Category Archives: Cybercrime

New EU-funded project aims to disrupt wildlife cybercrime

A new European Union (EU)-funded project aims to disrupt criminals trafficking wildlife in or via the EU using the internet, postal or fast parcel services. The project is implemented by a strong coalition gathering WWF, IFAW, INTERPOL, the Belgian Customs and TRAFFIC. The project is led by WWF Belgium, in affiliation with TRAFFIC. Funded by the Internal Security Fund of the Directorate General for Migration and Home Affairs of the European Commission, the two-year “Disrupting … More

The post New EU-funded project aims to disrupt wildlife cybercrime appeared first on Help Net Security.

French authorities released the PyLocky decryptor for versions 1 and 2

Good news for the victims of the pyLocky Ransomware versions 1 and 2, French authorities have released the pyLocky decryptor to decrypt the files for free.

French authorities have released a decryptor for pyLocky Ransomware versions 1 and 2. The decryptor allows victims to decrypt their files for free. It was developed in collaboration between French law enforcement, the French Homeland Security Information Technology, and Systems Service, along with independent and volunteer researchers.

“PyLocky is very active in France, both within the professional environment (SMEs, large businesses, associations, etc.) as well as at home. This tool is a result of a collaborative Among the agencies of the french Ministry of Interior, Including the first Brigade of fraud investigations in information technology  (BEFTI) of the Regional Directorate of the Judicial Police of Paris , on the of technical elements gathered during its investigations and collaboration with volunteer researchers.” reads the post published by the French Ministry of Interior states it is more active in Europe.

“Those elements allowed the Homeland Security Information Technology and Systems Service ST (SI) ², part of the National Gendarmerie , to create that software.”

French Ministry of Interior pointed out that the ransomware hit many people in Europe, especially SMBs, large businesses, associations.

The pyLocky decryptor allows to decrypt file for version 1 (filenames having the .lockedfile or .lockymap extensions) and version 2 ( extensions .locky).

pyLocky Decryptor

The pyLocky Decryptor could be downloaded from the following link:

https://www.cybermalveillance.gouv.fr/wp-content/uploads/2019/02/PyLocky_Decryptor_V1_V2.zip

The decryptor has as pre-requisite the installation of the Java Runtime.

“This software decrypts the encryption of files with the extension .lockedfile or .lockymap and version 2 (encrypted files with the .locky extension) of PyLocky.” continues the report. “It requires a computer running the operating system Microsoft Windows 7 or higher and the execution environment Java JRE (Java Runtime Environment) version 8.”

The malware researcher Michael Gillespie analyzed the decryptor and noticed the presence of 2 hardcoded private RSA keys that were likely obtained by French police from the access to the C2 server hosted on the Tor network.

Let me remind you that the decryptor doesn’t clean the infected systems.

Pierluigi Paganini

(SecurityAffairs – pyLocky Decryptor, malware)

The post French authorities released the PyLocky decryptor for versions 1 and 2 appeared first on Security Affairs.

Ransomware disrupts worldwide production for Belgian aircraft parts maker

ASCO Industries, a manufacturer of aerospace components with headquarters in Zaventem, Belgium, has been hit with ransomware, which ended up disrupting its production around the world. The attack reportedly started on Friday and the extent of the internal damage is still unknown. About ASCO Industries ASCO Industries is a privately held company that was acquired by Kansas-based Spirit AeroSystems in 2018. At the time it had 1,400 employees world-wide. It designs and manufactures wing components, … More

The post Ransomware disrupts worldwide production for Belgian aircraft parts maker appeared first on Help Net Security.

FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor

After two years of silence, FIN8 group is back and carried out a new campaign against the hotel-entertainment industry employing the ShellTea/PunchBuggy backdoor.

Two years later after the last report, FIN8 group is back and carried out a new campaign against the hotel-entertainment industry using an improved version of the ShellTea/PunchBuggy backdoor.

The last time security experts documented the FIN8’s activities was in 2016 and 2017. At the time, FireEye and root9B published detailed reports about a series of attacks targeting the retail sector.

FireEye documented obfuscation techniques used by the group in June 2017 and the involvement of PUNCHTRACK POS-scraping malware.

The ShellTea backdoor was analyzed by researchers Root9b in June 2017, the malware was used by threat actors to deliver the PoC malware.

Now experts at Morphisec revealed to have observed a new campaign attributed to the FIN8 group that targeted entities in the hotel-entertainment industry.

“During the period of March to May 2019, Morphisec Labs observed a new, highly sophisticated variant of the ShellTea / PunchBuggy backdoor malware that attempted to infiltrate a number of machines within the network of a customer in the hotel-entertainment industry.” reads the analysis published by Morphisec. “It is believed that the malware was deployed as a result of several phishing attempts.”

Experts believe the attackers launched phishing attacks in the attempt of delivering PoS malware.

Researchers also gathered evidence of overlap between FIN8 and FIN7 attacks, even if the two groups are considered separated.

“Given the nature of the industry targeted in the attack uncovered by Morphisec, we assume that this was also an attempted POS attack.” continues the analysis. “In this report, we investigate this latest variant of ShellTea, together with the artifacts it downloaded after the Morphisec Labs team detonated a sample in a safe environment.”

The attack chain starts with a fileless dropper using PowerShell code executed from registry keys and leading to ShellTea.

The ShellTea attempt to evade detection by checking the presence of virtualized environments and standard analysis tools. The malicious code uses a hacking algorithm for most of its functions, the algorithm is similar to the one implemented for previous ShellTea version.

ShellTea is then injected into Explorer, it communicates with the C2 over HTTPs and supports various commands, such as loading and executing a delivered executable, creating/executing processes, executing any PowerShell command using downloaded native Empire ReflectivePicker, and of course downloading and executing a POS malware.

Attackers use the PowerShell script to collect information on the user and the network, then sends Gzipped data to the C2 and delete it.

Experts pointed out that attackers are constantly innovating their arsenal, their new techniques are able to easily evade standard POS defenses.

“The hospitality industry, and particularly their POS networks, continues to be one of the industries most targeted by cybercrime groups. In addition to this attack by FIN8,we’ve seen multiple attacks by FIN6FIN7 and others.” concludes Morphisec.

Many POS networks are running on the POS version of Window 7, making them more susceptible to vulnerabilities. What’s more, attackers know that many POS systems run with only rudimentary security as traditional antivirus is too heavy and requires constant updating that can interfere with system availability.” ” As we see here, attack syndicates are constantly innovating and learn from their mistakes – the numerous improvements and bug fixes from the previous version of ShellTea are evident. The techniques implemented can easily evade standard POS defenses. “

Pierluigi Paganini

(SecurityAffairs – FIN8, hacking)

The post FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor appeared first on Security Affairs.

Radiohead releases a trove of stolen music in response to the hack

The English rock Radiohead released 18-hour trove of private recordings from their 1997 album “OK Computer” in response to the recent hack.

The alternative rock band Radiohead released an 18-hour trove of private recordings from their 1997 album “OK Computer” after being hacked by crooks that demanded a ransom of $150,000 for the music.

Radiohead uploaded 1.8-gigabyte of recording, live performances, and some unpublished songs on their website (radiohead.bandcamp.com).

Radiohead

The hackers’ dream of making money stealing the music vanished, now anyone can access them for free.

The group is also offering for sale downloads of an album of the 18 hacked MiniDiscs for £18 and donating the proceeds to the Extinction Rebellion environmental campaign group. That’s amazing guys!

“We’ve been hacked,” explained frontman Thom Yorke.

“It’s not v interesting,” he added. “As it’s out there it may as well be out there, until we all get bored and move on.”

Below the tweet published by the group guitarist, Jonny Greenwood that confirmed the hack occurred last week.

“Someone stole Thom’s minidisk archive from around the time of OK Computer, and reportedly demanded $150,000 on threat of releasing it,” Greenwood wrote.

“So instead of complaining — much — or ignoring it, we’re releasing all 18 hours on Bandcamp in aid of Extinction Rebellion,”.

Immediately after the hack, the Reddit user ‘ u/santicol’ revealed that someone claiming to have the stolen music attempted to offer it to a “well known leaker” and offered them previews of the tracks.

“The user described how someone claiming to have the archive came in contact with a “well-known leaker” and offered them previews of the tracks.” reported the AFP press.

“They were asking upwards of $150,000 for the entire set, at $800 per studio track and $50 per live track,” added the Reddit user.

“The leaker seems to be well known in some spaces and has a history of trading in very rare/high profile material,”.

Pierluigi Paganini

(SecurityAffairs – Radiohead, hacking)

The post Radiohead releases a trove of stolen music in response to the hack appeared first on Security Affairs.

How Machine Learning Helps Improve Cybersecurity

Cyberattacks have increased on an unprecedented scale. Reasons are many. The main reason obviously is our increasing dependence on computing devices (computers, smartphones etc) and the internet for our day-to-day needs. It’s today a world of quickly evolving technologies. The technology that we depend on today has interconnectedness as one of its salient features. This, plus our habit of using unsecured networks and devices (like, for example, public Wi-Fi) for convenience’s sake, too has proven to be the cause for an unprecedented increase in cyberattacks.

Of the various technologies that we use today to prevent cyberattacks and to ensure cybersecurity, machine learning deserves special mention. Machine learning definitely is a great technology that offers some highly efficient security solutions and thus helps prevent cybercrime.

Today, we discuss how machine learning helps improve and ensure cybersecurity in today’s world…

Today, we have many machine learning apps that are used for enhancing cybersecurity. There are many such apps that help monitor networks for cybersecurity issues and to detect vulnerabilities or breaches. Such apps also help enterprises generate automated responses whenever there are cyberattacks. Let’s take a look at how these apps work and how they can be used for security purposes like spam detection, risk detection, detection of phishing attacks and malware detection.

Machine learning apps and spam detection

Machine learning apps play a very important role when it comes to performing spam detection. Different reports suggest that more than half of all email today is spam, and hence there’s an increasing need for spam filters which could effectively block such spam from reaching inboxes and causing trouble. It’s among such spam that malware-laden phishing emails too feature. Today we have robust machine learning-powered spam filters, which work based on different sets of rules to identify and filter spam and which are also cost-effective. That these machine learning-powered spam filters are highly flexible and efficient compared to other knowledge-based methods makes them more suited for combating cybercrime in today’s context. Such machine-learning spam filtering tools work based on entirely dynamic kinds of algorithms, which are based on pre-classified datasets that classify emails as spam or not spam based on many features, including the hyperlinks, the attachments, the word frequency count, the HTML tags, the length of the email, the IP address etc.

Machine learning apps and risk detection

Risk detection and responding to potential risks on a timely basis are all part of the very foundations of cybersecurity. Machine learning apps that are used for cybersecurity help monitor, analyze and respond to all kinds of threats and attacks that happen on the networks, the software and the applications, plus the hardware as well. It has to be remembered that infiltration or infection of a network happens much before detection; attackers could infiltrate systems or networks and remain there without doing anything for many months before launching an attack. It’s here that machine learning comes in handy. Machine learning plays a key role in identifying and detecting cybercrime, in protecting networks and their components from all kinds of risk, and in response and recovery as well.

Detection of phishing attacks using machine learning

Most research data show that cybercriminals are increasingly using phishing techniques to launch cyberattacks. In fact, phishing techniques are the most popular among all techniques used to launch attacks. All internet users get phishing emails delivered to their inboxes on a regular basis and hence detection of phishing attacks is important as regards preventing cybercrime. Phishing attacks could lead to the breach of sensitive personal data including credit card data, banking data, login credentials, intellectual property etc. Phishing attacks are widely used for launching ransomware strikes as well. There are different kinds of phishing attacks and hence anti-phishing methods basically fall under three main groups, namely detective methods, preventive methods and corrective methods. Machine learning algorithms are widely used to help detect phishing emails or websites. This is done by monitoring and analyzing data and related features like the number of links, IP addresses, IP-based URLs, JavaScript presence etc.

Machine learning and malware detection

For long we have had traditional malware detection methods which focused on identifying features like hashes, file properties, code fragments etc. But with the introduction of server-side polymorphism, such detection methods have become irrelevant and obsolete. Today, we have worked out a big shift from the former rule-based malware-detection methods and focus more on detecting malware by analyzing files during the pre-execution phase itself using machine learning. Detecting advanced malware attacks, including ransomware attacks, have thus become easier and more effective, thanks to machine learning. We also use deep learning algorithms to detect rare, high-profile targeted attacks. Thus, machine learning is helping us detect all kinds of malware including trojans, ransomware, adware, spyware etc.

Machine learning has its own limitations as well!

Machine learning, which has immense possibilities when it comes to preventing cybercrime, has its limitations as well. For example, there are ambiguities relating to the definitions of activities as ‘normal’ or ‘anomalous’. There are also issues pertaining to adaptability to new patterns and drastically changing methods of cyberattacks. Fake positives also pose a headache to machine learning methods.

Well, despite these limitations, it’s to be mentioned that machine learning is definitely helping us in ensuring improved cybersecurity. The limitations would in due course be overcome, and machine learning would definitely offer us more possibilities as regards cybercrime detection and prevention.

Related Blogs:

Man Vs. Machines: Employing Artificial Intelligence in Cybersecurity

Cyber security and strategy

Average Cost of Cyberattack Exceeds $1 Million

The post How Machine Learning Helps Improve Cybersecurity appeared first on .

CIA sextortion campaign, analysis of a well-organized scam

Crooks are posing as CIA agents in a sextortion campaign, they are sending emails to inform the victims of an investigation into online pedophilia rings.

Crooks are posing as CIA agents in a new sextortion campaign, they are sending emails to inform potential victims of an ongoing investigation into online pedophilia rings.

Fraudsters are offering to drop the investigations on the victims for money, according to experts at Kaspersky.

“The author of the e-mails that caught our experts’ collective eye poses as a CIA officer who has allegedly found the recipient’s details in Case #45361978 (relating to possession and distribution of child pornography, or so it seems). ” reads a post published by Kaspersky. “The “officer” states that the CIA is about to swoop in on more than 2,000 individuals suspected of pedophilia in 27 countries around the globe. The message implies that the recipient is accused of being one of them. “

Crooks claim they are conducting a “large international operation set to arrest more than 2000 individuals in 27 countries.”

In order to scare people and trick them into paying, the fraudsters claim to have collected evidence of the illegal activities, they are telling the victims that they have collected the mark’s home and work addresses, contact information, they also claim to have recorded each recipient’s ISP and browsing history, social media activity. chat logs, and also Tor browsing activity,

The fake CIA agents are offering to drop the investigation and destroy the evidence for a $10,000 Bitcoin payout.

“I read the documentation and I know you are a wealthy person who may be concerned about reputation,” reads the scam email message sent to the victims. “I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case.”

Sextortion campaigns are not a novelty in the threat landscape, in most cases, victims concern of reputational damage in case hackers will expose their immoral habits to friends and colleagues.

The messages used in the “CIA” sextortion campaign are well-written with a good layout, they appear as authentic.

“Such messages are sent to thousands or even millions of people in the hope that just a handful will swallow the bait,” explained Kaspersky senior anti-spam analyst Tatyana Scherbakova.

“Given the size of the ransom, if even a few victims pay up, it will have been worth the cybercriminals’ time and effort.”

Below the recommendations provided by Kaspersky:

  • Never pay scammers; that would only encourage the extortionists even more.
  • Do not respond to the e-mail, even if you really want to prove to the author that your name is in the “case file” by mistake. By doing so, you would be confirming that your address is valid and provoke an even greater wave of spam. For the same reason, do not try to troll the scammers.
  • Close the message and mark it as spam — this will help the spam filter to do its job better.

Pierluigi Paganini

(SecurityAffairs – sextortio, scam)

The post CIA sextortion campaign, analysis of a well-organized scam appeared first on Security Affairs.

Retro video game website Emuparadise suffered a data breach

Retro video game website Emuparadise revealed to have suffered a data breach that exposed 1.1 Million accounts back in April 2018.

Emuparadise is a website that offers tons of roms, isos and retro video games, users can download and play them with an emulator or play them with the web browser.

The security breach occurred in April 2018 and exposed account information for approximately 1.1 million Emuparadise forum members.

Since August 2018, Emuparadise no longer host game ROMs, anyway it continued to offer any kind of info for retro video games and operated community forums.

Emuparadise hacki

Over the weekend, some Emuparadise forum members reported to have received data breach notification notices from the popular services Have I Been Pwned and HackNotice. The notices notify them of the security breach and inform them that their data were exposed as part of the data breach that occurred in April 2018.

The notice issued by the service Have I Been Pwned states that 1,131,229 accounts from Emuparadise forums were exposed in an incident occurred in April 2018. The forums run on a vBulletin CMS, a very popular platform, but older versions are known to be vulnerable to several issues.

HIBP received the data from dehashed.com on June 9th, 2019, exposed info includes mail addresses, IP address, usernames and passwords stored as salted MD5 hashes.

“In April 2018, the self-proclaimed “biggest retro gaming website on earth”, Emupardise, suffered a date breach.” states Have I Been Pwned. “The compromised vBulletin forum exposed 1.1 million email addresses, IP address, usernames and passwords stored as salted MD5 hashes.

At the time of writing, it is not known how DeHashed obtained the huge trove of data.

Experts pointed out that Emuparadise data are offered for sale in the cybercrime underground and on hacking forums since early 2019.

Pierluigi Paganini

(SecurityAffairs – Emuparadise, hacking)

The post Retro video game website Emuparadise suffered a data breach appeared first on Security Affairs.

Spain extradites 94 Taiwanese to China phone and online fraud charges

Spanish authorities extradited 94 Taiwanese to China to face telephone and online fraud charges, Taiwan’s Foreign Ministry expressed a strong regret.

Spain extradited 94 Taiwanese to China to face telephone and online fraud charges, the indicted were transferred via plane by officials.

“The suspects arrived Friday morning at Beijing airport on a chartered flight. Footage on state broadcaster CCTV showed uniformed officers escorting them off the China Eastern plane one-by-one.” reads a post published by the AP press.

The Taiwan Central News Agency reported that Taiwan’s Foreign Ministry expressed “serious concern and strong regret.”

The investigation on the scam operations in Spain started in 2016, crooks targeted victims in China. A joint operation conducted by Chinese and Spanish Police allowed the identification of the people involved. In December, authorities raided 13 sites in Madrid, Barcelona and other cities in Spain.

These arrests could be considered as the result of the first joint operation conducted by China with a European country against telecom fraud.

According to the Chinese Public Security Ministry, the telephone and online frauds allowed the suspects to earn 120 million yuan ($17 million).

In the fraud scheme, the criminals impersonate Chinese authorities and attempt to trick victims into transferring money to accounts controlled by the scammers.

“Similar scams operate from several countries and usually prey on Chinese.” continues the AP. “The callers typically masquerade as Chinese authorities and pressure or persuade the victims to transfer money to the scammers’ accounts.”

Spainish authorities already extradited 225 suspects, 218 of which are Taiwanese.

Even is Taiwan split from China in 1949 during a civil war, Beijing still considers the country as part of its territory. The two governments signed an agreement in 2009 to join the efforts in the fight against the crime.

The tension between the countries peaked after the election of Taiwanese President Tsai Ing-wen, that is not considered aligned with Chinese politic.

Chinese authorities asked foreign countries, including Spain, to move criminals to China where they would face severe sentence.

Taiwan evidently doesn’t agree with the decision of Spain authorities of extraditing the suspects to China, instead of its country.

Liu Zhongyi, the deputy director of the Chinese Criminal Investigation Bureau, highlighted the difficulties associated with international investigations that involve differed law frameworks implemented by different states, such as China and Spain.

“We have overcome various difficulties,” Zhongyi told CCTV.

Liu explained that many other criminal gangs operating in the China-Myanmar border area and in Southeast Asia are targeting Chinese citizens.

Pierluigi Paganini

(SecurityAffairs – phone scam, online fraud)

The post Spain extradites 94 Taiwanese to China phone and online fraud charges appeared first on Security Affairs.

Crooks stole about $10 million from GateHub cryptocurrency wallet service

Cyber criminals stole 3.2 million Ripple coins (XRP), worth nearly $10 million, from the users of the GateHub cryptocurrency wallet service.

A new cyber heist made the headlines, crooks stole 3.2 million Ripple coins (XRP), worth nearly $10 million, from the users of the GateHub cryptocurrency wallet service.

“Recently, we have been notified by our customers and community members about funds on their XRP Ledger wallets being stolen and immediately started monitoring network activity and conducted an extensive internal investigation.” reads a preliminary statement published by GateHub.

“Although we have not identified any action or omission by GateHub that may have facilitated or allowed this apparent theft to occur, we apologize deeply to all of our customers for this issue and pledge to get to the bottom of it.”

GateHub

The company pointed speculate the attackers might have abused API to steal the funds. GateHub explained that each API requests to the victim’s accounts were authorized with a valid access token. The company did not observe suspicious logins or evidence of brute force attacks, however, its staff noticed an increased amount of API calls using valid access tokens.

The suspicious requests were originated from a limited number of IP addresses likely compromised by the attackers. At the time, it is still unclear how the attackers have decrypted the secret keys. The company disabled all the access tokens on June 1st.

“We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys,” continues the statement.

“That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1st after which the suspicious API calls were stopped,”

The community member Thomas Silkjær who, one of members who warned GateHub about the theft, published a report on incident. that:

“On June 1 we were made aware of a theft of 201,000 XRP … and immediately started investigation. It turned out that the account robbed was managed through Gatehub.net, and that the offending account (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k) had stolen substantial amounts from several other XRP accounts, likely to be or have been managed through Gatehub.net.” reads the report.

The experts identified several other accounts connected to the cyber heists, for a total of 12 primary suspect accounts.

“From analysing access logs by victims and transactions made on the XRP ledger, it does not appear that any accounts were breached on gatehub.net directly, using client login credentials.” states the researcher.

The community member was not able to discover the root cause of the hack, it explored various options including repeating nonces, a bad practice in handling RippleTrade migration of user accounts, Browser client hacking, and also the leak of an old data base containing encrypted private keys.

GateHub immediately notified law enforcement, an investigation is still ongoing.

Pierluigi Paganini

(SecurityAffairs – hacking, GateHub)

The post Crooks stole about $10 million from GateHub cryptocurrency wallet service appeared first on Security Affairs.

BlackSquid malware uses multiple exploits to drop cryptocurrency miners

A new piece of malware appeared in the threat landscape, dubbed BlackSquid it targets web servers with several exploits to deliver cryptocurrency miners.

Security experts at Trend Micro have discovered a new Monero cryptomining miner, dubbed BlackSquid, that is targeting web servers, network drives, and removable drives.

The new piece of malware leverages many exploits to compromise target systems and implements evasion techniques to avoid detection.

According to the experts, BlackSquid has worm-like propagation capabilities and it can be used to launch brute-force attacks.

“This malware, which we named BlackSquid after the registries created and main component file names, is particularly dangerous for several reasons.” states Trend Micro. “It employs anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to continue with installation or not. It also has wormlike behavior for lateral propagation.”

The peculiarity of the BlackSquid malware is the employment of a set of the most dangerous exploits

While many forms of malicious code will employ one or two exploits for known vulnerabilities in popular systems, BlackSquid differs in this regard. 

The list of exploits used by the malware includes EternalBlue, DoublePulsar; exploits for CVE-2014-6287, Tomcat arbitrary file upload vulnerability CVE-2017-12615, CVE-2017-8464; and three ThinkPHP exploits for different versions of the framework.

The threat is delivered via infected webpages, exploits, or through removable network drives.

BlackSquid leverages the GetTickCount API to randomly select IP addresses of a web server and to attempt to infect them.

The malware implements anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to deliver the miner or not.

“Simultaneous with its attacks, BlackSquid also downloads and executes two XMRig cryptocurrency-mining components.! continues the analysis. “The miner in resource is the primary miner used, but it also determines if the targeted system has a video card. If the system checks for Nvidia and AMD video cards using WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation), the malware downloads the second component into the system to mine for graphics processing unit (GPU) resource.”

The malware halts the infection routine if at least one of the following conditions is met:

  • The victim’s username is included in a list of common sandbox usernames:
  • The disk drive model is equal to one included in a specific list;
  • The device driver, process, and/or dynamic link library is one of a specific list used by the malicious code.

BlackSquid exploits the EternalBlue-DoublePulsar exploits (MS17-010 SMB RCE exploit) to propagate through the target network. The malware uses the remote code execution (RCE) flaw to gain the same user rights as the local system user.

If the infected system has a video card such as Nvidia and AMD video cards using WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation), the malicious code downloads a second component into the system to mine for graphics processing unit (GPU) resource.

Trend Micro says that the majority of BlackSquid attacks have, so far, been detected in Thailand and the United States. The last week of May is the most active period on record.

The presence of coding errors and skipped routine suggests that BlackSquid is still in the process of development and testing.

“Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).” concludes Trend Micro.

“But considering the erroneous code and purposely skipped routines, we also think that the cybercriminals behind this malware are likely in the development and testing stages;”

Pierluigi Paganini

(SecurityAffairs – BlackSquid, hacking)

The post BlackSquid malware uses multiple exploits to drop cryptocurrency miners appeared first on Security Affairs.

2018 in numbers: Data breaches cost $654 billion, expose 2.8 billion data records in the U.S.

Cybercriminals exposed 2.8 billion consumer data records in 2018, costing over $654 billion to U.S. organizations, according to ForgeRock. Cyberattacks to U.S. financial services organizations cost the industry over $6.2 billion in Q1 2019 alone, up from just $8 million in Q1 2018. Even though investments in information security products and services have been on the rise, with $114 billion invested in 2018, cybercriminals continue to attack organizations across a wide spectrum of industries to … More

The post 2018 in numbers: Data breaches cost $654 billion, expose 2.8 billion data records in the U.S. appeared first on Help Net Security.

Despite disclosure laws, cybercrime may be widely underreported

While attack vectors remain largely the same year over year, attack volume will increase and cybercrime may be vastly underreported, according to the 2019 State of Cybersecurity Study from global IT and cybersecurity association ISACA. “Underreporting cybercrime – even when disclosure is legally mandated – appears to be the norm, which is a significant concern,” said Greg Touhill, Brigadier General (ret), ISACA Board Director, president of Cyxtera Federal and the first US Federal CISO. “Half … More

The post Despite disclosure laws, cybercrime may be widely underreported appeared first on Help Net Security.

The Cost of Cybercrime

Really interesting paper calculating the worldwide cost of cybercrime:

Abstract: In 2012 we presented the first systematic study of the costs of cybercrime. In this paper,we report what has changed in the seven years since. The period has seen major platform evolution, with the mobile phone replacing the PC and laptop as the consumer terminal of choice, with Android replacing Windows, and with many services moving to the cloud.The use of social networks has become extremely widespread. The executive summary is that about half of all property crime, by volume and by value, is now online. We hypothesised in 2012 that this might be so; it is now established by multiple victimisation studies.Many cybercrime patterns appear to be fairly stable, but there are some interesting changes.Payment fraud, for example, has more than doubled in value but has fallen slightly as a proportion of payment value; the payment system has simply become bigger, and slightly more efficient. Several new cybercrimes are significant enough to mention, including business email compromise and crimes involving cryptocurrencies. The move to the cloud means that system misconfiguration may now be responsible for as many breaches as phishing. Some companies have suffered large losses as a side-effect of denial-of-service worms released by state actors, such as NotPetya; we have to take a view on whether they count as cybercrime.The infrastructure supporting cybercrime, such as botnets, continues to evolve, and specific crimes such as premium-rate phone scams have evolved some interesting variants. The over-all picture is the same as in 2012: traditional offences that are now technically 'computercrimes' such as tax and welfare fraud cost the typical citizen in the low hundreds of Euros/dollars a year; payment frauds and similar offences, where the modus operandi has been completely changed by computers, cost in the tens; while the new computer crimes cost in the tens of cents. Defending against the platforms used to support the latter two types of crime cost citizens in the tens of dollars. Our conclusions remain broadly the same as in 2012:it would be economically rational to spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more on response. We are particularly bad at prosecuting criminals who operate infrastructure that other wrongdoers exploit. Given the growing realisation among policymakers that crime hasn't been falling over the past decade, merely moving online, we might reasonably hope for better funded and coordinated law-enforcement action.

Richard Clayton gave a presentation on this yesterday at WEIS. His final slide contained a summary.

  • Payment fraud is up, but credit card sales are up even more -- so we're winning.

  • Cryptocurrencies are enabling new scams, but the bit money is still being list in more traditional investment fraud.

  • Telcom fraud is down, basically because Skype is free.

  • Anti-virus fraud has almost disappeared, but tech support scams are growing very rapidly.

  • The big money is still in tax fraud, welfare fraud, VAT fraud, and so on.

  • We spend more money on cyber defense than we do on the actual losses.

  • Criminals largely act with impunity. They don't believe they will get caught, and mostly that's correct.

Bottom line: the technology has changed a lot since 2012, but the economic considerations remain unchanged.

The Guardian view on cybercrime: the law must be enforced | Editorial

Governments and police must take crime on the internet seriously. It is where we all live now

About half of all property crime in the developed world now takes place online. When so much of our lives, and almost all of our money, have been digitised, this is not surprising – but it has some surprising consequences. For one thing, the decline in reported property crimes trumpeted by successive British governments between 2005 and 2015 turns out to have been an illusion. Because banks were not required to report fraud to the police after 2005, they often didn’t. It would have made both banks and police look bad to have all that crime known and nothing done about it. The cost of the resulting ignorance was paid by the rest of government, and by the public, too, deprived of accurate and reliable knowledge. Since then, the total number of property crimes reported has risen from about 6m to 11m a year as the figures have taken computerised crime into account.

The indirect costs to society are very much higher than the hundreds of millions that individuals lose. One example is the proliferation of plagiarism software online, which developed an entire industry in poor, English-speaking countries like Kenya, serving idle or ignorant students in England and North America. The effort required by schools and universities to guard against such fraud has been considerable, and its cost entirely disproportionate to the gains made by the perpetrators.

Continue reading...

Leicester City Football Club disclosed a card breach

Leicester City Football Club disclosed a card breach that affected its website, hackers stole payment card data, including card numbers and CVVs.

Leicester City Football Club revealed that hackers have breached its website (https://shop.lcfc.com/) and stole credit card data of people that bought products disclosed a card breach that affected its website, hackers stole payment card data, including card numbers and CVVs.

leicester city

According to the club, the card breach affected some users between April 23 and May 4, the company already notified the supporters whose details were compromised.

The club also informed the authorities and the Information Commissioners Office (ICO), it also launched an immediate investigation.

“Upon discovery of the breach, the security of our retail platform was immediately restored and appropriate measures were taken to ensure the security of all other online assets.” reads the statement issued by the company.

Exposed data includes card number, name of card holder, expiry date and CVV.

“Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.” reads the email sent to the customers.

At the time of writing, there is information about the attack and the way hackers breached the website of the English club, it is also not clear how many supporters have been impacted.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Leicester City Football Club, card breach)

The post Leicester City Football Club disclosed a card breach appeared first on Security Affairs.

GandCrab operators are shutting down their operations

GandCrab first appeared in the threat landscape in early 2018 and continuously evolved over time. Now operators are shutting down their operations.

Early 2018, experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web. The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

In more than one year its operators released several versions with numerous enhancements, but now they are shutting down their operation and affiliates are being told to stop distributing the ransomware.

In October 2018, experts at the Cybaze Z-Lab have analyzed one of the latest iterations of the infamous GandCrab ransomware, the version 5.0.

Security researchers Damian and David Montenegro, who follow the evolution of the GandCrab since its appearance, the GandCrab operators announced their decision of shutting down their operation in a post in popular hacking forums:

The operators revealed they have generated more than $2 billion in ransom payments, earning on average of $2.5 million dollars per week. The operators revealed to have earned a net of $150 million that now have invested in legal activities.

GandCrab shutdown

Anyway, experts believe that the claims of $2 billion are not real, below an excerpt from a post published by Bleeping Computer:

“While the operators behind GandCrab most likely made many millions of dollars, the claims of $2 billion in ransom payments are very likely to be untrue.”

Operators will no more promote the GandCrab ransomware and asked the affiliates to stop distributing it within 20 days.

They are also warning victims that time is running out and they have to pay the ransom as soon as possible to avoid to lose their file forever.

It is not clear if the operators will release the keys after they will go out of the business.

Stay tuned …

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – GandCrab ransomware, malware)


The post GandCrab operators are shutting down their operations appeared first on Security Affairs.

Checkers double drive-thru restaurants chain discloses card breach

Checkers and Rally’s, one of the largest chains of double drive-thru restaurants in the United States, disclosed a credit card breach.

“We recently became aware of a data security issue involving malware at certain Checkers and Rally’s locations.” reads a breach notice published by the company. “After discovering the issue, we quickly engaged leading data security experts to conduct an extensive investigation and coordinated with affected restaurants and federal law enforcement authorities to address the matter.”

According to the security notice, crooks breached the systems of the company and planted a PoS malware in its payments processing system allowing an unauthorized party to siphon payment card data of some guests. The malware only infected the point-of-sale systems at some Checkers and Rally’s locations.

“The malware was designed to collect information stored on the magnetic stripe of payment cards, including cardholder name, payment card number, card verification code and expiration date.” continues the notice. “Based on the investigation, we have no evidence that other cardholder personal information was affected by this issue.”

The company provided a list of the affected locations and the estimated windows of exposure during which the PoS malware was used to steal the guests’ card data.

102 restaurants have been impacted, roughly 15% of all of the locations.

Most of the impacted locations have been infected with the PoS malware between early 2018 and 2019, the list also includes some locations compromised back in 2017, and one infection dates back September 2016.

Checkers declared that the malicious code was completely removed from the payment systems in April 2019.

The company reported the card breach to the authorities and hired third-party security experts to contain and remove the malware

“After identifying the incident, we promptly launched an extensive investigation and took steps to contain the issue. We also are working with federal law enforcement authorities and coordinating with the payment card companies in their efforts to protect cardholders,” reads the notice Checkers. “We encourage you to review your account statements and contact your financial institution or card issuer immediately if you identify an unauthorized charge on your card. The payment card brands’ policies provide that cardholders have zero liability for unauthorized charges that are reported in a timely manner.”

The company encourages potentially affected guests to review their account statements and contact their financial institution or card issuer immediately if they identify an unauthorized charge on card.

Clients are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. 

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Checkers, card breach)

The post Checkers double drive-thru restaurants chain discloses card breach appeared first on Security Affairs.

Many are seeing the damage of cybercrime and identity theft firsthand

As massive data breaches continue to make international headlines and the Internet is an integral part of our daily lives, consumers are now grasping the risks they face. In a new F-Secure survey, 71% of respondents say they feel that they will become a victim of cybercrime or identity theft, while 73% expressed similar fears about their kids. “These findings are absolutely staggering and show many people are seeing the damage of cybercrime or identity … More

The post Many are seeing the damage of cybercrime and identity theft firsthand appeared first on Help Net Security.

When it comes to email-based threats, Emotet dominates

Emotet displaced credential stealers, stand-alone downloaders and RATs and became the most prominent threat delivered via email, Proofpoint has shared. According to the firm’s statistics, in Q1 2019 a whooping 61 percent of all malicious payloads distributed via email were Emotet. The nature of the malicious payloads Emotet started its life as a banking Trojan, but has morphed over time and became a malware multi-tool, capable of downloading additional malware, stealing passwords, performing brute-force attacks … More

The post When it comes to email-based threats, Emotet dominates appeared first on Help Net Security.

TA505 is expanding its operations

An attack against an Italian organization lead the experts at Yoroi-Cybaze ZLab to shed the light on ongoing operations attributed to TA505.

Introduction

In the last few days, during monitoring activities, Yoroi CERT noticed a suspicious attack against an Italian organization. The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution, discovering a potential expansion of the TA505 operation. The threat group is also known for its recent attack campaign against Bank and Retail business sectors, but the latest evidence indicates a potential expansion of its criminal operation to other industries too.

Technical Analysis

Hash0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273
ThreatDropper
Brief DescriptionExcel file with malicious macro
Ssdeep3072:Mc38TehYTdeHVhjqabWHLtyeGxml8/dgzxXYhh3vVYwrq 8/P5HKuPF1+bkm13Kkf:B38TehYTdeHVhjqabWHLty/xml8/dgNr

Table 1. Information about initial dropper

The intercepted attack starts with a spear-phishing email embedding a spreadsheet. The document is weaponized with malicious macro code triggered when the user opens the document to see the content under the obfuscated view.

Figure 1. XLS document

To understand its capabilities, the macro code has been isolated and analyzed in detail. Part of the macro’s content is shown in the following figure.

Figure 2. Part of extracted macro

Surprisingly, the source code is composed by more than 1600 lines of code and it is highly obfuscated. Paying more attention during the code analysis, we discovered that it is full of junk instructions used to declare and initialize variables never used, as shown in Figure 2. Only a small portion of this code is actually used to start the infection, the rest is just junk code.

Figure 3. Example of junk instructions used in macro

Once the macro is executed, the malware downloads two files from “kentona[.su”, using an SSL encrypted communication, and stores them in “C:\Users\Public” path: “rtegre.exe” and “wprgxyeqd79.exe”.

Hashaafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7
ThreatGeneric
Brief DescriptionTrojan/Downloader (Executable file)
Ssdeep12288:3gL3qJxG5hfNV6oYYbDRcY4KhbmwPMCchbjBxwhrVm HAyzNkyRJK7hRMCQ:3mqkhfzYZY4kmgsbdm2HAENk0K7Dm

Table 2. Information about “rtegre.exe” downloaded from “kentona[.su”

Hash6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2
ThreatTrojan
Brief DescriptionSFX (self-extracting archive) (Executable file)
Ssdeep49152:sIWB74MncmEWy4i1LkjoAwG2PI/mfqtftvMKcr+7Ao95 xQW1vB38PELaacVzWTV3:sICtHsJoMAwG

Table 3. Information about “wprgxyeqd79.exe” (SFX) downloaded from “kentona[.su”

Figure 4. Files contained in “wprgxyeqd79.exe” (SFX)

The “wprgxyeqd79.exe” sample actually is a Self Extracting Archive (SFX/SFA) containing four files designed to be extracted in the %TEMP% folder. After that, it executes “exit.exe” which launches the “i.cmd” batch script.  

Figure  5. “i.cmd” script contained in “pasmmm.exe”

This new script performs a ping to “www[.cloudflare[.com” for three times with a delay of 3000ms, testing the connectivity of the victim machine. If the host is successfully reached, the script renames a file named “kernel.dll”, obviously not the real one, in “uninstall.exe”, another misleading name. Then it invokes the renamed executable and runs it passing a series of parameter: “uninstall.exe x -pQELRatcwbU2EJ5 -y”

These parameters are needed to self-decrypt the “uninstall.exe” file which is again another SFX archive. The “-p” parameter, indeed, specify the password of the archive to be extracted. The crucial file, at this point of the infection, is the SFX executable named “uninstall.exe”. It has a structure similar to previous “wprgxyeqd79.exe” file: two of their files have the same name, but the content of this new SFX is extracted in the “%ALLUSERSPROFILE%\Windows Anytime Upgrade” directory.

Figure 6. Files contained in “uninstall.exe” (SFX)

Another time, the execution flow moves from “exit.exe to “i.cmd”. The script is quite different from the previous one: it guarantees its persistence on the victim machine through the setting of “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key, creating a new entry named “Windows Anytime Upgrade” which points to “winserv.exe”, just stored into the same folder. Thus, the script provides to run “winserv.exe”.

Figure 7. “i.cmd” script contained in “uninstall.exe”

An interesting part of the script is the continuous killing of every “rundll32.exe” process running into the victim machine, generates a huge amount of noise, as visible in the following process explorer view.

:Repeat
taskkill /f /im “rundll32.exe” || goto :Repeat

Figure 8. List of malware’s processes

Anyway, just before the kill loop, the real malicious payload is executed: the  “winserv.exe” file. Analyzing it in depth, we discover it actually is the RMS (Remote Manipulator System) client by TektonIT, encrypted using the MPress PE compressor utility, a legitimate tool, to avoid antivirus detection.

Figure 9. Information about MPress packer used in “winserv.exe” payload

TektonIT RMS acts as a remote administration tool, allowing the attacker to gain complete access to the victim machine. Together with the RMS executable, there is another file named “settings.dat”containing the custom configuration prepared by the attacker. It contains information like:

  • Server address and port the client will connect to
  • The password chosen by the attacker for the remote access
  • The ID associated to the victim client

All these information are automatically loaded by the RMS executable and firstly stored in the registry key “HKCU\Software\tektonik\Remote MANIPULATOR System\Host\parameters”. At the next startup, the software will directly load the configuration from the just created key.

Figure 10. Registry key set by “winserv.exe” (on the left); “settings.dat” file (on the right)

The client establishes a new connection with the remote command and control server hosted on a Bulgarian remote host 217.12.201.159, part of a Virtual Dedicated Server subnet of the AS-21100, operated by ITL LLC.

Figure 11. C2’s parameters

The attack is composed by a complex flow we synthesize in the following scheme:

Figure 12. Complete infection chain

The TA505 Connection

After the reconstruction of the full infection chain, we noticed strong similarities with a recent spear-phishing attack campaign against an unspecified US retail company. The attack, as stated by CyberInt, leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operation all around the world, threatening a wide range of high profile companies, active since 2014.

Figure 13. Comparison between infection chains

The comparison of the infection chains reveals in both cases the attacker used a couple of SFX stages to deploy the “RMS” software: a legitimate remote administration tool produced by the Russian company “TektonIT”. The tool is able to grant remote access and full, direct control of the infected machine to the group. Also, some code pieces are directly re-used in the  analyzed campaigns, such as the “i.cmd” and “exit.exe” files, and, at the same time, some new components have been introduced, for instance the “rtegre.exe” and the “veter1605_MAPS_10cr0.exe” file.

During the analysis, we also noticed the “veter1605_MAPS_10cr0.exe” file slightly changed run after run, a few hours after the initial discovery the infection chain dropped it with different icons, different suffix, from “cr0” to “cr24”, and appendix from “veter1605_” to “veter2005_”. This may indicate the campaign is still ongoing.

Conclusion

The TA505 group is one of the most active threat groups operating since 2014, it has traditionally targeted Banking and Retail industries, as we recently documented during the analysis of the “Stealthy Email Stealer” part of their arsenal. The peculiarity of this recent attack wave is it actually hit a company not strictly in the Banking or Retail sector, as they recently did, suggesting the threat group could be potentially widening their current operations.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

https://blog.yoroi.company/research/gobrut-a-new-golang-botnet/

Pierluigi Paganini

(SecurityAffairs – TA505, hacking)

The post TA505 is expanding its operations appeared first on Security Affairs.

Police seized Bestmixer, the mixing service washed at least $200 million in a year

European law enforcement seized and shut down Bestmixer.io for reportedly laundering over $200 million in cryptocurrency.

This week the Europol has dealt another blow to cybercrime, the European police along with the Dutch Fiscal Information and Investigation Service (FIOD), and Luxembourg authorities shut down Bestmixer.io, on one of the world’s leading cryptocurrency mixing services.

A mixing service (aka cryptocurrency tumbler) mixes potentially identifiable or ‘tainted’ cryptocurrency funds with others, making hard to trail back to the fund’s original source. Operators behind mixing services maintain a fee from the original funds.

“A mixing service will cut up a sum of Bitcoins into hundreds of smaller transactions and mixes different transactions from other sources for obfuscation and will pump out the input amount, minus a fee, to a certain output address. Mixing Bitcoins that are obtained legally is not a crime but, other than the mathematical exercise, there no real benefit to it.” reads a blog post published by McAfee.

“The legality changes when a mixing service advertises itself as a success method to avoid various anti-money laundering policies via anonymity. This is actively offering a money laundering service.”

Back in 2018, FIOD launched an investigation, with the support of the security firm McAfee, that led in the seizure of six servers in the Netherlands and Luxembourg.

BestMixer.io

“Today, the Dutch Fiscal Information and Investigation Service (FIOD), in close cooperation with Europol and the authorities in Luxembourg, clamped down on one of the world’s leading cryptocurrency mixing service Bestmixer.io.” reads the press release published by the Europol.

Bestmixer.io

Bestmixer.io was launched in May 2018, it offered services for mixing the cryptocurrencies bitcoins, bitcoin cash, and litecoins.

Immediately after the launch, the police began investigating the activity of the mixing service.

The numbers behind the service are impressive, it reached a turnover of at least $200 million (approx. 27,000 bitcoins) in 12 months. Of course, the mixing service ensured the total anonymity of its customers.

“The investigation so far into this case has shown that many of the mixed cryptocurrencies on Bestmixer.io had a criminal origin or destination,” continues the Europol. “In these cases, the mixer was probably used to conceal and launder criminal flows of money.”

The Dutch FIOD is investigating data related to all the interactions on this service in the past year. Investigators obtained IP-addresses, transaction details, bitcoin addresses and chat messages associated with the interactions.

“This information will now be analysed by the FIOD in cooperation with Europol and intelligence packages will be shared with other countries.” concludes the press release.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Bestmixer .io, cybercrime)

The post Police seized Bestmixer, the mixing service washed at least $200 million in a year appeared first on Security Affairs.

How Hackers Access Direct Deposit Paycheck — And What to Do About It

Getting your paycheck deposited directly into your bank account seems like a handy solution but in some cases. hackers can access them.

Getting your paycheck deposited directly into your bank account seems like a handy solution because you don’t have to pick up the check from your workplace and take it to the bank to deposit it. It works well in many cases but is not immune to hackers.

Hackers Do a Payroll Diversion Through Phishing

A direct deposit paycheck hack involves getting the necessary details from the victim through a phishing scheme. According to a statement about from the FBI’s Internet Crime Complaint Center (IC3), cybercriminals orchestrate the phishing attempt — which the FBI calls a “payroll diversion” — to get the details for a person’s online payroll account.

Once successful, the hacker changes the account details for the direct deposit payments to an account they control. The FBI notes that the hacker’s account often connects to a prepaid credit card instead of a traditional bank account. Moreover, the cybercriminal applies a rule so that the rightful direct deposit recipient does not get a notification about the account change.

An Increasingly Attempted Hack

This method hackers use likely won’t come as a surprise when you consider a few recent statistics about phishing. When PhishLabs published findings from its most recent report, it revealed that phishing attacks in 2018 went up by 40.9%. Plus, in 83.9% of cases, hackers aimed to get user credentials for various services, including payment-related ones.

And, the PhishLabs report showed 98% of the phishing emails that made it past enterprise-level email security controls did not contain malware. A different phishing study from Barracuda explained why hackers don’t need malware to cause damage. Instead, they use social engineering to pose as a person or company that the victim knows and responds to without question.

Those efforts fall into the business email compromise (BEC) category. Barracuda’s study examined 3,000 such attacks. It found that 60% percent did not contain links. But, they often had personalized information such as the victim’s name or a question related to the person’s work.

Even worse, hackers tweaked the email addresses to make them appear as being from legitimate people in the company. Typically, the hackers set up accounts with free email services and create accounts containing a real employee’s name. That’s enough genuine information for the recipients to act without looking at the rest of the email address too closely.

Trustwave covered BEC payroll hacks in a blog post and mentioned that cybercriminals often make the phishing emails seem to originate from a company’s CEO and go to a human resources or accounting manager, or someone else with the ability to alter an employee’s direct deposit account information. The hackers also perform research to determine which parties have the authority to make such changes before sending the emails.

Payroll Companies and Employers Can Commit Fraud Too

Most of the content here focuses on cybercriminals going through the process to steal direct deposit details. But, that’s not the only kind of payroll fraud that could happen. Unfortunately, some payroll companies that enterprises work with have bad actors in them that figure out various ways to keep workers from their money. Or, the employers themselves give false information about the number of employees on the payroll.

One incident committed by a payroll company in Australia resulted in the equivalent of a $122.5 million USD tax fraud. That incident is a strong reminder that whether companies have employees only in the U.S. or working elsewhere in the world, it’s crucial to do business with a trustworthy vendor who knows the global business realm. Choosing a United States-headquartered company is also smart due to the security and protection that U.S. jurisdiction offers.

How to Stay Safe From Payroll Diversion Fraud

Statistics from 2016 indicate 82% of Americans receive their paychecks via direct deposit. So, it’s not surprising that hackers try this paycheck diversion tactic. Knowing the information here, what can you do to stay safe and increase the chances of having access to your money as expected?

Firstly, if you are in a position of authority and get a request from someone asking for a direct deposit account change, don’t respond to the email in an act of blind trust. If possible, contact that person through another method, such as by phone or approaching them in person to verify that they truly sent the message. Do the same if someone from payroll emails you asking for your direct deposit details to “update their records.”

Another thing you can do is check the structure of the email. As mentioned earlier, the emails used for this kind of BEC trick normally have at least one component that’s not quite right. For example, it may have a person’s name but come from a free email service instead of the company domain.

It’s also ideal at a company level if employees get educated about how to recognize this kind of fraud and get information about the steps they should go through if they receive suspicious emails of any kind. For example, they could forward any strange emails about payroll details or otherwise to the IT department for further review.

Think Before You Act

Getting paid on time is a top concern for most people. But, even if you get an email that insists you need to provide the requested details to avoid payment delays, it’s best to investigate further before responding.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

About the author

about paycheck

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – Paycheck, cybercrime)



The post How Hackers Access Direct Deposit Paycheck — And What to Do About It appeared first on Security Affairs.

Cybercriminals continue to evolve the sophistication of their attack methods

Cybercriminals continue to evolve the sophistication of their attack methods, from tailored ransomware and custom coding for some attacks, to living-off-the-land (LoTL) or sharing infrastructure to maximize their opportunities, according to the Fortinet latest report. Pre- and post-compromise traffic Research to see if threat actors carry out phases of their attacks on different days of the week demonstrates that cybercriminals are always looking to maximize opportunity to their benefit. When comparing Web filtering volume for … More

The post Cybercriminals continue to evolve the sophistication of their attack methods appeared first on Help Net Security.

Fake Cryptocurrency Scammed 55,000 investors for over $200 million

The cryptocurrency crime cartel has been shut down after more than 55,000 investors were conned for more than $ 200 million. Brazilian police arrested 10 people suspected of operating an $ 850 million ($ 210 million) pyramid cryptocurrency scheme. This was reported by local media such as Correido Do Povo on May 21st.

As part of the Egyptian operation, to unveil unapproved financial schemes, the Brazilian tax authorities, together with the police, organized a crackdown against the figures on which the transaction was based and raised funds from 55,000 investors.

They attracted victims with the promise of a 15% payment the first month after investing in the crypto scheme.

In total, the investigation involved 13 individuals and five legal entities.

“The problem with this company is that it was acting without the authorization,” Correido Do Povo quotes Delegate Eduardo Dalmolin Boliis of the federal police’s Office of Corruption and Financial Crimes as saying.

On the basis of a traditional financial pyramid, seizures of the assets of those involved showed that the company could not honor all the withdrawals of its investors at the same time.

They also invested in luxury goods, including 30 cars and gems, which were subsequently confiscated.

The news comes in the same week when the United States is acting against a Ponzi scheme linked to a cryptocurrency allegedly backed by diamonds. In this case, the network operators would have persuaded domestic and foreign customers spend about $ 30 million over several years.

The use of cryptocurrency is not illegal in Brazil. Police are trying to repeat the impetus for the raid on the contracts, which is based on the lack of legality of the company.

Related Resources:

The Impact of Cryptocurrency Attacks on Cryptocurrency Exchange

4 Effective Ways on How to Prevent Cryptocurrency Mining Infection

Macos Malware Targets Cryptocurrency Exchanges

Cryptocurrency Mining Service Coinhive Set to Shut Down

The post Fake Cryptocurrency Scammed 55,000 investors for over $200 million appeared first on .

The Satan Ransomware adds new exploits to its arsenal

A variant of the Satan ransomware recently observed includes exploits to its arsenal and targets machines leveraging additional flaws.

Experts at FortiGuard Labs have discovered a new variant of the Satan ransomware that includes new exploits to its portfolio and leverages additional vulnerabilities to infect as many machines as possible.

The Satan ransomware first appeared in the threat landscape in January 2017 when the independent malware research @Xylit0l discovered it. The ransomware belongs to the Gen:Trojan.Heur2.FU family and was offered as a RaaS (Ransomware-as-a-Service).


The Satan ransomware used RSA-2048 and AES-256 cryptography, it appends the names of encrypted files with the “.stn” extension.

Satan Ransomware

Since its discovery, the malware was costantly updated, in one of the campaigns monitored by Fortinet, it utilized a cryptominer as an additional payload to maximize its profits.

The Satan ransomware targets both Linux and Windows machines, it attempts to exploit a large number of vulnerabilities to propagate itself through public and external networks. 

The initial spreader can propagate via both private and public networks. The Windows component there were no specific changes and the ransomware still leverages the NSA EternalBlue exploit
In order to target public IPs, the spreader retrieves the list of targets from the C2 server and iterates through all of them. All the attacks observed by Fortinet originated from IP addresses located in China.

“Its initial spreader, conn.exe on Windows and conn32/64 on Linux, is capable of propagating through both private and public networks. In older campaigns, its Linux component (conn32/64) only propagates through non-Class A type private networks. However, it has recently been updated and now supports both private and public network propagation.” reads the analysis published by Fortinet. “For the Windows component (conn.exe), nothing much has really changed, and it even still carries the EternalBlue exploit (from the NSA) and the open-source application Mimikatz.”

The Satan ransomware attempt to exploits a long list of known vulnerabilities, including JBoss default configuration vulnerability (CVE-2010-0738), Tomcat arbitrary file upload vulnerability (CVE-2017-12615), WebLogic arbitrary file upload vulnerability (CVE-2018-2894), WebLogic WLS component vulnerability (CVE-2017-10271), Windows SMB remote code execution vulnerability (MS17-010), and Spring Data Commons remote code execution vulnerability (CVE-2018-1273). 

Both Windows and Linux recent variants observed by the experts include several web application remote code execution exploits. Below the list of new vulnerabilities targeted by the recently discovered varant.

The propagation method implemented performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address
encountered, along with the corresponding hardcoded port list.

“It performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address encountered, along with its corresponding hardcoded port list that is described below.” continues the analysis. “To be more efficient, it implements multi-threading, in which separate threads are spawned for every propagation attempt for every targeted IP and port. “

Experts also observed that Satan ransomware attempts to scan some applications, including Drupal, XML-RPC, Adobe, and notifies the server if an application exists, likely for statistic purpose.

“Satan Ransomware is becoming more and more aggressive with its spreading. By expanding the number of vulnerable web services and applications it targets, it increases its chance of finding another victim and generating more profits.” Fortinet concludes. “In addition, Satan Ransomware has also already adopted the Ransomware-as-a-Service scheme, opening it up to use by more threat actors, which means more attacks and more revenue,”


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Satan Ransomware, malware)

The post The Satan Ransomware adds new exploits to its arsenal appeared first on Security Affairs.

Emsisoft released a free Decrypter for JSWorm 2.0

Good news for the victims of the JSWorm 2.0 ransomware, thanks to experts at Emsisoft they can decrypt their file for free.

Experts at Emsisoft malware research team released a decrypter for a recently discovered ransomware tracked as JSWorm 2.0.

JSWorm 2.0 is written in C++ and implements Blowfish encryption. The first version of the malware was written in C# and used the “.JSWORM” extension. Researchers believe both versions were developed by the same author.

Researchers found notable callouts in two different malware samples naming ID Ransomware and several prominent malware researchers:

“:HI SIRI, DEMONSLAY AND AMIIIIGO!!! HOW ARE YOU?”

and

“:ID-RANSOMWARE, IT’S JUST THE BEGINING [sic] OF SOMETHING NEW…”

Experts pointed out that there have been multiple confirmed submissions to the online service ID Ransomware that allows victims to upload their encrypted files to identify the ransomware that infected their machines. Since January 2019, experts observed encrypted files uploaded from South Africa, Italy, France, Iran, Vietnam, Argentina, United States, and other countries.

“Its files have the “.[ID-<numbers>][<email>].JSWORM” extension and the ransom note file named “JSWORM-DECRYPT.txt.”” reads the post published by Emsisoft.

Once infected a computer, the JSWorm 2.0 ransomware will perform the following actions:

  • Sets the “EnableLinkedConnections” registry key, which allows it to attack mapped drives when ran as admin.
  • Restarts SMB services (lanmanworkstation) to take effect (we are investigating if there’s more to the SMB vector).
  • Stops services for databases (MSSQL, MySQL, QuickBooks), kills shadow copies, disables recovery mode.

Victims of the JSWorm ransomware have to follow the instructions below to decrypt their files for free:

  1. Download the Emsisoft JSWorm 2.0 Decrypter.
  2. Run the executable and confirm the license agreement when asked.
  3. Click “Browse” and select the ransom note file on your computer.
  4. Click “Start” to decrypt your files. Note that this may take a while.
JSWorm decrypter

Done!

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – JSWorm 2.0. ransomware)

The post Emsisoft released a free Decrypter for JSWorm 2.0 appeared first on Security Affairs.

Group-IB blocked more than 180,000 links to pirated copies of Game of Thrones

Since April 2019, Group-IB has successfully blocked more than 43,000 links to pirated copies of the Game of Thrones Season 8 on pirate websites, forums, and social media

As the Game of Thrones saga came to a close (no spoilers here), Group-IB has summed up the results of its anti-piracy campaign during Season 8 of the Game of Thrones – one of the biggest franchises in the TV history. Since April 2019, when the final season premiered, Group-IB Anti-Piracy team has successfully blocked more than 43,000 links to pirated copies of the GOT Season 8 on pirate websites, forums, and social media. Group-IB’s Anti-Piracy team was brought in to protect Game of Thrones against online pirates back in 2015. Since that time, the company’s specialists have blocked more than 180,000 links to illegal copies of Game of Thrones in Russian.

The final GOT Season 8 premiered on 14 April and became one of the show’s most popular seasons not only among fans all over the world, but also among online pirates. Group-IB’s Anti-Piracy team discovered and blocked 43,711 links to pirated Season 8 episodes in Russian. Illegal copies surfaced on pirate websites, forums, and social media. Pirated copies of the GOT Season 8 episodes were spotted on 1,098 different websites, 94 of which were designed exclusively for the distribution of pirated GOT copies.

More than 30,000 unique links to pirated GOT episodes have been removed from the search results of the Russian search engine Yandex. In response to the blocking, online pirates struck back by creating mirrors on a daily basis – copies of their websites with new but very similar domain names. For instance, one of the pirates created more than 20 mirrors on their subdomains. However, according to the pirates’ forum posts, the owners of pirate websites were not ready for the “attack” on them: “Looks like somebody just wiped the links out. Some of the pages disappeared… some of them do not appear in search results”. It is also interesting that some of the groups on VK.com, a Russian social network, removed pirated episodes after receiving complaints and turned into GOT fan pages.

The streaming service Amediateka holds exclusive distribution rights for the Game of Thrones in Russia and since April 2015, when Season 5 premiered, has used the services of Group-IB to fight online pirates distributing illegal copies of the GOT in Russian. Season after season, online pirates’ interest in the show has only been increasing. For example, while Season 5 was broadcast, Group-IB’s Anti-Piracy team detected and removed 2,067 links to illegal copies. Season 7 saw an increase, reaching 12,540 links to pirated episodes detected and blocked. Season 8 set a record of 43,711 links. For the past 4 years, Group-IB detected and blocked more than 180,000 links, including links detected and blocked between the seasons’ airings.

Game of Thrones Season 8

GOT is not the only Amediateka’s show that Group-IB’s Anti-Piracy team protects, but it turned out to be pirates’ favorite one. Pirates’ other top targets include True Detective, with 23,473 pirated links detected and blocked, Billions (20,303 links), The Good Wife (14,541 links), and Westworld, with  12,229 links detected and blocked by Group-IB Anti-Piracy team.

“For us the battle against online pirates, trying to profit off the illegal distribution of the Game of Thrones in Russian, was as fierce as for George R.R. Martin’s characters,” commented Andrey Busargin, Director of Anti-Piracy and Brand Protection at Group-IB. “I would also like to highlight Amediateka’s commitment to counter online piracy in Russia: they brought in Group-IB Anti-Piracy team ahead of time and have been making continuous efforts to popularize legal viewership of the Game of Thrones making it available on its website, in movie theaters all over the country and even on the stadium.”

Group-IB‘s fight against digital piracy started in 2011, when the Anti-Piracy Department was established. Group-IB’s Anti-Piracy team uses unique machine-learning technologies applied in complex investigations of cyberattacks to detect pirate websites, find their owners and block illegal content. Group-IB’s Anti-Piracy system monitors 100,000+ resources in all languages ranging from torrent trackers and streaming services to social media groups and pirate platforms in the DarkNet. The average time to detect the first pirated copy on the Internet is 30 minutes. 80% of pirated links are successfully blocked by Group-IB team within 24 hours of their appearance on the Internet.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

About the author: Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

The report published by Group-IB is available here:

https://www.group-ib.com/resources/threat-research/js-sniffers.html

Pierluigi Paganini

(SecurityAffairs – piracy, Game of Thrones)

The post Group-IB blocked more than 180,000 links to pirated copies of Game of Thrones appeared first on Security Affairs.

Defiant Tech firm who operated LeakedSource pleads guilty

The Royal Canadian Mounted Police (RCMP), announced that the company behind LeakedSource, Defiant Tech Inc., pleads guilty in Canada.

Defiant Tech Inc., the company behind the LeakedSource.com website, pleaded guilty in Canada.

The LeakedSource website was launched in late 2015, in January 2017 the popular data breach notification website has been raided by feds.

It reported some of the largest data breaches, including the ones that affected Last.fmRambler.ruFriendFinder NetworksLinkedIn, and MySpace.

LeakedSource

In December 2017, the Canadian man Jordan Evan Bloom (27) was charged with data leak of 3 billion hacked accounts, the man was running a website to collect personal data and login credentials from the victims.

The man was charged as part of an investigation dubbed “Project Adoration,” aiming at trafficking in personal data, unauthorized use of computers, and possession of an illicitly obtained property.

The RCMP alleges that Bloom was the administrators of the LeakedSource.com website that operated through his company Defiant Tech.

LeakedSource offered for sale access to data gathered data from the victims of security breaches, sometimes buying it from hackers.

For $2 a day, a subscriber at LeakedSource, had the possibility to obtain the details on individuals by entering his email address or username. LeakedSource was also cracking the associated passwords when it was possible. The website was very popular among the users of the HackForums.net.

“A guilty plea was entered in court today by Defiant Tech Inc., to the charges of Trafficking In Identity Information and Possession of Property Obtained By Crime a year and a half after charges were laid into the RCMP’s cybercrime investigation dubbed Project “Adoration”. ” reads the press release published by RCMP.

“LeakedSource.com had a database of approximately three billion personal identity records and associated passwords that could be purchased for a small fee. Defiant Tech Inc. was operating the LeakedSource.com website and the company earned approximately $247,000 from trafficking identity information. “

The arrest of Bloom is the result of a joint effort of Canadian authorities, FBI and Dutch National Police.

According to the Royal Canadian Mounted Police, Defiant Tech made around CAN$247,000 (US$183,000) from his illegal activities.

“We are pleased with this latest development,” said Superintendent Mike Maclean, Officer in Charge Criminal Operations of the RCMP National Division. “I am immensely proud of this outcome as combatting cybercrime is an operational priority for us.”

According to the experts, Bloom didn’t operate the website alone, at least another US citizen was involved, but none was charged for this.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – cybercrime, LeakedSource)

The post Defiant Tech firm who operated LeakedSource pleads guilty appeared first on Security Affairs.

Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks

Users of Software-as-a-Service (SaaS) and webmail services are being targeted with increasing frequency, according to the APWG Q1 2019 Phishing Activity Trends Report. The category became the biggest target in Q1, accounting for 36 percent of all phishing attacks, for the first time eclipsing the payment-services category which suffered 27 percent of attacks recorded in the quarter. Online SaaS applications have become fundamental business tools, since they are convenient to use and cost-effective. SaaS services … More

The post Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks appeared first on Help Net Security.

Past, present, and future of the Dark Web

Which is the difference between the Deep Web and Dark Web? Considerations about past, present, and future of the Dark Web.

These are intense days for the Dark Web. Operations conducted by law enforcement agencies lad to the arrests of many individuals and the closure of the most popular Black Marketplaces, many of which remained alive over the years.

Operators behind the principal black markets made a lot of money, let’s think of managers of the Wall Street Market and Valhalla recently seized by feds. These are historic points of aggregations where it was possible to buy drugs, weapons, and any kind of hacking tools.

The icing on the cake was a US research that decreed how the size of the Dark Web was significantly lower than previously thought. This isn’t a novelty for the experts that are studying dark web and its evolution.

Unfortunately there is too much confusion between the term deep web and dark web, many videos on YouTube channels provide wrong information. Misinterpretation, superficiality, some times simple profits, these are the root cause of the confusion. This misinformation is extremely dangerous for kids, first consumers of videos published on the principal social media platform. Some videos show that is very simple to buy drugs securely or explain how to hack a website. Describing these phenomena, some journalists have been labeled “as experts on the dark web”.

The Dark Web is just a portion of the Deep Web, its access is quite simple and doesn’t require any specific technological skill. It is very easy to access to the Tor network or browse content on other anonymizing networks like I2P.

I started this research on September 2016, when I started writing my my book, “The Prison of the Humanity – from the deep web to 4.0 the new digital prisons”.

THE ICEBERG

Dark Web 1

An Iceberg has always been used as a visual representation of the Internet world. The visible peak, which represents the smallest part of the iceberg, that many have mistakenly associated with the clear web: is the part reachable by search engines.

Even a child could easily wonder: how can billions of sites visible to internet users represent 5% of the internet itself?

Exactly, how?

The Deep Web is composed of the content of the www that is not indexed by search engines. Try to imagine the site of a Provider that offers voice or connectivity services to millions of people, families and companies. Its files are not indexable by search engines. Try to think of a banking site with millions of account holders who keep the history of transactions, deposits, investments for years and years, without obviously being accessible to the entire web population.

Let’s also include all information by the IOT devices that are connected online by that that cannot be accessed for obvious reasons.

Well, not you can have an idea about the dimension of the deep web.

THE DARK WEB

What is the Dark Web? It is a non-indexed subset of the Deep Web. Accessible through TOR and other software, it has a size that is incalculable if we use imagination. In fact, there could be many .onion sites, an extension of the domains inside the TOR network, which are not indicated by the Hidden Wiki, a sort of Wikipedia of onion Links. Furthermore, each website can have sublevels that could reach infinity.

But here we talk about legends. We go into the merits of my research which is based on the facts and experience of three years of journalistic navigation in the Dark Web where not only do you have browsed dozens of Directories, but you have visited at least 100,000 sites.

My search is based on 100,000 sites that I have personally visited and that can be easily classified into very few categories that I will explain to you with brief descriptions:

Information:

The spirit of the Dark Web includes precisely the freedom of expression with portals that give “uncomfortable” or “alternative” news in countries where there is censorship. There are many sites in multiple languages ​​that refer to ideological and collective movements, due to the greater number of Anarchist derivations, but there are also movements that promote the defense of online privacy. So there is so much counter-information and the most obvious example that I always carry forward is the version of the Bible translated into the languages ​​of the countries where it is strictly prohibited.

Black Markets:

They are the heart of the Dark Web in economic terms, needless to say that it is impossible to count them verify their reliability, but they are certainly the points of aggregation for several million users and unscrupulous sellers that offer drugs, weapons, medicines requiring medical prescription, bank credential and personal data of unsuspecting users, steroids and hacking guides.

Empty or non-functional web pages:

Empty pages, typical errors displaying code 404 that feed the list of the .onion domains in the directories.

Scam

There are many sites that promise the same services as Black Markets, including hitman services, hacking services, money laundering services… but they are only services operated by scammers.

Directories – Search Engines

There are many directories that offer the same links, Hidden Wiki services that offer a guide to the principal links in the Dark Web, but it is clear that the hidden Wiki is one and the original not only reports the links to the sites but also provides an “obscure and forbidden” encyclopedia service similar to the best known Wikipedia. The presence of search engines that are similar to Google are also frequent, but they do not always find the result that they hope for.

Child pornography-pornography-violence on animals-GORE

There are many pornographic sites on the clear web, but pornography in the dark web takes on gruesome tones. Violence, child abuse, snuff movies and extreme sex are very common. The sites that belong to these categories are divided into different types: chat rooms, traditional websites or service containers. The chats are usually open and there is a remarkable exchange of multimedia files for free. Then there are the forums that need registration, they offer audio/video content or images, and also provide suggestions on how to kill people or how to eat them in ritual cannibalism. Furthermore, there are many child pornography sites on the dark web that point to the largest online sharing platforms, such as Satoshi box or Megaupload, where it is possible to pay to download packages of illegal content.

Websites – Forums

They are normal websites that deal with different topics, including forums that represent meeting points for users that discuss legal and non-legal issues. There are many blogs that for the greater part deal with issues of cybersecurity and the rights of the digital population in terms of consumer protection and privacy.

Honeypots

Consider sites belonging to the above categories, in many cases they are traps set up by the law enforcement agencies to attempt to identify criminals. The dark web is full of honeypots.

CONCLUSIONS

Let’s conclude with some statistic on the composition of the Dark Web:

  • Not Working: 45%
  • Scam: 44%
  • Websites – Forums: 6%
  • Child pornography – Gore: 4%
  • Directories – search engines: 0.5%
  • Information: 0.3%
  • Black Markets: 0.2%

At this time, it is not possible to determine the exact number of Black Markets, anyway, it is really limited. Terrorism is an irrelevant phenomenon in terms of propaganda. It is also impossible to determine the diffusion of honeypots.

The real question is not how big is the Dark Web, but what will happen after the operations conducted law enforcement?

Who will be its users? Will Black Markets still exist?

Or is the Dark Web itself a honeypot for criminals, anarchists, terrorists and. pedophiles?

These doubts are legitimate, given that the military origins of the most popular anonymizing network.

About the Author: Livio Varriale

Pierluigi Paganini

(SecurityAffairs – Dark Web, crime)



The post Past, present, and future of the Dark Web appeared first on Security Affairs.

A joint operation by international police dismantled GozNym gang

A joint effort by international law enforcement agencies from 6 different countries has dismantled the crime gang behind the GozNym banking malware.

GozNym banking malware is considered one of the most dangerous threats to the banking industry, experts estimated it allowed to steal nearly $100 million from over 41,000 victims across the globe for years.

“An unprecedented, international law enforcement operation has dismantled a complex, globally operating and organised cybercrime network.” reads the press release published by the Europol. “The criminal network used GozNym malware in an attempt to steal an estimated $100 million from more than 41 000 victims, primarily businesses and their financial institutions.”

GozNym

The GozNym banking malware was first spotted in April 2015 by researchers from the  IBM X-Force Research, it combines the best features of Gozi ISFB and Nymaim malware.

The GozNym has been seen targeting banking institutions, credit unions, and retail banks. Among the victims of the GozNym Trojan there are 24 financial institutions in North America and organizations in Europe, including a Polish webmail service providers, investment banking and consumer accounts at 17 banks in Poland and one bank in Portugal.

Now the Europol announced the unprecedented, international law enforcement operation that allowed to dismantled the complex, globally operating and organised cybercrime network.

Europol with the help of law enforcement agencies from Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States identified and 0 individuals alleged members of the GozNym network.

5 defendants were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine, the remaining ones are Russians citizens and are still on the run, including the expert who developed the banking malware.

The cybercrime organization has been described by the Europol as a highly specialised and international criminal network.

One of the members that encrypted GozNym malware to avoid detection by security solutions, was arrested and is being prosecuted in the Republic of Moldova.

Operators behind the GozNym malware used the Avalanche network to spread the malware.

“Bulletproof hosting services were provided to the GozNym criminal network by an administrator of the “Avalanche” network.  The Avalanche network provided services to more than 200 cybercriminals, and hosted more than twenty different malware campaigns, including GozNym.” continues the press release published by Europol. Through the coordinated efforts being announced today, this alleged cybercriminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.  The prosecution will be conducted by the Prosecutor General’s Office of Ukraine and the National Police of Ukraine.

The members of the gang used banking malware to infect victims’ computers and steal their online banking credentials.

“A criminal Indictment returned by a federal grand jury in Pittsburgh, USA charges ten members of the GozNym criminal network with conspiracy to commit the following:

  • infecting victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
  • using the captured login credentials to fraudulently gain unauthorised access to victims’ online bank accounts;
  • stealing money from victims’ bank accounts and laundering those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.

The defendants are well known on Russian underground, they advertised their specialized technical skills and services in Russian-speaking online criminal forums. Through these forums the leader of the GozNym network recruited them.

“The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.” continues the Europol.

Below the advisory published by the FBI:

GOZNYM

Pierluigi Paganini

(SecurityAffairs – GozNym, malware)

The post A joint operation by international police dismantled GozNym gang appeared first on Security Affairs.

Privacy Awareness Week 2019 – Are You In The Dark About Your Online Privacy?

If you haven’t given your online privacy much attention lately then things need to change. In our era of weekly data breaches, the ‘I’ve got nothing to hide’ excuse no longer cuts it. In my opinion, ensuring your privacy is protected online is probably more important than protecting your home and car! A sloppy approach to online privacy can have devastating ramifications to your financial health, your career and even your physical wellbeing.

This week is Privacy Awareness Week in Australia – a great reminder to give our online privacy a ‘check-up’ and work out what we can do to ensure the information we share online (and who sees it) is locked down.

What Do We Need to Protect?

When we think about online privacy, we often think about protecting our password and financial data online. But it’s a little more complicated. There are 2 categories of information that we share in our online life that requires protection.

  1. Personally Identifying Information (PII) – this includes our name, birthdate, address and Medicare number
  2. Non-Personally Identifying Information – this includes the information about what we do online. It’s a combination of the websites we visit, what we buy online, our online searches and the pages we like on our social media profiles. Our online activity creates a digital folder about ourselves and many companies just love this data so they can send targeted ads your way. Ever wondered why you receive ads about holiday destinations after a few wishful holiday Google searches?

Without adequate online privacy, all the information about our online activities can be collected and analysed by third parties. In fact, data collected (legally) about you by websites can be very lucrative! Companies, known as data brokers, collect and maintain data on millions on people and charge handsomely for their services!

Why Do I Need To Worry About My Online Privacy?

Just think for a moment about some of the information that is stored about you online…

  • Your PII is stored in the background of probably every online account you have including social media, news and banking
  • Your online banking and superannuation sites contain details of all your accounts and your net worth
  • Your health and taxation records maybe accessible online which may contain sensitive information you would prefer not to be shared
  • If you haven’t disabled location services on your phone, your whereabouts can be tracked by clever parties on a daily basis
  • Your pictures and videos

While some of this information is stored without your control, there are steps you can take to tighten up access.

Now, think about your daily online activity…

  • Anything you order online via your web browser can be recorded
  • Anytime you send an email with sensitive information, there is a risk this will also be shared
  • Anytime you pay on the go using a facility like Apple Pay, your purchase will be tracked
  • Anything you search for, the articles you read, the movie tickets you buy and even your weekly online grocery order can be tracked

If this comes as a shock to you then you’re not alone. Many Aussies have been in the dark about what information is available about them online. But, don’t throw the towel in – there are strategies to tighten up your online privacy.

How To Get Your Online Privacy Under Control

There are a few simple steps you can take to lock down your valuable online information. So, make yourself a nice cuppa and let’s get to work:

  1. Manage Your Passwords

Your online passwords are as important as your house keys. In fact, in many cases, it is the only thing stopping cybercriminals from accessing our vital information that we have saved online. So, if you want to tighten up access to your online banking, your social media platforms and your favourite online shopping sites then you need to think carefully about how you manage your passwords.

Passwords need to be complex and unique with at least 8-10 characters and a combination of letters, numbers and symbols. And each of your online accounts should have a separate password which should be changed regularly. Too hard? Consider a Password Manager which creates and manages complex passwords for each of your online accounts – a complete no brainer!! McAfee’s Total Protection software includes a Password Manager which stores, auto-fills and generates unique passwords for all your online accounts. All you need to do is remember one master password! Easy!

And don’t forget, if one of your online accounts is affected by a data breach, then you need to change that password ASAP. If you have a password manager, simply have it generate another password for you.

  1. Use Public Wi-Fi With Caution

If you are serious about your online privacy then you need to use public Wi-Fi sparingly. Unsecured public Wi-Fi is a very risky business. Anything you share could easily find its way into the hands of cybercriminals. So, please avoid sharing any sensitive or personal information while using public Wi-Fi. If you travel regularly or spend the bulk of your time on the road then consider investing in a VPN. A VPN (Virtual Private Network) encrypts your activity which means your login details and other sensitive information is protected. McAfee has a great VPN product called Safe Connect. An excellent insurance policy!

  1. Use 2-Factor Authentication

Adding an additional layer of security to protect yourself when accessing your online accounts is another great way of guarding your online privacy. Turn on two-factor authentication for Google, Dropbox, Facebook and whatever other site offers it. For those new to this option, this means that in addition to your password, you will need to provide another form of identification to ensure you are who you say you are. Most commonly, this is a code sent to your mobile phone or generated by a smart phone app.

  1. Keep Your Software Updated

Software updates and patches are often designed to address a security vulnerability so ALWAYS install them so the bad guys can’t take advantage of security hole in your system. If it all becomes to hard, why not automate the updates?

  1. Invest in Security Software for ALL Your Devices

Installing comprehensive security software on all your devices including laptops, tablets and smartphones adds another layer of protection to your vital online information. Check out McAfee’s Total Protection software that will ensure you and your devices are protected against viruses, malware spyware and ransomware.

  1. Consider a Search Engine that Doesn’t Track Your Every Move Online

If you would prefer that your search engines didn’t collect and store the information you enter then consider an alternative ‘privacy focussed’ search engine. Check out DuckDuckGo that doesn’t profile users or track or sell your information to third parties.

  1. Delete All Cookies

Cookies are another way your online activity can be tracked. While some are harmless and used to simply remember things about you such as your login information and language, others known as  tracking cookies remain permanently constantly gathering information about your behaviour and what you click on. So, let’s get rid of them! Head into your web browser’s Privacy settings and clean them out.

So, let’s get our online privacy under control this Privacy Awareness Week. But don’t forget about your kids and elderly relatives too! Proactively managing one’s online privacy needs to be a priority for everyone. Why not start a conversation at the dinner table? Perhaps give the family a daily privacy related task every day during Privacy Awareness Week? For example:

Monday – Clean up your passwords or set up a Password Manager

Tuesday –  Research a VPN

Wednesday – Set up 2 factor authentication

Thursday – Ensure all your software is up to date and set up auto-updates where possible

Friday – Research privacy focussed search engines and delete all cookies

Over to you mums and dads. Would love to hear how you go.

Alex xx

 

 

The post Privacy Awareness Week 2019 – Are You In The Dark About Your Online Privacy? appeared first on McAfee Blogs.

Avoid a Security Endgame: Learn About the Latest “Avengers” Scam

Marvel Studio’s $2.2 billion box-office hit “Avengers: Endgame” has quickly risen to the second-highest grossing film of all time in its first two weekends. Not surprisingly, cybercriminals have wasted no time in capitalizing on the movie’s success by luring victims with free digital downloads of the film. How? By tempting users with security shortcuts so they can watch the film without worrying about spoilers or sold-out movie tickets.

When a victim goes to download the movie from one of the many scam sites popping up around the web, the streaming appears to begin automatically. What the user doesn’t know is that the footage being streamed is just from the movie’s trailer. Soon after, a message pops up stating that the user needs to create an account to continue with the download. The “free” account prompts the user to create a username and password in advance, which could potentially be useful for cybercriminals due to the common practice of password reuse. Once a victim creates an account, they are asked for billing information and credit card details in order to “verify location” and make sure the service is “licensed to distribute” the movie in the victim’s region. These crooks are then able to scrape the victim’s personal and financial data, potentially leading to online account hacks, stolen funds, identity theft, and more.

Luckily, Marvel fans can protect their online data to avoid a cybersecurity endgame by using the following tips:

  • Look out for potential scam activity. If it seems too good to be true, then it probably is. Be wary of websites promising free movie downloads, especially for movies that are still in theaters.
  • Shield your financial data. Be suspicious of “free downloads” that still require you to fill out billing information. If an unknown website asks for your credit card information or your bank account data, it’s best to avoid the site altogether.
  • Make sure your credentials are unique. With this scam, threat actors could use the login credentials provided by the victim to access their other accounts if they didn’t have a unique login. Avoiding username and password reuse makes it a lot harder for cybercriminals to hack into your other online accounts if they gain access to one.
  • Assemble a team of comprehensive security tools. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links and will warn you in the event that you do accidentally click on something malicious.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Avoid a Security Endgame: Learn About the Latest “Avengers” Scam appeared first on McAfee Blogs.

Cybercrime and Fraud Part 1: Modern Tales of Piracy and Plunder

Calico Jack, Captain Blood, and Blackbeard. So many recognizable stories, books, and movies have been made about the period of stealing and looting exemplified by the golden age of piracy. Time will tell whether we see such romanticized stories of dashing rogues based on this new golden age of criminality that we now live in. In fact, if you look at the FBI’s statistics, the internet has enabled cybercriminals to increase their ill-gotten gains by 700% in 10 years (2007-2017). To put that in perspective, when pirates looted and plundered their way across the seven seas, the top 20 pirates ever stole about $615.5 million when adjusted to 2017 dollars. Flash forward several hundred years and compare that to the takings from cybercrime in the US alone, where the FBI has just released new estimate losses exceeding $2.7 billion in 2018!

In this series of blogs, I’ll be exploring cybercrime and fraud, outlining some of the strategies that you can adopt to help mitigate risk, and how you can use Cisco products and technologies to help implement those strategies.

So, let’s delve into this golden age of criminality in a little more detail. First, it’s important to realize that the scale of this illicit profit has brought with it a tremendous amount of professionalism. This is illustrated by the fact that while losses have increased 700%, the number of incidents has only increased by 50%, resulting in a much higher loss per incident. Of course, the FBI only has a US-centric view, so how representative is it globally? If we consider research from the Center for Strategic and International Studies (CSIS), the estimated global cost of cybercrime is 0.59% to 0.8% of GDP ($445 billion to $608 billion). Furthermore, if we then compare that to the value that the UN Office on Drugs and Crime (UNODC) assigns to the global cost of the illicit drugs trade of 0.5% to 0.6% of GDP, you realize that the cybercrime market is at least as big, if not bigger, than the global trade in illicit drugs! With such profits obtained at risks that are fractional compared to other criminal enterprises, it’s easy to see why cybercrime remains an attractive and growing area for professional criminals.

So how much could it continue to grow? Are we already at peak cybercrime? In October 2017, BITKOM (German Association for Information Technology, Telecommunications and New Media) published a survey that showed 49% of German internet users had been a victim of cybercrime. Furthermore, if we compare this to an analysis from the US Department of Justice looking at the Lifetime Likelihood of Victimization that estimated that 99% of people would be a victim of robbery at least once and that 87% of people would be a victim 3 or more times, and you can see that, depressingly, there appears to remain a significant growth prospect for cybercrime.

So what’s driving this explosive growth in cybercrime? Interestingly enough, it’s actually a new form of a very old crime: Fraud. And by old, I mean really old! They say the earliest recorded form of fraud is the story of Hegestratos in 300 BC! Hegestratos took out a large loan for cargo secured against the value of his ship. When the ship arrived, and the cargo was sold, the lender would be repaid with interest. If the loan was not repaid, the lender had security in the form of the ship. However, if the ship sank, the lender lost both the loan and the security. Needless to say, Hegestratos figured it was easier to sink the ship, save the cargo and sell it and pocket the loan for good measure! What’s remarkable is how, since those days, fraud has evolved as time, technology, and most importantly, the law has advanced. After all, why even bother going to all the trouble of having a ship if you can just pretend to have one? This was made an offense in the UK by as early as 1541 (obtaining property by false or counterfeit token). Once again, fraud evolved so that by 1757 the law would need to be updated to the broader concept of false representation. In the US, with its larger geography, the symbiotic evolution of fraud, technology, and the law are even more clear where counterfeiting laws of 1797 evolved into false claims in 1863, mirroring the evolution of the law in the UK before then having to add mail fraud in 1872 and then wire fraud in 1952. At each stage you can see how criminals are the first to adapt and exploit the opportunities new technology provides for fraud before the defenders can catch up.

Today, little has changed as we continue to see the same scenarios playing out. According to the German Federal Police Division responsible for Crime, the Bundeskriminalamt (BKA), 99.4% of all recorded cybercrime loses come from fraud. The emphasis here is on recorded losses as the BKA makes some great points about the difficulties in truly quantifying cybercrime losses, especially intangible losses such as reputational or brand impact. Therefore, if we cross reference these numbers with the annual Internet Crime Report from the FBI Internet Crime Complaint Center (IC3) and some quick addition reveals that all forms of fraud accounted for approximately 85% of the overall number, validating the BKA’s approach. In fact, they specifically call out the losses associated with two specific forms of fraud known as Business Email Compromise (BEC) and Email Account Compromise (EAC). These are two variations on a fraud in which the criminals use social engineering, deception, or other intrusion techniques to conduct unauthorized transfers of funds.

The classic example of this is when the person responsible for the finance or payment of suppliers receives an email purportedly from the Chief Executive Officer (CEO) demanding the urgent payment of a supplier via wire transfer. Of course, the email isn’t from the CEO and the account details are nothing more than an account being held by another unsuspecting person who will transfer it on again. By the time the fraud has been identified, the money has moved several times through various accounts and potentially countries and will rarely be recovered. Emphasizing the earlier point regarding the professional nature of this type of crime, the FBI said the perpetrators of this are “transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers” who “may spend weeks or months studying the organization’s vendors, billing systems, and the CEO’s style of e-mail communication and even his or her travel schedule.” The gains for the criminal are staggering, in its 2016, 2017 and 2018 reports, the FBI IC3 identified it as a hot topic and estimated the losses in 2018 were nearly $1.4 billion.

How does this compare with losses from other forms of cybercrime? Well, in 2018, the FBI statistic for losses due to another popular from of cybercrime, the classic corporate data breach, was $117.7 million or 8% of the loss due to BEC/EAC. Looking at the state of California within the FBI statistics, we see that BEC/EAC is the single biggest cause of losses, accounting for 33% of the overall losses due to any form of cybercrime. So, has this risk peaked? Well, examining a survey from credit agency, Experian, you can see that they identified that 72% of businesses have a growing concern about fraud in 2017 and 63% of them have experienced the same or higher losses due to fraud pointing to a real and growing risk. It’s worth bearing in mind that despite the FBI’s estimated total losses from BEC/EAC now exceeding $5 billion, the losses increased 78% between 2016 and 2017 and again by 92% between 2017 and 2018. Bad as it is, things may continue to get a lot worse.

So, what is to be done? In the next blog post, I’ll be talking about some of the strategies, products, and technologies that can help address and mitigate the issues I discussed in this blog. Of course, I welcome your thoughts, comments and feedback so please do take the time to let me know your thoughts!

The post Cybercrime and Fraud Part 1: Modern Tales of Piracy and Plunder appeared first on Cisco Blog.

German police shut down one of world’s biggest dark web sites

Arrests in Germany, Brazil and US relate to sale of drugs, stolen data and malicious software

German police have shut down one of the world’s largest illegal online markets in the so-called dark web and arrested the three men allegedly running it, prosecutors said on Friday.

The “Wall Street Market” (WSM) site enabled trade in cocaine, heroin, cannabis and amphetamines as well as stolen data, fake documents and malicious software.

Related: Dark web blamed for rise in drugs sent by post from Netherlands

Continue reading...

It’s World Password Day – the Perfect Excuse to give your Passwords an Overhaul!

How much of your personal data is stored online? Well, if you are anything like the ‘average Jo’ – the answer is a lot! In 2019, the vast majority of us bank and shop online, have official documentation stored online, have all sorts of personal information stored in our emails and let’s not forget about our photos and videos.

And the scary thing – the only thing that is stopping cybercriminals from accessing our vital information that is saved online is our passwords.

Today is World Password Day – a perfect opportunity to give our password strategy a health check.  Because if we are serious about protecting our vital data that is stored online then we need to get SUPER serious about managing our passwords!

So, let’s give your passwords an overhaul. Why not schedule some time in your calendar to ensure your passwords are in the best shape? Here are my top tips on what you can do today to ensure you are doing all you can to protect your private online data.

How To Give Your Passwords A Health Check:

1. Check To See Whether Your Passwords Have Been Exposed

The first step is to see whether your passwords have been compromised in a data breach. Check out  www.haveibeenpwned.com.au to see whether cybercriminals have already discovered your passwords. If so, then they need to be changed wherever they are used ASAP.

2. Commit to Not Using Common Passwords

Using common passwords such as ‘password’, ‘123456’ or ‘qwerty’ is quite frankly, a waste of time. It would take cybercriminals a matter of seconds to unlock your online banking data. Also avoid using simple personal details within your passwords such as your birthday, name or kids and pet names as a quick scan of your social media accounts would allow cybercriminals to find this in just seconds. Always make your passwords random and obscure. Why not consider a nonsensical sentence?

3. Add Numbers and Symbols to Your Passwords

When you are setting up a new online account, many organisations will require you to add a number or symbol to your proposed password to give it additional ‘password strength’. Passwords that include a variety of capital and lowercase letters, numbers and symbols are far harder to crack so get creative and layer up your passwords.

4. Ensure Every Password Is Unique

Many people use the same password across all of their online accounts. And while this makes life easier, it increases your risk of your vital online data being compromised big time. Remember, if a hacker discovers just one of your passwords – and it’s the only one you use – all of your online personal information is at risk! Therefore, it is crucial to ensure all your passwords are different! I know, it sounds like a lot of work and brain power!

5. Simplify Your Life with a Password Manager

If the idea of creating individual complex passwords for each of your online accounts – oh, and changing them every 2 months, is giving you palpitations, then I have a solution – a password manager!

McAfee’s Total Protection includes Password Manager, which stores, auto-fills and even generates unique passwords. Creating and remembering (!) complex password for each online account is taken care off. All you need to do is remember one master password in order to access the rest of the passwords! And if there is a data breach, it’s super easy to quickly change a password too.

6. Set up Two-Factor Authentication Where Possible

If you have the option to enable two-factor or multi-factor authentication with any of your online accounts, then do it!! In simple terms, this will mean that you need to provide more than one way of identifying yourself before gaining access to your account. Often it is your password plus a code sent to your smartphone or even your fingerprint. It’s an absolute no-brainer as it adds another layer of security making it harder to cybercriminals to access your vital online data.

Now, if you are thinking about skipping out of your password overhaul, then please think again! Passwords are the first line of defence to protect your vital online data from cybercriminals. So, put the kettle on and make today the day!

Till next time!

Alex xx

 

The post It’s World Password Day – the Perfect Excuse to give your Passwords an Overhaul! appeared first on McAfee Blogs.

Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’

strong password

strong passwordAs adults, we know the importance of strong passwords, and we’ve likely preached the message to our kids. But let’s rewind for a minute. Do our kids understand why strong passwords are important and why it needs to become a habit much like personal health and hygiene?

If we want the habit to stick, the reason why can’t be simply because we told them so. We’ve got to make it personal and logical.

Think about the habits you’ve already successfully instilled and the reasoning you’ve attached to them.

Brush your teeth to prevent disease and so they don’t fall out.
Eat a balanced diet so you have fuel for the day and to protect yourself from illness and disease.
Get enough sleep to restore your body and keep your mind sharp for learning.
Bathe and groom to wash away germs (and to keep people from falling over when you walk by). 

The same reasoning applies to online hygiene: We change our passwords (about every three months) to stay as safe as possible online and protect what matters. When talking to kids, the things that matter include our home address, our school name, our personal information (such as a parent’s credit card information, our social security number, or other account access).

Kids Targeted

We falsely believe that an adult’s information is more valuable than a child’s. On the contrary, given a choice, 10 out of 10 hackers would mine a child’s information over an adult’s because it’s unblemished. Determined identity thieves will use a child’s Social Security number to apply for government benefits, open bank, and credit card accounts, apply for a loan or utility service or rent an apartment. Also, once a child’s information is hacked, a thief can usually get to a parent’s information.

How to Stay Safe

It’s a tall task to prevent some of the massive data breaches in the news that target kids’ information. However, what is in our control, the ability to practice and teach healthy password habits in our home.

Tips for Families

strong passwordShake it up. According to McAfee Chief Consumer Security Evangelist Gary Davis, to bulletproof your passwords, make sure they are at least 12 characters long and include numbers, symbols, and upper and lowercase letters. Consider substituting numbers and symbols for letters, such as zero for “O” or @ for “A”.

Encourage kids to get creative and create passwords or phrases that mean something to them. For instance, advises Gary, “If you love crime novels you might pick the phrase: ILoveBooksOnCrime
Then you would substitute some letters for numbers and characters, and put a portion in all caps to make it even stronger, such as 1L0VEBook$oNcRIM3!”

Three random words. Password wisdom has morphed over the years as we learn more and more about hacking practices. According to the National Cyber Security Centre, another way to create a strong password is by using three random words (not birthdates, addresses, or sports numbers) that mean something to you. For instance: ‘lovepuppypaws’ or ‘drakegagacardib’ or ‘eatsleeprepeat’ or ‘tacospizzanutella’.

More than one password. Creating a new password for each account will head off cybercriminals if any of your other passwords are cracked. Consider a password manager to help you keep track of your passwords.

Change product default passwords immediately. If you purchase products for kids such as internet-connected gaming devices, routers, or speakers, make sure to change the default passwords to something unique, since hackers often know the manufacturer’s default settings.

When shopping online, don’t save info. Teach kids that when shopping on their favorite retail or gaming sites, not to save credit card information. Saving personal information to different accounts may speed up the checkout process. However, it also compromises data.

Employ extra protection. Comprehensive security software can protect you from several threats such as viruses, identity theft, privacy breaches, and malware designed to grab your data. Security software can cover your whole family as well as multiple devices.

Web Advisor. Keep your software up-to-date with a free web advisor that helps protect you from accidentally typing passwords into phishing sites.

strong password

Use unique passwords and MFA. This is also called “layering up.” 1) Use unique passwords for each of your accounts. By using different passwords, you avoid having all of your accounts become vulnerable if you are hacked (think domino effect). 2) MFA is Multi-Factor Authentication (also called two-step verification or authentication ). MFA confirms a user’s identity only after presenting two or more pieces of evidence. Though not 100% secure, this practice adds a layer of security to an account.

Keep it private. Kids love to show one another loyalty by sharing passwords and giving one another access to their social network accounts. DO NOT encourage this behavior. It’s reckless and could carry some serious privacy consequences. (Of course, sharing with parents, is recommended).

Credential Cracking

According to the Identity Theft Resource Center® (ITRC), the reported number of consumer records exposed containing sensitive personally identifiable information jumped 126 percent in 2018. The report explicitly stated password cracking as an issue: “The exploitation of usernames and passwords by nefarious actors continues to be a ripe target due to the increase in credential cracking activities – not to mention the amount of data that can be gleaned by accessing accounts that reuse the same credentials.”

May 2 is World Password Day and the perfect time to consider going over these password basics with your family.

The post Digital Parenting: ‘Eat Your Veggies, Brush Your Teeth, Strengthen Your Passwords’ appeared first on McAfee Blogs.

Marcus Hutchins: UK ransomware ‘hero’ pleads guilty to US hacking charges

Hutchins says he regrets his actions and will continue ‘keeping people safe from malware attacks’

A British computer security researcher once hailed as a “hero” for helping stem a ransomware outbreak and later accused of creating malware to attack the banking system said on Friday he had pleaded guilty to US criminal charges.

Marcus Hutchins, whose arrest in 2017 stunned the computer security community, acknowledged in a statement pleading guilty to criminal charges linked to his activity in 2014 and 2015.

Related: UK hacker jailed for six years for blackmailing pornography site users

Continue reading...

UK hacker jailed for six years for blackmailing pornography site users

Zain Qaiser targeted millions of computers with ransomware demanding large sums

A hacker who blackmailed users of pornography websites in what investigators say is the UK’s most serious cybercrime case has been jailed for six years and five months.

Zain Qaiser targeted millions of computers with malicious browser-locking software that demanded payment of up to $1,000 (£765) to unfreeze screens, Kingston crown court heard.

Continue reading...

Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach

Most people don’t think about their credit card information being stolen and sold over the dark web while they’re enjoying a night out at an Italian restaurant. However, many people are experiencing this harsh reality. Earl Enterprises, the parent company of Buca di Beppo, Planet Hollywood, Earl of Sandwich, and Mixology 101 in LA, confirmed that the company was involved in a massive data breach, which exposed the credit card information of 2.15 million customers.

The original discovery was made by cybersecurity researcher Brian Krebs, who found the underground hacking forum where the credit card information had been posted for sale. He determined that the data first surfaced on Joker’s Stash, an underground shop that sells large batches of freshly-stolen credit and debit cards on a regular basis. In late February, Joker’s Stash moved a batch of 2.15 million stolen cards onto their system. This breach involved malware remotely installed on the company’s point-of-sale systems, which allowed cybercrooks to steal card details from customers between May 23, 2018, and March 18, 2019. This malicious software was able to capture payment card details including card numbers, expiration dates, and, in some cases, cardholder names. With this information, thieves are able to clone cards and use them as counterfeits to purchase expensive merchandise such as high-value electronics.

It appears that all 67 Buca di Beppo locations in the U.S., a handful of the 31 Earl of Sandwich locations, and the Planet Hollywood locations in Las Vegas, New York, and Orlando were impacted during this breach. Additionally, Tequila Taqueria in Las Vegas, Chicken Guy! in Disney Springs, and Mixology 101 in Los Angeles were also affected by this breach. Earl Enterprises states that online orders were not affected.

While large company data breaches such as this are difficult to avoid, there are a few steps users can take to better protect their personal data from malicious thieves. Check out the following tips:

  • Keep an eye on your bank account. One of the simplest ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately.
  • Check to see if you’ve been affected. If you know you’ve made purchases at an Earl Enterprises establishment in the last ten months, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identify Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach appeared first on McAfee Blogs.

Social Media: Where Cybercrime Lurks in the Shadows

When you think of cybercrime, the first thing that comes to mind is most likely cybercriminals operating on the dark web. Last year, however, cybercriminals made the jump over to social media and cashed in big – $3 billion worth, as a matter of fact. With approximately 2.77 billion people using one social media account or more, it’s no wonder these bad actors have followed the masses. While the average user distrusts the dark web, they do trust their chosen social media platforms. Whether it’s sharing birthdates or a current location, or accepting a follow or message request from strangers, users in front of a screen feel secure. Although, as the line between social platforms and the dark web quickly blurs, the events behind the screen are the real issue.

Since 2017, cryptomining malware has exploded on a global scale, with over half of the identified strains found on social media sites. Utilizing apps, advertisements, and malicious links, cybercriminals were able to deliver these attacks and earn $250 million per year. Not only are social media platforms being used to distribute cryptomining malware, but they are also used as a major source for spreading other types of malware – malvertisments, faulty plug-ins, and apps – that draw users in by offering “too good to be true” deals. Once clicked on, the malware attacks. From there, cybercriminals can obtain data, establish keyloggers, dispense ransomware, and lurk in the shadows of social media accounts in wait for the next opportunity.

That next opportunity could also be on a completely different social media platform. As these sites unknowingly make it easier for malware to spread from one site to another. Many social media accounts interconnect with one another across platforms, which enables “chain exploitation,” or where malware can jump from one account to the next.

In short, social media is a cash cow for cybercriminals, and they are showing no sign of slowing down. What it really comes down to is social platforms, like Instagram and Facebook, attract a significant number of users and are going to draw in a criminal component too. However, if you take the proper security precautions ahead of time, you can fight off bad actors and continuously scroll with confidence. Here are some tips to help you get started:

  • Limit the amount of personal information shared in the first place. Avoid posting home addresses, full birth dates, and employer information, as well as exact location details of where you are.
  • Be wary of messages and follow requests from strangers. Avoid clicking on links sent by someone you don’t know personally.
  • Report any spam posts or messages you encounter to the social media platform. Then they can stop the threat from spreading to other accounts.
  • Always use comprehensive security software. To help protect you from viruses, spyware, and other digital threats that may emerge from social media sites, consider McAfee Total Protection or McAfee Mobile Security.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Social Media: Where Cybercrime Lurks in the Shadows appeared first on McAfee Blogs.

Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home

Like most parents, before you go to sleep each night, you take extra care to lock doors and windows to keep your family safe from any outside threats. The only thing you may have overlooked is the smartphone illuminated on your nightstand. And if you were to add up the smartphones humming all over your house, suddenly you’d have a number of unlocked doors that a determined criminal could enter through. Maybe not tonight — but eventually.

Digital Ecosystem

Over time you’ve purchased and plugged in devices throughout your home. You might have a voice assistant, a baby monitor, a thermostat, a treadmill, a gaming system, a fitness watch, smart TVs, a refrigerator, and many other fun, useful gadgets. Each purchase likely connects to your smartphone. Take stock: You now have a digital ecosystem growing all around you. And while you rarely stop to take notice of this invisible power grid around you, hackers can’t stop thinking about it.

This digital framework that pulsates within your home gives cybercriminals potential new entryways into your life and your data. Depending on your devices, by accessing your smartphone, outsiders may be able to unlock your literal doors while you are away (via your home security system), eavesdrop on your family conversations and collect important information (via your voice assistant), access financial information (via your gaming system, tablet, or laptop).

What you can do:

  • Change factory security settings. Before you fire up that smart TV, drone, or sound system, be sure to change each product’s factory settings and replace it with a bulletproof password to put a layer of protection between you and would-be hackers.
  • Protect your home network. We are connected people living in connected homes. So, part of the wired lifestyle is taking the lead on doing all we can to protect it. One way to do that is at the router level with built-in network security, which can help secure your connected devices.
  • Stay on top of software updates. Cybercrooks rely on consumers to ignore software updates; it makes their job so much easier. So be sure to install updates to your devices, security software, and IoT products when alerted to do so.

Smartphone = Front Gate

The most common entry point to all of these connected things is your smartphone. While you’ve done a lot of things to protect your phone — a lock screen, secure passwords on accounts, and system updates — there are hacking tactics you likely know nothing about. According to McAfee’s recent  Mobile Threat Report, you don’t know because the scope and complexity of mobile hacks are increasing at alarming rates.

Hidden Apps

The latest statistics report that the average person has between 60-90 apps installed on their phones. Multiply that between all the users in your home, and you are looking at anywhere from 200-500 apps living under your digital roof. Hackers gravitate toward digital trends. They go where the most people congregate because that’s where they can grab the most money. Many of us control everything in our homes from our apps, so app downloads are off the charts, which is why crooks have engineered some of their most sophisticated schemes specifically around app users.

Hidden apps are a way that crooks trick users into letting them inside their phones. Typically, hidden apps (such as TimpDoor) get to users via Google Play when they download games or customized tools. TimpDoor will then directly communicate with users via a text with a link to a voice message that gives detailed instructions to enable apps from unknown sources. That link downloads malware which will run in the background after the app closes. Users often forget they’ve downloaded this and go on with life while the malware runs in the background and can access other internal networks on the smartphone.

What you can do:

  • Stay alert. Don’t fall for the traps or click links to other apps sent via text message.
  • Stay legit. Only download apps hosted by the original trusted stores and verified partner sites.
  • Avoid spam. Don’t click on any email links, pop-ups, or direct messages that include suspicious links, password prompts, or fake attachments. Delete and block spam emails and texts.
  • Disable and delete. If you are not using an app, disable it. And, as a safety habit, remove apps from your phone, tablet, or laptop you no longer use.

Fake Apps

Again, crooks go where the most people congregate, and this year it is the 60 million+ downloaded game Fortnite. The Fortnite craze has lead hackers to design fake Fortnite apps masquerading as the real thing. The fraudulent app designers go to great lengths to make the download look legitimate. They offer enticing downloads and promise users a ton of free perks and add ons. Once users download the fake app, crooks can collect money through ads, send text messages with more bad app links, crypto jack users, or install malware or spyware.

What you can do:

  • Don’t install apps from unknown sources. Not all gaming companies distribute via Google Play or the App Store. This makes it even harder for users to know that the app they are downloading is legit. Do all you can to verify the legitimacy of the site you are downloading from.
  • Delete suspicious acting apps. If you download an app and it begins to request access to anything outside of its service, delete it immediately from your device.
  • Update devices regularly. Keep new bugs and threats at bay by updating your devices automatically.
  • Monitor bank statements. Check statements regularly to monitor the activity of the card linked to your Fortnite account. If you notice repeat or multiple transactions from your account or see charges that you don’t recognize, alert your bank immediately.
  • Be a savvy app user. Verify an app’s legitimacy. Read other user reviews and be discerning before you download anything. This practice also applies to partner sites that sell game hacks, credits, patches, or virtual assets players use to gain rank within a game. Beware of “free” downloads and avoid illegal file-sharing sites. Free downloads can be hotbeds for malware. Stick with the safer, paid options from a reputable source.

The post Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home appeared first on McAfee Blogs.

How to Safeguard Your Family Against A Medical Data Breach

Medical Data BreachThe risk to your family’s healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out or in the online application for healthcare you completed.

That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.

It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.

Breaches on the Rise

Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.

A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, with 75% of the breached, lost, or stolen records being breached by a hacking or IT incident at a cost close to consumers at nearly $6 billion.

The IoT Factor

Medical Data Breach

Not only are medical facilities vulnerable to hackers, but with the growth of the Internet of Things (IoT) consumer products — which, in short, means everything is digitally connected to everything else — also provide entry points for hackers. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, heart and blood pressure monitors.

To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.

The Dark Web

The engine driving healthcare attacks of all kinds is the Dark Web where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.

With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.

Some of the most valuable data to criminals are children’s health information (stolen from pediatrician offices) since a child’s credit records are clean and more useful tools in credit card fraud.

According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.

“The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” Says Samani.

Medical Data Breach

Healthcare professionals, hospitals, and health insurance companies, while giving criminals an entry point, though responsible, aren’t the bad guys. They are being fined by the government for breaches and lack of proper security, and targeted and extorted by cyber crooks, while simultaneously focusing on patient care and outcomes. Another factor working against them is the lack of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.

Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker, matters. There are some things you can do to strengthen your family’s healthcare data practices.

Ways to Safeguard Medical Data

Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.

Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.

Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.

Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.

Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.

How to Protect IoT Devices

Medical Data Breach

According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.

  • Change default usernames and passwords
  • Isolate IoT devices on their protected networks
  • Configure network firewalls to inhibit traffic from unauthorized IP addresses
  • Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
  • Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
  • Ensure devices and their associated security patches are up-to-date
  • Apply cybersecurity best practices when connecting devices to a wireless network
  • Invest in a secure router with appropriate security and authentication practices

The post How to Safeguard Your Family Against A Medical Data Breach appeared first on McAfee Blogs.

How to Steer Clear of Tax Season Scams

*This blog contains research discovered by Elizabeth Farrell

It’s that time of year again – tax season! Whether you’ve already filed in the hopes of an early refund or have yet to start the process, one thing is for sure: cybercriminals will certainly use tax season as a means to get victims to give up their personal and financial information. This time of year is advantageous for malicious actors since the IRS and tax preparers are some of the few people who actually need your personal data. As a result, consumers are targeted with various scams impersonating trusted sources like the IRS or DIY tax software companies. Fortunately, every year the IRS outlines the most prevalent tax scams, such as voice phishing, email phishing, and fake tax software scams. Let’s explore the details of these threats.

So, how do cybercriminals use voice phishing to impersonate the IRS? Voice phishing, a form of criminal phone fraud, uses social engineering tactics to gain access to victims’ personal and financial information. For tax scams, criminals will make unsolicited calls posing as the IRS and leave voicemails requesting an immediate callback. The crooks will then demand that the victim pay a phony tax bill in the form of a wire transfer, prepaid debit card or gift card. In one case outlined by Forbes, victims received emails in their inbox that allegedly contained voicemails from the IRS. The emails didn’t actually contain any voicemails but instead directed victims to a suspicious SharePoint URL. Last year, a number of SharePoint phishing scams occurred as an attempt to steal Office 365 credentials, so it’s not surprising that cybercriminals are using this technique to access taxpayers’ personal data now as well.

In addition to voice phishing schemes, malicious actors are also using email to try and get consumers to give up their personal and financial information. This year alone, almost 400 IRS phishing URLs have been reported. Even back in December, we saw a surge of new email phishing scams trying to fool consumers into thinking the message was coming from the IRS or other members of the tax community. In a typical email phishing scheme, scammers try to obtain personal tax information like usernames and passwords by using spoofed email addresses and stolen logos. In many cases, the emails contain suspicious hyperlinks that redirect users to a fake site or PDF attachments that may download malware or viruses. If a victim clicks on these malicious links or attachments, they can seriously endanger their tax data by giving identity thieves the opportunity to steal their refund. What’s more, cybercriminals are also using subject lines like “IRS Important Notice” and “IRS Taxpayer Notice” and demanding payment or threatening to seize the victim’s tax refund.

Cybercriminals are even going so far as to impersonate trusted brands like TurboTax for their scams. In this case, DIY tax preparers who search for TurboTax software on Google are shown ads for pirated versions of TurboTax. The victims will pay a fee for the software via PayPal, only to have their computer infected with malware after downloading the software. You may be wondering, how do victims happen upon this malicious software through a simple Google search? Unfortunately, scammers have been paying to have their spoofed sites show up in search results, increasing the chances that an innocent taxpayer will fall victim to their scheme.

Money is a prime motivator for many consumers, and malicious actors are fully prepared to exploit this. Many people are concerned about how much they might owe or are predicting how much they’ll get back on their tax refund, and scammers play to both of these emotions. So, as hundreds of taxpayers are waiting for a potential tax return, it’s important that they navigate tax season wisely. Check out the following tips to avoid being spoofed by cybercriminals and identity thieves:

  • File before cybercriminals do it for you. The easiest defense you can take against tax seasons schemes is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a cybercriminal.
  • Obtain a copy of your credit report. FYI – you’re entitled to a free copy of your credit report from each of the major bureaus once a year. So, make it a habit to request a copy of your file every three to four months, each time from a different credit bureau. That way, you can keep better track of and monitor any suspicious activity and act early if something appears fishy.
  • Beware of phishing attempts. It’s clear that phishing is the primary tactic crooks are leveraging this tax season, so it’s crucial you stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double check their legitimacy with a manager or the security department before you respond. Be wary of strange file attachment names such as “virus-for-you.doc.” Remember: the IRS only contacts people by snail mail, so if you get an email from someone claiming to be from the IRS, stay away.
  • Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search. If you receive any suspicious links in your email, investigating the domain is usually a good way to tell if the source is legitimate or not.
  • Consider an identity theft protection solution. If for some reason your personal data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Steer Clear of Tax Season Scams appeared first on McAfee Blogs.

Don’t Take the Bait! How to Steer Clear of Tax Time Scams

tax time scamsFor cybercriminals tax time is the most wonderful time of the year. They are in the shadows giddy, eager, and methodically setting a variety of digital traps knowing that enough taxpayers take the bait to render their efforts worthwhile.

Indeed, with the frenzy of online tax filings, personal information (and money) moving through mailboxes, and hardworking people eagerly awaiting tax refunds, crooks are perfectly positioned for big returns this year.

So let’s be wiser and let’s be ready.

Last year, the IRS noted a 60 percent spike in bogus email schemes seeking to steal money or tax information. This year its a surge in phishing scams, says the IRS, that should have taxpayers on alert.

“The holidays and tax season present great opportunities for scam artists to try stealing valuable information through fake emails,” said IRS Commissioner Chuck Rettig. “Watch your inbox for these sophisticated schemes that try to fool you into thinking they’re from the IRS or our partners in the tax community. Taking a few simple steps can protect yourself during the holiday season and at tax time.”

Scams to Look For

According to the IRS, phishing emails are circulating with subjects such as “IRS Important Notice,” “IRS Taxpayer Notice” and other iterations of that message. The fraudulent emails may demand payment with the threat of seizing the recipient’s tax refund or even jail time.

tax time scams

Attacks may also use email or malicious links to solicit tax or financial information by posing as a trustworthy organization or even a personal friend or business associate of the recipient.

While some emails may have obvious spelling errors or grammar mistakes, some scammers have gone to great lengths to piece together a victim’s personal information to gain their trust. These emails look legitimate, have an authentic tone, and are crafted to get even skeptics to compromise personal data using malicious web links.

Scams include emails with hyperlinks that take users to a fake site or PDF attachments that may download malware or viruses designed to grab sensitive information off your devices. With the right data in hand such as a social security number, crooks can file fake returns and claim your tax return, open credit cards, or run up medical bills.

Other tax scams include threatening phone calls from bogus IRS agents demanding immediate payment of past due tax bills and robocalls that leave urgent callback messages designed to scare victims into immediate payment.

Remember, the IRS will NOT:

  • Call to demand immediate payment over the phone, nor will the agency call about taxes owed without first having mailed you several bills.
  • Call or email you to verify your identity by asking for personal and financial information.tax time scams
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone or
    e-mail.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.

How to Protect Yourself

Be hyper-aware. Never open a link or attachment from an unknown or suspicious source. In fact, approach all emails with caution even those from people you know. Scams are getting more sophisticated. According to the IRS, thieves can compromise a friend’s email address, or they may be spoofing the address with a slight change in the email text that is hard to recognize.

Reduce your digital footprint. Now is a great time to go through your social accounts and online profiles, posts, and photos and boost your family’s privacy. Edit out any personal information such as your alma mater, your address, birthdate, pet names, children’s names, or mother’s maiden name. Consider making your social profiles private and filtering your friends’ list to actual people you know.

Have a strong password strategy. Cybercrooks count on their victims using the same password for multiple accounts. Lock them out by using unique passwords for separate accounts. Also, consider using two-factor authentification that requires a security code (sent to your phone) to access your account.

Install security software. Phishing emails carry malware and viruses designed to infect your devices and grab your family’s sensitive data or even seize your computer via ransomware. Crooks aren’t messing around so neither should you. Meet fire with fire by investing in comprehensive security software to protect your devices.

If you are the victim of tax fraud or identity theft, take the proper reporting steps. If you receive any unsolicited emails claiming to be from the IRS, forward them to phishing@irs.gov  (then delete the emails).

The post Don’t Take the Bait! How to Steer Clear of Tax Time Scams appeared first on McAfee Blogs.

The Risks of Public Wi-Fi and How to Close the Security Gap

public wi-fi risksAs I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

The Risks

By using public Wi-Fi, I’ve opened my online activity and personal data (via my laptop) up to a variety of threats including eavesdropping, malware distribution, and bitcoin mining. There’s even a chance I could have logged on to a malicious hotspot that looked like the hospital network.

Like many public Wi-Fi spots, the hospital’s network could lack encryption, which is a security measure that scrambles the information sent from my computer to the hospital’s router so other people can’t read it. Minus encryption, whatever I send over the hospital’s network could potentially be intercepted and used maliciously by cybercriminals.

Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

Rising Star: VPNpublic wi-fi risks

The solution to risky public Wi-Fi? A Virtual Private Network (VPN). A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your online activity by encrypting your data when you connect to the internet from a remote or public location. A VPN also conceals your location, IP address, and online activity.

Using a VPN helps protect you from potential hackers using public Wi-Fi, which is one of their favorite easy-to-access security loopholes.

Who Needs a VPN?

If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

A VPN can mask, or scramble, your physical location, banking account credentials, and credit card information.

Also, if you have a family data plan you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. Using a VPN, this habit would be secured from criminal sniffers and snoopers.

A VPN allows you to connect to a proxy server that will access online sites on your behalf and enables a secure connection most anywhere you go. A VPN also allows hides your IP address and allows you to browse anonymously from any location.

How VPNs work

To use a VPN you subscribe to VPN service, download the app onto your desktop or phone, set up your account, and then log onto a VPN server to conduct your online activity privately.

If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

Stay Safe on Public Wi-Fi 

Verify your connection. Fake networks that mine your data abound. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee. Also, only use Wi-Fi that requires a password to log on.public wi-fi risks

Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disable your Wi-Fi from the network when you are finished using it.

Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

Look for the HTTPS. Fake or unsecured websites will not have the HTTPS in their address. Also, look for the little lock icon in the address bar to confirm a secure connection.

Secure your devices. Use a personal VPN as an extra layer of security against hackers and malware.

The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account

Online Dating ScamsIt’s hard to believe that as savvy as we’ve become about our tech, people are still getting catfished, scammed, and heartbroken in their pursuit of love online.

The dinner conversation between bystanders goes something like this: “How could anyone be so dumb? Seriously? If they are going to be that reckless and uninformed, then maybe they deserve what they got!”

Some friends and I recently had a similar conversation about online dating scams. I noticed, however, that one friend, Sarah*, wasn’t so eager to jump into the conversation. She shrunk back in the booth and quietly sipped her margarita. Only later did she share her story with me.

The power of love

A single mom in her late 40s, well-educated, and attractive, Sarah’s teenager had convinced her to join a dating site the year before. She was especially lonely after her divorce three years earlier, so she agreed to create a profile on a popular dating app. After a handful of dates fell flat, she found Scott. He was charismatic, kind. “We had an instant connection,” according to Sarah. They spent hours on the phone sharing their deepest secrets and even started imagining a future together. But after about three months, Scott fell on hard times. At first, he needed to borrow $400 to pay for airfare to visit a dying relative, which he paid back immediately. Over the next few months, the numbers grew to $1,000 for rent and $3,000 for a business venture.

Online Dating Scams

Before long, Sarah had loaned her new love over $8,500. When she pressed him to repay the money, Scott ghosted Sarah online, moved out of town, and she never saw him again. My friend didn’t share her story with many people. She didn’t report it. She was too embarrassed and humiliated and even became depressed following what she calls “the Scott scam.” Her trust in other people and in love itself has been obliterated.

Sarah’s story doesn’t just echo that of desperate, clueless people, or lonely older women. Scammers are targeting good people who still believe in and value love and companionship. The pursuit of love online extends to adults as well as teens.

Confidence Fraud

Law enforcement calls these kinds of online romance scams confidence fraud because scammers will take a considerable amount of time gaining the trust and confidence of their victims. They will appear empathetic and supportive as they gather personal information they can use over time to carry out their scam.

According to the Federal Bureau of Investigation (FBI) confidence fraud has jumped 20% in the past year despite reports and warnings — especially around this time of year.

The FBI’s Internet Crime Complaint Center (IC3) reports that romance scams top all other financial online crimes. In 2016, people reported almost 15,000 romance scams to IC3 (nearly 2,500 more than the previous year), with losses exceeding $230 million.

Tips for Safe Online Dating

Never send money. Be it a romantic relationship you’ve engaged with or a phishing email, no matter the sob story, do not send money to anyone online. If you do send money, put a loan agreement in place that is legally enforceable should one party default.

Suspicious behavior. If someone promises to meet you somewhere but keeps canceling or if he or she refuses to video chat, those are red flags. Technology means anyone from anywhere in the world can successfully maintain a scam.Online Dating Scams

Take things slow. If someone is pushing the pace of a relationship or too quick to declare love and talk about the future, pause and assess the situation.

Do a background check. Love is a powerful force and can easily cloud a person’s correct understanding of reality. If you dare to create a dating profile, make a deal with yourself that you will extend the same courage to doing a background check on someone.

Be a sleuth. Don’t be afraid to gather facts on someone you’ve met online. Simple steps such as Googling the person’s name or dropping their photo in Google’s Reverse Image Search will help you get a better understanding of a person. Have faith: Good, legitimate people do exist. However, if there’s anything dubious, it’s best to find it out earlier rather than later. Part of doing your homework is tracking down mutual friends and making inquiries about the person you are talking with online.

Keep your social profiles private. Experts agree that you should edit your online footprint before you start dating people you’ve met online. Making your Instagram, Twitter, and Facebook private will guard you against potential.

Never send racy photos. Some scammers gain the confidence of their victims with every intention of extorting them in the future. They will threaten to send any racy photos with your family, friends, or business associates. The best way to avoid this is to never, ever send racy photos to anyone.Online Dating Scams

Google yourself, restrict info. Google yourself to see if there are any digital breadcrumbs that give away your home address or phone number. If possible, delete or revise that info. Likewise, go through your social accounts and remove any personal information you’ve shared in the past. Digital stalking is a risk for people who date online so turn off GPS on your dating apps and make sure your profile information is vague. Even if you get comfortable online with others, never get too comfortable since apps have privacy loopholes that can easily be exploited by hackers.

Take solid precautions. Enlist at least one friend as your dating safety pal. This will be the person who knows where you are going, who you will be with, and the background on the person you are meeting. Ask that person to check in with you during the date and carry pepper spray or a taser for physical protection. Go the extra step and turn on your Friend Finder or a location app that allows safety friend to track your whereabouts during a date.

*Names have been changed

The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blogs.

Safer Internet Day 2019 – Together for a Better Internet

What You Can Do Today to Help Create a Better Internet

 

Today is Safer Internet Day (SID) – an annual worldwide event to encourage us all to work together to create a better internet. Celebrated globally in over 130 countries, SID is an opportunity for millions of people worldwide to come together to inspire positive change and raise awareness about the importance of online safety.

The theme for 2019 is: ‘Together for a Better Internet’ which I believe is a timely reminder of the importance of us all working together if we are serious about making the internet a safer place. Whether we are parents, carers, teachers or just avid users, we all have a part to play.

The 4R’s of Online Safety

In order to make a positive change to our online world, this year we are being encouraged to focus on four critical skills that many experts believe will help us all (especially our kids) better navigate the internet and create a more positive online environment. Let’s call them the 4R’s of online safety: Respect, Responsibility, Reasoning and Resilience. So, here is my advice on what we can do to try and incorporate these four important skills into our family’s digital lives

  1. Respect – ‘I treat myself and others the way I like to be treated’

I firmly believe that having respect for others online is critical if we are going to foster a safer and more supportive internet for our children and future generations. While many parents realise that our constant reminders about the importance of good manners and respect must also now be extended to include the online world, not everyone is on the same page.

Keyboard warriors who fire off abusive comments online, or harass and troll others clearly do not have any notion of online respect. Online actions can have serious real-world implications. In fact, online actions can often have more significant implications as the dialogue is not just contained to a few, rather it is witnessed by everyone’s online friends which could stretch into the 1000’s. Such public exchanges then create the opportunity for commentary which often further magnifies the hurt and fallout.

It is therefore essential that we have very direct conversations with our children about what is and isn’t appropriate online. And if there is even any confusion, always revert to one of my favourite lessons from my Sunday School days: treat others how you would like to be treated yourself.

  1. Responsibility – ‘I am accountable for my actions and I take a stand when I feel something is wrong’

In my opinion, teaching our kids online responsibility is another important step in making the internet a better place. Ensuring our kids understand that they are not only responsible but accountable for their behaviour is essential. If they harass or bully others online, or are involved in sending inappropriate pics, there are consequences that could quite possible include interactions with the police department.

But being responsible online also means getting involved if you feel something isn’t right. Whether a mate is on the receiving end of online harassment or a cruel joke, getting involved and telling the perpetrator that their behaviour ‘isn’t cool’ is essential.

  1. Reasoning – ‘I question what is real’

Teaching our kids to think critically is an essential survival skill for our kids in our content-driven online world. We need our kids to question, analyse and verify online content. They need to be able to identify reputable and credible sources and think carefully before they share and digest information.

The best thing we can do as parents is challenge our kids and get them thinking! If for example, your child is researching online for a school assignment then get them thinking. Ask them what agenda the author of the article has. Ask them whether there is a counter argument to the one laid out in the article. Ask them whether the source sharing the information is trustworthy. The aim is to teach them to question and not take anything they find online at face value.

  1. Resilience – ‘I get back up from tough situations’

Unfortunately, the chances that your child will experience some challenges online is quite high. Whether someone posts a mean comment, they are harassed, or worst case, cyberbullied – these nasty online interactions can really hurt.

Ensuring your kids know that they can come to you about any issue they experience is essential. And you need to repeat this to them regularly, so they don’t forget! And if your child does come to you with a problem they experienced online, the worst thing you can do is threaten to disconnect them. If you do this, I guarantee you that they will never share anything else with you again.

In 2014, Parent Zone, one of the UK’s leading family digital safety organisations collaborated with the Oxford Internet Institute to examine ways to build children’s online resilience. The resulting report, A Shared Responsibility: Building Children’s Online Resilience, showed that unconditional love and respect from parents, a good set of digital skills plus the opportunity for kids to take risks and develop strategies in the online world – without being overly micro-managed by their parents – were key to building online resilience.

So, love them, educate them and give them some independence so they can start to take some small risks online and start developing resilience.

What Can You Do this Safer Internet Day?

Why not pledge to make one small change to help make the internet a better place this Safer Internet Day? Whether it’s modelling online respect, reminding your kids of their online responsibilities, challenging them to demonstrate reasoning when assessing online content or working with them to develop online resilience, just a few small steps can make a positive change.

 

 

 

 

 

The post Safer Internet Day 2019 – Together for a Better Internet appeared first on McAfee Blogs.

How Safe is Your Child’s School WiFi?

School WiFi. For many of our digital natives, school WiFi may even be a more important part of their daily life than the canteen!! And that is saying something…

You’d be hard pressed to find a child who rocked up to school without a device in their backpack in our digital age. The vast majority of schools have embraced the many positive learning benefits that internet-connected devices offer our kids. The traditional blackboard and textbook lessons that were confined to the four walls of the classroom are gone. Instead our kids can research, discover, collaborate, create and most importantly, learn like never before.

But in order for this new learning to occur, our kids need to be internet connected. And this is where school WiFi comes into play.

Do Parents Need to Be Concerned About School WiFi?

As parents, we have a responsibility to ensure our kids are safe and not at risk – and that includes when they are using the WiFi at school. Ideally, your child’s school should have a secure WiFi network but unfortunately, that doesn’t mean that they do. School budgets are tight and top-notch secure WiFi networks are expensive, so in some cases, security maybe jeopardised.

The other factor we shouldn’t ignore is that our batch of digital natives are very tech literate. The possibility that one of them may choose to cause some mayhem to their school WiFi network should also not be ignored!!

At the end of the day, the security of a WiFi network is all about whether it has tight access controls. If it allows only approved devices and people to connect via a secure login then it is more secure than public WiFi. However, if it is open to anyone or easy for anyone to connect to it, then you need to treat it like public WiFi.

What Are the Risks?

An unsecured school WiFi network is as risky as public WiFi which, according to the Harvard Business Review, is as risky as rolling a dice,

Students and staff who use an unsecured WiFi network are at risk of receiving phishing emails, being the victim of a ransomware attack or even having their data or personal details stolen. There is also a risk that the entire school’s operations could be disrupted and possibly even closed down through a DDOS – a Denial of Service Attack.

What Can Parents Do to Ensure Their Kids Are Safe Using School WiFi?

There are several steps parents can take to minimise the risks when their offspring use school WiFi.

  1. Talk To Your School

The first thing to do is speak to your child’s school to understand exactly how secure their network is. I’d recommend asking who has access to the network, what security practices they have in place and how they manage your child’s private data.

  1. Install Security Software

Operating a device without security software is no different to leaving your front door unlocked. Installing security software on all devices, including smartphones, will provide protection against viruses, online threats, risky websites and dangerous downloads. Check out McAfee’s Total Protection security software for total peace of mind!

  1. Keep Device Software Up To Date

Software updates are commonly designed to address security issues. So ensuring ALL your devices are up to date is a relatively easy way of minimising the risk of being hacked.

  1. Schedule Regular Data Back Up

If you are the victim of a ransomware attack and your data is backed up then you won’t even have to consider paying the hefty fee to retrieve your (or your child’s) data. Backing up data regularly should be not negotiable however life can often get in the way. Why not schedule automatic backups? I personally love online backup options such as Dropbox and Google Drive however you may choose to invest in a hard drive.

  1. Public Wi-Fi Rules?

If after talking to your school, you aren’t convinced that your child’s school WiFi network is secure, then I recommend that your kids should treat it as if it was public WiFi. This means that they should NEVER conduct any financial transactions using it and never share any personal details. But the absolute best way of ensuring your child is safe using an unsecured WiFi network, is to use a Virtual Private Network (VPN). A VPN like McAfee’s Safe Connect creates an encrypted tunnel so anything that is shared over WiFi is completely safe.

As a mum of 4, I am very keen to ensure my kids are engaged with their learning. And in our digital times, this means devices and WiFi. So, let’s support our kids and their teachers in their quest for interactive, digital learning but please don’t forget to check in and ensure your kids are as safe as possible while using WiFi at school.

Take Care

Alex xx

The post How Safe is Your Child’s School WiFi? appeared first on McAfee Blogs.