UK National Cyber Security Centre Warns Sports Organizations of Ransomware and BEC attacks

UK’s National Cyber Security Centre (NCSC) has issued a warning about the growing risks of sports organizations becoming valuable targets for ransomware attacks, phishing campaigns and Business Email Compromise (BEC).

“We are urging sports teams and organizations to strengthen their cyber security defenses after a new survey revealed that 70% have been attacked by cyber criminals in the last 12 months,” the NCSC said in a recent tweet.

According to a survey commissioned by the agency, cyber threats and attacks have increased significantly in the past year. The report shows that at least 70% of sports organizations have fallen victim to at least one cyber incident, which is “more than double the average for UK businesses.”

The report highlights that around 30% of incidents resulted in direct financial damage to the victims, with costs per incident varying from £500 to £100,000.

Sports organizations are mainly targeted by financially motivated cyber-criminals, and data collected during the survey suggests that most cyber-attacks use common techniques such as phishing, password spraying and credential stuffing. When security measures are poorly implemented, bad actors can easily exploit unpatched or insecure systems and deploy social engineering schemes to gain access to employee accounts or business systems.

“While cyber security might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, Director of Operations at the NCSC. “I would urge sporting bodies to use this time to look at where they can improve their cyber security – doing so now will help protect them and millions of fans from the consequences of cyber crime.”

However, according to the research, criminals take their time before launching an attack, gathering intelligence on sports organizations to ensure 100% success.

BEC schemes were named the biggest cyber threats for sports organizations. Around 75% of respondents said that fraudulent emails, text messages and phone calls were the main attack vectors.

Most recently, a managing director of the Premier Football League fell victim to a spearphishing attack that allowed cyber-criminals to use his credentials to redirect £1 million to their account. In this case, the attackers set up Office 365 auto-forwarding rules to external email accounts and managed to re-route nearly 10,000 emails. Luckily, the transfer failed, as the fraudulent payment was stopped by the financial institutions’ fraud control systems.
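External auto-forwarding of the kind described above can be surfaced from mailbox audit data. The following is an added example, not code from the NCSC report: it scans audit records for Exchange Online operations that set a forwarding target outside the organization's own domains. The record shape (`Operation`, `UserId`, `Parameters` as name/value pairs), the sample records and the `club.example` / `mailbox.example` domains are constructed assumptions.

```python
import re

# Exchange Online cmdlets that can create or change mail forwarding, and the
# parameters that carry the destination address.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress"},
}

# Picks addresses out of values such as "smtp:user@host" or "a@x;b@y".
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)")


def external_forwards(records, internal_domains):
    """Return (user, operation, parameter, address) for every forwarding
    target whose domain is not in internal_domains (exact match only, so
    unlisted subdomains are reported too)."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        wanted = FORWARDING_PARAMS.get(rec.get("Operation"))
        if not wanted:
            continue  # not an operation that can set forwarding
        for param in rec.get("Parameters", []):
            if param.get("Name") not in wanted:
                continue
            for match in ADDRESS_RE.finditer(param.get("Value", "")):
                if match.group(1).lower() not in internal:
                    findings.append((rec.get("UserId"), rec["Operation"],
                                     param["Name"], match.group(0).lower()))
    return findings


# Constructed sample records (simplified; not real audit data).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "md@club.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo",
                     "Value": "inbox-archive@mailbox.example"}]},
    {"Operation": "Set-InboxRule", "UserId": "coach@club.example",
     "Parameters": [{"Name": "ForwardTo",
                     "Value": "assistant@club.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "finance@club.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:fin.copy@mailbox.example"},
                    {"Name": "DeliverToMailboxAndForward",
                     "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "md@club.example",
     "Parameters": [{"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "MailItemsAccessed", "UserId": "md@club.example"},
]

if __name__ == "__main__":
    for hit in external_forwards(SAMPLE_RECORDS, ["club.example"]):
        print("external forward:", hit)
```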

The NCSC advises “one of the best technical controls to reduce the risk of BEC is multi-factor authentication (MFA).”

“MFA provides an extra layer of security for online services, preventing attackers from accessing them with passwords alone,” the report said. “Survey results indicate that 51% of sports organisations already use MFA on some services, this is a key action area.”

Malware attacks were also a popular trend cited by the agency, with 40% of all attacks on sports organizations involving some form of malicious software, a quarter of which was ransomware.

“Basic security controls such as antivirus, firewalls and user access controls are typically implemented by sports organisations,” the NCSC said. “However, 21% of surveyed companies do not have a patching strategy and 25% do not back up their data.”

The agency recommends patching and ensuring that all operating systems are running on the latest updates. Organizations should also focus on backing up their data, to decrease the financial impact and recovery time in case of an attack.

A Third of Internet Users Are Actively Targeted by COVID-19 Fraud

32% of consumers say they have been targeted by digital fraud related to COVID-19, with phishing emerging as the world’s top digital fraud scheme related to the pandemic, according to TransUnion, the US consumer credit reporting agency.

TransUnion aggregates information on over 1 billion individual consumers in more than 30 countries. Its customers include over 65,000 businesses.

New data from the firm’s Consumer Financial Hardship studies reveals phishing as the top digital fraud scheme worldwide related to the COVID-19 pandemic.

The agency surveyed 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the UK, and the US between June 30 and July 6, 2020. Globally, 32% of respondents said they had been targeted by digital fraud related to COVID-19. 27% said they were hit with pandemic-themed phishing scams.

The most common types of COVID-19 fraud faced by Internet users in these areas were:

  • Phishing, 27%
  • Third-party-seller scams on legitimate online retail websites, 21%
  • Charity and fundraising scam, 19%
  • Unemployment scam, 18%
  • Fraudulent COVID-19 vaccines, cures, tests and PPE, 15%
  • Fake insurance, 15%
  • Shipping fraud, 14%
  • Identity theft, 14%
  • Stolen credit card or fraudulent charges, 13%
  • Stimulus check scam, 12%
  • Someone changing personal or account information via a call center, 12%
  • Account taken over, 11%

Schemes vary somewhat by country, as TransUnion reveals in another breakdown. For example, while phishing is most prevalent in Canada, Hong Kong, the UK and the US, unemployment scams are the top threat reported by South African residents. Colombia, for its part, regularly deals with third-party seller scams on legitimate online retail websites.

“From the impacts of phishing and other well documented COVID-19 scams like unemployment fraud, it’s clear that fraudsters have the data and increasing opportunities to create synthetic identities and utilize stolen identities,” said Shai Cohen, senior vice president of Global Fraud & Identity Solutions at TransUnion. “Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.”

Garmin Systems Knocked Offline; Early Reports Suggest Targeted Cyber-Attack

Garmin, the GPS navigation and wearable technology manufacturer, has reportedly suffered a large-scale ransomware attack that crippled its infrastructure.

Yesterday, the company tweeted that all of its Garmin Connect services are down.

“We are currently experiencing an outage that affects Garmin Connect, and as a result, the Garmin Connect website and mobile app are down at this time,” the tweet reads. “This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”

Since the announcement, Garmin users have nervously flocked to the company’s Twitter page, asking for updates, and speculating about a targeted cyber-attack.

Garmin has yet to provide any updates regarding the unscheduled ‘maintenance’ of their systems. However, according to a Taiwanese media outlet, the outage will also extend to Garmin’s production lines, which will be offline for 2 days (July 24-25).

The report by iThome says Garmin employees were told that a virus attacked one of the company’s servers, and that the entire production line could not be opened. Although Garmin has not confirmed the speculation, users are becoming restless, and some have even expressed their worry regarding the safety of their personal data:

“Hopefully it’s just an outage and not a hack/breach, since it’s taking so long to recover.”

“It would be nice to have an update. If it is an attack it would be nice to know if users could be targeted through your apps? Should we worry?”

“Sooooo is this a ransomware attack? Does an unauthorized party now have access to our personal data?”

“Any word if any personal information was stolen in the attack? I have no worries with it being down as long as data and payment information wasn’t stolen.”

Hopefully, Garmin officials will update their statements in coming days. Taking into consideration the long downtime and lack of details provided by the company, a ransomware attack can’t be excluded.

The Best Gets Better With the New Bitdefender

Evolution and innovation have been a part of Bitdefender’s DNA for more than two decades. With our new Bitdefender solutions (Bitdefender Antivirus Plus, Bitdefender Internet Security, Bitdefender Total Security) we’re delivering on our promise to constantly improve on an already stellar performance in detecting online threats.

Today marks the next step in expanding our view on cybersecurity by both improving our under-the-hood protection and performance technologies and by expanding security to your entire home environment and IoT devices. With more than 80 patented security technologies and a proven record of accomplishment and awards from independent testing organizations, we’ve continually set the standard for security.

What’s new, you ask?

Designed around a security-as-a-service concept, one change brings forth a streamlined user interface that gives you a consistent experience across all devices and operating systems, making it easier, faster, and more intuitive to find the features you need most. Finding the data protection and privacy features you need has never been easier.

While some changes revolve around user experience, others involve some under-the-hood technology optimizations designed to boost performance and threat detection. For instance, we’ve made significant improvements to core technologies and machine learning algorithms to accurately identify new and unknown threats. With online threats and malware shattering the 1 billion-sample milestone, our technologies and patented machine learning algorithms can both cope with this ever-increasing number of threats, and accurately detect them before they damage your system.

As for performance, we’ve fine-tuned our technologies so that any system impact is considerably lower than ever, allowing you to focus on and enjoy what truly matters. Now you can play, work and enjoy the performance of your system while being protected by an award-winning security solution.

And since attackers will stop at nothing when it comes to exploiting vulnerabilities and misconfigurations on your system to install threats or compromise your data, we’ve made some improvements to our Vulnerability Scanner. Fixing each found vulnerability or misconfiguration leaves attackers unable to leverage any of them to compromise your system. Protecting against threats and malware is more than just accurately detecting them, but also about knowing what your potential weak spots are so you can strengthen your security posture.

And for your iOS devices, you can now surf the web without fearing malicious, phishing or fraudulent websites. With Web Protection on, you’ll be relying on a proprietary Bitdefender VPN solution built for iOS, capable of filtering out traffic that puts your data at risk, regardless of the browser or app that attempts to access dangerous or fraudulent content.

Your Privacy is Important

Since we value your security and privacy, we’ve also made improvements to our VPN solution. Now with many of us working from home, the need for a reliable and secure VPN connection has become “the new norm.”

The new and improved VPN is now 25 percent faster, and it has an internet kill-switch that suspends traffic if the connection drops accidentally. It also comes with increased media-streaming capabilities that even enable you to access previously geo-restricted media content.

While our Premium VPN solution with unlimited encrypted traffic is a standalone offering, it is also included in our consumer line products but limited to 200 MB of traffic per day for each device. This is perfect for testing out the technology and its capabilities before opting for unlimited traffic, complete anonymity, and even the ability to safely stream media content.

All that and more is now available with our new generation of security, so that you can keep both your data and your privacy safe from prying eyes. Regardless of what operating system you use, whether it’s Windows, Mac OS, Android, and even iOS, check out the new Bitdefender.

For those of you with a valid subscription, you can safely upgrade to the new version – your old license is valid for the new products as well.

More than Half of European Citizens Worry About Malicious Use of Their Online Data

According to the European Union Agency for Fundamental Rights (FRA), 55% of European citizens are concerned about their online data being accessed by cyber criminals and fraudsters.

FRA surveyed around 35,000 people across all EU member states, UK and North Macedonia for the study to determine a comprehensive set of opinions concerning data protection and consumer rights, and the depth of fraudulent activity citizens have been exposed to.

The report highlights that 8% of EU citizens have experienced some form of online fraud or misuse of their online bank account or credit card details in the past 5 years. Most notably, citizens with long-term health problems (14%) and low-income households (11%) show a higher percentage of malicious activity.

More than 80% of online banking and credit card fraud was reported by victims to financial authorities or police. However, in many cases where a report was not filed, victims said they did not consider the incident serious enough to report (22%), that they had no proof (22%), or that they were able to take care of the issue themselves without reporting it (21%).

Additionally, 16% of respondents who chose not to report the incident claimed reporting it was too much trouble, or that they did not know how or where to report fraudulent activity.

When asked “How worried are you that in the next 12 months you could experience” misuse of your online bank account or credit or debit card details, 57% of respondents from Spain said they are very worried, in comparison with 23% of respondents from the UK.

Concern regarding unauthorized access to data is a common denominator among all the surveyed age groups. However, this concern is more common among older respondents. For example, the concern afflicted 64% of respondents over the age of 65 compared to 46% of 16-29-year-olds.

Respondents also worry about advertisers, businesses and foreign governments illegally accessing their data. 31% of people in the EU are concerned about advertisers or businesses accessing the information they have shared online without their permission.

“Meanwhile, 30% are concerned about their data being accessed by foreign governments without their knowledge or permission (based on people who use the internet at least sometimes)”, the report said.

Data Breach: University of York Staff and Student Records Stolen in Third-Party Cloud Service Provider Ransomware Attack

Yesterday, the University of York disclosed a security incident that affected Blackbaud, a third-party service provider offering customer relationship management (CRM) tools for nonprofits and educational organizations.

According to a data breach memo, Blackbaud fell victim to a ransomware attack earlier in May, when the attackers infiltrated their systems and were able to “remove a copy of a subset of data from a number of their clients,” including University of York.

As per a detailed forensic investigation reported by Blackbaud, the data accessed by the cybercriminals included:

• Personal identifiable information such as name, title, gender, date of birth, student number, phone, email address, LinkedIn profile URL
• Course and educational details
• Records of fundraising activities with alumni
• Professional details

The report also reveals that Blackbaud “met the cybercriminal’s ransomware demand.” After payment, the cloud service provider highlighted that it even received “assurances from the cybercriminal that data had been destroyed.”

The company also confirmed that no encrypted information such as account details or passwords was accessed during the attack, and no credit card or other financial details were part of the exfiltrated data.

“The cybercriminal did not access credit card information, bank account information, or social security numbers,” Blackbaud said. “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

Despite these assurances, University of York officials claimed to have launched their own investigation, and informed the Information Commissioner’s Office (ICO) of the breach.

“We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security,” reads the data breach notification.

While the educational organization said “there is no need for our community to take any action at this time,” students and staff members are advised to remain vigilant and monitor their accounts for any suspicious activity.

Two Chinese Hackers Face 40 Years in Prison for Hacking Spree on Global Organizations, Including COVID-19 Researchers

US authorities have charged two Chinese hackers for allegedly hacking into the systems of hundreds of companies, governments and individual dissidents, as well as firms developing COVID-19 vaccines, testing technology, and treatments, the U.S. Department of Justice (DOJ) announced this week.

An 11-count indictment alleges Li Xiaoyu, 34, and Dong Jiazhi, 33, conducted a hacking campaign lasting more than ten years to the present, targeting companies in countries with high-technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom. Both hackers were trained in computer application technologies at the same Chinese university, according to the DOJ’s press release.

Allegedly backed by the Chinese government, the duo targeted industries like high-tech manufacturing, and medical device, civil, and industrial engineering, as well as business, educational, gaming, solar energy, pharma and defense. Starting around Sept. 1, 2009, and continuing through July 7, 2020, they exfiltrated sensitive data and intellectual property, saving their (Chinese) sponsors precious time and resources in key areas of research and development.

“In at least one instance, the hackers sought to extort cryptocurrency from a victim entity, by threatening to release the victim’s stolen source code on the Internet. More recently, the defendants probed for vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments,” the DOJ said.

Li and Dong typically gained footholds in targeted infrastructures by exploiting publicly known, unpatched software vulnerabilities in popular web server software, web application development suites, and software collaboration programs. They also leveraged insecure default configurations in common applications, and used their initial foothold to steal access credentials and deploy malware to remotely execute commands on victim computers.

They allegedly packaged victim data in encrypted RAR archives, changed the extensions to .jpg, altered system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ ‘recycle bins,’ according to the indictment. The duo frequently re-victimized targets that were slow to patch their entry points – in some cases returning years after the original breach, the DOJ said.
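A renamed archive still begins with its format's signature bytes, so the staging trick described above can be caught by comparing a file's extension with its header. The following is an added example, not taken from the indictment or the DOJ release: it walks a directory and reports image-named files whose first bytes are not those of the image format. The file names and contents in `demo()` are constructed.

```python
import os
import tempfile

# File signatures at offset 0 (public format magic numbers).
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar"),       # RAR 1.5 to 4.x
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
]

# Extensions whose content we expect to be an image.
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}


def sniff(header: bytes) -> str:
    """Identify a file type from its leading bytes."""
    for magic, name in SIGNATURES:
        if header.startswith(magic):
            return name
    return "unknown"


def find_disguised(root: str):
    """Return sorted (relative_path, expected_type, actual_type) for every
    image-named file under root whose header is not that image format."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            expected = EXT_TO_TYPE.get(os.path.splitext(fname)[1].lower())
            if expected is None:
                continue  # only image extensions are checked here
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    actual = sniff(fh.read(16))
            except OSError:
                continue  # unreadable file: skipped, not treated as a hit
            if actual != expected:
                findings.append((os.path.relpath(path, root), expected, actual))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
        "thumb.jpeg": b"Rar!\x1a\x07\x00" + b"\x00" * 9,     # RAR 4.x marker
        os.path.join("cache", "img001.jpg"):
            b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,           # RAR 5.x marker
        "backup.rar": b"Rar!\x1a\x07\x01\x00",               # honest name, not checked
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_disguised(root)


if __name__ == "__main__":
    for rel, expected, actual in demo():
        print(f"{rel}: named as {expected}, header says {actual}")
```

Because the indictment also mentions altered timestamps, the check deliberately relies on content only and ignores file modification times.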

The defendants are charged with conspiracy to commit computer fraud, conspiracy to commit theft of trade secrets, conspiracy to commit wire fraud, unauthorized access of a computer, and aggravated identity theft, which – if the hackers are caught and prosecuted in a U.S. court of law – in total carry more than 40 years of prison for each individual.

Coinbase stopped scammers from stealing an extra $280,000 during Twitter hack

Maybe Coinbase should send Twitter an invoice, because it certainly sounds like their quick thinking helped prevent last week’s hack from leaving a lot more Twitter users with empty wallets.

As we reported at the time, cybercriminals successfully managed to seize control of a number of high profile Twitter accounts last week, using them to tweet out messages designed to trick unsuspecting followers into handing over their Bitcoins.

The messages, which were posted from the genuine Twitter accounts of the likes of Joe Biden, Bill Gates, Elon Musk, Barack Obama, Kanye West, Apple, Uber, and others invited users to send their money to a Bitcoin wallet under criminal control, with the promise that they would double their money.

Twitter subsequently confirmed that a social engineering attack had “successfully targeted some of our employees with access to internal systems and tools,” and this is what had allowed hackers to hijack the accounts for the scam.

To its credit, Twitter has been fairly open about the incident, and shared that it believed 130 accounts had been targeted in the attack.

In all it is estimated that the hackers had approximately $100,000 transferred to them by users duped by the scam.

That’s obviously not good, but things could have been a lot worse.

According to an interview with Forbes, quick action by leading Bitcoin exchange Coinbase prevented much more money from being sent to the scammers.

Cybersecurity Researchers Discover 5 e-learning Websites Leaking Nearly 1 Million User Records

WizCase researchers have stumbled upon five leaky e-learning websites that exposed the personal information of nearly 1 million users, including minors. Each exposed database was housed on misconfigured and unsecured servers, allowing unauthorized access to sensitive information.

Cybersecurity researchers noted that the platforms were predominantly used by underage people, and the exposed data included full names, email addresses, ID numbers, phone numbers, home addresses, dates of birth, and school or course information.

Escola Digital, a Brazilian website offering a wide range of digital courses for both students and teachers, was found leaking the personal records of nearly 75,000 active users between 2016 and 2017. On top of personally identifiable information, the misconfigured bucket included links to certificates of users who attended the platform’s online classes.

MyTopDog, a South African children-oriented study platform providing practice tests and interactive games, exposed over 800,000 student records, courtesy of a misconfigured Amazon S3 bucket. Within a 50MB database, researchers discovered various types of data:

• An Excel file containing 50,000 entries of PII of users registered in 2016-2017
• A CSV file with 800,000 user entries with full names, cellphone numbers, date of birth, gender and guardian contact information
• A PDF file that seemed to be part of a business agreement between the e-learning platform and a local school

Okoo, an online learning platform for children in Kazakhstan, exposed 7,200 user records that included PII and nearly 1 million entries regarding user activity on the platform and analytics. The misconfigured 418 MB database revealed PII such as full names, clear-text passwords, email addresses, completed courses, and quiz scores of students. Additionally, researchers found an entry that appeared to include admin credentials.

“However, those weren’t tested for ethical reasons,” the team of investigators said. “This poses multiple threats to the site and its users as attackers could use administrative login details to manipulate Okoo content and easily access extensive user data.”

Square Panda, a US-based virtual platform that helps children learn how to read and write, exposed the information of nearly 15,000 users. A MB CSV file stored a backup of users’ personal data, including full names, email addresses, phone numbers, and account type (parent or teacher).

Playground Sessions, a virtual piano lesson platform in the United States, revealed the private information of around 4,100 users registered between 2011 and 2013. Besides full names, usernames, emails and hashed passwords, the leak included app scores, lessons and practice records.

Researchers warn that the risks for parents, students and teachers to fall victim to identity theft or fraud are high.

“As many users whose data was leaked aren’t active on the sites anymore, they’re less likely to realize these companies still have their information,” the investigators said. “However, it’s still possible that their data can be used to aid in various types of online crimes. These dangers are even bigger since many of the users affected by the leaks are children and young people.”

Attackers Demand $7.5 Million in Monero after Hacking Argentine Telco

Argentina’s largest telecom was recently hit by ransomware, with the attackers demanding a huge ransom, and setting a deadline for today.

Telecom, a leading operator in the country, is being held for ransom by an unknown group of hackers, invezz.com reports. The operators, presumed to be the infamous REvil group, demand $7.5 million in Monero, a hard-to-trace cryptocurrency.

Several Twitter users who apparently caught wind of the incident early shared screen grabs of Telecom’s internal messaging about the hack. One user even obtained the ransom notes, which not only instruct Telecom how to make the payment and receive the decryptor, but also how to buy Monero.

The good news is the company’s systems are still firing on all cylinders. The bad news is the ransomware infection reached terminals holding sensitive data, the report says. In recent times, ransomware operators have typically leveraged the sensitivity of the data to press victims to pay, threatening either to delete the data or to make it public.

The attackers reportedly plan to double their ransom demand if Telecom fails to pay by the end of today.
