Author Archives: Connor Madsen

Cyber News Rundown: Arizona School Ransomware Attack

Reading Time: ~ 2 min.

Ransomware Closes Arizona School District

As many students began returning for the fall semester, classes were cancelled in the Flagstaff Unified School District in Arizona after a ransomware attack disabled some of the district’s computer systems. Officials haven’t yet released any additional information on the ransom demanded or if any sensitive employee or student documents was compromised. The attack is another in a chain of ransomware campaigns affecting dozens of school districts around the country in recent months.

Want more on the latest threats to your online security and privacy?
Follow us on Facebook and Twitter to stay up to date.

BEC Scam Targets Toyota Corporation

A subsidiary company of Toyota fell victim to a business email compromise (BEC) that could cost more than $37 million. Using social engineering to convince the victim to send the wire transfer has become a common practice around the world and earned scammers an estimated $1.3 billion in 2018 alone. Officials are still working to determine the proper course of action to recover the stolen funds, though it is unlikely they will be able to track down their present location.

International BEC Sting Nets 281 Arrests

With the cooperation of many law enforcement agencies around the world, at least 281 individuals were taken into custody for their roles in various BEC scams. Along with the arrests, officials seized $3.7 million in cash that had been stolen by redirecting wire transfers while posing as a high-level executive. While the majority of arrests came from Europe and Africa, nearly a quarter occurred in the U.S.

LokiBot Campaign Affects U.S. Manufacturer

A poorly written email phishing campaign was recently discovered with a rather malicious payload called  LokiBot. In the scam, once a victim would open the attachment (with assurances in the email that it simply needs to be reviewed), an archive would unzip and allow the payload to begin hunting for credentials and any other sensitive information stored on the system. After reviewing the LokiBot sample, the IP address from which the campaign originated from has been tied to several other, similar campaigns from recent months.

Oklahoma State Trooper Pension Fund Stolen

Malicious hackers recently stole more than $4.2 million from the Oklahoma State Trooper’s pension fund, which was to be used to assist roughly 1,500 retired law enforcement agents in the state. While most of the benefits programs should remain unaffected, officials are confident that they will be able to recover the funds, which would also be covered by insurance company if unable to be recovered.

The post Cyber News Rundown: Arizona School Ransomware Attack appeared first on Webroot Blog.

Cyber News Rundown: Deepfake Voice Fraud

Reading Time: ~ 2 min.

Deepfake BEC Scam 

A new variant of the well-known BEC scam has implemented a feature that has yet to be used in an email scam: voice fraud. Using an extremely accurate deepfake voice of a company’s CEO, scammers were able to successfully convince another company to wire $250,000 with the promise of a quick return. Unfortunately, that transfer was quickly spread out through a number of countries, leaving investigators with very little clue as to the identity of the scammers.  

Yves Rocher Data Leak 

The customer databases belonging to French retailer Yves Rocher were found to be publicly available by researchers who discovered the records of over 2.5 million customers. In addition to the personal data, the details for over 6 million transactions, and internal Yves Rocher information were grouped with the exposed database. The internal data could be a major opportunity for any competitors to obtain some crucial footings in the marketplace.  

German Mastercard Breach 

Officials recently learned of a data breach that was affecting nearly 90,000 German Mastercard holders that are part of their members loyalty program. Nearly half of the exposed email addresses have already been compromised in previous data breaches, according to Have I Been Pwned, though the affected customers should still update their credentials. Fortunately, this breach only affected the loyalty program members rather than the entirety of Mastercard’s world-wide client base.  

Ransomware Wave Hits US 

Continuing on from a summer full of ransomware attacks on US cities comes a streak of 13 new attacks that range from the East Coast to the West Coast. Sadly, several of the victims have already paid out some portion of the demanded ransoms, with some insurance companies even attempting to negotiate with the attackers for a lower payout. With this streak, the total number of ransomware attacks in the US in 2019 is up to 149, 20% of which involved educational institutions.   

UK Travel Agency Breach 

A UK-based travel agency has recently fallen victim to a data breach that could affect over 200,000 of their customers. The main leak included audio files for the affected customers confirming travel and payment plans, as the travel firm completes their deals over the phone. The audio files appear to have bene publicly available for a span of nearly 3 years, but quickly secured the sensitive information once they were informed of its current status.  

The post Cyber News Rundown: Deepfake Voice Fraud appeared first on Webroot Blog.

Cyber News Rundown: Social Media Bots Attack

Reading Time: ~ 2 min.

Cybercriminals use Botnets to Launch Attacks on Social Media

According to a new report, more than half of all login attempts on social media sites are fraudulent, and at least 1 in 4 new account creation attempts are also fraudulent. With the sheer number of potential victims these types of sites provide attackers, these strategies are proving to be more and more lucrative. Even more worrisome: at least 10% of all digital handshakes from online purchases to new accounts being created are being made by malicious actors.

Cybercriminals target end users. Learn why businesses need security awareness training.

xHelper Trojan Infects Thousands of Android Devices

A new Trojan has infected over 30,000 devices in a very short time. By disguising itself as a JAR archive, the dropper is able to move quickly through a system, rather than being installed within a bundle as a standard APK. At least two variants of the Trojan have been spotted, one running extremely silently on infected devices while the other does less to hide itself, creating an actual xHelper icon and pushing an increasing number of notifications to the device.

Malicious PDF Scanner App

Researchers recently notified Google of a Trojanized CamScanner app that has been downloaded over 100 million times. The app itself is used to download and launch a malicious payload, after making contact with the attacker’s servers. Fortunately, Google is quick to act when they receive these types of reports, and has already removed the app from the Play Store. This app follows in a long line of high-install malicious apps to hit the Google™ Play Store in the last couple months.

Cable Companies Delay Robocall-Detection Implementation

Following the FCC decision to push out a technology that would allow all telecom companies to implement detections for the excessive number of robo-calls their customers receive every year. Unfortunately, the FCC never made an official deadline, so the lobby groups for the cable companies have been pushing for further delays. Hopefully, more telecom companies will get behind this technology and start helping their customers avoid this kind of harassment.

Hosting Provider Data Breach

A data breach was recently revealed by Hostinger, a hosting provider, which could affect their entire 14-million-strong customer base. Within the last week, the company identified unauthorized access to one of their servers, which contained sensitive customer information. Fortunately, Hostinger resolved the vulnerability quickly and pushed out a mandatory password reset to all affected users.

The post Cyber News Rundown: Social Media Bots Attack appeared first on Webroot Blog.

Cyber News Rundown: Android Adware

Reading Time: ~ 2 min.

Android Apps Riddled with Adware

Another 85 photo and gaming apps have been removed from the Google Play store after they were discovered to have been distributing adware to the roughly 8 million users who had downloaded the fake apps. The adware itself is rather tricky: by sitting dormant on devices for at least 30 minutes to avoid detection, they are then able to display a steady stream of full-screen ads that make users wait through each in its entirety before allowing continued use of the app.

Learn more about mobile security for shopping, banking and browsing.

Texas Hit by Multiple Ransomware Attacks

Several Texas municipalities have fallen victim to a single ransomware campaign affecting at least 22 locations and asking a cumulative ransom of $2.5 million. The state of Texas has been under fire for the past few months, suffering a seemingly endless string of ransomware attacks on local governments. Fortunately, many of the targeted districts have been swift to remediate issues and are already on the path to full system recovery, managing to avoid paying heavy ransoms.

Steam Zero-Days Released After Valve Bans Submitter

A researcher recently found several zero-day vulnerabilities within the Steam API that could allow for local privilege escalation (LPE), which could then allow malware to use the client as a launching point. Unfortunately, Valve decided the bug was outside of its scope of responsibility, locked the report, and refused to investigate it any further, also banning the submitter from the bug bounty program. Eventually, after much negative media coverage, Valve pushed out a patch that was quickly subverted by another workaround. It is unusual for a company with so many active users to blatantly ignore one of Microsoft’s most commonly patched vulnerabilities.

Adult Site Database Exposed

Yet another adult site has fallen victim to poor information security practices after a database containing personally identifiable information belonging to nearly 1 million users was misconfigured and left publicly available. The leak was discovered by researchers who were able to verify a breach and swiftly report it to the site, which took only four days to secure the data. Site users were notified of the breach and are being advised to change login credentials, especially those using work devices or contact details.

Magecart Found in Poker Tracker

The infamous Magecart card-skimming script was recently found loaded into Poker Tracker’s main site, which allows online poker players to make statistics-based betting decisions. It was later revealed that the site was fully injected via an outdated version of Drupal that has since been updated. The attack left the attackers with a copy of every payment made through the site or the app. 

The post Cyber News Rundown: Android Adware appeared first on Webroot Blog.

Cyber News Rundown: Hookup App Exposes Users

Reading Time: ~ 2 min.

Hookup App Leaks User Locations

Geo-locating and other sensitive data has been leaked from the hookup app 3fun, exposing the information for more than 1.5 million users. While some dating apps using trilateration to find nearby users, 3fun showed location data capable of tracing a user to a specific building or floor. Though users had the option to disable coordinate tracking, that data was nevertheless stored and available through the app’s API. 3fun has since resolved the leak and has hopefully implemented stronger security measures considering the private nature of their client’s activities.

Ransomware Attacks on DSLR Cameras

Malware authors continue to find new victims, as a ransomware variant has been found to be remotely attacking Canon DSLR cameras and demanding a ransom to regain access to the device. Researchers have found multiple vulnerabilities that could allow attackers to perform any number of critical functions on the cameras, including displaying a ransom note and remotely taking pictures with the camera. Fortunately, Canon has already begun issuing patches for some of its affected devices, though it’s taking longer to fully secure others.

Take back your privacy. Learn more about the benefits of a VPN.

Google Drive Exploit Allows Phishing Campaign to Flourish

A new phishing campaign has been discovered that uses a legitimate Google Drive account to launch a phishing campaign that impersonates the CEO asking the victim to open the Google Docs file and navigate to the phishing site’s landing page. Luckily for victims, the campaign has a few tells. The phony CEO email address uses a non-conforming naming convention and the email itself appears to be a hastily compiled template.

British Airways Data Leak

British Airways has again come under scrutiny, this time after it was discovered that their e-ticketing system was leaking sensitive passenger data. The leak stems from flight check-in links that were sent out to customers containing both their surname and booking confirmation numbers completely unencrypted within the URL. Even more worrisome, this type of vulnerability has been well-known since last February when several other airlines were found to have the same issue by the same security firm.

Android Trojan Adds New Functionality

Following in the footsteps of Anubis, an Android banking Trojan for which source code was recently revealed, Cerberus has quickly filled the void without actually borrowing much of that code. One major change is that Cerberus implemented a new method of checking if the device is physically moving or not, in hopes of avoiding detection by both the victim and any researchers who may be analyzing it. Additionally, this variant uses phishing overlays from several popular sites to further collect any login credentials or payment card data.

The post Cyber News Rundown: Hookup App Exposes Users appeared first on Webroot Blog.