More than 12 Data Points are Publicly Available on 60% of Internet Users

With more than half the world now using social media and internet traffic up 30%, new digital behaviors adopted during the coronavirus lockdown continue to reshape the digital landscape.

Consumers worldwide shifted to online services, with more than 346 million people creating new digital identities over the past year.

Is the digital population handing out ‘freebies’ to cybercriminals?

According to Bitdefender’s Digital Identity Protection service, 40.65 percent of users have between two and 11 personal data entries exposed online, and nearly 60 percent have more than 12 data points publicly available.

Our digital identities are comprised of a series of data points we leave behind when accessing the internet – the websites you visit, accounts and profiles, posts and comments on social media platforms such as Facebook and Instagram.

Our digital identity has become one of the most valuable assets in cyberspace, and every piece of personal data can be potentially monetized – not just for retail purposes.

Underground marketplaces flourish on stolen personal information from data breaches. But, more often, cybercriminals and scammers scour social media platforms for careless exposure of personal data that can be used in an attack.

Here are the top trends in online exposure per data entry point:

• 19.79% for home or physical address
• 17.05% for gender
• 13.30% for names
• 11.85% for URLs
• 9.21% for jobs
• 7.32% for usernames
• 6.53% for dates of birth
• 5.45% for email addresses
• 5.44% for education
• 2.24% for phone numbers

Oversharing information such as your home address, phone number, and workplace via social media can bring serious repercussions. While the information you share may seem harmless at first, cybercriminals strive to collect as much about you as possible in the reconnaissance phase of an attack.

Their main goal is to dupe you into accessing a malicious link or providing sensitive information such as credit card and Social Security numbers.

Scammers may also single you out as a potential victim based on how they see your digital profile. The more you share online, the better a target you become.

The data breach pandemic

Harvesting publicly available information can prove time-consuming for scam artists and fraudsters. Luckily for them, a fresh batch of leaked personally identifiable information (PII) from data breaches is always up for grabs on the dark web.

Bitdefender’s telemetry has also picked up a troubling trend on the extent of users’ exposure to data breaches. An in-depth analysis of the Digital Identity Protection community revealed that over half of all users (51.66 percent) appeared in one to five data breaches since 2010.

Additionally, 26.69 percent of users have had personal information exposed in six to 10 data breaches, while 21.62 percent have experienced more than 10 data breaches in the past decade.

With work-from-home becoming the new normal in many industries, cybersecurity and privacy concerns for businesses and individuals have surged, suggesting a lack of consumer awareness, employee training and security measures.

Protecting personal and financial information has become a cumbersome 24/7 job with no bulletproof strategies to withstand the sheer expansion of digital threats. The pandemic has proved to be the most significant facilitator of cybersecurity threats and attacks leveraging people’s fears and vulnerabilities.

Criminals are actively using the global crisis to commit fraud and identity theft. According to an FTC report, Americans have lost more than $77 million in fraud related to COVID-19 so far this year. Additionally, impersonation scams cost UK consumers a whopping £58 million within the first six months of 2020.

Although there is no magic bullet or software that can fully protect us from crime related to data breaches and identity theft, good cyber hygiene practices can go a long way in fighting online risks.

Since we often expose our personal information freely on social media platforms, it may be time to start making more privacy-driven decisions for our future digital endeavors.

Going entirely offline is not a viable option, but you can take steps to minimize your digital footprint exposure and limit the chances of becoming another identity-theft statistic.

If you don’t know where to start, we can assist you with real-time insights into the extent of your data exposure.

Arthur J. Gallagher Insurance Brokerage Reports Cyberattack

A ransomware incident forced international insurance and risk management giant Arthur J. Gallagher & Co. (AJG) to take its computer systems offline on Saturday, the firm has disclosed.

In a filing with the US Securities and Exchange Commission, the insurance broker said it is in “the process of restarting most of our business systems.”

“On September 26, 2020, Arthur J. Gallagher & Co. (the “Company”) detected a ransomware incident impacting a limited portion of our internal systems,” the federal filing reads. 

“We promptly took all of our global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged the services of external cybersecurity and forensics professionals, and implemented our business continuity plans to minimize disruption to our customers.”

The attack also affected systems of subsidiary Gallagher Bassett Services, whose website remained offline on Tuesday.

The 8-K form also states that AJG does not “expect the incident to have a material impact on our business, operations or financial condition.”

However, data exfiltration should not be excluded since the company is still in the early stages of assessing the attack’s impact. 

The ransomware attack could have serious implications for customers and employees due to the highly sensitive nature of the data collected by insurers.

This data may include personal, medical and financial information that can be used to conduct other cybercrimes and fraud.

Alleged Ransomware Attack Disrupts Medical Care at UHS Hospitals Across the US

Universal Health Services (UHS), one of the largest hospital chains in the US, was hit by an apparent cyberattack over the weekend that disrupted IT and phone systems at healthcare facilities in California, Florida, Texas, Arizona and Washington DC.

According to UHS employee reports, the attack occurred on Sunday morning, when various systems in the Emergency Department (ED) began shutting down.

“I was sitting at my computer charting when all of this started,” a UHS employee stated on Reddit. “It was surreal and definitely seemed to propagate over the network. All machines in my department are Dell Win10 boxes. When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity. After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown.”

UHS officials described the systems outage as an “IT security issue.”

“The IT Network across Universal Health Services (UHS) facilities is currently offline,” UHS said in a statement on Sept 28. “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible.”

With IT systems down, nurses and physicians have a hard time delivering medical care and treatments to patients. Employees say staff is forced to work “old school,” using offline documentation methods for charting medication.

“In the meantime, our facilities are using their established back-up processes including offline documentation methods,” UHS added. “Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or misused.”

Although UHS has yet to confirm the type of malicious attack, the scenario suggests ransomware.

UHS’ systems outage reminds us of the ransomware attack on Düsseldorf University Hospital (UKD). What started as a network disruption forced the hospital to deregister as an emergency care facility and postpone patient appointments. The attack didn’t just inhibit proper medical care. A woman in need of urgent medical admission died after being taken to another city for treatment.

Hackers Steal $150 Million from Asian Cryptocurrency Exchange

KuCoin, a Singapore-based cryptocurrency exchange, has disclosed a security incident that resulted in the unauthorized transfer of roughly $150 million in digital assets.

In a notice published last week, KuCoin notified clients that it detected suspiciously large withdrawals starting September 26.

In response to the incident, KuCoin Global CEO Johnny Lyu hosted a livestream and announced that part of the Bitcoin, ERC-20, and other tokens in KuCoin’s hot wallets had been transferred out of the exchange. Those hot wallets held only a small part of the exchange’s total asset holdings.

“The assets in the cold wallets are safe and unharmed, and the hot wallets have been re-deployed,” the CEO said.

The losses, however, are by no means trivial. According to an updated announcement, the attackers left with around $150 million in various cryptocurrencies, including Bitcoin, Ethereum, Litecoin, Stellar Lumens, Tron, and Tether. The firm has frozen the compromised hot wallets and has deployed new ones. KuCoin is also working with other exchanges to prevent the attackers from withdrawing the stolen funds.

Lyu tells customers to rest assured that if any user fund is affected by this incident, it will be entirely covered by KuCoin’s insurance fund.

“To ensure the security of users’ assets, we will conduct a thorough security review. The deposit and withdrawal service will be suspended during the period. We will restore the service gradually after ensuring a safe state. We will keep you updated,” the company said.

KuCoin has published a list of suspicious wallet addresses, urging clients to add them to their blocklist. The company is still trying to identify the vulnerabilities exploited by the attackers. Lyu also said his company would “definitely” upgrade its wallet risk management system.

Two weeks ago, cryptocurrency exchange Eterbase lost $5.4 million to hackers overnight. Eterbase managed to track the criminals’ wallets to several rival crypto exchanges, including Binance, Huobi, and HitBTC. Like KuCoin, the firm assured customers it had the funds needed to cover the losses.

Tyler Technologies’ Clients Urged to Reset Remote Network Passwords after Ransomware Attack

Nearly a week has passed since Tyler Technologies announced a ransomware attack that disrupted its internal corporate network and phone systems.

While the company is still in the process of mitigating the cyberattack and systems outage, some Tyler customers reported several suspicious logins to client systems.

Although Tyler Technologies says that “the environment where we host software for our clients is separate and segregated from our internal corporate environment,” the latest security update urges clients to reset remote support passwords.

“Because we have received reports of several suspicious logins to client systems, we believe precautionary password resets should be implemented,” reads the advisory. “If clients haven’t already done so, we strongly recommend that you reset passwords on your remote network access for Tyler staff and the credentials that Tyler personnel would use to access your applications, if applicable.”

Additionally, clients should report any suspicious activity or logins at Security@tylertech.com.

Tyler has also implemented additional security measures to protect its client systems. “We have disconnected points of access between Tyler’s internal systems and our client systems to further protect our clients,” the company added. “We have also enabled targeted monitoring of our corporate and hosted environments to supplement the monitoring we already had in place.”

The latest notification, published on Sept. 27, provides insight into the attack’s impact on Tyler’s employee information. To date, there is no reason to believe that any human resources information was affected.

According to a brief Q&A list on the official website, the software used for Tyler’s financial management, payroll, and HRIS functions is housed outside its corporate network. There has been no evidence to suggest that the ransomware attack impacted the hosted environment.

The software vendor is working closely with the FBI to catch the perpetrators and has declined to provide additional information regarding the malicious infection.

“We have confirmed that the malicious software the intruder used was ransomware,” Tyler said. “Because this is an active investigation, we will not provide any additional specifics relating to our incident response or our investigation at this time.”

Town Sports International Data Breach Exposed Personal Information of 600,000 Members

An unsecured server belonging to the popular Town Sports fitness chain has exposed over 600,000 customers and staff members’ personal information.

Customer and employee records were stored in an unsecured Amazon S3 bucket, and included:

• Full names
• Street addresses
• Phone numbers
• Email addresses
• Last four digits of credit cards
• Credit card expiration dates
• Billing history

Fortunately, the database did not store any account passwords or full credit card details.

According to security researcher Bob Diachenko who analyzed the database, the server was unprotected for nearly one year, leaving room for unauthorized individuals to browse and steal customer information. Town Sports secured the server just a day after Diachenko disclosed his findings on September 21.

“We do not know if any unauthorized parties accessed the data while it was exposed, but affected customers and staff could assume as much,” Comparitech researchers said. “Our research indicates unsecured databases can be found, stolen, and attacked within just a few hours of exposure.”

If cybercriminals had found and accessed the database, they could use the information to target gym and staff members. Town Sports members should keep an eye out for suspicious emails or phone calls. Never share personal or financial information via phone, email, or chat with any individuals who may contact you online.

Town Sports International owns multiple fitness centers and gyms across the US East coast, including New York Sports Clubs, Boston Sports Clubs, Philadelphia Sports Clubs, Washington Sports Clubs, Lucille Roberts, and Total Woman Gym and Spa.

This recent security incident could not come at a worse time, as the fitness chain filed for bankruptcy on September 14. The company has not issued an official statement or comment regarding the data breach.

Government Services Firm Tyler Technologies Hit by Ransomware

Tyler Technologies, the self-proclaimed largest provider of US public sector software and technology services, is struggling with a cyberattack that disrupted many of its operations.

As of yesterday, the official website tylertech.com is offline, and a maintenance notice greets users accessing the page:

“Our Tyler Technologies corporate website is temporarily unavailable. We are aware of the issue and are working to bring the site back online. Please check back soon.”

The Texas-based company offers end-to-end management solutions to over 15,000 government offices across all US states, Canada, the Caribbean and Australia.

According to a statement released by Chief Information Officer Matt Bieri, the company discovered an unauthorized party gained access to internal phone and information technology systems on September 23.

“Early this morning, we became aware that an unauthorized intruder had disrupted access to some of our internal systems,” Bieri said in an email sent to Tyler Technologies clients.

“Upon discovery and out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem. We have since engaged outside IT security and forensics experts to conduct a detailed review and help us securely restore affected equipment. We are implementing enhanced monitoring systems, and we have notified law enforcement.”

His statement suggests that the attack was limited to their internal systems only, with no customer data impacted by the intrusion.

“At this time and based on the evidence available to us to-date, all indications are that the impact of this incident is limited to our internal network and phone systems,” Bieri added. “We currently have no reason to believe that any client data, client servers, or hosted systems were affected.”

According to BleepingComputer, RansomExx ransomware operators are responsible for the attack on Tyler Technologies. The gang has been linked to recent attacks on the Texas Department of Transportation (TxDOT) and Konica Minolta.

Time will tell if the intrusion was indeed just limited to Tyler’s internal systems. Although RansomExx operators have not set up a data leak page showcasing their latest victims, the possibility of data exfiltration should not be excluded.

Bad Actors Could Exploit US Mail-In Voting System, FBI and CISA Warn

A joint statement released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warns that foreign actors and cybercriminals are likely to exploit this year’s US mail-in voting system to spread disinformation about the 2020 elections.

“The increased use of mail-in ballots due to COVID-19 protocols could leave officials with incomplete results on election night,” a public service announcement reads.

These potentially delayed results could provide bad actors with the necessary time to spread false information via online social media platforms.

“Foreign actors and cybercriminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy,” the alert said.

They “could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in U.S. democratic institutions.”

The announcement urges American voters to be patient with the delayed results and gather information from trustworthy sources such as official government election websites. In case of any reports about problems regarding the voting results, citizens should verify the information through multiple reliable sources, and avoid sharing vague or misleading information on social media.

“The FBI and CISA urge the American public to critically evaluate the sources of the information they consume and to seek out reliable and verified information from trusted sources, such as state and local election officials,” the two agencies added. “The public should also be aware that if foreign actors or cyber criminals were able to successfully change an election-related website, the underlying data and internal systems would remain uncompromised.”

The warning also recommends that voters report any potential election crimes directly to the FBI and flag any suspicious social media posts that appear to be spreading misleading or false information.

Rogue Shopify Staff Accessed Customer Records, Says Ecommerce Platform Investigating Security Breach

  • Members of Shopify’s support team abused access to company network
  • Customer contact information and order details accessed
  • FBI and international law enforcement agencies are investigating

Shopify, the major ecommerce platform which powers many online stores, has revealed that it suffered a serious breach of security at the hands of two rogue employees.

According to a statement released by the firm, two unnamed members of Shopify’s support team abused their access to the company’s systems in order to access customer transaction details from approximately 200 merchants running online stores.

Customer data which may have been exposed includes:

  • Contact information (such as email address, name, and postal address)
  • Order details, including which products and services may have been purchased.

Thankfully, Shopify says that “complete payment card numbers or other sensitive personal or financial information were not part of this incident.”

That type of information would clearly have increased the severity of the breach, but that’s not to say that there’s no harm in the data which has been exposed.

After all, scammers could exploit contact information and purchase details to craft convincing phishing emails that might attempt to steal users’ passwords or payment information.

In addition, it’s clear that things could have been much worse in terms of scale as well. Shopify boasts of being used by more than one million businesses in 175 different countries, and is considered the third-largest online retailer in the United States after Amazon and eBay.

Ideally, no merchants would have been impacted by the breach at all – but fewer than 200 out of one million suggests that Shopify were able to take action before things escalated to a disastrous level.

Shopify says that upon discovering the breach it terminated the individuals’ network access and informed law enforcement agencies. It also says that it is contacting affected merchants to notify them of the incident.

Of course, the “insider threat” posed by malicious employees is one of the biggest potential threats that any company can face. Rogue staff are not the same as malicious remote hackers – they have been granted legitimate access to a network, given passwords, and have access to systems which may not arouse suspicion unless there is out-of-the-norm behaviour which rings alarm bells.

In its statement Shopify reassured merchants and their customers that it treats security as a priority:

“Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”

“To put it simply, we are committed to protecting our platform, our merchants, and their customers. We will continue to work hard to earn your trust every day.”

Europol: “The Hidden Internet Is No Longer Hidden, and Your Anonymous Activity is Not Anonymous”

Europol this week has announced the arrest of 179 vendors of illicit goods on the dark web, in a coordinated operation known as DisrupTor.

According to the press release, operation DisrupTor follows the takedown of Wall Street Market, the world’s then second largest illegal online market in the dark web, which provided investigators with the data and materials required to identify suspects behind dark web accounts used for illegal activity.

“As a result, 179 vendors who engaged in tens of thousands of sales of illicit goods were arrested across Europe and the United States,” Europol states. “Over $6.5 million were seized in both cash and virtual currencies, alongside some 500 kilograms of drugs, including fentanyl, oxycodone, hydrocodone, methamphetamine, heroin, cocaine, ecstasy, MDMA, and medicine containing addictive substances; and 64 firearms.”

Most of the vendors arrested were located in the United States (121), followed by Germany (42), the Netherlands (8), the United Kingdom (4), Austria (3), and Sweden (1). Investigators are still working to identify the individuals behind various dark web accounts associated with these activities.

Operation DisrupTor was a massive collaborative effort between the law enforcement and judicial authorities of Austria, Cyprus, Germany, the Netherlands, Sweden, Australia, Canada, the United Kingdom and the United States, Europol said.

“Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous. Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen,” the Head of Europol’s European Cybercrime Centre (EC3), Edvardas Šileris, said.

The bust will undoubtedly send shockwaves across dark web vendors, with Europol confidently boasting that “the golden age of dark web marketplace is over.”

Previously, police would typically take down illegal marketplaces only to see them mushroom back into existence months, or even weeks, later. More recently, these concentrated efforts have enabled local and international law enforcement to actually pinpoint the individuals behind the illicit trade and detain them.

Europol also issues a cautionary note to individuals tempted by the offers on the dark web:

“Law enforcement can also trace back illicit transactions to both the buyer and seller. An individual who purchased illicit goods from hidden sites is at risk of prosecution in a number of countries. The dark web is not a fairy tale – vendors and buyers are no longer hidden in the shadow,” the agency warns.
