Microsoft patched a serious Windows DNS Server
vulnerability with a CVSS score of 10.0, and the latest indication is that it hasn’t
been used in the wild in any current attacks.
Microsoft issues updates each month, usually fixing a
variety of security issues and other vulnerabilities. There are always a few
critical ones but, unless the vulnerability is used in attacks, Microsoft waits
for patch Tuesday.
Since Windows is such a large ecosystem, odds are that many
vulnerabilities are still undiscovered, not to mention possible vulnerabilities
that have yet to be introduced into the code. What sets the CVE-2020-1350
apart is that it has a CVSS score of 10.0, which is not very common.
It’s a wormable vulnerability in the Windows DNS Server,
allowing bad actors to infect other computers, remotely, without user
interaction.
“This issue results from a flaw in Microsoft’s DNS
server role implementation and affects all Windows Server versions.
Non-Microsoft DNS Servers are not affected,” says
Microsoft. “Wormable vulnerabilities have the potential to spread via
malware between vulnerable computers without user interaction. Windows DNS
Server is a core networking component.”
This type of security issue is the textbook reason why
users should always keep their systems up to date. If installing the update is
not possible, Microsoft offers a registry-based workaround: a DWORD value named
TcpReceivePacketSize set to 0xFF00 under
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, followed by a restart of
the DNS service. It caps the size of DNS responses the server will accept over TCP,
which blocks the known trigger, but it is a stopgap rather than a fix and should be
removed once the patch is applied.
Of course, while it looks like the vulnerability wasn’t
used, bad actors will take the patch and figure out how to exploit it. And
since the vulnerability is present in all Windows Server versions starting with
2003, it’s likely that numerous users will fail to apply the patch, leaving
them exposed to future attacks.
A good example is BlueKeep, a vulnerability found in
Microsoft’s Remote Desktop Protocol and patched more than a year ago. To this
day, there are numerous Windows machines still vulnerable to BlueKeep.
The popular TikTok app was deemed a security risk by
Wells Fargo, and its employees have been told to delete the app from their
phones. It’s not the first company to suggest this course of action, following
mixed messages from Amazon.
TikTok took the world by storm and, until recently, was mostly
used by young people and kids. From there, it grew in popularity among the
general population. Since many companies and even governments issue devices to their
employees, the application inevitably landed on such endpoints.
A Chinese company called ByteDance builds the
application, which is where the problems arise. The developers have been
accused of collecting data and sharing it with the Chinese government, although
no tangible proof has been found. Given existing legislation in China, which
grants the government extensive power of access to private-sector data
generated by companies in their country, the security concerns seem legitimate.
According to a CCN report,
a Wells Fargo spokesperson confirmed the information.
“A small number of employees with corporate-owned
devices who had installed the TikTok application,” the spokesperson said. “Due
to concerns about TikTok’s privacy and security controls and practices, and
because corporate-owned devices should be used for company business only, we
have directed those employees to remove the app from their devices.”
A few days ago, Amazon sent an internal memo saying
pretty much the same thing, only to backtrack a few hours later, saying that it
had been sent by mistake. On the other hand, TikTok is not staying silent.
“Tens of millions of Americans, including Wells
Fargo employees, come to TikTok for entertainment, inspiration and connection,
especially during the pandemic. Our hope is that whatever concerns Wells Fargo
can be answered through transparent dialogue so that their employees can
continue to participate in and benefit from our community,” reads the
announcement from TikTok.
Whatever is happening with the app is still open for
debate, but more companies and governments will likely continue to push for its
removal from managed devices.
A 32-year old California man was sentenced to 46 months in federal prison after pleading guilty to a million-dollar scheme involving stolen identities of United States service members and veterans.
In his guilty plea, Trorice Crawford admitted that he and his co-conspirators stole money from military members’ bank accounts from May 2017 to July 2020 after infiltrating a Department of Defense portal.
According to a report, Crawford’s co-defendant, Frederick Brown, a former medical records administrator for the U.S. Army, exfiltrated personally identifiable information of thousands of military members using his smartphone. Brown logged into the Armed Forces Health Longitudinal Technology Application and stole names, Social Security numbers, DoD ID numbers, dates of birth and contact information.
The data was passed on to others who used the information to access various Department of Defense and Veterans Affairs benefits websites and steal millions of dollars.
“The Department of Justice will not tolerate fraud on America’s warfighters and veterans,” said Acting Assistant Attorney General Ethan P. Davis of the Department’s Civil Division. “Working with our partners and using all tools available, we are committed to protecting those who protect us.”
Once the culprits gained access to records designed to enable military members to access benefits information, they recruited at least 30 money mules who could help with money laundering.
The ‘hired’ money mules provided their bank account numbers to receive the stolen funds, and according to the Department of Justice (DOJ) press release, “each unauthorized transfer from a victim’s accounts ranged from between $8,000 to $13,000.”
“Crawford kept a percentage of the withdrawn funds for himself and oversaw the transmission of the remaining amounts by means of international money remittance services to others in the Philippines,” the release said.
An FTC report published earlier this year said that, “active duty service members are 76% more likely than other adults to report that an identity thief misused an existing account.”
Moreover, military personnel are 22% more likely to fall victim to new account fraud, with one-fifth of active troops experiencing identity fraud. The DOJ’s announcement only reinforces the claim, highlighting the lengths that identity thieves will go to in order to get an easy paycheck.
LiveAuctioneers, an online auction platform headquartered in the United States, has confirmed a security incident after a database containing 3.4 million user records was put up for sale on the dark web for $2,500.
“As of July 11th, 2020, our cybersecurity team has confirmed that an unauthorized third party accessed certain user data through a security breach at a LiveAuctioneers data processing partner that occurred on June 19,” the company said. “LiveAuctioneers was one of a number of their partners who have experienced a breach from an unauthorized party since this data processing partner’s security was compromised. Our cybersecurity team has ensured the unauthorized access has ceased.”
According to a data breach notification posted by the live auction marketplace, the affected information includes names, email and mailing addresses, phone numbers and encrypted passwords. However, the data broker selling LiveAuctioneers’ user data claimed that the database includes decrypted passwords and social media profiles. The two claims are not necessarily in conflict: stored passwords are normally hashed rather than encrypted, and if the hashes were unsalted or used a fast algorithm, a buyer can recover a large share of the plaintexts offline, which is why the password, and any other account that shared it, should be changed regardless.
The data breach memo also states that there is no evidence to suggest access to complete credit card data, and that no auction history was affected.
“Not all of this information may have been present on your account,” LiveAuctioneers said. “Additionally, our cybersecurity team has confirmed that complete credit card numbers were not accessed, and we have no reason to believe auction history was affected.”
On the same day, LiveAuctioneers disabled passwords on all bidder accounts, and advised users to follow the necessary steps to change their passwords. The company also emphasized that, although no auctioneer accounts were affected by the breach, a separate email containing personalized instructions for enhancing account security was sent on July 11.
LiveAuctioneers members can also follow additional security measures, including:
• Changing the password on any other online account that shared the login credentials used for their LiveAuctioneers account
• Reviewing accounts for any suspicious activity
• Being wary of unsolicited email that could be seeking additional personal information, and never clicking on links or downloading attachments from unfamiliar or suspicious sources
A zero-day vulnerability affecting the Zoom client for
Windows has been discovered that would allow an attacker to execute arbitrary
code on remote devices. Only Windows 7 and older OSes were affected, further
complicating the situation.
Zoom vulnerabilities pop up constantly, but that’s also
likely due in part to the app’s sudden popularity. The COVID-19 pandemic pushed
the Zoom app to the forefront, mostly because of permissive default features
that allowed people to use it without a premium account.
With so many users actively engaging in videoconferences,
it was just a matter of time before Zoom became an active target for hackers
and security researchers. Out of all possible problems, zero-day
vulnerabilities are the most troublesome.
In this case, it was a vulnerability present only on
Windows 7 and older products. Even if these products are no longer supported,
it doesn’t mean that they’re not used. In fact, Windows 7 still has a market
share of around 5%. Given the large number of PCs out there, that leaves a lot
of vulnerable devices.
“The vulnerability allows a remote attacker to
execute arbitrary code on victim’s computer where Zoom Client for Windows (any
currently supported version) is installed by getting the user to perform some
typical action such as opening a document file. No security warning is shown to
the user in the course of attack,” said
the researchers from 0patch who disclosed the exploit.
For unknown reasons, the researcher who found the problem
didn’t want to report the vulnerability to Zoom and left this job to 0patch.
Following disclosure, Zoom issued a patch that covered the Windows 7 version.
Unfortunately, it’s only a matter of time before other
security issues are found with Windows 7 and its interactions with other
software. Since Microsoft no longer supports the OS, the problems will only go
away when people stop using that operating system.
A US District court in California has found a Russian hacker guilty of breaking into the networks of LinkedIn, Dropbox, and the now defunct social network Formspring, and selling their user databases on the computer underground.
In October 2016, Yevgeniy Nikulin was arrested at a hotel restaurant in central Prague – an event caught on video camera.
It had been four years since Nikulin had compromised the PC of a LinkedIn employee and planted malware to steal their access credentials to the professional networking service’s internal systems.
With that privileged access, Nikulin was able to reach LinkedIn’s user database, which included email addresses, usernames, and passwords stored as notoriously weak unsalted SHA-1 hashes.
The poor security LinkedIn used to store its passwords made them simple to crack: SHA-1 is fast, and without a per-user salt every account sharing a password shares the same hash, so one precomputed table breaks all of them at once. That in turn let hackers explore whether the recovered passwords would also unlock other online accounts.
High profile victims of the security breach, who had made the mistake of reusing their LinkedIn password elsewhere on the internet, included Facebook founder Mark Zuckerberg, actor Jack Black, and social media influencer Kylie Jenner.
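The following is an added example, not code from the original article or from LinkedIn or Dropbox, illustrating why unsalted SHA-1 storage was so damaging: one lookup table built from a wordlist cracks every account at once, whereas a per-user salt forces the attacker to redo the work for each account. The usernames, passwords and wordlist are constructed, the hash-call counter is instrumentation added for the demonstration, and salted SHA-1 is shown only to isolate the effect of the salt; a real store should use a deliberately slow KDF such as bcrypt, scrypt or Argon2 on top of salting.

```python
import hashlib
import os

# Constructed sample "leak": usernames and the passwords they chose.
# Illustrative rows only, not data from the LinkedIn or Dropbox breaches.
SAMPLE_CREDS = [
    ("alice@example.com", "linkedin2012"),
    ("bob@example.com", "password"),
    ("carol@example.com", "Summer2012"),
    ("dave@example.com", "Tr0ub4dor&3"),   # not in the wordlist: survives both attacks
]

# Constructed cracking wordlist (a real attacker uses tens of millions of entries).
WORDLIST = ["123456", "password", "qwerty", "linkedin2012", "Summer2012", "letmein"]

HASH_CALLS = {"count": 0}   # instrumentation: how much hashing each attack costs


def sha1_hex(data: bytes) -> str:
    HASH_CALLS["count"] += 1
    return hashlib.sha1(data).hexdigest()


def store_unsalted(creds):
    """Unsalted SHA-1, as LinkedIn stored passwords in 2012: identical passwords
    produce identical digests, and one lookup table cracks every account at once."""
    return {user: sha1_hex(pw.encode()) for user, pw in creds}


def crack_unsalted(leak, wordlist):
    """Hash each wordlist entry once, then crack every account by dictionary lookup.
    Returns (cracked accounts, number of hash calls)."""
    HASH_CALLS["count"] = 0
    table = {sha1_hex(w.encode()): w for w in wordlist}   # built once, offline
    cracked = {user: table[h] for user, h in leak.items() if h in table}
    return cracked, HASH_CALLS["count"]


def store_salted(creds):
    """Per-user random salt folded into the hash: the same password now yields
    different digests for different users, so no shared table is possible."""
    out = {}
    for user, pw in creds:
        salt = os.urandom(16)
        out[user] = (salt, sha1_hex(salt + pw.encode()))
    return out


def crack_salted(leak, wordlist):
    """With salts, the whole wordlist has to be re-hashed for every account."""
    HASH_CALLS["count"] = 0
    cracked = {}
    for user, (salt, digest) in leak.items():
        for w in wordlist:
            if sha1_hex(salt + w.encode()) == digest:
                cracked[user] = w
                break
    return cracked, HASH_CALLS["count"]


def reused_elsewhere(cracked, other_site_creds):
    """Credential stuffing: which cracked passwords also open accounts on another site?"""
    return sorted(u for u, pw in other_site_creds if cracked.get(u) == pw)


if __name__ == "__main__":
    cracked, calls = crack_unsalted(store_unsalted(SAMPLE_CREDS), WORDLIST)
    print("unsalted:", cracked, "hash calls:", calls)
    cracked_s, calls_s = crack_salted(store_salted(SAMPLE_CREDS), WORDLIST)
    print("salted:  ", cracked_s, "hash calls:", calls_s)
    # Constructed second site where bob reused his password.
    other = [("bob@example.com", "password"), ("alice@example.com", "different")]
    print("reused on other site:", reused_elsewhere(cracked, other))
```

The counter makes the asymmetry visible: the unsalted attack costs one hash per wordlist entry no matter how many accounts leaked, while the salted attack costs up to one full wordlist pass per account. The last function shows the second half of the damage described above, a cracked password being tried against a different service.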
Following the success of his LinkedIn hack, Nikulin was able to turn his attention to other targets. He used details derived from the compromised LinkedIn databases to launch a successful phishing attack against a Dropbox employee – breaking into their account, and gaining access to sensitive data.
Between May and July 2012, Nikulin was able to amass the email addresses and hashed passwords for some 68,680,741 Dropbox accounts.
Unfortunately, Dropbox was apparently unaware of the true scale of the security breach at the time.
In a July 2012 blog post, Dropbox admitted that an undisclosed number of users’ email addresses had been exposed, after some users had complained about receiving spam.
It took another four years, until August 2016, for Dropbox to confirm the size of the breach it had suffered.
It had taken a similar length of time for the true scale of the LinkedIn hack to become public knowledge. At first it was reported that the LinkedIn hack might have compromised 6.5 million user accounts, but – in May 2016 – a grand total of 117 million LinkedIn accounts, alleged to have been obtained from the 2012 hack, were put up for sale on a cybercrime forum.
In the meantime, another website had fallen victim to Nikulin. The Russian hacker successfully phished details from a worker at the now-extinct social network Formspring, which later rebranded itself as Spring.me. With that privileged access, Nikulin is said to have stolen the details of over 30 million users.
Nikulin’s cybercriminal activities had paid for an extravagant lifestyle, as ZDNet reports, including expensive watches, European travel, and luxury cars including a Lamborghini Huracan, a Bentley, a Continental GT, and a Mercedes-Benz G-Class.
Following his arrest in the Czech Republic, Nikulin was ultimately extradited to the United States to face trial, where a court heard that investigators had traced the hacks back to Nikulin’s location in Moscow via an IP address used during one of the attacks.
Last week in San Francisco, after just six hours of deliberation by the jury, Nikulin was found guilty.
“Nikulin’s conviction is a warning to would-be hackers, wherever they may be,” said US Attorney David L. Anderson. “Computer hacking is not just a crime, it is a direct threat to the security and privacy of Americans. American law enforcement will respond to that threat regardless of where it originates.”
32-year-old Nikulin is scheduled to be sentenced in September. According to prosecutors, he could face up to 10 years in prison for each count of selling stolen usernames and passwords and of installing malware on protected computers.
In addition, Nikulin could be sentenced to up to five years for each count of conspiracy and computer hacking, and faces a mandatory two-year sentence for identity theft.
It doesn’t sound like he’ll be sitting down in a Prague restaurant or driving one of his luxury sports cars any time soon.
The fraud landscape is evolving and, as the world becomes increasingly digital, so do the criminals. From petty schemes to high-class social engineering strategies, fraudsters cash out on billions each year.
Creating a fake identity
The FTC calls synthetic identity fraud “one of the fastest-growing financial crimes” in the United States. Unlike traditional forms of identity theft, criminals don’t steal an identity, but create a new one, using a combination of fake and real information. For example, an identity thief can combine real Personally Identifiable Information (PII) such as a Social Security number with a fake name and address to open bank accounts and seek credit, apply for a job or obtain health insurance.
Although it takes longer for criminals to establish a realistic credit history, fraudsters may create multiple “customer profiles” before attempting to make a large purchase or obtain significant bank loans. As such, their modus operandi includes piggybacking on accounts belonging to other real or fake individuals with a good credit score.
After creating a fake identity, the fraudster applies for credit, which immediately triggers the creation of a credit file, in effect proof that the identity exists. The scammer applies repeatedly until an application is approved, and continues to build up the synthetic identity. In the end, the fraudster “busts out” and vanishes without repaying the loans.
According to the Payments Fraud Insights report published by the Federal Reserve, “the ease and low cost of creating synthetic identities contributes to the widespread impact of this type of fraud on the financial, insurance and healthcare industries, government agencies and consumers.”
“Sophisticated crime rings can leverage multiple tactics at scale to cultivate synthetic identities, including using fake addresses, creating sham businesses and forming relationships with collusive merchants to cash in,” the report continues.
Common aspects of synthetic identities include:
• Multiple identities with the same SSN
• Credit file depth inconsistent with customer age or other profile information
• Multiple applications from the same phone number, mailing address or IP address
• Use of secured credit lines or piggybacking to build credit
• SSN issued after 2011
• Multiple authorized users on the same account
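The list above is a set of rules a fraud team can actually run over an application stream. The following is an added example, not code from the original article or from the Federal Reserve report, that encodes three of those indicators (one SSN attached to several names; one phone number, address or IP shared by applications carrying different SSNs; a credit file too thin for the applicant’s age) and refers any application that trips two or more of them for manual review. The application records are constructed, and the age and file-depth cut-offs and the review threshold are assumptions chosen for the demonstration, not figures from the report.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Application:
    app_id: str
    name: str
    ssn: str
    dob_year: int
    phone: str
    address: str
    ip: str
    oldest_tradeline_year: Optional[int]   # None: no credit file exists yet


# Constructed sample applications (illustrative, not real records).
APPLICATIONS = [
    Application("A1", "Jane Doe", "123-45-6789", 1985, "555-0100", "1 Main St", "10.0.0.5", 2005),
    Application("A2", "John Smith", "987-65-4321", 1972, "555-0199", "9 Elm St", "10.0.0.7", 2019),
    Application("A3", "Maria Smith", "987-65-4321", 1990, "555-0199", "9 Elm St", "10.0.0.7", None),
    Application("A4", "Robert Jones", "555-55-5555", 1995, "555-0199", "12 Oak Ave", "10.0.0.7", None),
    Application("A5", "Alan Brown", "777-77-7777", 1980, "555-0123", "3 Pine Rd", "10.0.0.9", 2019),
]

REVIEW_THRESHOLD = 2   # assumed: two or more flags sends the application to manual review


def flag_applications(apps, reference_year=2020):
    """Return {app_id: sorted list of red flags} for every application."""
    flags = defaultdict(set)

    # Rule 1: one SSN attached to more than one name.
    names_by_ssn = defaultdict(set)
    for a in apps:
        names_by_ssn[a.ssn].add(a.name)
    for a in apps:
        if len(names_by_ssn[a.ssn]) > 1:
            flags[a.app_id].add("ssn_shared")

    # Rule 2: one phone / address / IP used by applications carrying different SSNs.
    # Counting distinct SSNs, not applications, keeps a genuine applicant who reapplies
    # from the same address from tripping the rule.
    for field in ("phone", "address", "ip"):
        ssns_by_value = defaultdict(set)
        for a in apps:
            ssns_by_value[getattr(a, field)].add(a.ssn)
        for a in apps:
            if len(ssns_by_value[getattr(a, field)]) > 1:
                flags[a.app_id].add(f"shared_{field}")

    # Rule 3: credit-file depth inconsistent with age. Assumed cut-offs: an applicant
    # aged 30 or more with no file, or a file less than two years old, is unusual.
    for a in apps:
        age = reference_year - a.dob_year
        depth = None if a.oldest_tradeline_year is None else reference_year - a.oldest_tradeline_year
        if age >= 30 and (depth is None or depth <= 2):
            flags[a.app_id].add("thin_file_for_age")

    return {a.app_id: sorted(flags[a.app_id]) for a in apps}


def needs_review(flags, threshold=REVIEW_THRESHOLD):
    """Application IDs that accumulated at least `threshold` flags."""
    return sorted(app_id for app_id, f in flags.items() if len(f) >= threshold)


if __name__ == "__main__":
    result = flag_applications(APPLICATIONS)
    for app_id, f in result.items():
        print(app_id, f or "clean")
    print("manual review:", needs_review(result))
```

In the constructed set, A2 and A3 share an SSN under two different names and also share a phone number and IP with A4, which is the piggybacking pattern described above; A5 trips only the thin-file rule and is left alone, since a single indicator on its own is often a legitimate immigrant or young adult rather than a synthetic identity.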
Children and elderly citizens make for better targets
In the case of synthetic identity fraud, cyber thieves are known to mainly target minors and the elderly because they are less inclined to check their credit reports, allowing fraudulent activity to go on for years without detection.
The personal information of children is highly sought after on dark web marketplaces, and reports show that newborns’ and infants’ Social Security numbers, birth dates and names sell for an average of $300 per record. It’s also estimated that children are 51 times more likely to fall victim to identity theft than adults.
If you wish to prevent your child’s social security number from being used as part of a synthetic ID, it’s highly recommended that you check their credit reports on a regular basis, and even request that credit institutions freeze the child’s credit until the age of 16.
The cost of synthetic ID fraud
Millions of identities are exposed each year through data breaches and data leaks, providing cyber thieves the means to conduct synthetic identity fraud.
As highlighted in a Federal Reserve report, this type of fraud is harder to detect, with 85% to 94% of all synthetic identities not being flagged as high risk by existing fraud models. Moreover, an analysis conducted by the Auriemma Group suggested that synthetic identity fraud accounted for 20% of all credit losses in 2016, costing U.S. banks more than $6 billion.
Synthetic identity theft has been around for decades, shrouding the criminal activities of fraudsters seeking to cash in on illegally obtained credit. One of the largest synthetic ID rings was detected in 2013, when the Department of Justice (DOJ) charged 18 people in an international credit card fraud scheme spanning 28 states and eight countries. Using these fake identities, the scammers obtained more than 25,000 credit cards, inflicting $200 million in losses.
Can you prevent synthetic identity fraud?
Unfortunately, synthetic ID fraud is harder to pin down for both law enforcement and individuals. With so much of our personal information being scraped and sold to the highest bidder on the dark web, the odds of becoming another identity theft victim are high.
However, you can take some measures to protect yourself and your family:
• Never provide your SSN to individuals contacting you via phone, email or social media
• Monitor your credit history on a regular basis
• Review your annual Social Security statement
• Keep your personal documents safe
We’ve reached the half-year mark and online scammers are
still taking advantage of the uncertainties brought on by the pandemic.
Cyber-attacks targeting both consumers and business surged
worldwide, and the trend shows no sign of stopping any time soon. In recent
months, coronavirus-related attacks spiked, and email has remained the prime
vector of choice for enabling them. What are the latest phishing trends that
fraudsters use in an attempt to steal personal and financial details from
Internet users?
In the past two months, Bitdefender’s telemetry has shown
a steady surge of coronavirus-related emails, with 42.9% of the correspondence flagged
as suspicious, fraudulent or malicious.
Fraudsters continue to exploit the coronavirus to spread malicious links and attachments, with many phishing emails impersonating agencies and bodies such as the World Health Organization (WHO).
Some of the latest ruses include updates on the evolution of the virus and malicious attachments that infect the recipients’ device when opened. Scammers also act under the guise of the government, leveraging the temporary ban on importing or exporting goods, or of financial institutions offering a COVID-19 Financial Relief Fund.
Coronavirus ‘cures’ were also marketed by fraudsters who offer new miracle drugs that can cure the illness “within five days.”
Of course, their list would not be complete without a reminder to purchase some protective gear. Our Bitdefender labs also flagged emails advertising Covid-19 reusable facemasks.
Additionally, some peculiar spikes in phishing emails relating to different financial institutions were noticed. A campaign targeting Standard Bank customers started on May 14, and continued up until mid-June, with various upticks during the end and the beginning of the week.
More than 97% of the emails in that campaign were suspicious,
fraudulent or malicious, and it appears that cyber-criminals have a tendency to
lie low on Saturdays, most likely because users also take a break from reading
email.
On June 8, more than 95% of the influx of emails relating to HSBC bank was fraudulent in nature.
A third phishing campaign mimicking the World Bank was observed the next day. Nearly 81% of the correspondence that impersonated this grant institution turned out to be malicious.
Fraudsters also took advantage of the popularity of money
transfer companies such as MoneyGram. A steady flow of phishing emails was observed
between June 23 and July 1; 91% of emails using the company’s name were malicious
and, surprisingly enough, the crooks were offering to compensate victims who had
previously paid off scammers.
Most phishing emails seem innocent at first, and appear
to originate from a trusted source such as a government organization, ministry
of health, center for public health or bank. However, they contain malicious
attachments or embedded links that, once accessed, deploy various malware on
the recipient’s device. This malicious software can let cyber crooks take
control of your computer, log your keystrokes, access your personal information
and financial data, and even encrypt your data with ransomware.
Cyber criminals know you are busy and have a lot on your
mind. They transmit a sense of urgency and prey on human emotion, hoping you
will miss red flags. This makes phishing one of the most reliable means for
identity thieves to steal your personal and financial data.
While some fraudsters have updated their tactics and
spend a longer time planning their endgame, not all of them do. The most
frequent tip-offs include:
• poor grammar and obvious spelling mistakes
• the message asks for your personal information
• the message is unsolicited and appears to be from a government, health or financial agency
Mozilla suspended the Firefox Send service after it
received reports that it was used by bad actors to host and send malware to
unsuspecting users.
Firefox Send is a
service that lets people upload files and send them to other users in a secure
manner. The file is encrypted in the sender’s browser before upload, and the
decryption key travels only in the share link, so neither Mozilla nor anyone
intercepting the transfer can read the contents. That is a good property for
people looking for privacy, but it also means the service cannot inspect what it
hosts, and it was used for nefarious purposes.
It was just a matter of time before malware operators
figured out that a trusted online service used to send files, which also
features a timeout function for the hosted data, was a great tool to deploy
everything from trojans to ransomware.
According to a ZDNet report,
security researchers noticed this worrying trend a while ago and kept pestering
the company to do something about the situation. Unfortunately, investigations
into possible attacks were hampered by the fact that links to the infected
files expired by the time a proper analysis could be performed.
One of the features that security experts wanted to see
added to Firefox Send was a “Report File” button, but that didn’t
happen. But, in a surprise move, Mozilla moved to suspend the service entirely
until they could safely provide this service.
“We will temporarily take Firefox Send offline while we
make improvements to the product,” said Mozilla to ZDNet. “Before
relaunching, we will be adding an abuse reporting mechanism to augment the
existing Feedback form, and we will require all users wishing to share content
using Firefox Send to sign in with a Firefox Account. We are carefully
monitoring these developments and looking critically at any additional next
steps,” the company explained.
There is no timeline for the service’s return, and all
links generated by the service that were still available have been deactivated.
The pandemic impacted more than just our way of living. As the world slowly adapted to social distancing and a work-from-home environment, our view on digital privacy and cybersecurity has emerged as a leading challenge. With much of our daily routines shifting online, Internet users experience unprecedented challenges from cybercriminals that have stepped up their game, readjusting to the new normal.
According to a report published by the Cybersecure Policy Exchange at Ryerson University in Toronto, 57% of Canadians said they have been a victim of some form of cybercrime. The findings highlight a significant increase from 2017, when only 36% of the respondents reported such attempts.
“Internet users around the world are reporting greater levels of concern about their online privacy than they were a year ago”, researchers said. “More access points, increased connectivity, and therefore more opportunities for threats to target weak spots.”
The survey was organized in mid-May, and polled 2,000 citizens in an attempt to “understand Canadians’ experiences, choices and priorities toward their cybersecurity and digital privacy”.
Among the self-reported cybercrime experiences, the unintentional install or download of malware was mentioned by 31% of the respondents. 28% claimed to have experienced a data breach that exposed personal information, and 22% had an online account hacked.
Surprisingly, only 13% admitted to having been a victim of a phishing attack, and 8% unintentionally installed or downloaded ransomware on their computers.
The report also emphasized a significant increase in digital consumption, revealing the top online activities during the first two months of social distancing:
• Online banking (87%)
• Online messaging and video calls (79%)
• Online shopping (77%)
• Social media (76%)
• Online news (74%)
• Online healthcare (19%)
When asked to express their view on the security of personal data, a majority of Canadians trust government institutions, banks, and healthcare providers to keep their information safe. On the downside, just 15% of the respondents trust social media platforms, such as Facebook, to keep their data secure. The results are as expected though, considering the privacy scandals that revolved around these platforms over the past years.
Moreover, social media platforms have been a consistent target for cybercriminals focusing on committing a range of fraudulent schemes, exploitation, and identity theft.