FTC Warns US Citizens of ‘Instant Cash Payments’ Scammers Impersonating the Agency

The US Federal Trade Commission (FTC) has released information on scammers impersonating the agency, warning the public that the criminals operate a spoofed website to trick consumers into disclosing financial information, with a tantalizing promise of instant cash.

The FTC, an independent agency of the US government, enforces civil US antitrust law and promotes consumer protection.

In a blog post titled “Scam ‘US Trading Commission’ website is not the FTC,” the agency draws attention to an impostor site called “the US Trading Commission” that uses the FTC’s seal and address.

The scam site claims it operates a “personal data protection fund” to compensate those whose personal information has been exposed on the web.

“The site says you can ‘instantly receive’ a cash payment by clicking on some links and giving the site your personal data and bank account or electronic wallet information,” the real FTC warns.

“Of course, if you do that, your money will be gone, you may download malware onto your device, and scammers can misuse your personal information to steal your identity,” the agency notes.

The site promises that payment “is available to residents of all countries of the world,” and there have already been some victims, according to the FTC (hence this week’s warning).

“People as far away as Russia, Ukraine, Belarus, Kazakhstan, and Latvia have reported the site to the FTC, and several have reported losing money,” according to the post.

The agency makes it clear to anyone who might be tempted by such scams that it will never ask anyone for money, or their bank account, credit card, or Social Security number for a refund.

“If the FTC needs to get money to you, we usually send a check through the mail. You can learn about our refund programs at FTC.gov/refunds,” the agency stresses.

Anyone who encounters this scam or others like it is urged to report them to reportfraud.ftc.gov.

This warning was issued on January 25 in a joint statement with the Cybersecurity & Infrastructure Security Agency (CISA).

US citizens are also encouraged to go through CISA’s Security Tips on Avoiding Social Engineering and Phishing Attacks and Preventing and Responding to Identity Theft.

USCellular Notifies Customers of Data Breach after Employees Unknowingly Download Malware

USCellular, a Chicago-based mobile network operator, has revealed a data breach incident affecting an undisclosed number of customers.

The company believes the incident occurred on January 4, 2021, after threat actors managed to trick employees into accessing and downloading malicious software on some retail-store computers.

Two days later, the breach was discovered, prompting the company to reset employee passwords and remove the compromised systems from its computer network.

“On January 6, 2021, we detected a data security incident in which unauthorized individuals may have gained access to your wireless customer account and wireless phone number,” the notification reads. “A few employees in retail stores were successfully scammed by unauthorized individuals and downloaded software onto a store computer.”

Since the employee was already logged in to the computer retail management (CRM) system, the threat actor could access the store computer and customer-facing systems.

The attack exposed customer account details including name, address, cell phone number, PIN, service plan, and billing and usage statements.

“Your customer account was impacted in this incident,” the company said. “Information in your customer account includes your name, address, PIN code, and cellular telephone number(s) as well as information about your wireless services including your service plan, usage and billing statements known as Customer Proprietary Network Information (‘CPNI’).”

USCellular says no Social Security numbers or financial information were stolen since this information “is masked within the CRM system.”

“At this time, we have no indication that there has been unauthorized access to your UScellular online user account (“My Account”),” the telecom explained.

The data breach letter states that all authorized contacts’ PIN numbers, security questions and answers have been reset to prevent fraud on customer accounts.

Users are urged to watch out for phishing attempts and to report suspicious correspondence by calling the customer service number.


Patch Your iGear Now – iOS 14.4 Fixes ‘Actively Exploited’ Security Flaws

iDevice users this week were greeted with a new software update containing enhancements and bug fixes – including patches for three apparently nasty security bugs. Readers are advised to update their iGear quickly. Here’s why:

The latest iOS and iPadOS updates contain fixes for three previously unknown vulnerabilities.

CVE-2021-1782 is described as a flaw that could let a malicious application elevate privileges, while CVE-2021-1871 and CVE-2021-1870 can open the door to remote attackers and enable them to cause arbitrary code execution.

Affected devices include iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).

For all three vulnerabilities, the Cupertino-based tech giant said on January 26 it was “aware of a report that this issue may have been actively exploited.”

That was Tuesday, so we can safely assume that any unpatched iPhone, iPad or iPod touch that supports the new software is a potential target for motivated threat actors.

And since the cat’s out of the bag regarding these security flaws, any motivated threat actor who previously had no knowledge of the flaws may well be actively exploiting them right now. Which, needless to say, makes updating imperative.

No additional details about the flaws are available as of yet, likely as a precaution not to give threat actors too much leeway before most users get a chance to patch up their Apple gear.

Readers who own one or more of the affected units are urged to visit Settings -> General -> Software Update and tap Download and Install.

North Korean hackers attempt to hack security researchers investigating zero-day vulnerabilities

  • Fully-patched Windows 10 computers using the Chrome browser are being infected by visiting a bogus security researcher website.
  • Hackers would take weeks or months to gain the trust of security researchers before tricking them into running malicious code.

Threat experts at Google say that they have identified an ongoing hacking campaign that has targeted computer security experts, specifically those researching the very type of software vulnerabilities exploited by cybercriminals.

Google’s Threat Analysis Group (TAG) says that the attackers are backed by the North Korean government, and are using advanced persistent threats (APTs) in an attempt to compromise the computers of their high value targets.

As Google describes, the attackers reach out to their intended victims via email or websites such as Twitter and LinkedIn, posing as fellow researchers.

Over time, in conversations that can last for weeks or months, the attackers attempt to establish their credibility and trustworthiness by posting videos of the exploits they claim to have discovered, or by posting links to their research on their blogs or GitHub.

The “evidence” of their discoveries was further amplified by having other social media accounts under the hackers’ control reshare the links, in an attempt to increase their apparent authenticity.

Ingeniously, the attackers then ask the researcher they are targeting if they want to collaborate on vulnerability research together, and share a Visual Studio project with the source code to an exploit they are working on.

A careless researcher may not spot that the project also contains a malicious .DLL file that can install a backdoor onto their computer.

In addition, in some attacks researchers have been compromised after visiting the fake researcher’s blog. As Google explains, visiting the website hosting the blog – even on a fully-patched up-to-date version of the Chrome browser running on a fully-patched version of Windows 10 – can result in computers becoming infected by malware.

Google admits that it is not clear at the moment how the infection is taking place, but it is asking anyone who is able to identify such a previously unknown vulnerability in Chrome to make contact as they would be eligible for a reward under its bug bounty program.

According to The Register, one researcher targeted by the North Korean hackers was zero-day vulnerability hunter Alejandro Caceres, the co-founder of US-based security research outfit Hyperion Gray.

Caceres said that he had been contacted by a bogus researcher calling himself James Willy, and has offered a reward to anyone who can provide the hacker’s true identity and address.

Google’s Threat Analysis Group says that it is sharing details of the hacking campaign in the hope that it will act as a warning to all security researchers to be on their guard:

“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.”

The Twitter and LinkedIn profiles used by the attackers have since been suspended, although, of course, there is nothing to stop the hackers from creating other accounts in an attempt to ensnare more unsuspecting security researchers.

Two Dutch Public Health Workers Arrested for Selling Coronavirus Patient Information

Dutch police have arrested two Public Health Department (GGD) workers for allegedly stealing information on COVID-19 patients and offering to sell it online to various cybercriminals.

The arrests resulted from a police investigation launched after RTL Nieuws, a local media outlet, discovered that personal information from two GGD systems storing coronavirus patient information was being sold on instant messaging apps such as Telegram.

Police said the GGD reported personal data theft from its systems on January 22.

“The cybercrime team of the Central Netherlands police immediately started an investigation,” the police report reads. “This investigation soon led to two employees of the GGD call center. The suspects were both in Amsterdam on Saturday evening, where they were arrested and taken to a cell. It concerns a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam. The men’s homes were searched; computers have been seized.”

The investigation is ongoing, and authorities have not ruled out additional arrests. The initial police report states that names, dates of birth, and addresses were among the personal information put up for sale by the two suspects.

However, the RTL Nieuws investigation revealed that the private data had been offered for sale for months in large chat groups, including on Snapchat and Wickr. Some posts offer look-up services for specific individuals at prices ranging between 30 and 50 euros.

“You will receive the home and email address and telephone and social security number from someone,” RTL Nieuws explained. “Other accounts offer large datasets containing the private data of tens of thousands of Dutch people. Criminals charge thousands of euros for this because it is relatively unique that social security numbers are sold on such a large scale.”

The data theft and illegal trade of information has obliged the GGD to enforce additional security measures, requiring each employee to sign a confidentiality agreement and submit a Certificate of Good Conduct. The public health service also ensured that remote workers will be thoroughly monitored once system upgrades are made.

The security incident could also have serious legal and financial consequences for the GGD. “This is very bad and may be a serious data breach,” the Dutch Data Protection Authority said. “The AP immediately demanded clarification from the GGD. This data includes name, address, place of residence and telephone numbers and also BSNs: all current and in large quantities. That is very valuable.”

How Bitdefender Protects You from Ransomware (Part 2)

Ransomware attacks are among the greatest security threats we face in the digital world, a trend that has continued to expand and grow in sophistication over the past years.

The threat actor’s goal is simple: Find an opportunistic target and lure it into accessing, downloading or installing malicious software onto their device so it can encrypt user files and prevent them from accessing the system. The victims then reach the all-too-familiar endgame of whether or not to pay a ransom.

Can you put a price on your data?

Most personal data on our devices consists of precious memories and financial information. However, as our kitchens and living rooms have turned into a home office, our devices also hold sensitive work materials and documents we cannot afford to lose.

How do you ensure the best protection for your files and data?

Bitdefender anti-ransomware technologies eliminate the ransomware threat by preventing malicious infections from reaching your device and encrypting your data. Advanced Threat Defense (ATD) continuously monitors all applications running on your systems, inhibiting any file-encrypting behavior from compromising your files. The ATD is designed to neutralize any suspicious process by hunting for threat-like actions. Suppose an application attempts to modify host files, inject into other processes, disable anti-malware software installed on your device or create startup keys. In that case, the ATD declares the process malicious and stops it from damaging the system.

This innovative proactive detection technology uses advanced heuristic methods to detect known and new ransomware strains in real time, blocking malicious actions, such as file encryption, before they start. Moreover, ATD shares intelligence with Bitdefender’s Global Protective Network to stop even the newest ransomware and exploits and notifies you each time potentially malicious processes and cyber threats are detected.

An additional proactive anti-ransomware security feature ensures that folders containing sensitive documents and files are not lost if a ransomware attack manages to bypass all other security layers. The Ransomware Remediation module allows you to restore critical files and data encrypted by ransomware. If malicious software attempts to encrypt files on your device, a backup of the targeted files will be automatically created, allowing you to restore them with just a few clicks.

The security shortcomings of our devices and systems pose a greater threat than ever, with security breaches and malicious attacks ramping up new victims daily. Secure and protect your data today by choosing a security solution prepared to defend your private data against new and existing threats.

Cybercriminals Impersonate UK’s National Health Service to Spread COVID-19 Vaccination Phishing Emails

Fraudsters impersonating the UK’s National Health Service (NHS) are actively exploiting the COVID-19 vaccination campaign to dupe citizens into providing their personal information through various phishing emails.

The campaign seems to have started on January 25, as seen in the scam recipients’ multiple Twitter posts.

In one version of the phishing email, users are asked to confirm or reject the coronavirus vaccination by accessing the appropriate link.

Regardless of what they may choose, the links direct them to a fake NHS page that asks for personal information such as name, mother’s maiden name, home address, date of birth, phone number and even credit card details.

“I got this via email. It looks very real, and so does the site that it takes you to,” one Twitter user said. “BUT they ask for bank card details! This is so difficult especially when we read we may be contacted to book via email, text or letter.”

NHS COVID-19 phishing email

Although the email layout may seem legitimate, another user pointed out a red flag, noticing a suspicious email address added in the email’s CC field.

“My wife just received this,” he said. “Can’t believe people are using this method at a time when people feeling so anxious to get a vaccine jab. It looked very legit until we saw the email address in the CC list.”

The NHS was quick to respond to news regarding the fraudulent emails, assuring the population that the COVID-19 vaccine is free of charge.

The agency also provided a checklist for spotting the scam, explaining that citizens are not required to apply for the vaccine or to share any documents that prove their identity, including copies of passports, driver’s licenses, bills and bank details.

Despite public awareness campaigns advertised by UK government agencies, some citizens have already fallen victim to scammers, providing personal and financial information via fraudulent online forms.

Assuming that any provided information will fuel identity theft and fraud-related crimes, victims should notify the appropriate UK government agencies and police. Report any stolen documents to the organization in charge of issuing your credit cards, driver’s license, or passport. Review your credit card statements and bank accounts for any fraudulent charges.

Hacker Releases Dating Site Data Belonging to 2+ Million Users

Dating site MeetMindful has discovered that “a well-known hacker” has leaked the details of more than 2 million users registered on its website.

An unnamed security researcher tells ZDNet that the leaked data is a 1.2 GB file containing some highly-sensitive data points, like real name, email address, city, state and ZIP code, body details, dating preferences, marital status, birth date, latitude and longitude, IP address, bcrypt-hashed account passwords, Facebook user IDs and even Facebook authentication tokens.

The leaked data is more than enough to cause serious damage to customers enlisted with MeetMindful, exposing them to sextortion, fraud, and of course psychological damage.

To its credit, the dating site has promptly responded to the leak with a comprehensive security notification addressing affected users.

However, unlike ZDNet’s source, MeetMindful seems to downplay the severity of the leak, claiming the attacker was only able to grab basic user data that was already outdated. It isn’t clear which version of the story is more accurate.

“A well-known hacker was able to exploit a now-closed vulnerability in our system, and was able to export an outdated version of a list of basic user information,” the company says.

It explains that the incident applies to users who signed up for MeetMindful prior to March 2020, and that users who signed up after March 2020, or have updated their account details since March 2020 are not affected by this incident.

It also mentions that MeetMindful is a fellow victim in a larger campaign targeting several companies, including it, Teespring.com, Bonobos, and others.

“We identified the vulnerability and immediately resolved it, as well as brought in additional development resources to ensure future safety,” according to the notice.

The company further claims that no payment information was viewed or released. The same goes for messages, profile answers, photos, favorites, user views, or any other personal information relating to matches, detailed match preferences, conversations and specific locations, it says.

As a precaution, all users are advised to reset their password “to add additional security to your account,” according to the company. MeetMindful also instructs users to be wary of emails or text messages asking for an account number or password (i.e. phishing / fraud attempts).

Users who have additional questions or detect suspicious activity on their account can contact the company at hello@meetmindful.com.

World’s Largest Crane Maker Suffers Global Cyber Attack, Operations at a Halt

PALFINGER AG, the giant manufacturer of lifting systems, has posted a statement on its home page confirming it is currently under attack by hackers. Because of the attack, the firm’s IT infrastructure has been crippled.

With 150 crane models and a market share of 35 percent, PALFINGER is the world market leader in hydraulic lifting, loading and handling systems. It employs over 11,000 people in 35 locations across the globe with 5,000 service points. PALFINGER is also the world’s market leader in maritime lifesaving equipment.

The Austrian company this week disclosed a cyber incident that has all but halted its IT operations, in what appears to be the result of a ransomware attack. The firm greets visitors on its website with the following statement:

“PALFINGER Group is currently the target of an ongoing global cyber attack. IT infrastructure is disrupted at the moment (including sending and receiving emails, ERP systems). A large proportion of the group’s worldwide locations are affected. It is not possible to estimate the precise extent and duration of the attack or its consequences at this time. Work is being carried out intensively on a solution.”

The disruption described by the company suggests a ransomware infection, where systems become unusable as data and applications are encrypted and frozen. However, the firm has yet to disclose details of the hack.

Visitors to palfinger.com in different geographies are told the company cannot “receive or process inquiries, orders, shipments and invoices,” and that existing customers can only reach PALFINGER via telephone or through social media.

According to the notice, most of the company’s offices and factories around the world have been affected by the cyber attack.

Bitdefender research shows that businesses across all verticals face record numbers of data breaches this year, as misconfigurations resulting from the rapid transition of employees to remote work create security blind spots that attackers will exploit. Unpatched vulnerabilities and misconfigurations mean business clients stand to inherit those security lapses as well, opening the floodgates to supply chain attacks (i.e. SolarWinds).

Motivated politically or economically, cyber actors are showing more interest than ever in critical industry verticals, like healthcare, education, construction, retail, energy and water distribution, as well as municipal infrastructures.

2 Million User Records from Adult Streaming Website MyFreeCams.com Sold in Underground Forum

A data broker who allegedly hacked adult chat and web-streaming website MyFreeCams.com has sold nearly 2 million user records on a dark web forum, CyberNews researchers have discovered.

According to the seller’s post, the records were exfiltrated from the company’s servers in December 2020 after a SQL injection allowed him to access and view unauthorized data.

The perp claims to have stolen usernames, emails, clear-text passwords, and MFC Token balances of 2 million Premium and Diamond members. The threat actor made a pretty penny, based on an analysis of his cryptocurrency wallet that showed 49 Bitcoin transactions, equating to more than $22,000.

After selling the stolen records, he immediately deleted his account and post from the forum.

News of the breach also reached MyFreeCams.com, which claims the leaked data was traced “to a security incident that occurred more than ten years ago in June 2010.”

The company also emphasized that the vulnerability used to exfiltrate user data was fixed shortly after the incident.

Despite these assurances, MyFreeCams has notified impacted members to reset their passwords.

“MFC’s current systems prevent any similar attack,” the company said. “Until now, MFC did not have evidence that user data was actually compromised as part of the incident. We have informed affected users by email and reset their passwords. No credit card information was stored or compromised.”

Although users can reset their account passwords and avoid account takeover, the exposed details make for efficient blackmail and extortion attempts from other cybercriminals.

The email addresses and clear-text passwords could also be used in credential stuffing attacks, so users are also advised to review any online account that shared the same username/email and password combination.
