COVID-19 Exacerbated Existing Cybercrime Patterns, Europol Says

Europol has published its seventh Internet Organized Crime Threat Assessment (IOCTA), the agency’s annual cybercrime report containing updates on the latest trends and effects of cybercrime in the European Union and beyond.

Much has changed since last year’s IOCTA edition, yet some things are still the same, the agency notes.

“Although the COVID-19 crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behavior of criminals should not overshadow the overall threat landscape,” according to the press release issued this week. “In many cases, COVID-19 has enhanced existing problems.”

Key findings from this year’s report include:

  • Criminals quickly exploited the pandemic to attack vulnerable people
  • Phishing, online scams and the spread of fake news became an effective strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19
  • Ransomware attacks have become more sophisticated, targeting specific organizations in the public and private sector through victim reconnaissance
  • Criminals have added another layer to their ransomware attacks by threatening to auction off stolen data, increasing the pressure on victims to pay the ransom
  • Traditional banking Trojans have evolved into modular malware to cover more PC digital fingerprints, which are later sold for different needs
  • Detection of online child sexual abuse material jumped sharply at the peak of the COVID-19 crisis; offenders use P2P networks, social networking platforms, and encrypted communications to hide their crimes
  • SIM swapping, which allows criminals to port victims’ SIMs to their own phones and thwart multi-factor authentication, is a new entry in this year’s IOCTA trends section
  • While Tor remains the preferred dark web platform, criminals have started to use other privacy-focused, decentralised marketplace platforms to sell their illegal goods – chief among them is OpenBazaar

“The Coronavirus Pandemic has slowed many aspects of our normal lives,” EU Commissioner for Home Affairs, Ylva Johansson, said. “But it has unfortunately accelerated online criminal activity. Organised Crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children. This report shows the urgent need for the EU to step up the fight against organised crime [online] and confirms the essential role of Europol in that fight.”

Readers can download the full IOCTA 2020 report here.

CISA and DoD Warn of Sophisticated Threat Actor Wielding New SlothfulMedia Malware

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DOD) Cyber National Mission Force (CNMF) have revealed that new malware dubbed SlothfulMedia is currently used by a sophisticated threat actor.

The two agencies published details on new malware they called SlothfulMedia, which attackers have already used in many countries, including India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and Ukraine. A sample of the dropper was uploaded to VirusTotal.

“The sample is a dropper, which deploys two files when executed,” reads the announcement. “The first is a remote access tool (RAT) named ‘mediaplayer.exe’, which is designed for command and control (C2) of victim computer systems. Analysis has determined the RAT has the ability to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).”

The second package is harmless on its own: it only deletes the dropper once the RAT has gained persistence and can survive a reboot. If the infection succeeds, a new service named ‘Task Frame’ is created, allowing the RAT to load after reboot.

According to the description, this malware targets Windows devices, and the dropper is a 32-bit executable. The name ‘mediaplayer.exe’ is only there to fool a superficial inspection.
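A defender's check for the persistence mechanism described above, as an added example (not code from the CISA/CNMF report): it scans exported Windows "service installed" events (Event ID 7045) for the two indicators the announcement gives, the ‘Task Frame’ service name and the ‘mediaplayer.exe’ binary, and additionally flags any new service whose binary runs from a user-writable folder, which is a generic heuristic added here. The one-JSON-object-per-line export format and its field names are assumptions, and the log lines are constructed for the example.

```python
"""Scan exported Windows 7045 (service installed) events for the
SlothfulMedia persistence indicators quoted above: service 'Task Frame'
and RAT binary 'mediaplayer.exe'.

Input format (assumed, mirrors a SIEM export): one JSON object per line
with EventID, Computer, ServiceName and ImagePath fields.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Optional

# Indicators from the CISA/CNMF announcement.
SUSPICIOUS_SERVICE_NAMES = {"task frame"}
SUSPICIOUS_BINARIES = {"mediaplayer.exe"}
# Generic heuristic added here (not from the advisory): service binaries
# normally live under Program Files or System32, not user-writable paths.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample export; not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 7045, "Computer": "WS-014", "ServiceName": "Task Frame", "ImagePath": "C:\\Users\\Public\\mediaplayer.exe"}
{"EventID": 7045, "Computer": "WS-014", "ServiceName": "Dell Update", "ImagePath": "C:\\Program Files\\Dell\\DellUpdate.exe"}
{"EventID": 7036, "Computer": "WS-014", "ServiceName": "Spooler", "ImagePath": ""}
{"EventID": 7045, "Computer": "WS-022", "ServiceName": "Media Helper", "ImagePath": "C:\\Users\\bob\\AppData\\Roaming\\mediaplayer.exe"}
"""


@dataclass
class Finding:
    computer: str
    service_name: str
    image_path: str
    reasons: tuple


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a 7045 event that matches an indicator, else None."""
    if event.get("EventID") != 7045:
        return None
    name = str(event.get("ServiceName", ""))
    path = str(event.get("ImagePath", ""))
    exe = ntpath.basename(path.strip('"')).lower()  # works on any host OS
    reasons = []
    if name.lower() in SUSPICIOUS_SERVICE_NAMES:
        reasons.append("service name matches advisory indicator")
    if exe in SUSPICIOUS_BINARIES:
        reasons.append("service binary matches advisory indicator")
    if any(hint in path.lower() for hint in USER_WRITABLE_HINTS):
        reasons.append("service binary in user-writable directory")
    if not reasons:
        return None
    return Finding(str(event.get("Computer", "?")), name, path, tuple(reasons))


def scan_log(text: str) -> list:
    """Parse the export line by line; malformed lines are skipped, not fatal."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = check_event(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.computer}: service '{f.service_name}' -> {f.image_path}")
        for reason in f.reasons:
            print("   -", reason)
```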

Recommendations from the agencies include keeping antivirus signatures and engines up to date, disabling file and printer sharing services, enforcing a strong password policy, and more.

The law agencies have yet to name the threat actors behind the new malware, but revealing the malware’s signatures and details will help security solutions more easily intercept SlothfulMedia.

Cybersecurity Awareness Month: 2020, the perfect year to talk, think and act on cybersecurity

The expression “you are part of something big” has a less mystical meaning nowadays. 59% of the global population, or almost 4.57 billion people, are part of the Internet as active users.

A minute on the Internet in 2020 means 404,444 hours of Netflix videos streamed by users, 2,704 TikTok app installations, 6,659 packages shipped by Amazon, 208,333 participants in Zoom meetings, 500 hours of YouTube videos uploaded by users, 347,222 Instagram stories, and 41.7 million messages shared on WhatsApp (source: Statista). 

Most of us are online, and we spend more time online, but are we safer? 

What has 2020 taught us about cybersecurity so far? 

As the Internet has become the main space for human interactions and the primary way to work, socialize, learn and support one another, it has become even less safe. One lesson of the Covid-19 pandemic is that hackers target people’s increased dependence on digital tools, fears, hopes and new habits. The pandemic has given hackers a new set of opportunities. It started with coronavirus-themed scams and phishing in March when we detected nine times more coronavirus-related malware reports than in the previous months. In a recent survey, 32% of consumers say they have been targeted by digital fraud related to Covid-19.

So what can we do?

The overarching theme for Cybersecurity Awareness Month 2020* is “Do your part. #BeCyberSmart.” It’s exactly what we have done this year in other aspects of our lives, and it worked. It will certainly make our interconnected world safer and more resilient for everyone. 

Let’s bust the four most common myths about online security and take appropriate actions:

Myth: Antivirus is a thing of the past.

Truth: What people call “antivirus” has evolved into a multi-layered security suite over the years. While it’s true that “regular” antivirus has been dead for several years now, a capable security suite is a must for all connected devices today. Leaving a single gadget unprotected is like leaving the door of your house open to see if any burglar gets in. In short, “if you connect it, protect it.” Most antivirus software subscriptions cover multiple devices. Install protection on all of them to keep your family safe.

Myth: Any password will do just fine.

Truth: A weak password can turn your life upside down. If hackers manage to guess it, they gain full access to your email, personal documents, bank accounts, photos and videos. Choose strong, complex, unique passwords and enable two-factor authentication for all your online accounts that support this feature. If possible, choose to have two-factor codes delivered in an app rather than via SMS. This way, your online shopping, video streaming, online education, work and emails will not allow logins with stolen or leaked usernames and passwords. 

Myth: A VPN doesn’t really protect my online privacy.

Truth: Yes, it does. A VPN encrypts your computer traffic and routes it through several geographical locations, hiding your IP address and protecting you against the mass data collection common to both cyber-criminals and your local Internet Service Provider. This can be useful in a lot of situations – like when you’re using public WiFi – because it means that no one sharing the network with you can see the information you send over it. If you are unsure who operates the open network you are about to connect to, make sure your VPN is on before sending anything remotely valuable.

Myth: A cyberattack can’t happen to me.

Truth: There is an estimated cyberattack every 39 seconds, which makes the chances of experiencing one higher than you think. For example, reports show you have a one in four chance of falling victim to a data breach, and oftentimes you have done nothing wrong except sign up for a popular yet vulnerable service. By comparison, the average person has a 1 in 50 chance of experiencing a home burglary, a 1 in 14,600 chance of being struck by lightning, a 1 in 2.7 million chance of being mauled by a grizzly bear, and a 1 in 175 million chance of winning the lottery.

Nowadays, we can’t imagine a world without the Internet. It is hard to predict exactly how the online world’s future will look, but one thing is for sure – we have to stay safe.

*Cybersecurity Awareness Month was launched by the National Cyber Security Alliance and the U.S. Department of Homeland Security in October 2004. It was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online. Read more about it at https://staysafeonline.org.

Aussie Social News App Leaks 80,000 User Records Online

A team of CyberNews researchers has disclosed that Snewpit, an Australian news-sharing platform, has leaked close to 80,000 user records.

The exposed data, housed in an unsecured Amazon Web Services (AWS) storage bucket, includes usernames, full names, email addresses, profile pictures and videos. The leak includes:

• 256 videos uploaded by app users and developers
• 23,586 photos documenting local events uploaded by users
• 4 CSV files – including one with 79,725 user records containing full names, email addresses, usernames, user descriptions, last login times and total time spent using the app
• Profile pictures of thousands of users

Investigators disclosed their findings on September 24 to Snewpit, which secured the records on the same day.

Although Snewpit developers detected no suspicious activity, the AWS bucket was exposed for five weeks, meaning any individuals with direct access to the link could have accessed and downloaded the data.

“We will be reviewing all access control settings and ensuring our user data is secure and encrypted,” Snewpit founder Charlie Khoury said in response to the incident. “We take our data and security seriously and will endeavor to make sure this does not happen again.”

While there are no signs of user account compromise, Snewpit aficionados should change their account passwords and monitor their inboxes for any phishing or other suspicious emails.

Users shouldn’t overlook the incident just because the database lacked highly sensitive information such as credit card or Social Security numbers.

Bad actors can do a great deal with small pieces of your digital persona, such as an email address or username – information that may seem unworthy of attention.

Sisters of Charity Health System Informs Patients of Data Breach

As the year unfolds, more victims of the Blackbaud data breach come forward. The Sisters of Charity Health System (SCHS) recently disclosed that intruders may have accessed backup copies used by SCHS for fundraising during the cyberattack on their third-party cloud service provider.

“On July 16, 2020, Blackbaud informed us it had discovered that an unauthorized individual had gained access to Blackbaud’s systems between February 7 and May 20, 2020, and may have acquired backup copies of databases used by its customers, including backups of the databases that SCHS entities use for fundraising efforts,” SCHS said.

According to a notice, the attack on Blackbaud may have affected SCHS entities including Mercy Medical Center, Providence Hospitals, St. Vincent Charity Medical Center, Building Healthy Communities, Early Childhood Resource Center, Healthy Learners, Joseph’s Home, Light of Hearts Villa, Regina Health Center, and South Carolina Center for Fathers and Families.

SCHS also notes that the database involved in the incident may have included patients’ names, gender, date of birth, contact information and treating physicians.

“The database may have also contained information about relationships with SCHS entities such as donation history, volunteer service and employment, if any,” SCHS added.

Sisters of Charity Health System has assured patients that the data security incident only impacted constituent and donor databases, and no access to medical systems or protected health records was detected. All sensitive information, such as Social Security numbers, credit card numbers, and financial account information, was encrypted and not accessible to the attackers.

While Blackbaud may have paid the attackers’ ransom demands to delete any stolen data permanently, affected individuals should remain vigilant against any suspicious communication via email, text, or phone calls.

In response to the data breach, SCHS has emailed all impacted patients and has set up a dedicated customer service number to assist with any questions or concerns.

Google Prepares Security Team to Investigate Third-Party Apps

Google is preparing a new security initiative and building a new team with a single purpose — to investigate sensitive applications available through the Google Play Store.

Google scans all Android apps for malware before they are published on the Play Store, but that’s not sufficient, especially for apps that deal with sensitive data. According to a ZDNet report, Google has posted a new Security Engineering Manager job ad, looking to fill a new position.

“Security Engineers work hands-on with network equipment and actively monitor our systems for attacks and intrusions,” says Google. “You also work with software engineers to proactively identify and fix security flaws and vulnerabilities.”

The responsibilities listed shed a little more light on the specifics of the job. “A team that performs reverse engineering, technical security assessments, code audits and design reviews of third party Android applications and libraries.”

The fact that Google is looking to scrutinize third-party apps a lot more closely is a good thing. In theory, it should make the ecosystem a lot safer. Applicants should also conduct research to identify new attack vectors against Android applications and improve security across systems.

Security and privacy have become a lot more important in the past few years, with various third-party companies pushing apps and SDKs that bypass, intentionally or by mistake, some of the Android operating system’s limitations.

Leaving aside some of the more popular apps that will undoubtedly come under scrutiny, the new security team will likely look at some of the other Android ecosystem problems, such as click-fraud apps or fleeceware, which are far more common than everything else.

Fake npm Packages Found in GitHub Repository

Security researchers discovered four malicious npm packages, uploaded to the GitHub-owned npm registry, that were capable of collecting the user’s IP address, geolocation and device hardware data.

Not all attacks have a high-visibility profile. Some threat actors use much more subtle channels to spread malware. In this case, it’s four packages on npm, the registry developers typically use to manage the packages their projects depend on.

The four packages discovered by Sonatype had names similar to legitimate ones, a technique known as typosquatting. Basically, if a user didn’t pay enough attention and typed the wrong letter, they would download the fake package.

“The two packages representing next-generation software supply chain attacks rely on typosquatting – an attack that impersonates legitimate packages and makes them available for unsuspecting developers to download,” says Sonatype. “For example, the developer requests the ‘electron’ package but unintentionally spells it ‘electorn’.”

This is also called a supply chain attack because threat actors trick users into downloading the wrong app or package from a legitimate source. In this case, `electorn`, `loadyaml`, `lodashs`, and `loadyml` are the packages in question. They gathered only about 400 downloads, but that’s only because someone happened to look in that direction.

Supply chain attacks are a big problem and, as projects become more complex, with multiple dependencies, security systems have to keep up. A piece of malware capable of sharing the geolocation of users is dangerous enough but, depending on the project, it can do much more damage.

Since GitHub was quick to remove the packages, the campaign was short-lived and its end goal remains a mystery. It’s possible that the attacker was collecting data to determine a course of action. But it’s also possible that such specific libraries could have impacted critical projects using them.

Tennessee Man Sentenced to 17 Years in Federal Prison for Identity Theft and Fraud

James Jackson, a 58-year-old resident of Memphis, Tennessee, has been sentenced to 17 years in federal prison for 13 counts of mail fraud, aggravated identity theft, access device fraud and mail theft.

According to US Attorney Michael Dunavant, between 2014 and 2015, Jackson obtained the personal information of numerous individuals – most of whom were deceased – and used it to take over their financial accounts.

His MO included searching online obituaries and articles to discover the identities of recently deceased individuals, singling out people who might have credit accounts, or financial investments that could be exploited.

It appears that Jackson succeeded in impersonating his victims, both male and female, contacting banks, credit card companies and financial firms, persuading them to mail new credit cards to vacant homes and hotels found in the Memphis area.

“A search of Jackson’s computers revealed that he had been researching the deceased victims,” the Department of Justice (DOJ) said. “This was done through use of numerous online obituary sites and nationwide news articles. In a subsequent search of Jackson’s mother’s house, agents found a box of Jackson’s business cards, wherein he claimed to be the ‘Father of Identity Theft.’”

Additionally, he was behind the sale of $340,000 of stock out of one of his victims’ investment accounts. On top of 207 months in federal prison without parole, Jackson was ordered to pay over $300,000 in restitution to his victims’ families.

“Aggravated identity theft and schemes to defraud or compromise the personal and financial security of vulnerable and deceased victims will not be tolerated,” Dunavant said.

“This case demonstrates our commitment to protect the personal and financial information of citizens and institutions and to hold offenders accountable for these disturbing crimes of dishonesty. This self-proclaimed ‘Father of Identity Theft’ will now have to change his name to ‘Father Time’ because he will be doing plenty of it in federal prison.”

Retail Giant H&M Fined More Than $41 Million for Breaching GDPR Regulations

Hamburg’s data protection watchdog has fined a Hennes & Mauritz (H&M) subsidiary $41.4 million for violating stipulations of the European Union General Data Protection Regulation (GDPR).

According to the Hamburg Data Protection Authority (HmbBfDI), the penalty was levied for excessive use of employee data collected and stored on company networks.

Violations of employee privacy started as early as 2014, HmbBfDI found, with the company storing extensive confidential information, including medical records, financial details and social media data.

“Since at least 2014, parts of the workforce have been subject to extensive recording of details about their private lives,” HmbBfDI said in a press release. “Corresponding notes were permanently stored on a network drive. After absences such as vacations and sick leave – even short absences – the supervising team leaders conducted so-called Welcome Back Talks with their employees.”

Large volumes of information appeared to have also been gathered during private conversations between managers and employees. Data concerning holiday experiences, family issues, religious beliefs, and symptoms of illnesses were also collected and accessed by up to 50 other managers.

“The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues,” HmbBfDI added.

“In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

To restore confidence within the company, H&M said it will compensate affected employees and implement new data protection measures, including a newly appointed data protection coordinator.

NCSC Warns Admins Not to Disable Updates to Keep Flash Alive in 2021

A dire warning came from the UK’s National Cyber Security Centre (NCSC), advising IT administrators not to disable update mechanisms to keep Adobe Flash alive past its end-of-life date, set for the end of 2020.

It’s been a long time coming. Adobe Flash is finally going away, with all of the major browsers pledging to remove it entirely from their software. Right now, browsers advise users that Flash is disabled, but users can still choose to enable it. After 2020, modern browsers will eliminate Flash support entirely, with no way of installing it.

The NCSC is trying to get ahead of the curve because some IT admins might take drastic measures to keep Adobe Flash Player alive, at the cost of security. One way to do that is to disable the operating system’s update mechanism or software to prevent automatic Flash removal.

“All of the major browser vendors have committed to removing Flash from their products entirely by the end of 2020,” says the NCSC.

“At that point, you won’t even be able to optionally turn it back on again. After 2020, you’ll have to use an old, unpatched version of your browser to continue using Flash Player. In the case of Edge, Internet Explorer and Safari, it will likely be necessary to disable the underlying platform’s update mechanism too. That would be very bad.”

Regular users will likely ignore this important event because it won’t affect them. But some Flash-dependent projects in large organizations will feel the impact. Developers, vendors and IT administrators will have to work together to remove any dependencies from existing projects.

Adobe is already committed to removing Flash from official web sources so users can’t forcibly install it afterward. Right now, the software has over 1,000 unpatched vulnerabilities, including some that researchers discovered only two months ago.
