Category Archives: Cybercrime

Targeted online messaging dissuading young gamers from getting involved in cybercrime

Highly-targeted messaging campaigns from law enforcement can be surprisingly effective at dissuading young gamers from getting involved in cybercrime, a new study has suggested. Law enforcement interventions The study, by researchers from the University of Cambridge and University of Strathclyde, looked at four different types of law enforcement interventions, the first evaluation of their effectiveness for this particular type of cybercrime. They found that while high-profile arrests and sentencing of cybercriminals only lead to … More

The post Targeted online messaging dissuading young gamers from getting involved in cybercrime appeared first on Help Net Security.

Deepfakes and voice as the next data breach

Deepfake technology, which uses deep learning to create fake or altered video and audio content, continues to pose a major threat to businesses, consumers, and society as a whole. In the lead up to the 2020 U.S. presidential election, government officials have expressed concerns about potential deepfake attacks to spread misinformation, and evidence suggests that while this technology is advancing rapidly, governments and tech companies are still ill-prepared to detect and combat it. Deepfakes caught … More

The post Deepfakes and voice as the next data breach appeared first on Help Net Security.

Want Your Kids to Care More About Online Safety? Try These 7 Tips

The topics parents need to discuss with kids today are tougher than they were even a few years ago. Digital scams are getting more sophisticated, and the social culture poses new, more inherent risks. Weekly, we have to broach very adult conversations with our kids. Significant conversations about sexting, bullying, online scams, identity fraud, hate speech, exclusion, and sextortion all have to be covered, but we have to do it in ways that matter to kids.

With 95% of teens now having access to a smartphone and 45% online “almost constantly,” it’s clear we can’t monitor conversations, communities, and secret apps around the clock. So the task for parents is to move from a mindset of “protect” to one of “prepare” if we hope to get kids to take charge of their privacy and safety online.

Here are a few ideas on how to get these conversations to stick.

  1. Bring the headlines home. A quick search of your local or regional headlines should render some examples of kids who have risked and lost a lot more than they imagined online. Bringing the headlines closer to home — issues like reputation management, sex trafficking, kidnapping, sextortion, and bullying — can help your child personalize digital issues. Discussing these issues with honesty and openness can bring the reality home that these issues are real and not just things that happen to other people.
  2. Netflix and discuss. Hollywood has come a long way in the last decade in making films for tweens and teens that spotlight important digital issues. Watching movies together is an excellent opportunity to deepen understanding and spark conversation about critical issues such as cyberbullying, teen suicide, sextortion, catfishing, stalking, and examples of personal courage and empathy for others. Just a few of the movies include Cyberbully, 13 Reasons Why (watch with a parent), Eighth Grade, Searching, Bully, Disconnect. Character building movies: Dumplin’, Tall Girl, Wonder, Girl Rising, The Hate U Give, Mean Girls, and the Fat Boy Chronicles, among many others.
  3. Remove phones. Sometimes absence makes the heart grow appreciative, right? Owning a phone (or any device) isn’t a right. Phone ownership and internet access are a privilege and a responsibility. So removing a child’s phone for a few days can be especially effective if your child isn’t listening or exercising wise habits online. One study drives this phone dependency home: last year researchers polled millennials who said they’d rather give up a finger than their smartphones. So, this tactic may prove to be quite effective.
  4. Define community. Getting kids to be self-motivated about digital safety and privacy may require a more in-depth discussion on what “community” means. The word is used often to describe social networks, but do we really know and trust people in our online “communities?” No. Ask your child what qualities he or she values in a friend and who they might include in a trusted community. By defining this, kids may become more aware of who they are letting in and what risks grow when our digital circles grow beyond trusted friends.
  5. Assume they are swiping right. Dating has changed dramatically for tweens and teens. Sure there are apps like MeetMe and Tinder that kids explore, but even more popular ways to meet a significant other are everyday social networks like Snapchat, WhatsApp, and Instagram, where kids can easily meet “friends of friends” and start “talking.” Study the pros and cons of these apps. Talk to your kids about them and stress the firm rule of never meeting with strangers.
  6. Stay curious. Stay interested. If you, as a parent, show little interest in online risks, then why should your child? By staying curious and current about social media, apps, and video games, your kids will see that you care about, and can discuss, the digital pressures that surround them every day. Subscribe to useful family safety and parenting blogs and consider setting up Google Alerts around safety topics such as new apps, teens online, and online scams.
  7. Ask awesome questions. We know that lectures and micromanaging don’t work in the long run, so making the most of family conversations is critical. One way to do this is to ask open-ended questions such as “What did you learn from this?” “What do you like or dislike about this app?” “Have you ever felt unsafe online?” and “How do you handle uncomfortable or creepy encounters online?” You might be surprised at where the conversations can go and the insight you will gain.

Make adjustments to your digital parenting approach as needed. Some things will work, and others may fall flat. The important thing is to keep conversation a priority and find a rhythm that works for your family. And don’t stress: No one has all the answers, no one is a perfect parent. We are all learning a little more each day and doing the best we can to keep our families safe online.

Be Part of Something Big

October is National Cybersecurity Awareness Month (NCSAM). Become part of the effort to make sure that our online lives are as safe and secure as possible. Use the hashtags #CyberAware, #BeCyberSafe, and #NCSAM to track the conversation in real-time.

The post Want Your Kids to Care More About Online Safety? Try These 7 Tips appeared first on McAfee Blogs.

Emsisoft released a free decryption tool for the STOP (Djvu) ransomware

Emsisoft has released a new free decryption tool for the STOP (Djvu) ransomware; in recent months the company’s research team has also helped victims of many other threats.

STOP (Djvu) ransomware has 160 variants that have infected hundreds of thousands of victims worldwide. Experts estimate a total of 460,000 victims, which makes this threat the most active and widespread ransomware today.

According to data included in Emsisoft’s Ransomware Statistics report for Q2 and Q3 2019, Djvu ransomware accounts for more than half of all ransomware submissions worldwide.

For the first time, a decryptor used a side-channel attack on the ransomware’s keystream.

“We’ll be breaking STOP’s encryption via a side-channel attack on the ransomware’s keystream. As far as we know, it’s the first time this method has been used to recover ransomware-encrypted files on such a large scale.” reads the post published by Emsisoft.

The Djvu ransomware encrypts the victim’s files with the Salsa20 stream cipher and appends one of dozens of extensions to filenames, such as “.djvu”, “.rumba”, “.radman”, “.gero”, etc.
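As an added illustration, not code from Emsisoft and not a description of their decryptor’s actual method (which the post does not detail), the Python below shows the generic property of stream ciphers that any attack on a keystream rests on: Salsa20, like every stream cipher, produces ciphertext as plaintext XOR keystream, so a keystream that is reused across files is exposed by a single file whose original is known. The keystream generator is a labelled stand-in built from SHA-256, not Salsa20, and all keys, nonces and file contents are constructed.

```python
"""Keystream recovery from a known plaintext/ciphertext pair.

Added example for this page. It is not Emsisoft's code and does not claim to
be the specific technique behind their STOP/Djvu decryptor, which the post
above does not detail. It shows the general property every stream cipher has,
Salsa20 included: ciphertext = plaintext XOR keystream, so if one keystream
is ever reused across files, one file whose original is known (a sample
image, a stock DLL, a file the victim still has a copy of) yields the
keystream for every other file encrypted under it.

The keystream generator is a deliberately simple stand-in (SHA-256 in
counter mode) so the block runs offline; it is NOT Salsa20. Keys, nonces and
file contents below are constructed.
"""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream generator: concatenated SHA-256(key||nonce||counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; output is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """P XOR (P XOR KS) = KS: a known pair leaks the keystream, no key needed."""
    return xor_bytes(known_plain, known_cipher)


def decrypt_with_recovered(recovered_ks: bytes, cipher: bytes) -> bytes:
    """Decrypt as much of `cipher` as the recovered keystream covers.

    A longer file only gets its prefix back; the remainder needs a longer
    known file (or the real key)."""
    return xor_bytes(cipher, recovered_ks)


# Constructed victim scenario (hypothetical key, nonce and file contents).
KEY = bytes(range(32))
NONCE = b"\x00" * 8
KNOWN_PLAIN = b"%PDF-1.4 sample known file contents " * 3           # 108 bytes
SECRET_PLAIN = b"Confidential document the victim wants back. " * 4  # 180 bytes


def recovery_works(secret_nonce: bytes) -> bool:
    """True iff the keystream taken from the known pair decrypts the secret
    file's first len(KNOWN_PLAIN) bytes. That only happens when the secret
    file was encrypted under the same key and nonce (the reuse case)."""
    enc_known = encrypt(KEY, NONCE, KNOWN_PLAIN)
    enc_secret = encrypt(KEY, secret_nonce, SECRET_PLAIN)
    ks = recover_keystream(KNOWN_PLAIN, enc_known)
    return decrypt_with_recovered(ks, enc_secret) == SECRET_PLAIN[: len(ks)]


if __name__ == "__main__":
    print("same nonce, keystream reused:", recovery_works(NONCE))        # True
    print("fresh nonce, no reuse:       ", recovery_works(b"\x01" * 8))  # False
```

The practical consequence for a victim is that an untouched copy of any encrypted file (an installer, a sample picture, an e-mail attachment still in the mailbox) is worth keeping: if the strain reused its keystream, that pair is what a decryptor needs, and if it used a fresh key per file, the second call above shows the recovered keystream is useless against other files.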

The price of the private key and decryption software is $980; victims receive a 50% discount if they contact the crooks within the first 72 hours.

The Djvu ransomware is mainly delivered through key generators and cracks. Experts pointed out that some versions of STOP also bundle additional malicious payloads, including password stealers, so victims should assume credentials used on the infected machine are compromised and change them after cleanup, not just recover their files.

The decryptor released by Emsisoft can recover, for free, files encrypted by 148 of the 160 variants, meaning approximately 70% of victims will be able to recover their data. Currently it is not possible to decrypt files encrypted by the remaining 12 variants.

Below are the key findings shared by the company:

  • The tool will recover files encrypted by 148 of the 160 known STOP variants and will enable approximately 70% of victims to recover their data without paying the ransom.
  • STOP has claimed more victims than any other currently active ransomware: 116k confirmed and 460K estimated.
  • The encryption is being broken via a side-channel attack on the keystream. This will be the first time ransomware has been decrypted this way on such a large scale (as far as we know). 
  • Because of the number of victims, we will not be able to provide one-on-one help for those who need assistance using the tool. The volunteer community at Bleeping Computer has, however, agreed to act as an unofficial support channel for this tool and will be providing help to those who need it. We greatly appreciate their efforts and willingness to help. Some words from Bleeping Computer’s Lawrence Abrams are below. 

Download the STOP Djvu Decryptor here

Pierluigi Paganini

(SecurityAffairs – Djvu ransomware, malware)

The post Emsisoft released a free decryption tool for the STOP (Djvu) ransomware appeared first on Security Affairs.

1 in 5 SMBs have fallen victim to a ransomware attack

Ransomware remains the most common cyber threat to SMBs, according to a Datto survey of more than 1,400 MSP decision makers that manage the IT systems for small-to-medium-sized businesses. SMBs are a prime target While it is used against businesses of all sizes, SMBs have become a prime target for attackers. The report uncovered a number of ransomware trends specifically impacting the SMB market: Ransomware attacks are pervasive. The number of ransomware attacks against SMBs … More

The post 1 in 5 SMBs have fallen victim to a ransomware attack appeared first on Help Net Security.

WAV files spotted delivering malicious code

Attackers have embedded crypto-mining and Metasploit code into WAV audio files to stymie threat detection solutions. “All WAV files discovered adhere to the format of a legitimate WAV file (i.e., they are all playable by a standard audio player),” Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance, told Help Net Security. “One WAV file contained music with no indication of distortion or corruption and the others contained white noise. One of the WAV … More

The post WAV files spotted delivering malicious code appeared first on Help Net Security.

Fake mobile app fraud tripled in first half of 2019

In Q2 2019, RSA Security identified 57,406 total fraud attacks worldwide. Of these, phishing attacks were the most prevalent (37%), followed by fake mobile apps (usually apps posing as those of popular brands). But while phishing went up by just 6 percent when the numbers from 1H 2019 are compared to those from 2H 2018, attacks via financial malware and rogue mobile apps have increased significantly (80 and 191 percent, respectively). “The fact that fraud … More

The post Fake mobile app fraud tripled in first half of 2019 appeared first on Help Net Security.

What is the Future of Cybersecurity?

We all know of the exponential growth of cybercrime. The question now is, how do we stay ahead of a possible data breach? Some experts in the commercial real estate industry have their say on what’s in store for cybersecurity.

We’ve all heard of the recent Capital One breach, in which a single person was able to access roughly 100 million credit card applications and customer accounts. Various real estate executives started scrutinizing their systems and data to determine how safe they are against cyber intrusions. By 2021, cybercrime damages are projected to reach trillions of dollars worldwide, so businesses need to be on top of the situation.

The automation of building processes and functions has also increased the need for cybersecurity, and the spread of the Internet of Things has pushed more information to the cloud. Machine learning and artificial intelligence have become more efficient, reducing the potential for human error, but the same connected systems also widen the possibilities for cyber threats. Since building technology changes every day, what then happens to cybersecurity?

Cybersecurity isn’t only a concern for computers and smartphones, but for the entire infrastructure. The commercial real estate industry often overlooks the security of its physical assets and focuses only on the interconnected devices of its employees. Attacks on building systems have been occurring rampantly, and many operators and owners only decide to spend money on cybersecurity after hackers wreak havoc on their business.

A hacker can change the security systems, open or lock doors, or shut down the electricity. Building owners prioritize cybersecurity when it’s too late. IBM’s 2019 Cost of a Data Breach Report found that it takes about 279 days on average to identify and contain a breach, and around 314 days when the breach is caused by a malicious attack.

Today, hackers perform sophisticated attacks that don’t only infiltrate technology and machines. Phishing schemes target high-level deal makers and executives. A cybercriminal may write to a manager claiming that payment for a transaction he closed recently has not been received. The organization may not be liable in this example, but the scenario reflects poorly on it and may cause problems handling future transactions.

The recent Commercial Real Estate Outlook released by Deloitte found that the top three effects of cybersecurity breaches are:

  • damage to reputation
  • financial fraud and theft
  • identity theft.

What’s missing?

According to experts, the only way to reduce cyber-attack risks to businesses and assets is to invest in an appropriate cybersecurity program. IBM estimated the average total cost of a data breach at about $3.9 million. Forming an incident response team and using encryption extensively can each lessen the cost of a major breach by about $360,000.

The success of a cybersecurity program relies on having a sustainable plan to address specific risks to the organization. Although real estate companies aren’t in the business of cybersecurity, they still must determine the risks, limitations, and budgets in countering any cyber-attacks. 

In a Deloitte survey, respondents reported the top three challenges of cybersecurity management:

  • rising complexities and accelerated IT changes
  • lack of administration detailed response
  • ineffective security fixes due to interoperability and functionality issues

Extensive prevention programs don’t need to be complicated. Executives must see cybersecurity as an ongoing process and not as a one-time incident.

Conventional IT organizations routinely assess risk across industries, but few talk about the operational technology of buildings and its risks. Operators and owners must be proactive instead of reactive in preparing against cyber-attacks, so cybersecurity standards must keep pace with continually evolving building technology. Board members and leaders must be in the loop to keep security closely aligned with business strategy. They also need to conduct cyber risk assessments and scenario planning and ensure employees are aware of their responsibilities. Everyone must practice vigilance.

The significance of cybersecurity will continue to grow as threats and business scenarios become more complex. Regulatory oversight can also take a more active role and must cut across geographies.

The Cybersecurity Outlook

The compelling question is, “who should be most responsible for the cybersecurity of a real estate company?” Some argue that the data property owners collect from their tenants is the core issue, because protection of sensitive information and system data must be paramount, and that building management staff must be accountable for specific events that can occur. Other experts point to the IT department as the primary group that must put a robust cybersecurity program in place together with the IT infrastructure.

Building owners and operators must be aware of the risks and understand that every function and department must be involved in preventing or mitigating cyber-attacks.

The best answer lies in the middle. Many experts believe that building operators and owners must engage both outside vendors and their internal IT providers for every property they own, and draft a plan to protect both the physical assets and the network. The solution emerges when the puzzle pieces fit together, whether that means integrating a technology system into real estate or vice versa.

Excellent cyber hygiene begins with data governance. In a building organization, cybersecurity isn’t just an IT issue but a risk mitigation issue. Each individual and department has a significant role to play in thwarting cybersecurity attacks.

Final Remarks

Cybersecurity is an issue that concerns everyone in the commercial real estate industry. Hackers and cybercriminals perform coordinated and sophisticated attacks that can breach even well-secured IT infrastructure, so organizations must take bold steps to counter them. They lose more money if they aren’t earnest in protecting their infrastructure and physical assets, and that isn’t the only cost: they also lose credibility, and their reputation suffers when they become victims of malicious and fraudulent attacks. Instituting a robust cybersecurity program is now a requirement and not just a whim.

The post What is the Future of Cybersecurity? appeared first on .

15 Easy, Effective Ways to Start Winning Back Your Online Privacy


Someone recently asked me what I wanted for Christmas this year, and I had to think about it for a few minutes. I certainly don’t need any more stuff. However, if I could name one gift that would make me absolutely giddy, it would be getting a chunk of my privacy back.

Like most people, the internet knows way too much about me — my age, address, phone numbers and job titles for the past 10 years, my home value, the names and ages of family members  — and I’d like to change that.

But there’s a catch: Like most people, I can’t go off the digital grid altogether because my professional life requires me to maintain an online presence. So, the more critical question is this:

How private do I want to be online?  

The answer to that question will differ for everyone. However, as the privacy conversation continues to escalate, consider a family huddle. Google each family member’s name, review search results, and decide on your comfort level with what you see. To start putting new habits in place, consider these 15 tips.

15 ways to rein in your family’s privacy

  1. Limit public sharing. Don’t share more information than necessary on any online platform, including private texts and messages. Hackers and cyber thieves mine for data around the clock.
  2. Control your digital footprint. Limit information online by a) setting social media profiles to private, b) regularly editing friends lists, c) deleting personal information on social profiles, d) limiting app permissions and browser extensions, and e) being careful not to overshare.
  3. Search incognito. Use your browser in private or incognito mode to reduce some tracking and auto-filling. Keep in mind that it only stops the browser from keeping local history and cookies; your network provider and the sites you visit still see your traffic.
  4. Use secure messaging apps. While WhatsApp has plenty of safety risks for minors, in terms of data privacy it’s a winner because it includes end-to-end encryption that prevents anyone in the middle from reading the content of private communications, though the provider still sees metadata such as who you message and when.
  5. Install an ad blocker. If you don’t like the idea of third parties following you around online, and peppering your feed with personalized ads, consider installing an ad blocker.
  6. Remove yourself from data broker sites. Dozens of companies can harvest your personal information from public records online, compile it, and sell it. To delete your name and data from companies such as PeopleFinder, Spokeo, White Pages, or MyLife, make a formal request to the company (or find the opt-out button on their sites) and follow up to make sure it was deleted. If you still aren’t happy with the amount of personal data online, you can also use a fee-based service such as DeleteMe.com.
  7. Be wise to scams. Don’t open strange emails, click random downloads, connect with strangers online, or send money to unverified individuals or organizations.
  8. Use bulletproof passwords. When it comes to data protection, the strength of your password matters, and so do basic best practices such as using a different password for every account and keeping them in a password manager.
  9. Turn off devices. When you’re finished using your laptop, smartphone, or IoT devices, turn them off to shrink the window in which they can be attacked remotely.
  10. Safeguard your SSN. Just because a form (doctor, college and job applications, ticket purchases) asks for your Social Security Number (SSN) doesn’t mean you have to provide it.
  11. Avoid public Wi-Fi. Public networks are targets for hackers who are hoping to intercept personal information; opt for the security of a family VPN.
  12. Purge old, unused apps and data. To strengthen security, regularly delete old data, photos, apps, emails, and unused accounts.
  13. Protect all devices. Make sure all your devices are protected against viruses and malware with reputable security software.
  14. Review bank statements. Check bank statements often for fraudulent purchases and pay special attention to small transactions.
  15. Turn off Bluetooth. Bluetooth technology is convenient, but outside sources can compromise it, so turn it off when it’s not in use.

Is it possible to keep ourselves and our children off the digital grid and lock down our digital privacy 100%? Sadly, probably not. But one thing is for sure: We can all do better by taking specific steps to build new digital habits every day.


The post 15 Easy, Effective Ways to Start Winning Back Your Online Privacy appeared first on McAfee Blogs.

Cybercrime is maturing, shifting its focus to larger and more profitable targets

Cybercrime is continuing to mature and becoming bolder, shifting its focus to larger and more profitable targets as well as new technologies. Data is the key element in cybercrime, both from a crime and an investigative perspective. These key threats demonstrate the complexity of countering cybercrime and highlight that criminals only innovate their criminal behavior when existing modi operandi have become unsuccessful or more profitable opportunities emerge. In essence, new threats do … More

The post Cybercrime is maturing, shifting its focus to larger and more profitable targets appeared first on Help Net Security.

RCMP charges two in Montreal over Bell customer data theft

RCMP arrested two Montrealers on charges of stealing Bell customer data. Nana Koranteng and Jesiah Russel-Francis were arrested by RCMP on Oct. 8th, 2019, on charges of unauthorized use of a computer, fraud over $5000, conspiracy to commit fraud, laundering proceeds of crime, identity theft, and identity fraud. In 2018, RCMP initiated an investigation after…

BEC explodes as attackers exploit email’s identity crisis

850,000 domains worldwide now have DMARC records, a 5x increase since 2016, according to Valimail. However, less than 17% of global DMARC records are at enforcement — meaning fake emails that appear to come from those domains are still arriving in recipients’ inboxes. Among large companies, only one in five enterprise DMARC records is at enforcement, a significant factor in the wild success of business email compromise (BEC) attacks, which has produced more than $26 … More
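The distinction between “has a DMARC record” and “at enforcement” is mechanical, and worth checking for your own domains: a record only causes receivers to act on spoofed mail when its p= tag is quarantine or reject, pct is 100, and sp= does not quietly exempt subdomains. The Python below, added here as an example and not code from Valimail or Help Net Security, parses the RFC 7489 tag syntax and classifies constructed sample records; the domains are placeholders and no DNS lookup is performed (a live check would read the TXT record at `_dmarc.<domain>` and feed it to the same functions).

```python
"""Classify DMARC records by whether they actually enforce a policy.

Added example for this archive page, not code from Valimail or Help Net
Security. It parses the tag=value syntax of RFC 7489 and reports whether a
record would cause receivers to act on spoofed mail. The sample records and
domains below are constructed placeholders; nothing is looked up in DNS.
"""
import re

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example":      "v=DMARC1; p=quarantine; pct=10; rua=mailto:d@partial.example",
    "strict.example":       "v=DMARC1; p=reject; sp=none; adkim=s; aspf=s",
    "not-dmarc.example":    "v=spf1 include:_spf.not-dmarc.example -all",
}


def parse_dmarc(record: str) -> dict:
    """Return the record's tags as a dict, or {} if it is not a DMARC record.

    RFC 7489 requires 'v=DMARC1' to be the first tag; receivers ignore
    anything else, so we ignore it too.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        return {}
    tags = {}
    for part in parts:
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def enforcement(record: str) -> str:
    """Classify a record: 'invalid', 'none', 'partial' or 'enforced'.

    'none'     p=none: receivers only send reports, spoofed mail still lands.
    'partial'  p=quarantine/reject but pct<100: only that share of failing
               mail is acted on; the rest is treated as p=none.
    'enforced' p=quarantine or p=reject applied to all failing mail.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"          # not DMARC, or no usable p= tag
    if policy == "none":
        return "none"
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 per the RFC
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    return "enforced" if pct == 100 else "partial"


def subdomain_gap(record: str) -> bool:
    """True when the organizational domain is enforced but 'sp=none' leaves
    subdomains without a record of their own unprotected, so mail can still
    be spoofed from e.g. billing.<domain>."""
    tags = parse_dmarc(record)
    return enforcement(record) == "enforced" and tags.get("sp", "").lower() == "none"


def enforcement_share(records: dict) -> float:
    """Fraction of valid DMARC records that are fully enforced."""
    levels = [enforcement(r) for r in records.values()]
    valid = [lv for lv in levels if lv != "invalid"]
    return sum(lv == "enforced" for lv in valid) / len(valid) if valid else 0.0


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        flag = " (sp=none: subdomains unprotected)" if subdomain_gap(rec) else ""
        print(f"{domain:22} {enforcement(rec)}{flag}")
    print(f"share at enforcement: {enforcement_share(SAMPLE_RECORDS):.0%}")
```

Of the three valid sample records only one counts as enforced, which is the kind of ratio the Valimail figures describe; the `partial` and `sp=none` cases are the ones that look protected in a casual check and are not.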

The post BEC explodes as attackers exploit email’s identity crisis appeared first on Help Net Security.

Stay Smart Online Week 2019

Let’s Reverse the Threat of Identity Theft!!

Our online identities are critical. In fact, you could argue that they are our single most unique asset. Whether we are applying for a job, a mortgage or even starting a new relationship, keeping our online identity protected, secure and authentic is essential.

This week is Stay Smart Online Week in Australia, an initiative by the Australian Government to encourage us all to take a moment and rethink our online safety practices. This year the theme is ‘Reverse the Threat’, which is all about encouraging Aussies to take proactive steps to control their online identity and stop the threat of cybercrime.

What Actually Is My Online Identity?

On a simple level, your online identity is the reputation you have generated for yourself online, whether intentionally or unintentionally. So, an accumulation of the pics you have posted, the pages you have liked and the comments you have shared. Some refer to this as your personal brand. Proactively managing it is critical for employment prospects and possibly even potential relationship opportunities.

However, there is another layer to your online identity that affects more than just your job or potential career opportunities. And that’s the transactional component. Your online identity also encompasses all your online movements since the day you ‘joined’ the internet. So, every time you have registered for an online account; given your email address to gain access or log in; joined a social media platform; undertaken a web search; or made a transaction, you have contributed to your digital identity.

What Are Aussies Doing to Protect Their Online Identities?

New research from McAfee shows Aussies have quite a relaxed attitude to managing their online identities. In fact, a whopping two thirds (67%) of Aussies admit to being embarrassed by the content that appears on their social media profiles. And just to make the picture even more complicated, 34% of Aussies admit to never increasing the privacy on their accounts from the default privacy settings despite knowing how to.

Why Does My Online Identity Really Matter?

As well as the potential to hurt career or future relationship prospects, a relaxed attitude to managing our online identities could be leaving the door open for cybercriminals. If you are posting about recent purchases, your upcoming holidays and ‘checking-in’ at your current location then you are making it very easy for cybercriminals to put together a picture of you and possibly steal your identity. And having none or even default privacy settings in place effectively means you are handing this information to cybercrims on a platter!!

Is Identity Theft Really a Big Problem?

As at the end of June, the Australian Competition and Consumer Commission claims that Aussies have lost at least $16 million so far this year through banking scams and identity theft. And many experts believe that this statistic could represent the ‘tip of the iceberg’ as it often takes victims some time to realise that their details are being used by someone else.

Whether it’s phishing scams; texts impersonating banks; fake online quizzes; phoney job ads, or information skimmed from social media, cybercriminals have become very savvy at developing novel ways of stealing online identities.

What Can You Do to ‘Reverse the Threat’ and Protect Your Online Identity?

With so much at stake, securing your online identity is more important than ever. Here are my top tips on what you can do to give yourself every chance of securing your digital credentials:

  1. Passwords, Passwords, Passwords

As the average consumer manages a whopping 11 online accounts – social media, shopping, banking, entertainment, the list goes on – updating our passwords is an important ‘cyber hygiene’ practice that is often neglected.

Creating long and unique passwords using a variety of upper- and lowercase letters, numbers and symbols is an essential way of protecting yourself and your digital assets online. And if that all feels too complicated, why not consider a password management solution? Password managers help you create, manage and organise your passwords. Some security software solutions, such as McAfee Total Protection, include a password manager.

  2. Turn on Two-Factor Authentication Wherever Possible!

Enabling two-factor authentication for your accounts adds an extra layer of defence against cybercriminals. Two-factor authentication is simply a security process in which the user provides two different authentication factors to verify themselves before gaining access to an online account. As one of the verification methods is usually a one-off code delivered through a separate personal device like a smartphone, it makes it much harder for cybercriminals to gain access to a person’s device or online accounts even if they already have the password.

  3. Lock Down Privacy and Security Settings

Leaving your social media profiles on the ‘public’ setting means anyone who has access to the internet can view your posts and photos whether you want them to or not. While you should treat everything you post online as public, turning your profiles to private will give you more control over who can see your content and what people can tag you in.

  4. Use Public Wi-Fi With Caution

If you are serious about managing your online identity, then you need to use public Wi-Fi sparingly. Unsecured public Wi-Fi is a very risky business. Anything you share could easily find its way into the hands of cybercriminals. So, avoid sharing any sensitive or personal information while using public Wi-Fi. If you travel regularly or spend the bulk of your time on the road then consider investing in a VPN such as McAfee Safe Connect. A VPN (Virtual Private Network) encrypts your traffic, which means your login details and other sensitive information are protected in transit. A great insurance policy!

Thinking it all sounds a little too hard? Don’t! Identity theft happens to Aussies every day with those affected experiencing real distress and financial damage. So, do your homework and take every step possible to protect yourself, for as Benjamin Franklin said: ‘An ounce of prevention is worth a pound of cure’.

Alex xx

The post Stay Smart Online Week 2019 appeared first on McAfee Blogs.

Massive uptick in eCrime campaigns, retail among top targeted industries

There has been a massive uptick in eCrime cyber activity, a CrowdStrike report reveals. As Gartner states in the 2019 Magic Quadrant for Endpoint Protection Platform, “The skills requirement of EDR solutions compounded by the skills gap in most organizations is an impediment to the adoption of EDR in the mainstream market. As a result, product vendors are increasingly offering a fusion of products and services ranging from light incident response and monitoring through full … More

The post Massive uptick in eCrime campaigns, retail among top targeted industries appeared first on Help Net Security.

Aussies Fear Snakes, Spiders and Getting Hacked

Fears and phobias. We all have them. But what are your biggest ones? I absolutely detest snakes but spiders don’t worry me at all. Well, new research by McAfee shows that cybercriminals and the fear of being hacked are now the 5th greatest fear among Aussies.

With news of data breaches and hacking crusades filling our news feeds on a regular basis, many of us are becoming more aware of and concerned about the threats we face in our increasingly digital world. McAfee’s latest research confirms this, with hackers making their way into Australia’s Top 10 Fears.

According to research conducted by McAfee, snakes are the top phobia for Aussies, followed by spiders, heights and sharks. Cybercriminals and the fear of being hacked come in 5th place, beating the dentist, bees, ghosts, aeroplane travel and clowns!

Aussie Top 10 Fears and Phobias

  1. Snakes
  2. Spiders
  3. Heights
  4. Sharks
  5. Hackers/Cybercriminals
  6. The dentist
  7. Bees or wasps
  8. Ghosts
  9. Aeroplane travel
  10. Clowns

Why Do We Have Phobias?

Fears and phobias develop when we perceive that we are at risk of pain or, worse still, death. And while almost a third of respondents nominated snakes as their number one fear, there is less than a one-in-fifty-thousand chance of being bitten badly enough by a snake to warrant going to hospital in Australia, according to research from the Internal Medicine Journal.

In contrast, McAfee’s analysis of more than 108 billion potential online threats between October and December 2018 identified 202 million of these threats as genuine risks. With a global population of 7.5 billion, that means there is approximately a one in 37 chance of being targeted by cybercrime. While this is not a life-threatening situation, these statistics show that the chance of being affected by an online threat is very real.

What Are Our Biggest Cyber Fears?

According to the research, 82% of Aussies believe that being hacked is a growing or high concern. And when you look at the sheer number of reported data breaches so far this year, these statistics make complete sense. Data breaches have affected Bunnings staff, Federal Parliament staff, Marriott guests, Victorian Government staff, QLD Fisheries members, Skoolbag app users and Big W customers plus many more.

Almost 1 in 5 (19%) of those interviewed said their top fear at work is doing something that will result in a data security breach, leak sensitive information or infect their corporate IT systems.

The fear that we are in the midst of a cyberwar is another big concern for many Aussies. Cyberwar can be explained as a computer or network-based conflict where parties try to disrupt or take ownership of the activities of other parties, often for strategic, military or cyberespionage purposes. 55% of Aussies believe that a cyberwar is happening right now but we just don’t know about it. And a fifth believe cyber warfare is the biggest threat to our nation.

What Can We Do to Address Our Fear of Being Hacked?

Being proactive about protecting your online life is the absolute best way of reducing the chances of being hacked or being affected by a data breach. Here are my top tips on what you can do now to protect yourself:

  1. Be Savvy with Your Passwords

Using a password manager to create unique and complex passwords for each of your online accounts will definitely improve your online safety. If each of your online accounts has a unique password and you are involved in a breach, the hacker won’t be able to use the stolen password to log into any of your other accounts.

  2. Stop AutoFill on Chrome

Storing your financial data within your browser and being able to populate online forms within seconds makes the autofill function very attractive, but it is risky. Autofill will automatically fill out all fields on a page regardless of whether you can see all the boxes. You may think you are only entering your email address into an online form, but a savvy hacker could easily design a form with hidden boxes built to capture your financial information. So remove all your financial information from Autofill. I know this means you will have to enter your details manually each time you purchase, but your personal data will be better protected.

  3. Think Before You Click

One of the easiest ways for a cybercriminal to compromise a victim is by using phishing emails to lure consumers into clicking links for products or services that lead to malware, or to a phoney website designed to steal personal information. If the deal seems too good to be true, or the email was not expected, always check directly with the source.

  4. Stay Protected While You Browse

It’s important to put the right security solutions in place in order to surf the web safely. Add an extra layer of security to your browser with McAfee WebAdvisor.

  5. Always Connect with Caution

I know public Wi-Fi might seem like a good idea, but if consumers are not careful, they could be unknowingly exposing personal information or credit card details to cybercriminals who are snooping on the network. If you are a regular public Wi-Fi user, I recommend investing in a virtual private network (VPN) such as McAfee’s Safe Connect, which will ensure your connection is completely secure and that your data remains safe.

While it is tempting, putting our head in the sand and pretending hackers and cybercrime don’t exist puts ourselves and our families at even more risk! Facing our fears and making an action plan is the best way of reducing our worry and stress. So, please commit to being proactive about your family’s online security. Draw up a list of what you can do today to protect your tribe. And if you want to receive regular updates about additional ways you can keep your family safe online, check out my blog.

‘till next time.

Alex x

The post Aussies Fear Snakes, Spiders and Getting Hacked appeared first on McAfee Blogs.

Danish company Demant expects to suffer huge losses due to cyber attack

Danish hearing health care company Demant has estimated it will lose between $80 and $95 million due to a recent “cyber-crime” attack. Though the company has yet to share details about the “IT infrastructure incident”, it is widely believed to be the work of ransomware-wielding attackers. What is known? The attack started on September 2 and, apparently, the company quickly decided to shut down IT systems across multiple sites and business units: Still, the reaction … More

The post Danish company Demant expects to suffer huge losses due to cyber attack appeared first on Help Net Security.

Darknet hosting provider busted in underground NATO bunker

Police overcame not only digital defenses of the "bulletproof" provider CyberBunker but also barbed wire fences and surveillance cams.

German police arrest suspects in raid network hosting Darknet marketplaces

German police have shut down a network hosting Darknet marketplaces focused on the trading of drugs, stolen data and child pornography.

German police announced they have shut down a network hosting Darknet black marketplaces trading drugs, stolen data, and child pornography.

The black marketplaces were also offering stolen data and fake documents, and other illegal goods.

Authorities conducted an investigation into the operators of the “Bulletproof Hoster” service, which was provided through servers hidden in a former NATO bunker, the so-called “Cyber Bunker.”

Law enforcement arrested seven suspects in a series of raids: four Dutch citizens, two Germans and one Bulgarian.

“Thursday’s raids involved hundreds of officers and came after years of following up on leads in cooperation with other agencies. Police believe that the data center was involved in a hack attack three years ago on the national communications provider, Telekom.” reported the DW agency.

“Officials said the server seized on Thursday had also hosted the second-largest darknet trading platform, Wall Street Market. Authorities in the European Union and the US shut that platform down in May, claiming it was used to traffic stolen data, forged documents, computer malware and illicit drugs.”

According to prosecutors, the criminal ring behind the illegal network was composed of at least thirteen members, 12 men and one woman, aged from 20 to 59. The suspects ran the powerful servers inside the former NATO bunker in the town of Traben-Trarbach in Rhineland-Palatinate state.

The operation involved hundreds of police officers in Germany and other European countries; they seized 200 servers, numerous data carriers and mobile phones, and a large sum of cash.

The police also confirmed that the popular “Wall Street Market” black marketplace was hosted on the seized servers. In May, the German police, with the support of Europol, Dutch police and the FBI, shut down one of the world’s largest dark web black marketplaces, the ‘Wall Street Market,’ and arrested three operators allegedly running it. The three German suspects were arrested on April 23 and 24 in the states of Hesse, Baden-Wuerttemberg and North Rhine-Westphalia.

The operation also led to the arrest of two major suppliers of illegal narcotics in the United States.

Prosecutors also revealed that the same cyber bunker was used to host the C2 behind a botnet involved in a massive attack that hit the German provider Deutsche Telekom in November 2016.

Pierluigi Paganini

(SecurityAffairs – darknet, hacking)

The post German police arrest suspects in raid network hosting Darknet marketplaces appeared first on Security Affairs.

Cybercriminals plan to make L7 routers serve card stealing code

One of the Magecart cybercriminal groups is testing a new method for grabbing users’ credit card info: malicious skimming code that can be loaded into files used by L7 routers. What is Magecart? Magecart is an umbrella label for a growing number of cybercriminals groups that perform JavaScript-based credit card skimming attacks, usually by: Compromising individual e-commerce sites Compromising third-party sources of scripts that online shop owners use to add various functionalities or serve ads … More

The post Cybercriminals plan to make L7 routers serve card stealing code appeared first on Help Net Security.

Employees are mistakenly confident that they can spot phishing emails

While a majority (79%) of people say they are able to distinguish a phishing message from a genuine one, nearly half (49%) also admit to having clicked on a link from an unknown sender while at work, according to a Webroot survey. Further, nearly half (48%) of respondents said their personal or financial data had been compromised by a phishing message. However, of that group more than a third (35%) didn’t take the basic step … More

The post Employees are mistakenly confident that they can spot phishing emails appeared first on Help Net Security.

Older vulnerabilities and those with lower severity scores still being exploited by ransomware

Almost 65% of top vulnerabilities used in enterprise ransomware attacks targeted high-value assets like servers, close to 55% had CVSS v2 scores lower than 8, nearly 35% were old (from 2015 or earlier), and the vulnerabilities used in WannaCry are still being used today, according to RiskSense. The data was gathered from a variety of sources including RiskSense proprietary data, publicly available threat databases, as well as findings from RiskSense threat researchers and penetration testers. … More

The post Older vulnerabilities and those with lower severity scores still being exploited by ransomware appeared first on Help Net Security.

Campbell County Memorial Hospital in Wyoming hit by ransomware attack

Campbell County Memorial Hospital in Gillette, Wyoming is facing service disruptions after a ransomware attack hit its computer systems on Friday.

On Friday, the Campbell County Memorial Hospital in Gillette, Wyoming, suffered a ransomware attack that is still causing service disruptions.

“Campbell County Health has been the victim of a ransomware attack. All CCH computer systems have been affected, which impacts the organization’s ability to provide patient care,” reads a statement published by Campbell County Health.

All updates are available at: www.cchwyo.org/sd. Public Update 9/22/19, 2:30 pm: Campbell County Health continues to…

Posted by Campbell County Health on Friday, 20 September 2019

The ransomware attack is having a dramatic impact on the operations at the hospital: the staff has canceled some surgeries, as well as respiratory therapy and radiology exams and procedures. The hospital has temporarily halted new inpatient admissions.

“Campbell County Health continues to have service disruptions, however, the Emergency Medical Services (EMS), the Emergency Department, Maternal Child (OB) and the Walk-in Clinic are open to assess patients and treat or transfer patients as appropriate.” reads an update published by the hospital. “It is advised to call to confirm your appointment prior to going in. All patients are also asked to bring medication bottles with them to their appointment.”

Immediately after the discovery of the attack, the hospital announced that patients presenting to the emergency department and walk-in clinic would be assessed and transferred to an appropriate care facility if needed.

“We are working with regional facilities to transfer patients to if we are not able to provide safe care. The Emergency Department is open and staffed with our expert team of physicians and nursing to assess and evaluate patient care needs,” announced the Campbell County Health.

According to the management at the Campbell County Health hospital, patient and employee data was not accessed in the ransomware attack.

The organization reported the incident to the authorities, which are still investigating the security breach.

“At this point in time, there is no evidence that any patient data has been accessed or misused. The investigation is ongoing, and we will provide updates when more information becomes available. We are working diligently to restore complete access to our services,” Campbell County Health added.

As of Sunday, the majority of the services at the hospital had been restored; however, patients are asked to call in advance to confirm their appointments.

Recently, several US cities have suffered ransomware attacks; in August, at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the city of Riviera Beach agreed to pay $600,000 in ransom to decrypt its data after a ransomware attack hit its computer systems. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – Campbell County Memorial Hospital, hacking)

The post Campbell County Memorial Hospital in Wyoming hit by ransomware attack appeared first on Security Affairs.

Portuguese hacker faces hundreds of charges in Football Leaks case

An alleged Portuguese hacker faces 154 charges connected with the publication of internal documents in the Football Leaks case.

An alleged Portuguese hacker, Rui Pinto, faces 154 charges connected with the publication of internal documents of top European clubs and soccer officials in the Football Leaks case.

The attorney general’s office confirmed last week that Rui Pinto, who is in custody in Lisbon after being extradited from Hungary, is accused of numerous alleged crimes connected to the leak of sensitive financial documents of top European clubs.

Rui Pinto, 30, was arrested in January in Hungary following a warrant issued by the Portuguese authorities.

At the time of the arrest, Pinto’s lawyers described him as “a young Portuguese man who loves football and who, out of disgust at practices that he gradually became aware of, decided to reveal to the world the extent of criminal practices which not only affect the football world but do grave damage to its image”.

Authorities accused Pinto of several crimes, including attempted extortion.

The alleged hacker published secret information about players’ and coaches’ contracts and transfer fees on the Football Leaks website.

The Football Leaks website was launched in 2015 and over the years published several confidential documents from the football sector.

“The statement says the Football Leaks website published confidential information about players’ and coaches’ contracts and transfer fees, among other things.” reported the AP News.

At the time of writing, authorities have not yet set a trial date.

Pierluigi Paganini

(SecurityAffairs – data leak, hacking)

The post Portuguese hacker faces hundreds of charges in Football Leaks case appeared first on Security Affairs.

One of the hackers behind EtherDelta hack also involved in TalkTalk hack

US authorities have indicted two men for hacking the exchange EtherDelta in December 2017; one of them was also accused of the TalkTalk hack.

US authorities have indicted two men, Elliott Gunton and Anthony Tyler Nashatka, for hacking the cryptocurrency exchange EtherDelta in 2017.

In December 2017, the popular cryptocurrency exchange EtherDelta was hacked: attackers conducted a DNS attack that allowed them to steal at least 308 ETH ($266,789 at the time of the hack) as well as a large number of tokens.

According to ZDNet, one of the suspects, the Briton Elliott Gunton (20), aka “Glubz”, was also accused of the TalkTalk hack.

The other suspect is Anthony Tyler Nashatka, aka “psycho,” from New York City. The duo hacked the EtherDelta systems using employee data (phone number, email address) purchased on the black market.

“The two, over the course of just a week, went from buying an EtherDelta employee’s phone number off the black market to stealing funds from thousands of EtherDelta users.” reported ZDNet.

Court documents obtained exclusively by ZDNet refer to the employee as Z.C.; experts believe he is EtherDelta’s CEO. Clearly, access to the CEO’s account allowed the hackers to breach the company.

The employee’s data was acquired by Nashatka, who asked Gunton to help him hijack both EtherDelta’s Cloudflare and Dreamhost accounts.

Six days later, on December 19, 2017, Gunton tricked a mobile carrier’s operator into adding a call forwarding number to Coburn’s mobile account.

In this way, any incoming calls, including two-factor authentication (2FA) messages for the EtherDelta account, were silently forwarded to a Google Voice number operated by the two hackers.

On December 20, the two hackers modified DNS settings in the G Suite portal of EtherDelta and redirected Gmail traffic through a server under their control, allowing them to reset the password on EtherDelta’s Cloudflare account. Once they had access to the Cloudflare account, they were able to lock out every other employee of the company.

At this point, the duo changed EtherDelta’s DNS records associating the EtherDelta domain to a server under their control that was hosting a copy of the legitimate site used to trick victims into providing their credentials.

The DNS redirection was discovered in a few hours, but it was enough for the hackers to steal more than $800,000 from the accounts of the EtherDelta users.

According to ZDNet, the indictment was filed on August 13, in San Francisco, a few days before Gunton was sentenced to 20 months in prison in the UK. He was also ordered to pay back £407,359 and given a three-and-a-half-year community order, which restricts his internet and software use.

Pierluigi Paganini

(SecurityAffairs – TalkTalk, hacking)

The post One of the hackers behind EtherDelta hack also involved in TalkTalk hack appeared first on Security Affairs.

5 Hidden Hashtag Risks Every Parent Needs to Know

Adding hashtags to a social post has become second nature. In fact, it’s so common, few of us stop to consider that as fun and useful as hashtags can be, they can also have consequences if we misuse them.

But hashtags are more than add-ons to a post; they are power tools. In fact, when we put the pound (#) sign in front of a word, we turn that word into a piece of metadata that tags the word, which allows a search engine to index and categorize the attached content so anyone can search it. Looking for advice on parenting an autistic child? Then hashtags like #autism, #spectrum, or #autismspeaks will connect you with endless content tagged the same way.

Hashtags have become part of our lexicon and are used by individuals, businesses, and celebrities to extend digital influence. Social movements — such as #bekind and #icebucketchallenge — also use hashtags to educate and rally people around a cause. However, the power hashtags possess also means it’s critical to use them with care. Here are several ways people are using hashtags in harmful ways.

5 hidden hashtag risks

Hashtags can put children at risk. Unfortunately, innocent hashtags commonly used by proud parents such as #BackToSchool, #DaddysGirl, or #BabyGirl can be magnets for a pedophile. According to the Child Rescue Coalition, predators troll social media looking for hashtags like #bathtimefun, #cleanbaby, and #pottytrain, to collect images of children. CRC has compiled a list of hashtags parents should avoid using.

Hashtags can compromise privacy. Connecting a hashtag to personal information such as your hometown, your child’s name, or even #HappyBirthdayToMe can give away valuable pieces of your family’s info to a cybercriminal on the hunt to steal identities.

Hashtags can be used in scams. Scammers can use popular hashtags they know people will search to execute several scams. According to NBC News, one popular scam on Instagram is scammers who use luxury brand hashtags like #Gucci or #Dior or coded hashtags such as #mirrorquality #replica and #replicashoes to sell counterfeit goods. Cybercriminals will also search hashtags such as #WaitingToAdopt to target and run scams on hopeful parents.

Hashtags can have hidden meanings. Teens use code or abbreviation hashtags to reference drugs, suicide, mental health, and eating disorders. By searching the hashtag, teens band together with others on the same topic. Some coded hashtags include: #anas (anorexics) #mias (bulimics) #sue (suicide), #cuts (self-harm), #kush and #420 (marijuana).

Hashtags can be used to cyberbully. Posting a picture on a social network and adding mean hashtags is a common way for kids to bully one another. They use hashtags such as #whatnottowear, #losr, #yousuck, #extra, #getalife, #tbh (to be honest) and #peoplewhoshouldoffthemselves on photo captions to bully or harass peers. Kids also cyberbully by making up hashtags like #jackieisacow and asking others to use it too. Another hashtag is #roastme, in which kids post a photo of themselves and invite others to respond with funny comments, but the humor can turn mean very quickly.

When it comes to understanding the online culture, taking the time to stay informed, pausing before you post, and trusting your instincts are critical. Also, being intentional to monitor your child’s social media (including reviewing hashtags) can help you spot potential issues such as bullying, mental health problems, or drug abuse.

The post 5 Hidden Hashtag Risks Every Parent Needs to Know appeared first on McAfee Blogs.

Magecart attackers target mobile users of hotel chain booking websites

Trend Micro researchers reported that a Magecart group has hacked the websites of two hotel chains to inject scripts targeting Android and iOS users.

Researchers discovered a series of incidents involving a software credit card skimmer used by Magecart to hit the booking websites of hotel chains.

In early September, the researchers discovered JavaScript code on two hotel websites belonging to different hotel chains. The code had been used to load a remote script on their payment pages since August 9.

“When we first checked the script’s link, it downloaded a normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones.” reads the analysis published by Trend Micro. “The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.”

Experts noticed that the link would deliver a credit card skimmer script only when users visited the websites using mobile devices, suggesting that the attackers aimed at targeting only mobile users.

Trend Micro noticed that infected websites were developed by Roomleader, a firm that designs online booking websites. Threat actors injected the malicious code in the Roomleader module “viewedHotels.”

Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.

“Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to Roomleader regarding this issue.” continues the analysis.


The code injected in the websites first checks if an HTML element containing the ID “customerBookingForm” is present on the webpage to verify that it is running on the hotel’s booking page.

If the code detects the booking page, it will check if the browser debugger is closed and then load another JavaScript from the URL hxxps://googletrackmanager[.]com/gtm[.]js that contains the card skimmer code.

The skimmer hooks the JavaScript events that are triggered when customers make a payment or submit a booking. When these events happen, the skimmer checks if the browser debugger is closed, then copies the name and value from “input” or “select” HTML elements on the booking page.

The skimmer script used in these attacks collects customers’ data, including names, email addresses, telephone numbers, hotel room preferences, and of course, credit card details.

The script encrypts the data with RC4 using a hardcoded key, encodes the result with XOR, and then sends it via HTTP POST to “https://googletrackmanager[.]com/gtm.php?id=.” The script appends the random string used to encode the data at the end.

The software skimmer replaces the original credit card form on the booking page; in this way the attackers can require customers to submit all credit card data, including the CVC number, which is not required on some booking pages. This trick also lets them collect all customer data when the websites use secure iframes to load the credit card form from a different domain.
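As an added defender-side illustration (this is not Trend Micro's, Roomleader's or the hotel sites' code), two checks for the behaviour described above: fetching a third-party script under desktop and mobile User-Agents and comparing hashes to catch the mobile-only delivery, and scanning script text for the indicators named in the analysis (the customerBookingForm check, the debugger check, input/select harvesting, a submit hook, and a POST destination outside the site's own domains). The fetcher signature, the regex forms, the allowlist and the sample script bodies are constructed assumptions; the only value taken from the write-up is the googletrackmanager domain.

```python
"""Added defender-side checks for UA-dependent script delivery and
skimmer-like script content (constructed example, not the page's code)."""
import hashlib
import re
from typing import Callable, Dict, List

# Hypothetical fetcher signature: fetch(url, user_agent) -> script body as text.
Fetcher = Callable[[str, str], str]

DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/77.0"
MOBILE_UAS = {
    "android": "Mozilla/5.0 (Linux; Android 9) Mobile Safari/537.36",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) Mobile/15E148",
}


def detect_ua_cloaking(fetch: Fetcher, url: str) -> Dict[str, str]:
    """Fetch the same script URL with a desktop UA and each mobile UA.

    Returns {label: sha256} for every mobile response whose body differs
    from the desktop body; an empty dict means no UA-dependent delivery."""
    baseline = hashlib.sha256(fetch(url, DESKTOP_UA).encode()).hexdigest()
    differing: Dict[str, str] = {}
    for label, ua in MOBILE_UAS.items():
        digest = hashlib.sha256(fetch(url, ua).encode()).hexdigest()
        if digest != baseline:
            differing[label] = digest
    return differing


# Static indicators drawn from the analysis above (assumed regex forms).
INDICATORS = {
    "booking_form_check": re.compile(r"getElementById\(['\"]customerBookingForm['\"]\)"),
    "debugger_check": re.compile(r"\bdebugger\b"),
    "field_harvest": re.compile(r"querySelectorAll\(['\"][^'\"]*\b(input|select)\b"),
    "submit_hook": re.compile(r"addEventListener\(['\"](submit|click)['\"]"),
}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def scan_script(text: str, allowed_domains: List[str]) -> Dict[str, object]:
    """Flag skimmer-like indicators and any URL host outside the allowlist."""
    found = [name for name, rx in INDICATORS.items() if rx.search(text)]
    hosts = {h.lower() for h in URL_RE.findall(text)}
    foreign = sorted(
        h for h in hosts
        if not any(h == a or h.endswith("." + a) for a in allowed_domains)
    )
    # Three or more hits (a foreign host counts as one) is the assumed alert threshold.
    score = len(found) + (1 if foreign else 0)
    return {"indicators": found, "foreign_hosts": foreign, "suspicious": score >= 3}


# Constructed sample bodies for an offline run (not real captures).
BENIGN_JS = "window.dataLayer = window.dataLayer || []; dataLayer.push({event: 'pageview'});"
SUSPECT_JS = "\n".join([
    "// constructed indicator fragment for testing; not a working script",
    "if (!document.getElementById('customerBookingForm')) {}",
    "debugger;",
    "document.querySelectorAll('input, select');",
    "form.addEventListener('submit', function () {});",
    "var endpoint = 'https://googletrackmanager.com/gtm.php?id=';",  # domain reported above
])


def constructed_fetch(url: str, user_agent: str) -> str:
    """Stand-in for an HTTP client: mobile UAs receive a different body."""
    return SUSPECT_JS if "Mobile" in user_agent else BENIGN_JS


if __name__ == "__main__":
    url = "https://cdn.example.invalid/gtm.js"  # placeholder URL
    print("UA-dependent delivery:", detect_ua_cloaking(constructed_fetch, url))
    mobile_body = constructed_fetch(url, MOBILE_UAS["android"])
    print("mobile body scan:", scan_script(mobile_body, ["hotel.example.invalid"]))
```

In production the fetcher would be a real HTTP client, and a body that differs by User-Agent is worth a manual look even before the indicator scan fires.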

Magecart attackers created fake credit card forms in English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch.

Trend Micro pointed out the network infrastructure and the scripts used in this attack could not be strongly linked to previous Magecart attacks.

“We were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.” concludes Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

The post Magecart attackers target mobile users of hotel chain booking websites appeared first on Security Affairs.

Old Magecart domains are finding new life in fresh threat campaigns

Magecart has so radically changed the threat landscape, victimizing hundreds of thousands of sites and millions of users, that other cybercriminals are building campaigns to monetize their handiwork, a RiskIQ research reveals. These secondary actors know that websites breached by Magecart are likely still making calls to domains once used for skimming and exfiltrating credit card data. Once registrars bring these campaigns back online after they were sinkholed or otherwise deactivated, these scavengers buy them … More

The post Old Magecart domains are finding new life in fresh threat campaigns appeared first on Help Net Security.

Skidmap Linux miner leverages kernel-mode rootkits to evade detection

Trend Micro researchers spotted a Linux cryptocurrency miner, dubbed Skidmap, that leverages kernel-mode rootkits to evade detection.

Skidmap is a new crypto-miner detected by Trend Micro that targets Linux machines; it uses kernel-mode rootkits to evade detection.

This malware stands out from similar miners because of the way it loads malicious kernel modules to evade detection.

The crypto-miner sets up a secret master password that it uses to access any user account on the system.

“These kernel-mode rootkits are not only more difficult to detect compared to its user-mode counterparts — attackers can also use them to gain unfettered access to the affected system. A case in point: the way Skidmap can also set up a secret master password that gives it access to any user account in the system.” states the analysis published by TrendMicro. “Conversely, given that many of Skidmap’s routines require root access, the attack vector that Skidmap uses — whether through exploits, misconfigurations, or exposure to the internet — are most likely the same ones that provide the attacker root or administrative access to the system.”

Experts noticed that several routines implemented by Skidmap require root access, suggesting that its attack vector is the same that provided the attackers with root or administrative access to the system.

The infection chain begins with the Skidmap miner installing itself via crontab; the malicious code then downloads and executes the main binary. The malware lowers the security settings of the target system by setting the Security-Enhanced Linux (SELinux) module to permissive mode, or by disabling the SELinux policy and setting selected processes to run in confined domains.

Skidmap also provides attackers with backdoor access to the infected machine.

“Skidmap also sets up a way to gain backdoor access to the machine. It does this by having the binary add the public key of its handlers to the authorized_keys file, which contains keys needed for authentication.” continues the report.

“Besides the backdoor access, Skidmap also creates another way for its operators to gain access to the machine. The malware replaces the system’s pam_unix.so file (the module responsible for standard Unix authentication) with its own malicious version.”

The main binary checks whether the system runs Debian or RHEL/CentOS, then drops the miner and other components built for that specific Linux distro.

Trend Micro experts revealed that the Skidmap miner has notable components designed to obfuscate its activities and ensure that they continue to run. Samples of these components are:

A fake “” binary that replaces the original; once executed, it randomly sets up a malicious cron job to download and execute a file.

Another component is “kaudited,” a file installed as /usr/bin/kaudited that drops and installs several loadable kernel modules (LKMs). The kaudited binary also drops a watchdog component used to monitor the mining process.

Trend Micro also described the “iproute” module that hooks the system call getdents that is normally used to read the contents of a directory, with the intent of hiding specific files.

The last component is “netlink,” a rootkit that can fake the network traffic statistics and CPU-related statistics to hide the activity of the malware.

“Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware,” Trend Micro concludes. “In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up.”
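The persistence and evasion tricks listed above (SELinux downgraded, an extra key in authorized_keys, a swapped pam_unix.so, cron jobs that fetch and run, the /usr/bin/kaudited dropper) are all things a defender can check for on a Linux host. The script below is an added example for this page, not Trend Micro's or Security Affairs' code. It assumes the pam_unix.so library paths for RHEL/CentOS and Debian, and treats the allow-list of SSH key fingerprints and the pam_unix.so baseline hash as operator-supplied placeholders. The check functions take file contents as text so they can be run on constructed input; main() points them at the live files.

```python
"""Host checks for Skidmap-style Linux persistence.

Added example, not Trend Micro's or Security Affairs' code. The check
functions take text or bytes so they can be exercised on constructed
input; main() wires them to the real files on a host (run as root).
Library paths and baseline values in main() are assumptions to adjust.
"""
import base64
import hashlib
import re
from pathlib import Path

# Cron commands that fetch-and-pipe to a shell, or run out of world-writable dirs.
_SUSPICIOUS_CRON = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b|/(tmp|var/tmp|dev/shm)/\S+")


def check_selinux_config(config_text: str) -> list:
    """Flag /etc/selinux/config if SELINUX= is anything other than enforcing."""
    findings = []
    for line in config_text.splitlines():
        m = re.match(r"^\s*SELINUX\s*=\s*(\w+)", line)
        if m and m.group(1).lower() != "enforcing":
            findings.append(f"SELinux mode is '{m.group(1)}', not enforcing")
    return findings


def ssh_key_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a key blob, in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_authorized_keys(keys_text: str, allowed: set) -> list:
    """One finding per key whose fingerprint is not on the operator's allow-list."""
    findings = []
    for lineno, line in enumerate(keys_text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        try:
            # Entries may carry leading options (command=..., no-pty, ...);
            # the base64 blob is the token right after the key type.
            idx = next(i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-")))
            fp = ssh_key_fingerprint(parts[idx + 1])
        except (StopIteration, IndexError, ValueError):
            findings.append(f"line {lineno}: unparseable authorized_keys entry")
            continue
        if fp not in allowed:
            findings.append(f"line {lineno}: unknown key {fp}")
    return findings


def check_cron(cron_text: str) -> list:
    """Flag cron entries that download-and-run or execute from /tmp-like dirs."""
    return [f"cron line {n}: {l.strip()}"
            for n, l in enumerate(cron_text.splitlines(), 1)
            if l.strip() and not l.strip().startswith("#") and _SUSPICIOUS_CRON.search(l)]


def check_file_hash(data: bytes, expected_sha256: str) -> list:
    """Compare a file such as pam_unix.so with a hash recorded from a clean install."""
    actual = hashlib.sha256(data).hexdigest()
    return [] if actual == expected_sha256 else [f"hash mismatch: sha256={actual}"]


def _read(path: Path) -> str:
    """Read a file as text, returning '' for missing, unreadable or directory paths."""
    try:
        return path.read_text(errors="replace") if path.is_file() else ""
    except OSError:
        return ""


def main() -> int:
    # Placeholders: record your own baseline from a known-good host.
    allowed_keys = set()                      # {"SHA256:..."} from `ssh-keygen -lf`
    pam_baseline = "<sha256-of-clean-pam_unix.so>"
    findings = check_selinux_config(_read(Path("/etc/selinux/config")))
    key_files = [Path("/root/.ssh/authorized_keys"), *Path("/home").glob("*/.ssh/authorized_keys")]
    for kf in key_files:
        findings += [f"{kf}: {f}" for f in check_authorized_keys(_read(kf), allowed_keys)]
    cron_files = [Path("/etc/crontab"), *Path("/etc/cron.d").glob("*"), *Path("/var/spool/cron").rglob("*")]
    for cf in cron_files:
        findings += [f"{cf}: {f}" for f in check_cron(_read(cf))]
    # pam_unix.so lives in different places on RHEL/CentOS and Debian (assumed paths).
    for pam in ("/usr/lib64/security/pam_unix.so", "/lib/x86_64-linux-gnu/security/pam_unix.so"):
        p = Path(pam)
        if p.is_file():
            findings += [f"{pam}: {f}" for f in check_file_hash(p.read_bytes(), pam_baseline)]
    if Path("/usr/bin/kaudited").exists():  # dropper path named in the Trend Micro report
        findings.append("/usr/bin/kaudited present")
    print("\n".join(findings) or "no findings")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Take the pam_unix.so baseline from the distribution's package metadata (rpm -V or debsums) rather than from a hash recorded after the incident, and remember the point of the report's last paragraph: an LKM rootkit that hooks getdents can hide the very files these checks read, so when compromise is suspected run them from a known-clean boot medium against the mounted disk.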

Pierluigi Paganini

(SecurityAffairs – Skidmap miner, Linux)

The post Skidmap Linux miner leverages kernel-mode rootkits to evade detection appeared first on Security Affairs.

Businesses facing post breach financial fallout by losing customer trust

44% of Americans, 38% of Brits, 33% of Australians, and 37% of Canadians have been the victim of a data breach, according to newly released research conducted by PCI Pal. The findings suggest that a combination of recent high-profile data breaches in each region, the development of assorted laws and regulations to protect consumer data privacy (e.g. the California Consumer Privacy Act, Europe’s General Data Protection Regulations, Canada’s Personal Information Protection and Electronic Documents Act, … More

The post Businesses facing post breach financial fallout by losing customer trust appeared first on Help Net Security.

Phishing attacks up, especially against SaaS and webmail services

Phishing attacks continued to rise into the summer of 2019 with cybercrime gangs’ focus on branded webmail and SaaS providers remaining very keen, according to the APWG report. The report also documents how criminals are increasingly perpetrating business email compromise (BEC) attacks by using gift card cash-out schemes. The number of phishing attacks observed in the second quarter of 2019 eclipsed the number seen in the three quarters before. The total number of phishing sites … More

The post Phishing attacks up, especially against SaaS and webmail services appeared first on Help Net Security.

Only one quarter of retail banks have adopted an integrated approach to financial crime systems

Most banks plan to integrate their fraud and financial crime compliance systems and activities in response to new criminal threats and punishing fines, with the U.K. leading the pack, according to a survey by Ovum, on behalf of FICO. Responses show that U.S. systems are less integrated than Canada’s – only 25 percent of U.S. banks have a common reporting line for both fraud and compliance, versus 60 percent for Canada. The survey also found … More

The post Only one quarter of retail banks have adopted an integrated approach to financial crime systems appeared first on Help Net Security.

Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know

I can’t recall the last time I gave my teenage daughter cash for anything. If she needs money for gas, I Venmo it. A Taco Bell study break with the roommates? No problem. With one click, I transfer money from my Venmo account to hers. She uses a Venmo credit card to make her purchase. To this mom, cash apps may be the best thing to happen to parenting since location tracking became possible. But as convenient as these apps may be, are they safe for your family to use?

How do they work?

The research company, eMarketer, estimates that 96.0 million people used Peer-to-Peer (P2P) payment services this year (that’s 40.4% of all mobile phone users), up from an estimated 82.5 million last year.

P2P technology allows you to create a profile on a transfer app and link your bank account or credit card to it. Once your banking information is set up, you can locate another person’s account on the app (or invite someone to the app) and transfer funds instantly into their P2P account (without the hassle of getting a bank account number, email, or phone number). That person can leave the money in their app account, move it into his or her bank account, or use a debit card issued by the P2P app to use the funds immediately. If the app offers a credit card (like Venmo does), the recipient can use the Venmo card like a credit card at retailers most anywhere. 

Some of the more popular P2P apps include Venmo, Cash App, Zelle, Apple Pay, Google Wallet, PayPal.me, Facebook Messenger, and Snapcash, among others. Because of the P2P platform’s rapid growth, more and more investors are entering the market each day to introduce new cash apps, which is causing many analysts to speculate on the need for paper check transactions in the future.

Are they safe?

While sending your hard-earned money back and forth through cyberspace on an app doesn’t sound safe, in general, it is. Are there some exceptions? Always. 

Online scam trends often follow consumer purchasing trends and, right now, the hot transaction spot is P2P platforms. Because P2P money is transferred instantly (and irreversibly), scammers exploit this and are figuring out how to take people’s money. After getting a P2P payment, scammers delete their accounts and disappear instantly.

In 2018 Consumer Reports (CR) compared the potential financial and privacy risks of five mobile P2P services with a focus on payment authentication and data privacy. CR found all the apps had acceptable encryption but some were dinged for not clearly explaining how they protected user data. The consumer advocacy group ranked app safety strength in this order: Apple Pay, Venmo, Cash App, Facebook Messenger, and Zelle. CR also noted they “found nothing to suggest that using these products would threaten the security of your financial and personal data.”

While any app’s architecture may be deemed safe, no app user is immune from scams, which is where safe app habits make all the difference. If your family uses P2P apps regularly, confirm each user understands the potential risks. Here are just a few of the schemes that have been connected to P2P apps.


Potential scams

Fraudulent sellers. This scam targets an unassuming buyer who sends money through a P2P app to purchase an item from someone they met online. The friendly seller casually suggests the buyer “just Venmo or Cash App me.” The buyer sends the money, but the item is never received, and the seller vanishes. This scam has been known to happen in online marketplaces and other trading sites and apps.

Malicious emails. Another scam is sending people an email telling them that someone has deposited money in their P2P account. They are prompted to click a link to go directly to the app, but instead, the malicious link downloads malware onto the person’s phone or computer. The scammer can then glean personal information from the person’s devices. To avoid a malware attack, consider installing comprehensive security software on your family’s computers and devices.

Ticket scams. Beware of anyone selling concert or sporting event tickets online. Buyers can get caught up in the excitement of scoring tickets for their favorite events, send the money via a P2P app, but the seller leaves them empty-handed.

Puppy and romance scams. In this cruel scam, a pet lover falls in love with a photo of a puppy online, uses a P2P app to pay for it, and the seller deletes his or her account and disappears. Likewise, catfish scammers gain someone’s trust. As the romantic relationship grows, the fraudulent person eventually asks to borrow money. The victim sends money using a P2P app only to have their love interest end all communication and vanish.  

P2P safety: Talking points for families

Only connect with family and friends. When using cash apps, only exchange money with people you know. Unlike an insured bank, P2P apps do not refund the money you’ve paid out accidentally or in a scam scenario. P2P apps hold users 100% responsible for transfers. 

Verify details of each transfer. The sender is responsible for funds, even in the case of an accidental transfer. So, if you are paying Joe Smith your half of the rent, be sure you select the correct Joe Smith (not Joe Smith_1 or Joe Smithe) before you hit send. There could be dozens of name variations to choose from in an app’s directory. Also, verify with your bank that each P2P transaction registers.

Avoid public Wi-Fi transfers. Public Wi-Fi is susceptible to hackers trying to access valuable financial and personal information. For this reason, only use a secure, private Wi-Fi network when using a P2P payment app. If you must use public Wi-Fi, consider using a Virtual Private Network (VPN).


Don’t use P2P apps for business. P2P apps are designed to be used between friends and include no-commercial-use clauses in their policies. For larger business transactions, such as buying and selling goods or services, use apps like PayPal.

Lock your app. When you have a P2P app on your phone, it’s like carrying cash. If someone steals your phone, they can go into an unlocked P2P app and send themselves money from your bank account. Set up extra security on your app. Most apps offer PINs, fingerprint IDs, and two-factor authentication. Also, always lock your device home screen.

Adjust privacy settings. Venmo includes a feed that auto shares when users exchange funds, much like a social media feed. To avoid a stranger seeing that you paid a friend for Ed Sheeran tickets (and won’t be home that night), be sure to adjust your privacy settings. 

Read disclosures. One way to assess an app’s safety is to read its disclosures. How does the app protect your privacy and security? How does the app use your data? What is the app’s error-resolution policy? Feel secure with the app you choose.

We’ve learned that the most significant factor in determining an app’s safety comes back to the person using it. If your family loves using P2P apps, be sure to take the time to discuss the responsibility that comes with exchanging cash through apps. 

The post Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know appeared first on McAfee Blogs.

Fabricated Voice Used in Financial Fraud

This seems to be an identity theft first:

Criminals used artificial intelligence-based software to impersonate a chief executive's voice and demand a fraudulent transfer of €220,000 ($243,000) in March in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.

Another news article.

How To Practise Good Social Media Hygiene

Fact: your social media posts may affect your career or, worse, your identity!

New research from the world’s largest dedicated cybersecurity firm, McAfee, has revealed that two thirds (67%) of Aussies are embarrassed by the content that appears on their social media profiles. Yikes! And just to make the picture even more complicated, 34% of Aussies admit to never increasing the privacy on their accounts from the default privacy settings despite knowing how to.

So, next time these Aussies apply for a job and the Human Resources Manager decides to ‘check them out online’, you can guess what the likely outcome will be…

Proactively Managing Social Media Accounts Is Critical For Professional Reputation

For many Aussies, social media accounts operate as a memory timeline of their social lives. Whether they are celebrating a birthday, attending a party or just ‘letting their hair down’, many people will document their activities for all to see through a collection of sometimes ‘colourful’ photos and videos. But sharing ‘good times’ can become a very big problem when social media accounts are not proactively managed. Ensuring your accounts are set to the tightest privacy settings possible and curating them regularly for relevance and suitability is essential if you want to keep your digital reputation intact. However, it appears that a large proportion of Aussies are not taking these simple steps.

McAfee’s research shows that 28% of Aussies admit to either never or not being able to recall the last time they checked their social media timeline. 66% acknowledge that they have at least one inactive social media account. 40% admit that they’ve not even thought about deleting inactive accounts or giving them a clear-out and concerningly, 11% don’t know how to adjust their privacy settings! So, I have no doubt that some of the Aussies that fall into these groups would have NOT come up trumps when they were ‘checked out online’ by either their current or future Human Resources Managers!!

What Social Media Posts Are Aussies Most Embarrassed By?

As part of the research study, Aussies were asked to nominate the social media posts that they have been most embarrassed by. Here are the top 10:

  1. Drunken behaviour
  2. Comment that can be perceived as offensive
  3. Wearing an embarrassing outfit
  4. Wardrobe malfunction
  5. In their underwear
  6. Throwing up
  7. Swearing
  8. Kissing someone they shouldn’t have been
  9. Sleeping somewhere they shouldn’t
  10. Exposing themselves on purpose

Cybercriminals Love Online Sharers

As well as the potential to hurt career prospects, relaxed attitudes to social media could be leaving the door open for cybercriminals. If you are posting about recent purchases, your upcoming holidays and ‘checking in’ at your current location, then you are making it very easy for cybercriminals to put together a picture of you and possibly steal your identity. And having no privacy settings in place, or only the defaults, effectively means you are handing this information to cybercriminals on a platter!!

Considering how much personal information and images most social media accounts hold, it’s concerning that 16 per cent of Aussies interviewed admitted that they don’t know how to close down their inactive social media accounts and a third (34%) don’t know the passwords or no longer have access to the email addresses they used to set them up – effectively locking them out!

What Can We Do To Protect Ourselves?

The good news is that there are things we can do TODAY to improve our social media hygiene and reduce the risk of our online information getting into the wrong hands. Here are my top tips:

  1. Clean up your digital past. Sift through your old and neglected social media accounts. If you are not using them, delete the account. Then take some time to audit your active accounts. Delete any unwanted tags, photos, comments and posts so they don’t come back to haunt your personal or professional life.

  2. Lock down privacy and security settings. Leaving your social media profiles on the ‘public’ setting means anyone who has access to the internet can view your posts and photos whether you want them to or not. While you should treat anything you post online as public, turning your profiles to private will give you more control over who can see your content and what people can tag you in.

  3. Never reuse passwords. Use unique passwords with a combination of lower and upper case letters, numbers and symbols for each one of your accounts, even if you don’t think the account holds a lot of personal information. If managing all your passwords seems like a daunting task, look for security software that includes a password manager.

  4. Avoid sharing VERY personal information online. The ever-growing body of information you share online could possibly be used by cybercriminals to steal your identity. The more you share, the greater the risk. Avoid using your full name, date of birth, current employer, names of your family members, your home address, even the names of your pets online, as you could be playing straight into the hands of identity thieves and hackers.

  5. Think before you post. Think twice about each post you make. Will it have a negative impact on you or someone you know, now or possibly in the future? Does it give away personal information that someone could use against you? Taking a moment to think through the potential consequences BEFORE you post is the best way to avoid serious regrets in the future.

  6. Employ extra protection across all your devices. Threats such as viruses, identity theft, privacy breaches, and malware can all reach you through your social media. Install comprehensive security software to protect you from these nasties.

If you think you (or one of your kids) might just identify with the above ‘relaxed yet risky’ approach to managing your social media, then it’s time to act. Finding a job is hard enough in our crowded job market without being limited by photos of your latest social gathering! And no-one wants to be the victim of identity theft which could possibly affect your financial reputation for the rest of your life! So, make yourself a cuppa and get to work cleaning up your digital life! It’s so worth it!!

Alex xx
The post How To Practise Good Social Media Hygiene appeared first on McAfee Blogs.

Are IoT Threats Discussed In The Cybercriminal Underground?

With IoT devices expected to reach tens of billions in the next few years, is it any wonder that cybercriminals are looking for ways to take advantage of this massive attack surface to generate illicit money?

A number of Trend Micro researchers from around the globe decided to look into this and launched a research project to dive into five different cybercriminal undergrounds (Russian, Portuguese, English, Arabic, and Spanish) to identify what conversations are occurring, what attacks and threats are being utilized, and the reasons members of these undergrounds are using IoT. A detailed report can be downloaded here for those who want to read up on their findings.

I’d like to give you my three key takeaways from the research:

  1. Not all undergrounds are alike: The Russian underground has the most experienced membership and is the best at monetizing IoT attacks. The Portuguese underground is next, with the other three still very early in their ability to monetize attacks. A lot of undergrounds include tutorials to help educate members on many different areas of IoT threats. We think this collaboration will improve their abilities quickly and turn this threat into a significant one in the near future.
  2. Monetization is mainly through botnets: Most of the money today is made through attacks perpetrated by already infected devices that have been turned into botnets. From DDoS to VPN exit nodes, malicious actors infect many devices and utilize the power of many to turn their limited computing power into a collective powerhouse. Other actors sell their services to peers who don’t have the knowledge or the resources to perpetrate an attack.
  3. Routers are a primary target: In our analysis, many of the attacks and threats being distributed within the undergrounds target routers, mainly consumer routers. Routers are a good target because they sit in front of the many devices on the network behind them, which can then be used to launch attacks against others.

There is no doubt that IoT devices are being used more and more in attacks or as the target of an attack, and there is a lot of chatter within multiple undergrounds around the world to raise awareness and interest around this attack surface. Our report is intended to give information on what cybercriminals are doing now or will be doing with IoT in the future, and to show that it is a global phenomenon.

For consumers and organizations, be aware that devices you own are a likely target for attacks, and most likely today to be added into an existing botnet. Mirai is the dominant IoT threat today and will likely continue as malicious actors create variants of this malware.

Check out our report for more details on what our researchers found and for more information about IoT and how to protect devices, visit our IoT Security section on the web.

The post Are IoT Threats Discussed In The Cybercriminal Underground? appeared first on .

Data breach may affect 50,000 Australian university students using ‘Get’ app

Students using events app Get, previously known as Qnect, may have had their personal data exposed online

The personal details of an estimated 50,000 students involved in university clubs and societies around Australia may have been exposed online, in the second breach of its kind for the company holding the data.

Get, previously known as Qnect, is an app built for university societies and clubs to facilitate payments for events and merchandise. The app operates in four countries with 159,000 active student users, and 453 clubs using it.

Continue reading...

3 Things You [Probably] Do Online Every Day that Jeopardize Your Family’s Privacy

Even though most of us are aware of the potential risks, we continue to journal and archive our daily lives online publicly. It’s as if we just can’t help it. Our kids are just so darn cute, right? And, everyone else is doing it, so why not join the fun?

One example of this has become the digital tradition of parents sharing first-day back-to-school photos. The photos feature fresh-faced, excited kids holding signs to commemorate the big day. The signs often include the child’s name, age, grade, and school. Some back-to-school photos go as far as to include the child’s best friend’s name, favorite TV show, favorite food, their height, weight, and what they want to be when they grow up.

Are these kinds of photos adorable and share-worthy? Absolutely. Could they also be putting your child’s safety and your family’s privacy at risk? Absolutely.

1. Posting identifying family photos

Think about it. If you are a hacker combing social profiles to steal personal information, all those extra details hidden in photos can be quite helpful. For instance, a seemingly harmless back-to-school photo can expose a home address or a street sign in the background. Cyber thieves can zoom in on a photo to see the name on a pet collar, which could be a password clue, or grab details from a piece of mail or a post-it on the refrigerator to add to your identity theft file. On the safety side, a school uniform, team jersey, or backpack emblem could give away a child’s daily location to a predator.

Family Safety Tips
  • Share selectively. Facebook has a private sharing option that allows you to share a photo with specific friends. Instagram has a similar feature.
  • Private groups. Start a private Family & Friends Facebook group, phone text, or start a family chat on an app like GroupMe. This way, grandma and Aunt June feel included in important events, and your family’s personal life remains intact.
  • Photo albums. Go old school. Print and store photos in a family photo album at home away from the public spotlight.
  • Scrutinize your content. Think before you post. Ask yourself if the likes and comments are worth the privacy risk. Pay attention to what’s in the foreground or background of a photo.
  • Use children’s initials. Instead of using your child’s name online, use his or her initials or even a digital nickname when posting. Ask family members to do the same.

2. Using trendy apps, quizzes & challenges

It doesn’t take much to grab our attention or our data these days. A survey recently conducted by the Center for Data Innovation found that 58 percent of Americans are “willing to share their most sensitive personal data” (including medical and location data) in return for using apps and services.

If you love those trendy face-morphing apps, quizzes that reveal what celebrity you look like, and taking part in online challenges, you are likely part of the above statistic. As we learned just recently, people who downloaded the popular FaceApp to age their faces didn’t realize the privacy implications. Online quizzes and challenges (often circulated on Facebook) can open you up to similar risk.

Family Safety Tips

  • Slow down. Read an app’s privacy policy and terms. How will your content or data be used? Is this momentary fun worth exchanging your data?
  • Max privacy settings. If you download an app, adjust your device settings to control app permissions immediately.
  • Delete unused apps. An app you downloaded five years ago and forgot about can still be collecting data from your phone. Clean up and delete apps routinely.
  • Protect your devices. Apps, quizzes, and challenges online can be channels for malicious malware. Take the extra step to ensure your devices are protected.

3. Unintentionally posting personal details

Is it wrong to want an interesting Facebook or Instagram profile? Not at all. But be mindful you are painting a picture with each detail you share. For instance: It’s easy to show off your new dog Fergie and add your email address and phone number to your social profile so friends can easily stay in touch. It’s natural to feel pride in your hometown of Muskogee, to celebrate Katie Beth‘s scholarship and Justin‘s home run. It’s natural to want to post your 23rd anniversary to your beloved Michael (who everyone calls Mickey Dee) on December 15. It’s also common to post about a family reunion with the maternal side of your family, the VanDerhoots.

While it may be common to share this kind of information, it’s still unwise since this one paragraph just gave a hacker 10+ personal details to use in figuring out your passwords.

Family Safety Tips

  • Use and refresh strong passwords. Change your passwords often and be sure to use a robust and unique password or passphrase (e.g., grannymakesmoonshine or glutenfreeformeplease), and make sure you vary passwords between different logins. Use two-factor authentication whenever possible.
  • Become more mysterious. Make your social accounts private, use selective sharing options, and keep your profile information as minimal as possible.
  • Reduce your friend lists. Do you know the people who can daily view your information? To boost your security, consider curating your friend lists every few months.
  • Fib on security questions. Ethical hacker Stephanie Carruthers advises people who want extra protection online to lie on security questions. So, when asked for your mother’s maiden name, your birthplace, or your childhood friend, answer with Nutella, Disneyland, or Dora the Explorer.

We’ve all unwittingly uploaded content, used apps, or clicked buttons that may have compromised our privacy. That’s okay, don’t beat yourself up. Just take a few hours and clean up, lockdown, and streamline your social content. With new knowledge comes new power to close the security gaps and create new digital habits.

The post 3 Things You [Probably] Do Online Every Day that Jeopardize Your Family’s Privacy appeared first on McAfee Blogs.

This Week in Security News: Ransomware Campaigns Persist with WannaCry as Most Common

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how a total of 118 new ransomware families emerged in the first half of 2018, but only 47 new ones debuted in the first six months of this year, according to Trend Micro’s 2019 Mid-Year security report. Also, read on about how Trend Micro was once again named a Leader in Gartner’s 2019 Magic Quadrant.

Read on:

Trend Micro Named a Leader in 2019 Gartner Magic Quadrant for Endpoint Protection Platforms

Trend was named a Leader in Gartner, Inc.’s 2019 Magic Quadrant for Endpoint Protection Platforms in evaluation of its Apex One endpoint security solution. Trend has been named a Leader in every Gartner Magic Quadrant for this category since 2002.

Three Common Email Security Mistakes that MSPs Make

MSPs can generate recurring revenue by being proactive about educating customers about email threats and how to defeat them—if they avoid three common mistakes: failing to educate customers, placing too much faith on end-user training and leaving service revenue on the table.

WannaCry Remains No. 1 Ransomware Weapon

According to Trend Micro’s 2019 mid-year security report, WannaCry remains the most commonly detected ransomware by far: about 10 times as many machines were found targeted by WannaCry in the first half of this year than all other ransomware variants combined. Bill Malik, vice president of infrastructure strategies at Trend Micro, discusses the prevalence of this ransomware and how it works.

TA505 at it Again: Variety is the Spice of ServHelper and FlawedAmmyy

TA505 continues to show that they intend to wreak as much havoc while maximizing potential profits. Just like in previous operations, this cybercriminal group continues to make small changes for each campaign such as targeting other countries, entities, or the combination of techniques used for deployment.

‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information

Heatstroke demonstrates how far phishing techniques have evolved — from merely mimicking legitimate websites and using diversified social engineering tactics — with its use of more sophisticated techniques such as steganography. 

Hackers to Stress-Test Facebook Portal at Hacking Contest

Hackers will soon be able to stress-test the Facebook Portal at the annual Pwn2Own hacking contest, following the introduction of the social media giant’s debut hardware device last year. Introducing the Facebook Portal is part of a push by Trend Micro’s Zero Day Initiative, which runs the contest, to expand the range of home automation devices available to researchers in attendance.

Fortnite Players Targeted by Ransomware via Fake Cheat Tool

An open-source ransomware variant called “Syrk,” based on the source code of the Hidden-Cry ransomware, was found pretending to be a cheat tool that improves the accuracy of a player’s aim and provides visibility over other players’ location on the map. Upon infection, a ransom note will demand payment from victims in exchange for a decryption password.

Cybercriminal Group Silence Has Reportedly Stolen US$4.2 Million from Banks So Far

Contrary to their moniker, the Silence cybercriminal group has been reported to be actively targeting banks and financial institutions in more than 30 countries. Silence reportedly stole US$4.2 million from June 2016 to August 2019. 

US Cyberattack Damaged Iran’s Ability to Target Oil Tankers, Report Says

A database used by Iran’s paramilitary arm to devise attacks against oil tankers was wiped out by a US cyberattack in June, temporarily reducing Tehran’s means of targeting Persian Gulf shipping traffic.

Nemty Ransomware Possibly Spreads through Exposed Remote Desktop Connections

A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.

Abuse of WS-Discovery Protocol Can Lead to Large-Scale DDoS Attacks

Security researchers have discovered that attackers can abuse the Web Services Dynamic Discovery (WS-Discovery) protocol to launch massive distributed denial of service (DDoS) campaigns. These researchers have issued a warning after seeing cybercriminals abuse the WS-Discovery protocol in different DDoS campaigns over the past few months.

Phishing Attack Tricks Instagram Users via Fake 2-Factor Authentication

Although 2FA remains a valid and highly useful tool, Instagram users should not be complacent and rely on it alone, especially when fake 2FA notifications can be used for malicious purposes. In this blog, Trend Micro recommends some best practices users can combine with their existing security tools to help protect against phishing.

Q&A: In a Cloud-Connected World, Cybersecurity is Key

Cloud computing is becoming a critical tool for business, in terms of storing and assessing data. With the increased use of the cloud comes greater security risk. Mark Nunnikhoven, vice president of cloud research at Trend Micro, assesses the solutions.


Will you be following Trend’s best protection practices when playing Fortnite or using Instagram? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Ransomware Campaigns Persist with WannaCry as Most Common appeared first on .

7 Questions to Ask Your Child’s School About Cybersecurity Protocols

Just a few weeks into the new school year and, already, reports of malicious cyberattacks in schools have hit the headlines. While you’ve made digital security strides in your home, what concerns if any should you have about your child’s data being compromised at school?

There’s a long and short answer to that question. The short answer is don’t lose sleep (it’s out of your control) but get clarity and peace of mind by asking your school officials the right questions. 

The long answer is that cybercriminals have schools in their digital crosshairs. According to a recent report in The Hill, school districts are becoming top targets of malicious attacks, and government entities are scrambling to fight back. These attacks are costing school districts (taxpayers) serious dollars and costing kids (and parents) their privacy.


Prime Targets

According to one report, a U.S. school district becomes the victim of a cyberattack as often as every three days. The reason is that cybercriminals want clean data to exploit for dozens of nefarious purposes. The best place to harvest pure data is schools, where children's social security numbers are usually unblemished and go unchecked for years. At the same time, student data can be collected and sold on the dark web. Data at risk include vaccination records, birthdates, addresses, phone numbers, and contacts used for identity theft.

Top three cyberthreats

The top three threats against schools are data breaches, phishing scams, and ransomware. Data breaches can happen through phishing scams and malware attacks that could include malicious email links or fake accounts posing as acquaintances. In a ransomware attack, a hacker locks down a school’s digital network and holds data for a ransom. 

Over the past month, hackers have hit K-12 schools in New Jersey, New York, Wisconsin, Virginia, Oklahoma, Connecticut, and Louisiana. Universities are also targeted.

In the schools impacted, criminals were able to find loopholes in their security protocols. A loophole can be an unprotected device, a printer, or a malicious email link opened by a new employee. It can even be a calculated scam like the Virginia school duped into paying a fraudulent vendor $600,000 for a football field. The cybercrime scenarios are endless. 

7 key questions to ask

  1. Does the school have a data security and privacy policy in place as well as cyberattack response plan?
  2. Does the school have a system to educate staff, parents, and students about potential risks and safety protocols? 
  3. Does the school have a data protection officer on staff responsible for implementing security and privacy policies?
  4. Does the school have reputable third-party vendors to ensure the proper technology is in place to secure staff and student data?
  5. Are data security and student privacy a fundamental part of onboarding new school employees?
  6. Does the school create backups of valuable information and store them separately from the central server to protect against ransomware attacks?
  7. Does the school have any new technology initiatives planned? If so, how will it address student data protection?

The majority of schools are far from negligent. Leaders know the risks, and many have put recognized cybersecurity frameworks in place. Also, schools have the pressing challenge of 1) providing a technology-driven education to students while at the same time, 2) protecting student/staff privacy and 3) finding funds to address the escalating risk.

Families can add a layer of protection to a child’s data while at school by making sure devices are protected in a Bring Your Own Device (BYOD) setting. Cybersecurity is a shared responsibility. While schools work hard to implement safeguards, be sure you are taking responsibility in your digital life and equipping your kids to do the same. 

The post 7 Questions to Ask Your Child’s School About Cybersecurity Protocols appeared first on McAfee Blogs.

Three Common Email Security Mistakes That MSPs Make

MSPs can generate recurring revenue by being proactive about educating customers about email threats and how to defeat them—if they avoid three common mistakes.

Businesses have come to rely on cloud email and file-sharing applications for communication and productivity. But, too often, they assume these platforms’ built-in security delivers enough protection against email-borne threats.

The reality is quite different.

While the built-in protection of platforms such as Microsoft Office 365 and Google Drive catches some threats, it is not designed to detect the myriad unknown dangers that amount to 95% of all cyber threats in the wild, according to Trend Micro research.

Businesses need an added layer of protection for email and file-sharing platforms. But most organizations don’t realize this need until it’s too late and their systems have already been breached.

That’s why MSPs and IT service providers should be proactive in educating customers about email threats–and how to defeat them. In so doing, providers position themselves to generate new recurring revenue. But they must avoid three common mistakes providers make regarding email security:

1. Failing to educate customers

Surprisingly, not all MSPs and IT service providers are aware of the need to add a layer of protection to cloud email platforms. Like their customers, many believe built-in controls get the job done.

This being the case, providers fail to educate customers on the dangers of email-borne threats, leaving them susceptible to malware infections through phishing and spam, fraud, spying and information theft. Providers must make clear that an attack caused by one user’s bad decision to click an infected URL or attachment can bring an organization to its knees and have long-term repercussions: Atlanta is still reeling from a 2018 ransomware attack that cost the city $2.7 million.

2. Placing too much faith in end-user training

There’s no question users need education on safe security practices to avoid infecting their own computers and their network. Phishing is effective because it preys on users’ trust and curiosity to deliver ransomware and other forms of malware: Consider that in 2018, credential phishing tactics accounted for 40 percent of all high-risk email threats. But you can’t stop phishing by merely telling users not to click a link or attachment; someone is always going to do it.

Because training alone cannot fully address security risks, providers should introduce solutions to customers that stop threats before they reach users. They should also teach users to spot threats before clicking infected links and attachments.

3. Leaving service revenue on the table

Providers can build various services around security, including assessments that show how many threats their cloud platforms miss, as well as simulations that determine how many end users fall for phishing scams.

Assessments can lead to other, ongoing services, including awareness and training programs to help users avoid and report email threats. These services create new revenue streams and stickiness with customers.

Trend Micro’s Approach

Increased customer reliance on cloud email makes these platforms a bigger target for hackers. MSPs can minimize the target with the right solutions and services to protect customers. Trend Micro’s email security solution is easy to set up; it has direct APIs for various cloud applications, and it employs advanced features such as machine learning and Writing Style DNA to identify and stop phishing and other threats. Secure your email–and your company’s future–today.

The post Three Common Email Security Mistakes That MSPs Make appeared first on .

How to Spring Clean Your Digital Life

With winter almost gone, now is the perfect time to start planning your annual spring clean. When we think about our yearly sort out, most of us think about decluttering our chaotic linen cupboards or the wardrobes that we can’t close. But if you want to minimise the opportunities for a hacker to get their hands on your private online information then a clean-up of your digital house (aka your online life) is absolutely essential.

Not Glamourous but Necessary

I totally accept that cleaning up your online life isn’t exciting but let me assure you it is a must if you want to avoid becoming a victim of identity theft.

Think about how much digital clutter we have accumulated over the years. Many of us have multiple social media, messaging and email accounts. And don’t forget about all the online newsletters and ‘accounts’ we have signed up for with stores and online sites. Then there are the apps and programs we no longer use.

Well, all of this can be a liability. Holding onto accounts and files you don’t need exposes you to all sorts of risks. Your devices could be stolen or hacked, or a data breach could mean that your private details are exposed, quite possibly on the Dark Web. In short, the less information there is about you online, the better off you are.

Digital clutter can be distracting, exhausting to manage and most importantly, detrimental to your online safety. A thorough digital spring clean will help to protect your important, online personal information from cybercriminals.

What is Identity Theft?

Identity theft is a serious crime that can have devastating consequences for its victims. It occurs when a person’s personal information is stolen to be used primarily for financial gain. A detailed set of personal details is often all a hacker needs to access bank accounts, apply for loans or credit cards and basically destroy your credit rating and reputation.

How To Do a Digital Spring Clean

The good news is that digital spring cleaning doesn’t require nearly as much elbow grease as scrubbing down the microwave! Here are my top tips to add to your spring-cleaning list this year:

  1. Weed Out Your Old Devices

Gather together every laptop, desktop computer, tablet and smartphone that lives in your house. Now, you need to be strong – work out which devices are past their use-by date and which need to be spring cleaned.

If it is finally time to part ways with your first iPad or the old family desktop, make sure any important documents or holiday photos are backed up in a few places (on another computer, an external hard drive AND in a cloud storage service such as Dropbox or iCloud) so you can erase all remaining data and recycle the device with peace of mind. Be careful not to confuse ‘deleting’ with ‘erasing,’ which means permanently clearing data from a device. Deleted files can often linger in a device’s recycle bin, and a plain delete does not overwrite the underlying storage, so use the device’s factory reset or secure-erase function before it leaves your hands.

  2. Ensure Your Machines Are Clean!

It is not uncommon for viruses or malware to find their way onto your devices through outdated software so ensure all your internet-connected devices have the latest software updates including operating systems and browsers. Ideally, you should ensure that you are running the latest version of apps too. Most software packages do auto-update but please take the time to ensure this is happening on all your devices.

  3. Review and Consolidate Files, Applications and Services

Our devices play such a huge part in our day to day lives so it is inevitable that they become very cluttered. Your kids’ old school assignments, outdated apps and programs, online subscriptions and unused accounts are likely lingering on your devices.

The big problem with old accounts is that they get hacked! And they can often lead hackers to your current accounts so it’s a no-brainer to ensure the number of accounts you are using is kept to a minimum.

Once you have decided which apps and accounts you are keeping, take some time to review the latest privacy agreements and settings so you understand what data they are collecting and when they are collecting it. You might also discover that some of your apps are using far more of your data than you realised! Might be time to opt-out!

  4. Update Passwords and Enable Two-Factor Authentication

As the average consumer manages a whopping 11 online accounts – social media, shopping, banking, entertainment, the list goes on – updating our passwords is an important ‘cyber hygiene’ practice that is often neglected. Why not use your digital spring cleaning as an excuse to update and strengthen your credentials?

Creating long and unique passwords using a mix of upper- and lowercase letters, numbers and symbols is an essential way of protecting yourself and your digital assets online. And if that all feels too complicated, why not consider a password management solution? Password managers help you create, manage and organise your passwords. Some security software solutions include a password manager, such as McAfee Total Protection.

Finally, wherever possible, you should enable two-factor authentication for your accounts to add an extra layer of defense against cyber criminals. With two-factor authentication, a user is verified by a one-time password or code delivered through a separate personal device, such as a smartphone, in addition to the regular password.

Still not convinced? If you use social media, shop online, subscribe to specialist newsletters then your existence is scattered across the internet. By failing to clean up your ‘digital junk’ you are effectively giving a set of front door keys to hackers and risking having your identity stolen. Not a great scenario at all. So, make yourself a cuppa and get to work!

Til Next Time

Alex xx

The post How to Spring Clean Your Digital Life appeared first on McAfee Blogs.

Chinese cyberhackers ‘blurring line between state power and crime’

Cybersecurity firm FireEye says ‘aggressive’ APT41 group working for Beijing is also hacking video games to make money

A group of state-sponsored hackers in China ran activities for personal gain at the same time as undertaking spying operations for the Chinese government in 14 different countries, the cybersecurity firm FireEye has said.

In a report released on Thursday, the company said the hacking group APT41 was different to other China-based groups tracked by security firms in that it used non-public malware typically reserved for espionage to make money through attacks on video game companies.


Capital One Data Breach: How Impacted Users Can Stay More Secure

Capital One is one of the 10 largest banks based on U.S. deposits. As with many big-name brands, cybercriminals see these companies as an ideal target to carry out large-scale attacks, which has now become a reality for the financial organization. According to CNN, approximately 100 million Capital One users in the U.S. and 6 million in Canada have been affected by a data breach exposing about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and more.

According to the New York Post, the alleged hacker claimed the data was obtained through a firewall misconfiguration. This misconfiguration allowed the attacker to run commands against a server that in turn had access to data in Capital One’s storage space at Amazon. Capital One stated that it “immediately fixed the configuration vulnerability.”

This breach serves as a reminder that users and companies alike should do everything in their power to keep personal information protected. If you think you might have been affected by this breach, follow these tips to help you stay secure:

  • Check to see if you’ve been notified by Capital One. The bank will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services. Be sure to take advantage of the services and check out the website Capital One set up for information on this breach.
  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible. Capital One will allow you to freeze your card so purchases can no longer be made.
  • Change your credentials. Err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Capital One Data Breach: How Impacted Users Can Stay More Secure appeared first on McAfee Blogs.

Briton who helped stop 2017 WannaCry virus spared jail over malware charges

  • Marcus Hutchins pleaded guilty to two malware charges
  • 25-year-old ‘incredibly thankful’ to be sentenced to time served

The British computer expert who helped shut down the WannaCry cyberattack on the NHS said he is “incredibly thankful” after being spared jail in the US for creating malware.

Marcus Hutchins was hailed as a hero in May 2017 when he found a “kill switch” that slowed the effects of the WannaCry virus affecting more than 300,000 computers in 150 countries.


Hacked forensic firm pays ransom after malware attack

Largest private provider Eurofins hands over undisclosed fee to regain control of systems

Britain’s largest private forensics provider has paid a ransom to hackers after its IT systems were brought to a standstill by a cyber-attack, it has been reported.

Eurofins, which is thought to carry out about half of all private forensic analysis, was targeted in a ransomware attack on 2 June, which the company described at the time as “highly sophisticated”. Three weeks later the company said its operations were “returning to normal”, but did not disclose whether or not a ransom had been paid.


#Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account

If you’re an avid Instagram user, chances are you’ve come across some accounts with a little blue checkmark next to the username. This little blue tick is Instagram’s indication that the account is verified. While it may seem insignificant at first glance, this badge actually means that Instagram has confirmed that the account is an authentic page of a public figure, celebrity, or global brand. In today’s world of social media influencers, receiving a verified badge is desirable so other users know you’re a significant figure on the platform. However, cybercriminals are taking advantage of the appeal of being Instagram verified as a way to convince users to hand over their credentials.

So, how do cybercriminals carry out this scheme? According to security researcher Luke Leal, this scam was distributed as a phishing page through Instagram. The page resembled a legitimate Instagram submission page, prompting victims to apply for verification. After clicking on the “Apply Now” button, victims were taken to a series of phishing forms with the domain “Instagramforbusiness[.]info.” These forms asked users for their Instagram logins as well as confirmation of their email and password credentials. However, if the victim submitted the form, their Instagram credentials would make their way into the cybercriminal’s email inbox. With this information, the cybercrooks would have unauthorized access to the victim’s social media page. What’s more, since this particular phishing scam targets a user’s associated email login, hackers would have the capability of resetting and verifying ownership of the victim’s account.

Whether you’re in search of an Instagram verification badge or not, it’s important to be mindful of your cybersecurity. And with Social Media Day right around the corner, check out these tips to keep your online profiles protected from phishing and other cyberattacks:

  • Exercise caution when inspecting links. If you examine the link used for this scam (Instagramforbusiness[.]info), you can see that it is not actually affiliated with Instagram.com: the brand name appears in the domain, but the domain itself is registered to someone else. Additionally, it doesn’t use the secure HTTPS protocol, which is one more warning sign, though the reverse is not true: many phishing pages are served over HTTPS, so a padlock alone never proves a site is genuine. Always inspect a URL before you click on it. And if you can’t tell whether a link is malicious or not, it’s best to avoid interacting with it altogether.
  • Don’t fall for phony pages. If you or a family member is in search of a verified badge for their Instagram profile, make sure they are familiar with the process. Instagram users should go into their own account settings and tap “Request verification” if they are looking to become verified. Note that Instagram will not ask for your email or password during this process, but will send you a verification link via email instead.
  • Reset your password. If you suspect that a hacker is attempting to gain control of your account, play it safe by resetting your password.
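The domain check behind the first tip, as an added example that is not part of the original post or McAfee’s code. It compares the host of a link against the domain it claims to represent instead of just looking for the brand name somewhere in the URL, and treats the missing HTTPS as one warning sign among several rather than the deciding one. The trusted-domain list, the function names and the sample URLs are assumptions constructed for the example.

```python
"""Check whether a link's host really belongs to the brand it imitates.

Added illustration for the Instagram verification phish above, not code from
McAfee or the cited researcher. The trusted-domain list and the sample URLs
are assumptions constructed for the example.
"""
from urllib.parse import urlsplit

# Domains treated as genuinely Instagram's (assumption for the example).
TRUSTED_DOMAINS = ("instagram.com",)


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is `domain` itself or a real subdomain of it.

    A substring test such as "instagram" in host is exactly what the phish
    exploits: instagramforbusiness.info contains the brand name but is an
    unrelated registration, and so is instagram.com.evil.example.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def inspect_link(url: str) -> dict:
    """Return the effective host, whether it is trusted, and the warning signs."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    trusted = any(host_belongs_to(host, d) for d in TRUSTED_DOMAINS)
    reasons = []
    if not trusted:
        reasons.append(f"host {host!r} is not under {', '.join(TRUSTED_DOMAINS)}")
    if parts.scheme != "https":
        reasons.append("not served over HTTPS")
    if "@" in parts.netloc:
        # Everything before '@' is userinfo, not the host; the browser connects
        # to what follows it. A classic way to make a hostile link look familiar.
        reasons.append("userinfo before the host hides the real destination")
    return {"host": host, "trusted": trusted, "reasons": reasons}


if __name__ == "__main__":
    for link in ("http://Instagramforbusiness.info/apply",
                 "https://www.instagram.com/accounts/edit/",
                 "https://instagram.com.evil.example/login",
                 "https://instagram.com@evil.example/"):
        print(link, "->", inspect_link(link))
```

The HTTPS check only ever adds a warning: a trusted host without HTTPS is still flagged, and an untrusted host with HTTPS stays untrusted, which is the point of the caveat in the tip above.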

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post #Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account appeared first on McAfee Blogs.

The Guardian view on cybercrime: the law must be enforced | Editorial

Governments and police must take crime on the internet seriously. It is where we all live now

About half of all property crime in the developed world now takes place online. When so much of our lives, and almost all of our money, have been digitised, this is not surprising – but it has some surprising consequences. For one thing, the decline in reported property crimes trumpeted by successive British governments between 2005 and 2015 turns out to have been an illusion. Because banks were not required to report fraud to the police after 2005, they often didn’t. It would have made both banks and police look bad to have all that crime known and nothing done about it. The cost of the resulting ignorance was paid by the rest of government, and by the public, too, deprived of accurate and reliable knowledge. Since then, the total number of property crimes reported has risen from about 6m to 11m a year as the figures have taken computerised crime into account.

The indirect costs to society are very much higher than the hundreds of millions that individuals lose. One example is the proliferation of plagiarism software online, which developed an entire industry in poor, English-speaking countries like Kenya, serving idle or ignorant students in England and North America. The effort required by schools and universities to guard against such fraud has been considerable, and its cost entirely disproportionate to the gains made by the perpetrators.


Click It Up: Targeting Local Government Payment Portals

FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. Click2Gov is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses. In October 2017, Superion released a statement confirming suspicious activity had affected a small number of customers. In mid-June 2018, numerous media reports referenced at least seven Click2Gov customers that were possibly affected by this campaign. Since June 2018, additional victims have been identified in public reporting. A review of public statements by these organizations appear to confirm compromises associated with Click2Gov.

On June 15, 2018, Superion released a statement describing their proactive notification to affected customers, work with a third-party forensic firm (not Mandiant), and deployment of patches to Click2Gov software and a related third-party component. Superion then concluded that there was no evidence that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations.

Mandiant forensically analyzed compromised systems and recovered malware associated with this campaign, which provided insight into the capabilities of this new attacker. As of this publication, the discussed malware families have very low detection rates by antivirus solutions, as reported by VirusTotal.

Attack Overview

The first stage of the campaign typically started with the attacker uploading a SJavaWebManage webshell to facilitate interaction with the compromised Click2Gov webserver. Through interaction with the webshell, the attacker enabled debug mode in a Click2Gov configuration file causing the application to write payment card information to plaintext log files. The attacker then uploaded a tool, which FireEye refers to as FIREALARM, to the webserver to parse these log files, retrieve the payment card information, and remove all log entries not containing error messages. Additionally, the attacker used another tool, SPOTLIGHT, to intercept payment card information from HTTP network traffic. The remainder of this blog post dives into the details of the attacker's tactics, techniques, and procedures (TTPs).

SJavaWebManage Webshell

It is not known how the attacker compromised the Click2Gov webservers, but they likely employed an exploit targeting Oracle WebLogic such as CVE-2017-3248, CVE-2017-3506, or CVE-2017-10271, which would provide the capability to upload arbitrary files or achieve remote access. After exploiting the vulnerability, the attacker uploaded a variant of the publicly available JavaServer Pages (JSP) webshell SJavaWebManage to maintain persistence on the webserver. SJavaWebManage requires authentication to access four specific pages, as depicted in Figure 1, and will execute commands in the context of the Tomcat service, by default the Local System account.


Figure 1: Sample SJavaWebManage interface

  • EnvsInfo: Displays information about the Java runtime, Tomcat version, and other information about the environment.
  • FileManager: Provides the ability to browse, upload, download (original or compressed), edit, delete, and timestomp files.
  • CMDS: Executes a command using cmd.exe (or /bin/sh if on a non-Windows system) and returns the response.
  • DBManage: Interacts with a database by connecting, displaying database metadata, and executing SQL commands.

The differences between the publicly available webshell and this variant include variable names that were changed to possibly inhibit detection, Chinese characters that were changed to English, references to SjavaWebManage that were deleted, and code to handle updates to the webshell being removed. Additionally, the variant identified during the campaign investigation included the ability to manipulate file timestamps on the server. This functionality is not present in the public version. The SJavaWebManage webshell provided the attacker a sufficient interface to easily interact with and manipulate the compromised hosts.

The attacker would then restart a module in DEBUG mode using the SJavaWebManage CMDS page after editing a Click2Gov XML configuration file. With the DEBUG logging option enabled, the Click2Gov module would log plaintext payment card data to the Click2Gov log files with naming convention Click2GovCX.logYYYY-MM-DD.

FIREALARM

Using interactive commands within the webshell, the attacker uploaded and executed a datamining utility FireEye tracks as FIREALARM, which parses through Click2Gov log files to retrieve payment card data, format the data, and print it to the console.

FIREALARM is a command line tool written in C/C++ that accepts three numbers as arguments: year, month, and day, represented in a sample command line as evil.exe 2018 09 01. From this example, FIREALARM would attempt to open and parse logs starting on 2018-09-01 up to the present day. If a log file exists, FIREALARM copies its MAC (Modified, Accessed, Created) times so it can later timestomp the corresponding file back to the original times. Each log file is then read line by line and parsed. FIREALARM searches each line for the following contents and parses the data:

  • medium.accountNumber
  • medium.cvv2
  • medium.expirationDate.year
  • medium.expirationDate.month
  • medium.firstName
  • medium.lastName
  • medium.middleInitial
  • medium.contact.address1
  • medium.contact.address2
  • medium.contact.city
  • medium.contact.state
  • medium.contact.zip.code

This data is formatted and printed to the console. The malware also searches for lines that contain the text ERROR -. If this string is found, the utility stores the contents in a temporary file named %WINDIR%\temp\THN1080.tmp. After searching every line in the Click2GovCX log file, the temporary file THN1080.tmp is copied to replace the respective Click2GovCX log file and the timestamps are replaced to the original, copied timestamps. The result is that FIREALARM prints payment card information to the console and removes the payment card data from each Click2GovCX log file, leaving only the error messages. Finally, the THN1080.tmp temporary file is deleted. This process is depicted in Figure 2.


Figure 2: FIREALARM workflow

  1. Attacker traverses Tor or other proxy and authenticates to SJavaWebManage.
  2. Attacker launches a command prompt via the webshell.
  3. Attacker runs FIREALARM with parameters.
  4. FIREALARM verifies and iterates through log files, copies MAC times, parses and prints payment card data to the console, copies error messages to THN1080.tmp, overwrites the original log file and timestomps it with the original times.
  5. THN1080.tmp is deleted.
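A defender’s counterpart to FIREALARM, as an added example; it is not FireEye’s, Superion’s or the attacker’s code. It scans the contents of a Click2GovCX-style log for the same medium.* payment fields FIREALARM harvests, which is direct evidence that DEBUG logging has been switched on, and separately flags a log made up solely of ‘ERROR -’ entries, which is the state FIREALARM leaves a log in after scrubbing it. The exact Click2Gov log line layout is not documented on this page, so the key=value format, the sample lines and the function names are assumptions constructed for the example; account numbers are Luhn-checked and masked so the scanner’s own output does not become a second copy of the card data.

```python
"""Scan Click2GovCX-style log text for the card fields FIREALARM harvests.

Added example; not FireEye's, Superion's or the attacker's code. The exact
Click2Gov log layout is not documented on this page, so the "key=value"
format, the sample lines and the function names are assumptions constructed
for the example.
"""
import re

# Field names FIREALARM searches for, as listed in the write-up.
CARD_FIELDS = (
    "medium.accountNumber", "medium.cvv2", "medium.expirationDate.year",
    "medium.expirationDate.month", "medium.firstName", "medium.lastName",
    "medium.middleInitial", "medium.contact.address1", "medium.contact.address2",
    "medium.contact.city", "medium.contact.state", "medium.contact.zip.code",
)
FIELD_RE = re.compile(r"(%s)=([^\s,]+)" % "|".join(re.escape(f) for f in CARD_FIELDS))


def luhn_ok(number: str) -> bool:
    """Luhn check: separates real PANs from other long numbers in a log."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only; the scanner must not copy full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:] if len(pan) > 10 else "*" * len(pan)


def scan_log(text: str) -> dict:
    """Summarise one log file's contents.

    card_data_lines > 0 means DEBUG logging is writing card data to disk (the
    condition FIREALARM feeds on). error_only means every surviving line is an
    'ERROR -' entry, the state FIREALARM leaves behind after scrubbing a log.
    """
    total = non_error = card_lines = 0
    pans = []
    for line in text.splitlines():
        if not line.strip():
            continue
        total += 1
        if "ERROR -" not in line:
            non_error += 1
        hits = dict(FIELD_RE.findall(line))
        if hits:
            card_lines += 1
            pan = hits.get("medium.accountNumber", "")
            if luhn_ok(pan):
                pans.append(mask_pan(pan))
    return {
        "lines": total,
        "card_data_lines": card_lines,
        "pans": pans,
        "error_only": total > 0 and non_error == 0,
    }


# Constructed sample logs (the real Click2Gov line format is an assumption).
SAMPLE_DEBUG_LOG = """\
2018-09-01 10:02:11 DEBUG - medium.accountNumber=4111111111111111, medium.cvv2=123, medium.expirationDate.month=09, medium.expirationDate.year=2021, medium.lastName=Doe
2018-09-01 10:02:12 INFO - payment submitted
2018-09-01 10:05:40 ERROR - gateway timeout
"""
SAMPLE_SCRUBBED_LOG = """\
2018-09-01 10:05:40 ERROR - gateway timeout
2018-09-01 11:15:02 ERROR - session expired
"""

if __name__ == "__main__":
    for name, log in (("debug", SAMPLE_DEBUG_LOG), ("scrubbed", SAMPLE_SCRUBBED_LOG)):
        print(name, scan_log(log))
```

Run it over every Click2GovCX.log* file in the date range of interest. A non-zero card_data_lines count on a production host means card data is on disk whether or not anyone has collected it yet, and an error_only file whose size is out of step with neighbouring days deserves a closer forensic look, for instance by comparing its $STANDARD_INFORMATION timestamps, which timestomping tools typically set, against the $FILE_NAME timestamps held in the MFT.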

SPOTLIGHT

Later, during attacker access to the compromised system, the attacker used the webshell to upload a network sniffer FireEye tracks as SPOTLIGHT. This tool offered the attacker better persistence to the host and continuous collection of payment card data, ensuring the mined data would not be lost if Click2GovCX log files were deleted by an administrator. SPOTLIGHT is also written in C/C++ and may be installed by command line arguments or run as a service. When run as a service, its tasks include ensuring that two JSP files exist, and monitoring and logging network traffic for specific HTTP POST request contents.

SPOTLIGHT accepts two command line arguments:

  • gplcsvc.exe -i  Creates a new service named gplcsvc with the display name Group Policy Service
  • gplcsvc.exe -u  Stops and deletes the service named gplcsvc

Upon installation, SPOTLIGHT will monitor two paths on the infected host every hour:

  1. C:\bea\c2gdomain\applications\Click2GovCX\scripts\validator.jsp
  2. C:\bea\c2gdomain\applications\ePortalLocalService\axis2-web\RightFrame.jsp

If either file does not exist, the malware Base64 decodes an embedded SJavaWebManage webshell and writes the same file to either path. This is the same webshell installed by the attacker during the initial compromise.

Additionally, SPOTLIGHT starts a socket listener to inspect IPv4 TCP traffic on ports 80 and 7101. According to a Superion installation checklist, TCP port 7101 is used for application resolution from the internal network to the Click2Gov webserver. As long as the connection contents do not begin with GET /, the malware begins saving a buffer of received packets. The malware continues saving packet contents to an internal buffer until one of two conditions occurs: the buffer exceeds a size of 102399, or the packet contents begin with the string POST /OnePoint/services/OnePointService. If either condition occurs, the internal buffer data is searched for the following tags:

  • <op:AccountNum>
  • <op:CSC>
  • <op:ExpDate>
  • <op:FirstName>
  • <op:LastName>
  • <op:MInitial>
  • <op:Street1>
  • <op:Street2>
  • <op:City>
  • <op:State>
  • <op:PostalCode>

The contents between the tags are extracted and joined with `|` as the separator character. The formatted record is then Base64 encoded and appended to a log file at the hard-coded path c:\windows\temp\opt.log. The attacker then used SJavaWebManage to exfiltrate the Base64 encoded log file containing payment card data. FireEye has not identified any manipulation of a compromised host’s SSL configuration settings or redirection of SSL traffic to an unencrypted port. This process is depicted in Figure 3.
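The capture logic described above, as an added example in Python that is not code from the report or from SPOTLIGHT itself: the two buffer-flush conditions, the tag extraction and `|`-joined, Base64-encoded log line, plus the decoder a responder needs to turn a recovered opt.log back into fields and scope which cards were exposed. The SOAP request is constructed for the example; the field order in the record and the use of an empty string for a missing tag are assumptions, since the report only states that the values are extracted and `|`-separated.

```python
import base64
import re
from typing import Dict, List, Optional

# Field tags the report says SPOTLIGHT searches for in the buffered request.
TAGS = [
    "AccountNum", "CSC", "ExpDate", "FirstName", "LastName", "MInitial",
    "Street1", "Street2", "City", "State", "PostalCode",
]
POST_MARKER = b"POST /OnePoint/services/OnePointService"
MAX_BUFFER = 102399   # reported size threshold for SPOTLIGHT's internal buffer

# Constructed sample: one Click2Gov-style SOAP payment request (not real data).
SAMPLE_POST = (
    b"POST /OnePoint/services/OnePointService HTTP/1.1\r\n"
    b"Host: click2gov.example.local\r\n\r\n"
    b"<soapenv:Envelope><soapenv:Body><op:Payment>"
    b"<op:AccountNum>4111111111111111</op:AccountNum><op:CSC>123</op:CSC>"
    b"<op:ExpDate>1225</op:ExpDate><op:FirstName>Jane</op:FirstName>"
    b"<op:LastName>Doe</op:LastName><op:MInitial>Q</op:MInitial>"
    b"<op:Street1>1 Main St</op:Street1><op:Street2></op:Street2>"
    b"<op:City>Springfield</op:City><op:State>IL</op:State>"
    b"<op:PostalCode>62701</op:PostalCode>"
    b"</op:Payment></soapenv:Body></soapenv:Envelope>"
)


def flush_due(buffered: bytes, packet: bytes) -> bool:
    """The two reported conditions that make SPOTLIGHT process its buffer:
    the buffer would exceed MAX_BUFFER, or the packet starts with the POST line."""
    return len(buffered) + len(packet) > MAX_BUFFER or packet.startswith(POST_MARKER)


def extract_record(request: bytes) -> Optional[str]:
    """Pull the <op:...> values out of a request and join them with '|'.
    Field order and '' for a missing tag are assumptions (see lead-in)."""
    text = request.decode("latin-1")
    values = []
    for tag in TAGS:
        m = re.search(rf"<op:{tag}>(.*?)</op:{tag}>", text, re.S)
        values.append(m.group(1).strip() if m else "")
    return "|".join(values) if any(values) else None


def encode_log_line(record: str) -> str:
    """One opt.log line: the '|'-joined record, Base64 encoded."""
    return base64.b64encode(record.encode("latin-1")).decode("ascii")


def decode_log(log_text: str) -> List[Dict[str, str]]:
    """Responder helper: decode recovered opt.log lines back into field dicts.
    Lines that are not valid Base64 or have the wrong field count are skipped."""
    rows = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            raw = base64.b64decode(line, validate=True).decode("latin-1")
        except ValueError:   # binascii.Error is a ValueError subclass
            continue
        parts = raw.split("|")
        if len(parts) != len(TAGS):
            continue
        rows.append(dict(zip(TAGS, parts)))
    return rows


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits when reporting exposed cards."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    record = extract_record(SAMPLE_POST)
    line = encode_log_line(record)
    for row in decode_log(line):
        print(mask_pan(row["AccountNum"]), row["ExpDate"], row["LastName"])
```

When scoping an incident, run `decode_log` over the recovered opt.log and report masked PANs only; the decoded CSC values should never be written to a ticket or report.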


Figure 3: SPOTLIGHT workflow

  1. SPOTLIGHT verifies webshell file on an hourly basis, writing SJavaWebManage if missing.
  2. SPOTLIGHT inspects IPv4 TCP traffic on port 80 or 7101, saving a buffer of received packets.
  3. A user accesses Click2Gov module to make a payment.
  4. SPOTLIGHT parses packets for payment card data, Base64 encodes and writes to opt.log.
  5. Attacker traverses Tor or other proxy and authenticates to SJavaWebManage and launches File Manager.
  6. Attacker exfiltrates opt.log file.

Attribution

Based on the available campaign information, the attacker doesn’t align with any financially motivated threat groups currently tracked by FireEye. The attacker’s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application.  Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another. There is much left to be uncovered about this attacker.  

While it is also possible the attack was conducted by a single individual, FireEye assesses, with moderate confidence, that a team was likely involved in this campaign based on the following requisite skillsets:

  • Ability to locate Click2Gov installations and identify exploitable vulnerabilities.
  • Ability to craft or reuse an exploit to penetrate the target organization’s network environment.
  • Basic JSP programming skills.
  • Advanced knowledge of Click2Gov payment processes and software sufficient to develop moderately sophisticated malware.
  • Proficient C/C++ programming skills.
  • General awareness of operational security.
  • Ability to monetize stolen payment card information.

Conclusion

In addition to a regimented patch management program, FireEye recommends that organizations consider implementing a file integrity monitoring solution to watch the static content, and the code that generates dynamic content, on e-commerce webservers for unexpected modifications. Another best practice is to ensure that any web service accounts run with least privilege.
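A minimal file integrity check of the kind recommended above, as an added example in Python that is not part of the original post or of any FireEye product: it baselines the web content under an application root, stores the hashes, and on the next run reports files that were added, removed or modified. The demo scenario (a fake Click2GovCX root, a JSP dropped at the scripts/validator.jsp path SPOTLIGHT maintains, and a tampered page) is constructed for the example; the set of watched extensions is an assumption to adjust per application.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Content that renders or generates pages on a Java web app; extend per deployment.
WATCHED_SUFFIXES = {".jsp", ".html", ".js", ".xml", ".class", ".jar"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each watched file (relative POSIX path) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift relative to the baseline. Every entry should map to a known
    deployment; a new .jsp with no change record is a webshell until proven otherwise."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake app root, then simulate an attacker
    dropping validator.jsp and altering an existing page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Click2GovCX"
        (root / "scripts").mkdir(parents=True)
        (root / "index.jsp").write_text("<%-- legitimate page --%>")
        (root / "scripts" / "app.js").write_text("console.log('ok');")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated intrusion: a JSP appears at the path SPOTLIGHT maintains,
        # and an existing page is modified.
        (root / "scripts" / "validator.jsp").write_text("<%-- placeholder, not a webshell --%>")
        (root / "index.jsp").write_text("<%-- modified --%>")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline file must live somewhere the web service account cannot write, and the comparison should run from a separate host or at least a separate account; a baseline the webshell can rewrite is no baseline at all.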

Although the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware tailored to Click2Gov installations, achieving moderate success. Although it may reappear in a new form, FireEye anticipates this threat actor will continue to conduct interactive and financially motivated attacks.

Detection

FireEye’s Adversary Pursuit Team from Technical Operations & Reverse Engineering – Advanced Practices works jointly with Mandiant Consulting and FireEye Labs Advanced Reverse Engineering (FLARE) during investigations assessed as directly supporting nation-state or financially motivated intrusions that target organizations through interactive and focused efforts. This relationship allows FireEye to rapidly identify new activity associated with currently tracked threat groups, as well as new threat actors, advanced malware, or TTPs used by threat groups, and to quickly mitigate them across the FireEye enterprise.

FireEye detects the malware documented in this blog post as the following:

  • FE_Tool_Win32_FIREALARM_1
  • FE_Trojan_Win64_SPOTLIGHT_1
  • FE_Webshell_JSP_SJavaWebManage_1
  • Webshell.JSP.SJavaWebManage

Indicators of Compromise (MD5)

SJavaWebManage

  • 91eaca79943c972cb2ca7ee0e462922c
  • 80f8a487314a9573ab7f9cb232ab1642
  • cc155b8cd261a6ed33f264e710ce300e (Publicly available version)

FIREALARM

  • e2c2d8bad36ac3e446797c485ce8b394

SPOTLIGHT

  • d70068de37d39a7a01699c99cdb7fa2b
  • 1300d1f87b73d953e20e25fdf8373c85
  • 3bca4c659138e769157f49942824b61f

Locky is Back Asking for Unpaid Debts

On June 21, 2016, FireEye’s Dynamic Threat Intelligence (DTI) identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign.

As shown in Figure 1, Locky spam activity was uninterrupted until June 1, 2016, when it stopped for nearly three weeks. Up to that point, Locky was the most dominant ransomware distributed in spam email. Locky distribution has now returned to the level seen during the first half of 2016.

Figure 1. Locky spam activity in 2016

Figure 2 shows that the majority of Locky spam email detections between June 21 and June 23 of this year were recorded in Japan, the United States and South Korea.

Figure 2. Locky spam by country from June 21 to June 23 of this year

The spam email – a sample is shown in Figure 3 – purports to contain an unpaid invoice in an attached ZIP archive. Instead of an invoice, the ZIP archive contains a Locky downloader written in JavaScript.

Figure 3. Locky spam email

JavaScript based Downloader Updates

In this campaign, a few updates were seen in both the JavaScript-based downloader and the Locky payload.

The JavaScript downloader does the following:

  1. Iterates over an array of URLs hosting the Locky payload.
  2. If a connection to one of the URLs fails, the JavaScript sleeps for 1,000 ms before continuing to iterate over the array of URLs.
  3. Uses a custom XOR-based decryption routine to decrypt the Locky payload.
  4. Ensures the decrypted binary is of a predefined size. In Figure 4 below, the size of the decrypted binary had to be greater than 143,360 bytes and smaller than 153,660 bytes to be executed.

Figure 4. Payload download function in JavaScript

  5. Checks (Figure 5) that the first two bytes of the binary contain the “MZ” header signature.

Figure 5: MZ header check

  6. Executes the decrypted payload, passing it the command line parameter “123”.

Locky Payload Updates

The Locky ransomware downloaded in this campaign requires a command line argument to execute properly. This parameter, “123” in the analyzed sample, is passed to the binary by the first-stage JavaScript-based downloader and is used in the ransomware’s code unpacking stage. Legitimate binaries typically verify the number of arguments passed, or compare the parameter with the expected value, and exit gracefully if the check fails. This Locky sample does not exit (Figure 6); instead, the value received as a command line parameter is added to a constant defined in the binary, and the sum is used by the decryption routine (Figure 7). If no command line parameter is passed, zero is added to the constant.

Figure 6. Command line parameter check

Figure 7. Decryption routine

If no command line parameter is passed, the constant used by the decryption routine is therefore wrong, and the program crashes because the decrypted code is invalid. Figure 8 and Figure 9 show the decrypted code sections with and without the command line parameter, respectively.

Figure 8. Correct decrypted code

Figure 9. Incorrect decrypted code

With this technique, the Locky authors have made the second stage depend on the first-stage downloader to execute properly. A second-stage payload such as this one crashes if it is analyzed directly, for example when detonated in a sandbox without the argument the downloader supplies.
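The two-stage behaviour described in the downloader steps above and in this section, as an added example in Python that is not code from the post and does not reproduce Locky: it emulates the downloader's size-window and MZ checks, then the payload's argument-dependent unpacking, so that the same sample unpacks to valid code when run with the argument the downloader passes and to garbage when run on its own. The XOR routines, the constant, the header size and the use of an x86 prologue as the "valid code" signal are toy stand-ins chosen for the example; the post does not give Locky's real values.

```python
from typing import Dict, Optional

SIZE_MIN, SIZE_MAX = 143_360, 153_660   # size window from the report (Figure 4)
STAGE1_ARGUMENT = "123"                 # value the analyzed downloader passes to stage 2

# Toy stand-ins (assumptions): the downloader's custom XOR key, the payload's
# constant, the header size and the "valid code" marker are invented here.
TOY_DOWNLOAD_KEY = b"\x3c\xa9\x17"
TOY_CONSTANT = 0x5A
HEADER_SIZE = 0x400
PROLOGUE = b"\x55\x8b\xec"              # push ebp; mov ebp, esp


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def downloader_decrypt(blob: bytes) -> bytes:
    """Step 3: turn the downloaded blob into the payload executable."""
    return xor_bytes(blob, TOY_DOWNLOAD_KEY)


def downloader_accepts(payload: bytes) -> bool:
    """Steps 4 and 5: strict size window, then the MZ signature."""
    return SIZE_MIN < len(payload) < SIZE_MAX and payload[:2] == b"MZ"


def payload_key(arg: Optional[str]) -> int:
    """Reported payload behaviour: constant + argument value (0 when absent), no exit."""
    return TOY_CONSTANT + (int(arg) if arg else 0)


def payload_unpack(payload: bytes, arg: Optional[str]) -> bytes:
    """The payload's own unpacking stage applied to its packed code section."""
    key = payload_key(arg) & 0xFF
    return bytes(b ^ key for b in payload[HEADER_SIZE:])


def looks_like_code(section: bytes) -> bool:
    """Toy validity check: unpacked section starts with a function prologue."""
    return section.startswith(PROLOGUE)


def build_sample_download(size: int = 150_000) -> bytes:
    """Constructed sample: a fake MZ image whose code section unpacks only with
    STAGE1_ARGUMENT, wrapped the way the toy downloader expects to find it."""
    code = PROLOGUE + b"\x90" * (size - HEADER_SIZE - len(PROLOGUE))
    k = payload_key(STAGE1_ARGUMENT) & 0xFF
    image = b"MZ" + b"\x00" * (HEADER_SIZE - 2) + bytes(b ^ k for b in code)
    return xor_bytes(image, TOY_DOWNLOAD_KEY)


def detonate(blob: bytes, arg: Optional[str]) -> Dict[str, object]:
    """Emulate both stages: what the downloader decides, then what the payload
    unpacks when run with `arg` (None models analysing the PE on its own)."""
    payload = downloader_decrypt(blob)
    accepted = downloader_accepts(payload)
    code = payload_unpack(payload, arg) if accepted else b""
    return {"downloader_accepts": accepted,
            "unpack_key": payload_key(arg),
            "valid_code": looks_like_code(code)}


if __name__ == "__main__":
    sample = build_sample_download()
    print(detonate(sample, None))             # wrong key: garbage, would crash
    print(detonate(sample, STAGE1_ARGUMENT))  # correct key: valid code
```

The practical takeaway for analysis is in `detonate`: when a first stage hands a value to a second stage, record it and replay it when the second stage is detonated or emulated on its own, otherwise the crash will be mistaken for a broken sample.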

Conclusion

As of today, the Locky spam campaign is still ongoing, with an added anti-analysis / sandbox evasion technique. We expect to see additional Locky spam campaigns and will remain vigilant in order to protect our customers.

Email Hashes

2cdf62f8aae20026418f143895c769a2009e6b9b3ac59bfa8fc79ca2f326b93a

1fd5c1f0ecc1d54324f3bdc327e7893032482a13c0914ef6f531bd93caef0a06

0ea7d59d7f1494fce8f45a1f35abb07a456de6d8d65327eca8ff84f307a49a06

22645be8553628574a7af3c32a45178e201e9af33b20b36d29b9c012b731da4c

198d8d1a89221c575d957c1f4342741f3675ebb10f95ffe3371150e124f4850e