Aggressive Adware Promised Free Stuff to Android Users Just to Stay Installed

  • Aggressive adware apps invade tens of thousands
    of devices
  • Operators designed the apps to run unhindered in
    the background
  • Google removed all of the fake apps from the
    Play Store

Security researchers from White Ops have discovered and
tracked a vast ad fraud botnet that used dozens of Android apps pretending to
offer users free items to keep the application installed for at least two
weeks.

At the peak of its activity, the botnet, named TERRACOTTA,
had more than 65,000 infected devices, spoofed more than 5,000 apps and
generated about 2 billion fraudulent bid requests. Such aggressive adware is
usually after one thing — to generate as many fake clicks as possible and
create the impression of users actively clicking on ads.

The old saying, “If something seems too good to be true,
it probably is,” encapsulates the TERRACOTTA botnet offering. Apps offered
users shoes, coupons or concert tickets, and people didn’t have to pay a dime.
If someone were to give out free shoes on a street corner, everyone would be
immediately suspicious. Why not feel the same suspicion when the offer comes
from a random Android app?

“The TERRACOTTA malware offered Android users free goods
in exchange for downloading the app—including shoes, coupons, and concert
tickets—which users never received,” said the researchers.
“Once the app was installed and the malware activated, the malware used the
device to generate non-human advertising impressions purporting to be ads shown
in legitimate Android apps.”

The cybercriminals wrote the apps using the React Native
cross-platform development framework, which didn’t raise any flags. On the
other hand, the apps did require two powerful permissions, WAKE_LOCK and
FOREGROUND_SERVICE, that let them run uninterrupted and invisible in
the background.

Google was quick to remove all of the TERRACOTTA apps from
the Play Store. Interestingly, removal from the official store doesn’t mean the
software is gone from the devices. Many installs remain active, although they
can no longer generate funds for their operators.

Cybercriminals Make Millions Selling Stolen Fortnite Accounts, New Research Shows

Thousands of stolen Fortnite accounts are selling like hotcakes in underground marketplaces, amassing around $1.2 million a year for cybercriminals, a new report shows.

The Fortnite Underground Cybercrime Economy report sheds light on a million-dollar business that capitalizes on the popularity of the free-to-play video game that managed to attract over 350 million players within three years of its launch.

According to researchers from Night Lion Security, each Fortnite account sells for between $200 and $250 on average. Still, some can even sell for thousands of dollars, depending on the value of a character’s in-game skin.

How are cybercriminals managing to crack and steal Fortnite accounts? Researchers point the finger at the high number of data breaches and data brokers that fuel the black market for gaming accounts.

“Hacking groups like Gnostic Players and Shiny Hunters account for a vast majority of breaches involving stolen user data, and are indirectly responsible for fueling an entire criminal economy of stolen accounts,” the report said. “These hacked databases are then sliced up and resold, only to provide ammunition for credential stuffing attacks designed to identify valid accounts across different consumer products.”

Researchers also provided a detailed explanation of how bad actors sniff out valid Fortnite accounts, citing DonJugi, a well-known cracker who operates on various underground forums.

“High-end Fortnite cracking tools can average between 15 and 25 thousand checks per minute, or roughly 500 account checks per second,” he said. “Simple variations on existing passwords can yield extremely high results” because users choose common patterns when setting up passwords.

“Checking for valid Fortnite accounts can be as easy as loading a list of email/password combinations into the right software,” the investigators added. “When changing passwords, people commonly make small and predictable changes, like capitalizing the first letter, or adding a single digit at the end of the password,” a practice that makes it easy for hackers to guess the login credentials.

Although the game developer tried to stop mass account checks by limiting the number of logins per IP address, bad actors invest in high-end proxy rotation tools to bypass the restrictions enforced by the platform.

After locating a valid Fortnite login, bad actors check for “valuables” within the account. Digital costumes are “what makes these accounts so valuable, and is at the core of the entire underground Fortnite market,” the paper says.

Successful crackers noted that “checking for skins on Epic Games logins will yield an average success rate of 10-15%.” Logs containing Fortnite character skins are then advertised and sold on different marketplaces for between $10,000 and $30,000.

Investigators indicated that the pandemic accelerated demand for gaming accounts since internet users have more free time on their hands. They also noted that “video game companies have not been successful in slowing down this underground economy, with the higher-end hackers and sellers of these accounts continuing to make anywhere between six and seven figures per year in revenue.”

Romance Scams Are on the Rise, FBI Warns

The FBI is warning individuals who use online dating apps and platforms to watch out for scammers leveraging social distancing measures and defrauding unsuspecting victims of their hard-earned money.

Romance or confidence scams drew nearly 20,000 complaints back in 2019, with losses totaling almost half a billion dollars, according to the FBI’s Internet Crime Complaint Center (IC3).

“Romance scams result in greater financial losses to victims when compared to other online crimes,” the FBI said. “In 2019, almost 20,000 complaints categorized as romance scams were reported to IC3 (about 1,000 more than the previous year), and the losses associated with those complaints exceeded $475 million.”

These scams are not just financially devastating for victims, who rarely recover their losses, but can also bring emotional distress for romance-seekers.

If you are considering entering a romantic relationship with someone you meet online, take into account the following recommendations from the recent FBI alert:

• Research the individual online by checking if their photo or profile appears on any other platforms

• Don’t rush into a relationship before getting to know the person you are conversing with – romance scammers are exceptional social engineers who prey on human emotion. In most cases, the scammer will always make the first move, pushing you into revealing personal information

• Be wary of individuals who rush you into leaving the dating service or social media platform, asking you for your phone number

• Be suspicious of individuals who promise a face-to-face meeting but always come up with excuses for not being able to meet

• Never provide sensitive information such as Social Security numbers, financial data and home address

• Avoid sending any money to people you don’t personally meet, and never open a bank account for anyone you connect with online. If fraudsters can’t get you to send them money, they might try to trick you into laundering money received from other victims

• If you suspect you are a victim of such scam artists, cease contact with the individuals and file a complaint with local authorities and IC3

Man-in-the-Middle Attack Makes PINs Useless for VISA Cards

  • The EMV protocol is vulnerable to a
    man-in-the-middle attack
  • All VISA credit cards are affected
  • VISA has to issue an update for POS terminals

Swiss security researchers have discovered a way to
bypass the PIN authentication for Visa contactless transactions. A bug in the
communication protocol lets attackers mount a man-in-the-middle attack and
complete a payment without entering the PIN code.

EMV is the protocol used by all the world’s major banks
and financial institutions. Europay, Mastercard and Visa developed the
standard, and it’s been around for more than 20 years. It stands to reason that
EMV is one of the most scrutinized communication protocols, but the Swiss
research shows that any software or hardware can have vulnerabilities.

The most important reason for the widespread adoption of
the EMV protocol has to do with the “liability shift,” a rule that ensures that
as long as the customer approves the transaction with a PIN or signature, the
financial institution is not liable.

The researchers used a formal verification tool named Tamarin,
developed explicitly to analyze the security of communication protocols. They
built a model that covers all the roles in a regular EMV session: the
bank, the card and the terminal.

“Using our model, we identify a critical violation of
authentication properties by the Visa contactless protocol: the cardholder
verification method used in a transaction, if any, is neither authenticated nor
cryptographically protected against modification,” say the researchers in their
paper.

“We developed a proof-of-concept Android application that
exploits this to bypass PIN verification by mounting a man-in-the-middle attack
that instructs the terminal that PIN verification is not required because the
cardholder verification was performed on the consumer’s device,” they continue.

Criminals can use a stolen VISA card and pay for goods
without knowing the PIN, making the PIN completely worthless. The researchers
tested the attack in real-world transactions with Visa Credit, Visa Electron and
VPay cards, and it succeeded. The attack was mounted from a smartphone acting
as a virtual wallet rather than from the card itself, as the terminal can’t
distinguish between a real credit card and a smartphone.

Researchers discovered another issue affecting VISA and
some older models of Mastercard cards, in addition to the initial problem.

“The card does not authenticate to the terminal the
Application Cryptogram (AC), which is a card-produced cryptographic proof of
the transaction that the terminal cannot verify (only the card issuer can),”
say the researchers. “This enables criminals to trick the terminal into
accepting an unauthentic offline transaction.”

The only good news delivered by the researchers is that
the fix doesn’t require an update for the EMV standard, only updates for the
terminal. Given that there are about 161 million POS terminals in the entire
world, the updating process will be a long one.

REvil Ransomware Operators Claim Valley Health Systems as New Victim

Valley Health Systems has been targeted by REvil ransomware operators, according to Cyble security researchers.

The discovery was made during routine monitoring for data leaks when researchers stumbled upon a post made by the ransomware gang.

“Recently, during the monitoring process of data leaks the Cyble Research Team identified a leak disclosure post in which the REvil ransomware operators claimed to have breached Valley Health Systems,” the researchers said.

Bad actors claim to have stolen sensitive data from Valley Health Systems’ network, including patient, client and employee information. Their message says the data will be made public unless the organization agrees to negotiations.

“Hello, we have downloaded your private data, info about clients and employees and we are ready to publish in our blog if you don’t contact us,” REvil said.

The ransomware gang even provided snapshots of exfiltrated data to prove their successful attack.

“The data leak seems to contain the patient’s prescribed prescriptions, patient details (that include full name, date of birth, gender, patient ID), medical scan reports of patients, multiple Digital Imaging and Communications medical files, and much more,” the researchers added.

Although the healthcare provider released no official statement on the attack, the leaked information clearly suggests a data breach.

The healthcare sector has been under constant strain in the past year, and it comes as no surprise that bad actors regularly target these organizations. The highly sensitive data they manage also makes them a prime subject for attacks.

Medical records are highly popular on underground marketplaces, selling for as much as $1,000. Stolen patient records can be used in a wide range of fraudulent schemes, including medical identity theft, tax return fraud and even extortion attempts.

COVID-19 Pandemic Drives Sharp Uptick in Misinformation, Fake Domains

  • Half of cybersecurity professionals
    regard misinformation as a major threat to the enterprise
  • 46% of organizations plan to improve
    their ability to react to misinformation and fake domains
  • Erosion of trust caused by
    misinformation poses ethical, social and technological challenges to
    organizations
  • 91% of IT security pros want the
    government to impose stricter measures to tackle misinformation
  • Cyberattacks climb 12 points on a benchmark
    tracking the level of threat and impact

The global
pandemic has given a considerable boost to misinformation and the registration
of fake domains, with bad actors using social engineering to spread misleading
news, falsified evidence and incorrect advice, according to a new report.

Cybersecurity
professionals polled by the Neustar International Security Council (NISC) in a
recent study admitted feeling uneasy about the rise in misinformation and fake
domains – seemingly driven by the hype surrounding the global pandemic.

48% of cybersecurity professionals said they regard the increase in misinformation as a threat to the business sector, particularly to large enterprises. And 49% rank the threat as ‘very significant,’ which is why 46% of organizations have ramped up cybersecurity efforts to ensure they can react to the rise in misinformation and fake domains. An additional 35% plan to do the same in the next six months, while another 13% would consider doing it if the issue doesn’t go away.

“Misinformation
is by no means new – from the beginning of time it has been used as a key
tactic by people trying to achieve major goals with limited means,” said NISC
chairman Rodney Joffe. “The current global pandemic, however, has led to a
sharp uptick in misinformation and the registration of fake domains, with
cybercriminals using tactics such as phishing, scams and ransomware to spread
misleading news, falsified evidence and incorrect advice. While the motives of
malicious actors may differ, the erosion of trust caused by misinformation
poses a range of ethical, social and technological challenges to
organizations.”

Since only a
fraction of security execs are confident in their organization’s ability to
identify misinformation and fake domains, most respondents want the government
to impose stricter measures on the internet.

The research
also highlights a 12-point year-on-year increase in the International Cyber
Benchmarks Index, calculated based on the changing level of threat and impact
of cyberattacks. According to NISC, the Index has risen steadily since May of
2017. During May of this year, DDoS attacks and system compromise
were ranked as the greatest concerns to cybersecurity professionals, followed
by ransomware and intellectual property theft.

US Military Personnel Actively Targeted By Cybercriminals; Over $350 Million in Reported Losses in the Past Five Years

The most recent AtlasVPN research delves into fraud targeting US military personnel between 2015 and June 2020.

In the past five years, active and former military staff have filed more than 680,000 complaints with the Federal Trade Commission (FTC), reporting over $379.6 million in losses.

While most of the complaints involve identity theft and fraud, cybercriminals did not limit their targets to active military personnel, often stationed overseas. “Veterans were behind the lion’s share of the losses,” the report said. This group filed 61% of the complaints (417,560), accounting for over $217 million in losses.

“The veterans & military retirees’ monetary damages encompass 57% of all losses, totaling $217.2 million,” the researchers added. “Veterans and retirees sent out 417,560 complaints. In other words, 61% of complaints in the last 5 years have been sent by veterans and military retirees.”

It seems that Prizes/Sweepstakes/Lottery scams ensnared military personnel the most, with $51.9 million in reported damages. Interestingly, only 22.4% of victims who reported these scams also reported monetary loss.

Government impostors claimed $46.5 million in monetary losses, with more than 100,000 complaints since 2015. Scammers impersonating businesses were also successful, managing to steal $36.6 million from military personnel.

The fourth most profitable swindle concerns romance scams. Fraudsters lured $24.5 million from unsuspecting victims with a median loss of $4,000. Surprisingly though, the losses come from an analysis of just 1,666 reports filed by victims.

Online shopping and tech support scams were also mentioned, inflicting $27.9 million in financial damage. Unlike romance scams, the median loss for online shopping is $166, and $450 for tech support scam victims.

It’s clear that swindlers and scam artists are here to stay. Some recycle old materials, while others try to leverage current economic and political conditions. No matter what trick they pull, internet users need to spread awareness and follow basic cyber hygiene.

In fact, most of these scams can easily be avoided by using common sense. You can’t win the lottery without buying a ticket, and government officials will not call you up to ask for financial or personal information.

FBI Arrests Russian ‘Tourist’ for Offering $1 million to US Employee to Plant Malware on Company Network

Egor Igorevich Kriuchkov, a 27-year-old Russian national, was arrested by the FBI after conspiring to bribe a US company employee to manually install malware on the network of an unnamed Nevada-based company.

According to the Department of Justice (DOJ) court documents, Kriuchkov entered the United States on a tourist visa around July 28 and used WhatsApp to communicate with the employee of the targeted company in order to obtain critical information about the company’s internal infrastructure.

“The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the coconspirators into the company’s computer system, exfiltrate data from the company’s network, and threaten to disclose the data online unless the company paid the coconspirators’ ransom demand,” the court document reads.

Kriuchkov and his co-conspirators repeatedly communicated with an employee of the targeted company to persuade him to plant malware on the network, promising to pay $1 million in Bitcoin if successful. “He contacted and met with the employee numerous times to discuss the conspiracy,” the DOJ said. “In furtherance of the conspiracy, Kriuchkov provided the employee with a burner phone, and instructed him to leave the burner phone in airplane mode until after the money was transferred.”

The accused also said that they would launch a DDoS attack on the company network, to deflect attention from the malware and allow the exfiltration of sensitive data.

“KRIUCHKOV described the “special projects” as introducing malware into the computer network of Victim Company A,” the DOJ said. “He explained the malware attacks the systems in two ways. Firstly, the malware appears to be an external DDoS attack. This attack occupies the company’s computer security staff and conceals the second attack. The second attack exfiltrates data from the computer network and into the possession of the “group.” The “group” later contacts the company and threatens to make the data public if the company does not pay a large ransom.”

Federal agents detained Kriuchkov in Los Angeles on August 22. He will stand trial for one count of conspiracy to intentionally cause damage to a protected computer.

Unfixed Safari Bug Lets Attacker Steal Files

  • Safari bug affects users sharing content
  • Attackers can exploit the issue to steal files
  • Details on the vulnerability are now public,
    Apple has no fix planned

Security researcher Pawel Wylecial has found a Safari bug
attackers could use to steal files from users’ devices. The bug is now public,
as Apple postponed the release of a patch.

Wylecial identified the bug in the Web Share API that
lets users share content via third-party applications such as email clients and
messaging apps. The problem is actually surprisingly easy to exploit and could
lead to much more severe issues.

“The problem is that file: scheme is allowed and when a website points
to such URL unexpected behavior occurs,” says
Wylecial. “In case such a link is passed to the navigator.share function an
actual file from the user file system is included in the shared message which
leads to local file disclosure when a user is sharing it unknowingly.”

Although user interaction is required for a threat actor
to exploit it, a more sophisticated attacker could disguise or hide the shared
file from the end user. The researcher even shared a
demonstration of how it’s possible to steal the Safari browser history by using
the Web Share API.

Affected platforms include iOS (13.4.1, 13.6), macOS
Mojave 10.14.16 with Safari 13.1 (14609.1.20.111.8) and macOS Catalina
10.15.5 with Safari 13.1.1 (15609.2.9.1.2).

Wylecial reported the bug in April 2020. The company only
acknowledged the problem in August, after saying for many months that the issue
was under analysis. Eventually, the researcher informed Apple that the report
would go public on August 24. The company requested more time and said it plans
to fix the issue in the Spring 2021 security update.

More than four months have passed since the original
notification, and the report is now public. As it stands, no fix or mitigation is
available, and Apple has given no indication that it plans to fix the problem
ahead of their announced schedule.

FTC Reports Over $118 Million in Losses Due to Coronavirus-Related Fraud

Since the beginning of the pandemic, the Federal Trade Commission (FTC) has received over 175,000 consumer reports related to Covid-19 scams, totaling a whopping $118.81 million in losses.

So far, the top fraud reports relate to:

• Online shopping, with 26,792 reports
• Travel and vacations, with 21,674 reports
• Credit cards, with 6,063 reports
• Banks, savings, loans and credit card unions, with 4,717 reports
• Healthcare, with 4,109 reports

Online shopping was the number one fraud complaint, causing $16 million in losses, according to the latest report. However, COVID-19 complaints related to fraud, identity theft, Do Not Call, and other consumer protection problems were also noted as a troubling trend.

“These are scams that trick people into ordering products like masks, hand sanitizer, and other high-demand items that never arrive,” the FTC said. “People are also reporting scam text messages related to bogus offers to earn income, phony economic relief programs, fake charities, and government imposters.”

The consumer protection agency also expects an uptick in phone scams leveraging the pandemic and government economic stimulus packages, as imposters seek personal and financial information.

Although the median loss fell from a reported $570 in April to $290, the number of submitted complaints has increased sharply, suggesting scammers are becoming more successful.

It’s critical to stay ahead of scammers and pay attention to red flags pointing to fraud. The FTC advises online shoppers to do some homework before ordering products online, paying attention to the company website and products.

Whatever you do, don’t provide personal or financial information via phone, email or text message, even if the person who contacts you claims to represent a government agency or financial institution.

If you suspect you have been scammed, inform local authorities and contact your bank to dispute the charges. Brush up on spotting online shopping scams, and install a local security solution to ward off threats and protect your personal data from cybercriminals.
