sophisticated attacks against EU institutions and businesses. Exploiting the economic stimulus in the wake of COVID-19 has often been on the agenda of cyber criminals seeking to defraud public funding.

Moreover, spikes in counterfeit goods have riddled the digital world. Platforms selling fake Coronavirus-related merchandise have sprung up overnight, promoting unconfirmed pharmaceuticals and home test kits. Frightened and unsuspecting consumers flocked to these bogus online shops, emptying their pockets and exposing themselves to additional fraudulent schemes and even health risks.

Maze Team Hits US Nuclear Missile Contractor with Ransomware

The infamous cyber extortionist gang known as Maze Team has breached a company that supports the US Minuteman III nuclear deterrent, according to reports.

Westech International has several contracts with the U.S. military, including engineering support and maintenance for the Minuteman III intercontinental ballistic missile (ICBM) program. ICBMs can carry a payload of multiple thermonuclear warheads and can travel more than 6,000 miles to their target. The United States has hundreds of ICBMs stockpiled in U.S. Air Force facilities in northern states such as Montana, North Dakota and Wyoming.

Maze recently breached Westech to encrypt the company’s data and demand ransom, but not before copying sensitive data to conduct its usual double-extortion operations. In fact, Maze has already started leaking documents online to pressure Westech to cave in, Sky News reported.

“We recently experienced a ransomware incident, which affected some of our systems and encrypted some of our files,” a Westech spokesperson told the media outlet. “Upon learning of the issue, we immediately commenced an investigation and contained our systems. We have also been working closely with an independent computer forensic firm to analyse our systems for any compromise and to determine if any personal information is at risk.”

Some of the leaked files are said to include “extremely sensitive data, including payroll and emails,” but it is unclear if the dump also includes classified military information.

The report speculates that Russian-speaking operatives might be commanding the cyber offensive. Their intentions? “To monetise their haul by selling information about the nuclear deterrent on to a hostile state,” reporter Alexander Martin writes, citing U.S. court documents alleging that Russian cyber criminals and intelligence services have teamed up to steal classified government documents.
