After the discovery of the banking Trojan known as Trickbot,
an Ohio school district was forced to cancel school since they were unable to
fully disinfect the networks before classes resumed the following Monday.
Preliminary reports have concluded that no students were responsible for the
attack, as it appears to have started its data-gathering on a computer
belonging to the district treasurer’s office. In order for classes to resume
normally, the IT staff for the district had to re-format nearly 1,000 affected computers.
GetCrypt Spreading Through RIG Exploit Kits
A new ransomware variant, GetCrypt, has been spotted in the
wild that spreads itself across systems by redirecting visitors to a
compromised website to a separate page hosting an exploit kit. After checking
for several Eastern European languages, the ransomware begins encrypting all
files on the system and displays a standard ransom note. In addition to
removing all available shadow copies from the computer, GetCrypt also appends
all encrypted files with a randomized, four-character string based on the CPUID
of the device itself.
Google Assistant Logs All Online Purchases
It was recently discovered that Google’s
Assistant, released last year, keeps a log of all online purchases for
which a receipt was sent to the user’s Gmail account. The “Payments” page on a
user’s Google account shows transactions, flight and hotel reservations, and
other purchases made up to several years prior, even showing the cost, date,
and time of the purchase.
Forbes Joins List of Magecart Victims
It was revealed late last week that Forbes
had fallen victim to a Magecart attack possibly affecting anyone who made a
purchase on the site during that time. Fortunately, the researcher who
discovered the attack quickly notified both Forbes and the domain owner,
resulting in a swift removal of the malicious payment card skimmer from the
highly-trafficked site. It’s likely that Forbes became a victim after another vendor
in their supply chain was compromised.
Australian IT Contractor Arrested for Cryptomining
An IT contractor working in Australia was arrested after
being caught running cryptomining
software on government-owned computers, which netted him over $9,000 in
cryptocurrency. The charges encompass misuse of government systems by making modifications
to critical functions and security measures for personal gain while in a
position of trust. By making these changes, this contractor could have exposed
a much larger portion of the network to malicious actors who take advantage of
misconfigured settings to access company data.
WhatsApp Exploited to Install Spyware through Calls
A serious flaw has been discovered in the messaging app WhatsApp
that would allow an attacker to install spyware on a victim’s device by
manipulating the packets being sent during the call. Further disguising the
attack, the malicious software could be installed without the victim answering
the call, and with access to the device the attacker could also delete the call
log. Fortunately, the Facebook-owned app was quick to respond and released an
update for affected versions.
SIM Swapping Group Officially Charged
Nine men in their teens and 20s have been arrested and charged
for a SIM-swapping
operation that netted the group over $2 million in stolen cryptocurrency. The
group operated by illicitly gaining access to phone accounts by having the
phone swapped to a SIM card in their control. The group would then fraudulently
access cryptocurrency accounts by bypassing 2-factor authentication, since login
codes were sent to devices under their control. Three of the group were former
telecom employees with access to the systems needed to execute the scam.
Web Trust Seal Injected with Keylogger
A recent announcement revealed that scripts for the “Trust
Seals” provided by Best of the Web to highly-rated websites were
compromised and redesigned to capture keystrokes from site visitors. While Best
of the Web was quick to resolve the issue, at least 100 sites are still linking
customers to the compromised seals. This type of supply chain attack has risen
in popularity recently. Hackers have been seen injecting payment-stealing
malware into several large online retailers' websites since the beginning of
Fast Retailing Data Breach
The online vendor Fast
Retailing is currently investigating a data breach that gave attackers
full access to nearly half a million customer accounts for two of the brand’s
online stores. The attack took place within the last three weeks and targeted payment
information with names and addresses for customers of UNIQLO Japan and GU
Japan. Fast Retailing has since forced a password reset for all online
customers and delivered emails with further information for those affected by
Data Leak in Linksys Routers
Last week researchers discovered a flaw in over 25,000
Linksys routers that could give attackers access to not only the
device’s MAC address, but also device names and other critical settings that
could compromise the security of anyone using the router. Additionally, by
identifying the device’s IP address, attackers could even use geolocation to gauge
the approximate location of the exploited device, all without authentication.
Researchers recently discovered a new ransomware variant
that displays an ESET
AV removal screen once launched in order to divert the victim's attention
from the silent encryption taking place. Initially dropped by an email spam
campaign, the payload comes as a password protected zip archive, with the
password made available in the body of the email to entice curious readers. In
addition to the ESET removal instructions, the archive also contains a
traditional ransom demand with instructions for purchasing and transferring Bitcoin.
Binance Crypto-Exchange Hacked
At least 7,000 Bitcoin were illicitly removed from the hot
wallet of Binance,
an international cryptocurrency exchange, in a single transaction. By
compromising the personal API keys and bypassing two-factor authentication, the
hackers were able to access the wallet and steal roughly $41 million worth of
Bitcoin. The complete details of the breach are still unknown.
Global Malvertiser Sentenced in US
A man operating several fake companies distributing hundreds
of millions of malicious
ads across the globe has been arrested and is facing charges after his extradition
to the U.S. For nearly five years, Mr. Ivanov and his co-conspirators created
dozens of malvertising campaigns, usually starting a new one immediately after
the previous one was flagged by a legitimate ad network. While this is not the
only case of malvertising campaigns causing chaos on the web, it is one of the
first to see actual indictments.
Robbinhood Ransomware Shuts Down Two US Cities
Both Baltimore City Hall and the city of Amarillo, Texas,
were victims of a variant of Robbinhood
ransomware this week. Following the attack,
citizens of both cities will be seeing online bill payment options temporarily
offline as they work to restore networks that were damaged or disconnected to
stop the spread of the infection. This is the second cyber attack to hit both
cities within the past year, with Potter County, Texas recovering from a
similar attack just a couple of weeks ago. Neither city has released more
information on the ransom amount or when the attack began.
Freedom Mobile Exposes Payment Credentials
An unencrypted database containing millions of customer
records for Freedom
Mobile, a Canadian telecom provider, was discovered to be left freely
available to the public. While the database was secured in less than a week, the
time it was left accessible to criminals is cause for concern. The data
contained full payment card information, including essentially everything a
criminal would need to commit identity fraud against millions of people. Though
Freedom Mobile claims that 15,000 were affected, the incident calls into question the
practices used to store their sensitive data.
A new email phishing
campaign has been making its way around the web that claims to be
from “FBI Director Christopher Wray,” who would love to assist with a massive
wire transfer to the victim’s bank account. Unfortunately for anyone hoping for
a quick payday, the $10 million check from Bank of America won’t be arriving
anytime soon, unless they are willing to enter more personal information and
send it to a Special FBI agent using a Yahoo email address. While most phishing
campaigns use scare tactics to scam victims, taking the opposite approach of
offering a large payout seems less likely to get results.
Magecart Skimming Script Works on Dozens of Sites
Following the many Magecart
attacks of recent years, a new payment skimming script has been
found that allows attackers to compromise almost any online checkout page without
the need to customize it for the specific site. The script currently works on
57 unique payment card gateways from around the world and begins injecting both
the loader and the exfiltration script when the keyword “checkout” is searched
for in the address bar.
Scammers Target Google Search Ads
Scammers are now turning to Google Ads to post fake
phone numbers posing as customer support for popular websites such as eBay
and Amazon. These phone
scammers will often tell those who call that there is something wrong with
their account and ask for a Google Play gift card code before they can help.
The ads look legitimate, which confuses those who
call the phony numbers listed.
Citycomp Data Dumped After Blackmail Attempt
Shortly after discovering that their systems had been
compromised, Citycomp announced they would not be paying a ransom for a large chunk of stolen client
data. Unfortunately for Citycomp, the hackers decided to make the data publicly
available after not receiving their requested $5,000. Amongst the stolen data
is financial and personal information for dozens of companies for which Citycomp
provides infrastructure services, though it may only be an initial dump and not
the entire collection.
Email Scam Robs Catholic Church of Over $1.7 Million
The Saint Ambrose Catholic Parish in Ohio recently fell
victim to email
scammers who took nearly $2 million from the church currently
undergoing a major renovation. The scammers targeted monthly transactions made
between the church and the construction company by providing “updated” bank
information for the payments and sending appropriate confirmations for each
transfer. The church was only made aware of the breach after the construction
company called to inquire about two months of missing payments.
Hackers Breach Private Keys to Steal Cryptocurrency
A possible coding error allowed hackers to compromise at
least 732 unique,
improperly secured private keys used in the Ethereum blockchain. By
exploiting a vulnerability, hackers have successfully stolen 38,000 Ethereum
coins so far, translating to over $54 million in stolen funds, though the
current number is likely much higher. While uncommon, such attacks do show that
the industry’s security and key-generation standards have plenty of room for
Prominent Malware Reverse Engineer Faces Jail Time
The malware researcher Marcus
Hutchins, who successfully reversed and stopped the WannaCry
ransomware attacks in 2017, is facing up to six years of jail time for prior
malware creation and distribution. Hutchins’ charges all tie back to his
involvement in the creation of Kronos, a widespread banking Trojan that’s caused
significant damage around the world.
Data Exposed for Thousands of Rehab Patients
Personally identifiable data belonging to nearly 145,000
patients of a Pennsylvania rehab facility has been found in a
publicly available database. After a Shodan search, researchers discovered the
database that contained roughly 4.9 million unique documents showing information
ranging from names and birthdays to specific medical services provided and
billing records, all of which could be used to steal the identity of these thousands
Study Finds Password Security Still Lacking
After this year’s review of password
security it may come as no surprise that the top five passwords
still in use are simple and have remained at the top for some time. Using a
list generated from past data breaches, researchers found the password “123456”
was used over 23 million times, with similar variations rounding out the top five.
Several popular names, sports teams, and bands like blink182 and Metallica are
still in use for hundreds of thousands of accounts. While these passwords may
be easy to remember, they are exceedingly simple to guess. Stronger passwords should
include multiple words or numbers to increase the complexity.
Bodybuilding Site Breached through Phishing Campaign
The website bodybuilding.com has announced they were the
victim of a data breach stemming from an email
phishing campaign in July 2018 that could affect many of the site’s
clients. Fortunately, the site doesn’t store full payment card data, and the
data it does store is only stored at the customer’s request, leaving little
data for hackers to actually use. The site also forced a password reset for all
users and issued a warning about suspicious emails coming from bodybuilding.com, noting
they may be part of another phishing campaign.
These are the places your digital tracks can be dug up. With a little sleuthing.
Experts have warned for years of the risks of using public computers such as those found in libraries, hotels, and airline lounges.
Many warnings focused on the potential for hackers to plant keystroke loggers, or to intercept data as it flows across the internet. Indeed, in 2014, the National Cybersecurity and Communications Integration Center of the U.S. Secret Service issued an advisory for “owners, managers, and stakeholders in the hospitality industry” concerning data breaches. The text of the advisory claimed, “The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software.” A 2014 announcement may seem to be an outdated reference, except that the recent Marriott data breach of over 300 million records was attributed to an attack in…wait for it…2014.
But spyware and keyloggers aren’t the most common threat to the users of business center and other public computers. Forgetfulness, operating systems, applications, and temporary files are high up on the list. For several years I have searched public computers, mostly at hotels, to see what kinds of information people have left behind. It’s been an interesting passion project, to say the least.
Uncovering a Very Public Digital Paper Trail
The first places I look are the documents, downloads, desktop, and pictures folders. The pictures folder typically yields the least interesting information, usually pictures of groups of drunken people, group gatherings at restaurants, weddings, or cats.
The desktop, document, and occasionally downloads folders are where most documents are inadvertently left behind. Some interesting samples I’ve discovered include a spreadsheet of faculty merit raises at a university in Texas, including the names of professors, their departments, their current salaries, and their projected raises. Another was the assignment of a chief officer to a ship belonging to one of the largest shipping companies in the world. It included the officer’s name, address, phone number, vessel name, date of assignment, and contact information.
I have come across corporate audits and strategic business plans. Recently, I discovered a document called “closing arguments” created by a district attorney. When possible, I contact the owners of the information to help them understand the risks of using public computers for sensitive work. I rarely hear back; however, the DA did thank me and assure me the document was a training example.
The biggest menace, however, has been the temporary files folders, which include auto-saved documents and spreadsheets, as well as attachments. It is in the Temporary Internet Files folder that I have uncovered complete emails, and even a webpage including a bank statement detailing a large balance, the account holder’s name, sources of income, and the names and addresses of places he had done business. Of all of the temporary files I have discovered, documents belonging to businesses’ employees have been the most unsettling.
If you must, take precautions
There is some good news concerning the safety of public computers. Due to technology changes, I no longer find the contents of emails in the Temporary Internet Files folder. But we’re far from out of the woods. I have found my inbox cached, including pictures within emails and even a PDF that had not yet been opened.
Deleting temporary internet files is a good habit, but there are multiple locations in which temporary files are stored. Documents edited on public computers remain of particular concern. Due to auto-save features, it’s possible to open a document from a thumb drive and leave auto-saved copies behind on the computer. Under normal operating circumstances, with current operating systems and Office applications, this is not likely to happen. But errors like OS and application crashes will leave these copies behind, and Microsoft Word and Excel will even proactively offer these auto-saved documents to the next user of these applications.
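As an added illustration (not part of the original post), the script below checks the Windows folders where the leftovers described above tend to accumulate: the user folders, the TEMP folder, the Office AutoRecover and UnsavedFiles locations, and both the old and current browser cache folders. The folder paths are standard Windows and Office defaults; the 30-day window and the file-type list are assumptions chosen for this example.

```powershell
# Added example: report (and optionally remove) recent document-like files
# left behind in locations where Office auto-save copies and browser cache
# data commonly persist on a shared Windows computer.
param(
    [int]$MaxAgeDays = 30,   # assumed window for "recent" leftovers
    [switch]$Remove          # only delete when explicitly requested
)

# Well-known locations for forgotten documents, auto-recovery copies
# (.asd/.wbk) and cached web content (old and current cache folders).
$locations = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('MyDocuments'),
    (Join-Path $env:USERPROFILE 'Downloads'),
    $env:TEMP,
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Office\UnsavedFiles'),
    (Join-Path $env:APPDATA 'Microsoft\Word'),
    (Join-Path $env:APPDATA 'Microsoft\Excel'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files')
)

# File types that usually carry personal or business content (assumed list).
$patterns = @('*.doc*', '*.xls*', '*.ppt*', '*.pdf', '*.asd', '*.wbk',
              '*.csv', '*.txt', '*.eml', '*.htm*', '*.tmp')

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

$found = foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden files; -Recurse is required for -Include to apply.
    Get-ChildItem -Path $dir -Recurse -File -Force -Include $patterns -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        Select-Object FullName, Length, LastWriteTime
}

if (-not $found) {
    Write-Host "No recent leftover documents found in the checked locations."
    return
}

$found | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $found) {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue
    }
    Write-Host "Removed $($found.Count) file(s)."
}
```

Run it without -Remove first to review what it finds; kiosk or business-center machines usually restrict these folders, so an empty result is the expected outcome on a properly locked-down system.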
Other than finding and deleting information left behind, my use of public computers is limited to reading online articles, checking the weather, and performing internet searches. What personal information you are willing to leave behind on a public computer depends on your risk tolerance. But it’s important to note that accessing corporate data on public computers could result in an inadvertent violation of company policies involving confidential data.
Although I still find public computers running Windows XP, there is a growing shift in the hospitality industry to use Kiosk applications. These provide limited functionality combined with locked-down security configurations. Access to the start menu is not possible and functionality is limited to desktop applications. Printing of boarding passes is a common allowed application. Reading web email is sometimes allowed, though I don’t recommend it because it requires entering a password. The risk of password compromise may be low, but the value of practicing quality security habits leads me to advise against it. If you must, consider changing your email password the next time you log onto a private computer.
If you happen to be using a public computer without a Kiosk interface, would you be so kind as to copy this blog, paste it into a Word document, and save it on the public computer to help inform the next user? They may end up paying it forward.