European Agencies Hack Criminal Encrochat Messaging System

A joint operation headed by European and British law
enforcement agencies dismantled the Encrochat messaging service, leading to the arrests of more
than 100 people as well as the seizure of numerous weapons and ammunition, drugs
and millions in criminal funds.

Encrochat was an instant messaging service with a twist.
It was an application deployed on custom-built Android devices that had the
camera, microphone and GPS removed. The idea was to make it difficult for law
enforcement to track the users.

The devices were running dual operating systems, and
allowed users to wipe data remotely if they lost the devices. These services
were not cheap, with each device costing around €1,500 for six months of
operation. Encrochat had around 60,000 users globally, including 10,000 in the
UK.

Law enforcement agencies managed to crack Encrochat,
allowing them to intercept, share and analyze millions of messages exchanged
between criminals to plan serious crimes. In fact, the messages were read in
real-time, allowing law enforcement to prevent serious crimes.

“A large number of suspects have also been arrested in
several countries which were not participating in the JIT but particularly
affected by the illegal use of these phones by individuals active in organised
crime, including in the UK, Sweden and Norway. Many of these investigations
were connected with international drug trafficking and violent criminal
activities,” says
Europol.

In the Netherlands alone, for example, more than 100
suspects were arrested, 8,000 kilograms of cocaine and 1,200 kilograms of
crystal meth were seized along with €20 million in cash, and 19 synthetic drug
labs were dismantled.

The entire operation only ended on June 13, when the
developers of EncroChat figured out their platform had been hacked and sent a
message to all its users with the advice to immediately throw away the phones.

Massive BEC Scheme Run by Nigerian National Dismantled by FBI

A Nigerian national faces charges in the United States
stemming from various cybercrime schemes that included business email
compromise (BEC) frauds and a number of other alleged infractions.

Ramon Olorunwa Abbas, 37, a.k.a. “Ray
Hushpuppi” and “Hush,” is a Nigerian national and Dubai resident
accused of involvement in a few major BEC schemes that affected a U.S. law
firm, a foreign bank and an English Premier League soccer club.

In BEC attacks, bad actors use compromised credentials for
legitimate email accounts and trick third parties into making wire transfers. In many
cases, the messages appear to come from high up the hierarchical ladder, so employees
skip the usual security checks.

Abbas was arrested in the United Arab Emirates, with the
FBI’s help, and now faces charges after being expelled to the United States.

“The affidavit alleges that Abbas and others
committed a BEC scheme that defrauded a client of a New York-based law firm out
of approximately $922,857 in October 2019,” states
the press release from the Department of Defense.

“Abbas and co-conspirators allegedly tricked one of
the law firm’s paralegals into wiring money intended for the client’s real
estate refinancing to a bank account that was controlled by Abbas and the
co-conspirators.”

Abbas is also accused of conspiring to launder funds
stolen in a $14.7 million cyber-heist from a foreign financial institution in
February 2019. He was also targeting an English Premier League soccer club to
steal $124 million.

The prosecutors say that, if convicted of conspiracy to
engage in money laundering, Abbas would face a statutory maximum sentence of 20
years in federal prison.

BEC schemes are one of the most damaging cybercrimes, and
one reason is that criminals don’t need much technical expertise to pull them
off. It’s a lot different from breaching corporate infrastructure, for example.

Ex-Yahoo employee avoids jail, despite hacking 6000 accounts, and stealing explicit photos and videos


A former employee of Yahoo has been sentenced and ordered to pay a fine after exploiting his privileged access to hack into the personal accounts of thousands of Yahoo users, in his hunt for naked photographs and videos of young women.

As we previously reported, 34-year-old Reyes Daniel Ruiz, of Tracy, California, admitted last year that he had cracked account passwords and abused internal systems at Yahoo, copying stolen explicit images and videos onto a personal hard drive at his home.

Amongst Ruiz’s more than 6000 victims were personal friends and work colleagues.

And, having breached Yahoo email accounts, Ruiz took advantage of the situation to also break into Dropbox, Facebook, Gmail, Hotmail, Apple iCloud, and PhotoBucket accounts – after requesting that password resets from the third-party sites be sent to the victim’s registered email address at Yahoo.

As ZDNet reports, court documents reveal that Yahoo Mail engineers were alerted to suspicious account activity on June 21 2018.

Ruiz became aware on the same day that his activities had been uncovered, and left work early to destroy evidence at his home – including the hard drive storing images, and a list of future intended victims he planned to hack.

On August 24 2018, the FBI searched Ruiz’s residence, and the by-now-dismissed software engineer admitted he had destroyed evidence, and that he had done so in an attempt to avoid prosecution.

That admission was a sensible decision by Ruiz, because a US court has decided that he will not have to serve any jail time for the hack.

Under normal circumstances, Ruiz could have faced up to five years in prison and a $250,000 fine. Instead he has been sentenced to probation and home confinement for five years, and ordered to pay a $5,000 fine and $118,456 in restitution to the hacked email provider.

Presumably, it also played in Ruiz’s favour that he had never been in trouble with the law before, had not distributed the stolen naked images and videos, had made no attempt to contact his victims, and purely used the material for “his own self-gratification.”

Nonetheless, that’s no excuse or waiver for what Ruiz did, and for the distress which his victims must have experienced when they discovered they had fallen victim to his plot.

Although there will be some who will feel that Ruiz should serve a jail sentence for what he did, and it’s understandable that his victims might feel rightly outraged that his sentence means he has avoided incarceration, reading his sentencing memorandum gave me the impression that his actions had already resulted in significant hardship.

Ruiz has only managed to get temporary, low-paid employment since he was dismissed by Yahoo, and his finances appear to be in dire straits. If he hadn’t cooperated with the authorities, or had shared the images online, this story might have had a very different ending.

Hopefully this case will act as a warning to others – if you have an urge to see naked pictures and explicit videos of people, there are plenty of places you can find them legally on the internet. You don’t need to put your career and liberty at risk by hacking into innocent people’s accounts.

5 Dating Apps Leak More than 1 Million User Profiles and Sensitive Information

This month, WizCase researchers discovered 5 separate data leaks of personal information belonging to dating app users in the US, Japan and South Korea.

The data, which was easily accessed due to misconfigured and insecure servers, included user information such as personally identifiable information (PII) and other sensitive data:

CatholicSingles.com – a 17MB database exposed 50,000 records of US customers, including real names, email addresses, billing addresses, phone numbers, age, gender, occupation, education, payment methods, and activity levels. While many profiles were banned or cancelled, the most recent login activity dates back to 2019, and analysts speculate these users could still be active on the platform.

SPYKX.com (Congdaq/Kongdak app) – a 600MB leak of the South Korean dating app exposed the personal information of 123,000 users, including emails, phone numbers, clear-text passwords and GPS data.

YESTIKI.com – The US-based dating app was found leaking 352MB of data, exposing the names, phone numbers, GPS location, user ratings, activity logs, and Foursquare secret key IDs of 4,300 users.

Blurry (dating app hosted by hyperitycorp.com) – Approximately 70,000 records were exposed by the South Korean app. The database of 367MB contained private chat messages that included personally identifiable information such as Instagram user names and WhatsApp phone numbers.

Charin and Kyuun – two Japanese dating apps exposed the largest unsecured database. 57GB exposed more than 1 million user records, including email addresses and clear-text passwords, user IDs, mobile device information, and search preferences such as distance and age.

As with any data breach that could leak complete PII, the consequences are greatly amplified for victims. If cyber-criminals get their hands on the user’s full name, address and date of birth, it becomes easy for them to steal their identity.

Moreover, users are vulnerable to phishing and phone scams that can ultimately be used to steal financial data or harass friends and family members. Using the leaked data, bad actors could also attempt to extort victims, threatening to expose the user’s private information and activity on the dating apps.

It’s crucial for anybody active on these dating apps to immediately change their password, and review any personal information that was made available. Victims should also pay close attention to any unsolicited emails, and install a local security solution on their devices.

Severe Windows 10 Vulnerabilities Fixed Ahead of Patch Tuesday

Microsoft released an out-of-band update for Windows 10
to patch a couple of high-severity vulnerabilities affecting the Windows Codecs
Library that would allow attackers to execute arbitrary code.

Windows 10 users are used to getting major updates on
Patch Tuesday, which comes once a month. The current cycle is scheduled to
land on July 14, but sometimes the problems are so severe that developers hurry
patches along.

A patch can also be pushed ahead of time when major
vulnerabilities are found to be actively exploited in the wild. Microsoft does
say that these flaws are not currently exploited in the wild, but the fact that they could
potentially impact hundreds of millions of Windows 10 installations, from all over
the world, is reason enough for a quick patch.

“A remote code execution vulnerability exists in the way
that Microsoft Windows Codecs Library handles objects in memory,” reads the advisory.
“An attacker who successfully exploited this vulnerability could obtain
information to further compromise the user’s system. Exploitation of the
vulnerability requires that a program process a specially crafted image file.”

The issue is all the more problematic for users because
there are no known mitigations for the CVE-2020-1425
and CVE-2020-1457
vulnerabilities, meaning that the only way to ensure protection is to install
the patches.

The biggest issue with vulnerabilities that affect such a
wide range of users is that, one or two years from now, a considerable number
of devices will still be vulnerable because they haven’t applied the patch.

The security update is being rolled out through the
Microsoft Store, which means that it doesn’t require the user’s input, allowing
the patch to reach many more people than through regular channels.

Child Identity Thief Receives 259 Months in Federal Prison after Running a $3.3 Million Scheme

U.S. District Judge R. Gary Klausner sentenced 50-year-old Turhan Lemont Armstrong to more than 21 years in federal prison yesterday for running a $3.3 million credit card, loan and real estate fraud scheme.

According to authorities, the Los Angeles-area local used stolen identities and Social Security numbers, primarily those of children, to obtain credit cards, open bank accounts, set up shell companies, apply for loans, and purchase assets such as homes and vehicles.

Since parents rarely think to monitor their children’s credit score, the scheme went on for nearly a decade, allowing Armstrong and his accomplices to apply for loans from multiple financial institutions across the country. The loans were used in the purchase of multiple cars that were later exported out of the United States.

As per the May 2019 conviction report, the accused failed to report any income to the IRS between 2009 and 2017, but continued to maintain multiple residences in Georgia, Florida and Northridge. During the investigation, the authorities found multiple fake IDs, hundreds of credit cards and social security numbers of his victims.

The Department of Justice (DOJ) announced that Armstrong was found guilty of all 51 counts in his 2019 federal grand jury indictment. The charges include conspiracy to commit financial institution fraud, financial institution fraud, making false statements to financial institutions, conspiracy to commit money laundering, money laundering, conspiracy to commit access device (credit card) fraud, access device fraud, interstate transportation of stolen vehicles, and aggravated identity theft.

“[Armstrong’s] criminal conduct was more than a series of bad decisions – it was a way of life,” reads a passage of the sentencing memorandum. “The victims of [Armstrong’s] crimes run the gamut: banks, credit card issuers, car dealerships, utility companies, and the people all over the country whose identities [he] stole.”

The number one goal of identity thieves is to make as much profit as possible off your personally identifiable information. Whether they apply for loans, fill out false tax returns or acquire medical insurance in your name, some of these crimes can go unnoticed for months, or even years. Children’s identities are especially tempting for cyber thieves. In a 2017 study conducted by Javelin Research, more than 1 million children had their identities stolen, with 66% of victims under the age of 8.

It’s important to avoid sharing your child’s Social Security number when possible, but if you do, ask how the organization protects your and your child’s personal information. Keep your documents and sensitive information in a secure place, and immediately take action if your child’s school discloses a data breach.

If your young one is highly active on the Internet, you might want to provide them with some handy cyber security tips that will help protect their personal information and your household devices.

Bad Actors Target MongoDB Databases, Threatening to Contact GDPR Legislators Unless Ransom is Paid

Bad actors are targeting unsecured MongoDB servers, wiping their database and leaving ransom notes outlining threats to leak the stolen information and report owners for GDPR violations.

According to Victor Gevers, the chairman of the international non-profit organization GDI Foundation, hackers are actively scanning the Internet for unsecured and vulnerable MongoDB servers.

More than 22,000 ransom notes have been uploaded to exposed MongoDB databases, accounting for nearly 47% of all MongoDB NoSQL databases that are accessible online.

This type of attack has been observed since April 2020. After cyber criminals infiltrate and steal the data, they leave a “READ_ME_TO_RECOVER_YOUR_DATA” ransom note:

“All your data is a backed up. You must pay 0.015 BTC to [redacted] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: [redacted]”

Gevers also noted that Shodan, the IoT search engine, has listed more than 15,000 affected MongoDB databases, while Binary Edge listed around 23,000.

Cyber criminals have been capitalizing on unsecured databases for years. However, this series of targeted attacks brings a new feature – threats related to GDPR legislation. Victims who refuse to pay 0.015 BTC (around 140 US dollars) will be reported to GDPR authorities, and possibly face a larger fine.

“The trick is if you pay, then you want your data back and no GDPR trouble,” Gevers added. “So this means you are willing to pay even more when they extort for more? People pay for real valuable data. So this way, they figure out what has value, I guess.”

One in Every 142 Passwords is ‘123456’, New Research Shows

“123456” is the most widely used password on breached accounts, according to a recent password re-use study by computer engineering students at Cyprus University.

Last month, student Ata Hakçıl analyzed more than 1 billion username and password combinations that were leaked online from various corporate data breaches, revealing some alarming results:

• 1 billion credentials were reduced to just 168,919,919 passwords and 393,386,953 usernames
• The most common password is 123456, covering around 7 million entries per billion
• The most common 1,000 passwords cover 6.607% of all passwords
• Average password length is only 9.4822 characters long
• Only 12.04% of analyzed passwords contained special characters
• 28.79% of passwords contain letters only
• 26.16% of passwords are lowercase only
• 13.37% of passwords are numbers only
• 34.41% of all passwords end with digits, but only 4.522% of all passwords start with a digit

Only 8.83% of analyzed passwords were unique, with an average length of 9.7965 characters. 20% of the passwords contained letters only and 15.02% displayed just lowercase letters.
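The metrics the study reports can be reproduced over any credential dump with a short script. The following is an added example, not code from the article or from the study; it runs over a constructed sample dump of `username:password` lines, and the metric definitions it assumes (a special character is anything non-alphanumeric, a "unique" password is one seen exactly once) are assumptions, since the article does not give the study's exact definitions.

```python
"""Password-dump hygiene metrics of the kind reported in the Cyprus study.

Added example, not part of the original article or the study's own code.
Assumed definitions: special character = any non-alphanumeric character;
"seen_once" = password that occurs exactly once in the dump.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample dump (the real study used more than 1 billion pairs).
SAMPLE_DUMP = """\
alice:123456
bob:123456
carol:Password1
dave:123456
erin:qwerty
frank:letmein
grace:hunter2
heidi:abc123
ivan:p@ssw0rd!
judy:123456
mallory:1qaz2wsx
"""


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Split 'user:password' lines; the first colon separates the two fields."""
    pairs = []
    for line in text.splitlines():
        user, sep, pw = line.partition(":")
        if sep and user and pw:
            pairs.append((user, pw))
    return pairs


def password_metrics(pairs: List[Tuple[str, str]], top_n: int = 3) -> Dict[str, object]:
    """Compute the study's proportions as fractions of all credentials."""
    passwords = [pw for _, pw in pairs]
    counts = Counter(passwords)
    total = len(passwords)
    frac = lambda n: round(n / total, 4)
    most_common, most_common_n = counts.most_common(1)[0]
    top_cover = sum(n for _, n in counts.most_common(top_n))
    return {
        "credentials": total,
        "distinct_passwords": len(counts),
        "distinct_usernames": len({u for u, _ in pairs}),
        "most_common": most_common,
        "most_common_share": frac(most_common_n),
        f"top_{top_n}_share": frac(top_cover),
        "avg_length": round(sum(map(len, passwords)) / total, 4),
        "special_chars": frac(sum(1 for p in passwords if not p.isalnum())),
        "letters_only": frac(sum(1 for p in passwords if p.isalpha())),
        "lowercase_only": frac(sum(1 for p in passwords if p.isalpha() and p.islower())),
        "digits_only": frac(sum(1 for p in passwords if p.isdigit())),
        "ends_with_digit": frac(sum(1 for p in passwords if p[-1].isdigit())),
        "starts_with_digit": frac(sum(1 for p in passwords if p[0].isdigit())),
        "seen_once": frac(sum(1 for n in counts.values() if n == 1)),
    }


def blocklist_from_dump(pairs: List[Tuple[str, str]], top_n: int = 1000) -> set:
    """The top-N passwords of a dump make a minimal deny list for a sign-up form."""
    return {pw for pw, _ in Counter(pw for _, pw in pairs).most_common(top_n)}


def sample_metrics() -> Dict[str, object]:
    """Metrics for the constructed dump above."""
    return password_metrics(parse_dump(SAMPLE_DUMP))


if __name__ == "__main__":
    for key, value in sample_metrics().items():
        print(f"{key:>20}: {value}")
```

On the sample dump the most common password is 123456 with a 36% share, which is the same shape of result the study reports at scale; `blocklist_from_dump` is the defender-side use of such a dump, rejecting its most common entries at registration.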

Making matters worse, the analyzed data was gathered from various data dumps, including some roughly five years old. User behavior has apparently not improved over time, and there is no doubt that cyber criminals have exploited this carelessness.

This is borne out by the contradictory attitude of Internet users to their account security. In a May report issued by LastPass, 80% of respondents said they were concerned about having their passwords stolen. However, 66% of participants use the same password across their online accounts, and 53% have not changed their passwords in the last 12 months.

Taking into consideration the vulnerable state of the digital landscape, users should start focusing on the security of their online accounts. It might be time-consuming for some, but can you put a price on your account privacy and safety of personal information?

Good cyber hygiene is the first step. Start by analyzing your password re-use and complexity. If you need some help with creating strong, yet easy-to-memorize passwords, we’re here to assist you with some handy tips and additional security practices to better secure your online accounts.

US Now Considers Huawei and ZTE Threats to National Security

Chinese companies Huawei and ZTE Corp have been
designated national security threats by the US Federal Communications
Commission (FCC), citing the companies’ close ties with the Chinese Communist
Party and the military.

The United States took a new step in this direction after
the FCC’s ban in November 2019 on the use of universal service support to
purchase equipment or services from companies posing a national security
threat.

“With today’s Orders, and based on the overwhelming
weight of evidence, the Bureau has designated Huawei and ZTE as national
security risks to America’s communications networks—and to our 5G future,” said
FCC Chairman Ajit Pai.

“Both companies have close ties to the Chinese Communist
Party and China’s military apparatus, and both companies are broadly subject to
Chinese law obligating them to cooperate with the country’s intelligence
services.”

Both companies are at the forefront of the development of
5G technology, which has already been implemented by numerous carriers across
the world. The US has long maintained that Huawei and ZTE are providing the
Chinese government and military apparatus with backdoors that would let them intercept
communications.

While both Chinese companies have denied any wrongdoing,
Chinese law does state that companies have to assist in espionage activities.
The designation of Huawei and ZTE as threats to national security will have
immediate ramifications, as the money from the FCC’s $8.3 billion-a-year
Universal Service Fund may no longer be used to purchase, obtain, maintain,
improve, modify, or otherwise support any equipment or services produced or
provided by these suppliers.

It’s still unclear how many US carriers have started to
remove that technology from their infrastructure or how long it will take. It’s
also unclear what they are going to use for replacements, although there are
some alternatives to the Chinese-developed 5G technology.

Google Removes 25 Malicious Google Play Apps Stealing Facebook Login Credentials

Last month, Google removed 25 Android apps from its Google Play Store after discovering they were stealing users’ Facebook account credentials.

The malicious apps, identified by security company Evina, appeared to be created by the same developer, Rio Reader LLC, and were downloaded more than 2.34 million times before Google decommissioned them.

The apps, which mimicked legitimate applications such as step counters, image editors, video editors, wallpaper apps, flashlight apps, file managers and mobile games, shared the same malicious code, enabling them to steal login credentials of any Facebook user.

“When an application is launched on your phone, the malware queries the application name. If it is a Facebook application, the malware will launch a browser that loads Facebook at the same time,” researchers said. “The browser is displayed in the foreground which makes you think that the application launched it. When you enter your credentials into this browser, the malware executes JavaScript to retrieve them. The malware then sends your account information to a server.”

Most of the apps appear to have been created in 2019, with downloads numbering between 10,000 and 500,000. This means the bad actors were able to harvest the credentials of many Facebook users before being shut down. The full list of apps, created date and number of installs can be seen below:

Image: Evina

Luckily, when Google removes an app from the Play Store, the company also disables the application installed on users’ devices, and notifies customers through its Play Protect service.

Google has been removing apps that are laced with adware or unsafe from its platform since the beginning of the year. While not all bogus apps are discovered and removed in due time, Android users can also play an important role in spotting them.

The next time you search for an app, pay attention to the reviews and number of downloads. Unprofessional-looking apps boasting one-word four- or five-star reviews most likely harbor a hidden agenda.
