Albany, NY, is coping with a ransomware attack

Posted on

Originally seen on: April 6th, 2019 by Kevin Collier

(CNN) When Albany, New York, patrolman Gregory McGee went to work last Sunday morning, he got the unpleasant news that hackers had rendered many of the internet-connected tools he relied on for work inoperable.

“We were crippled, essentially, for a whole day,” McGee, who’s vice president of the Albany Police Department’s union, told CNN.
“All of our incident reports, all of our crime reports, that’s all digitized,” McGee said, which meant cops had to write down everything that happened on paper. They showed up to work and had no access to staff schedules.
“We were like, who’s working today?” McGee said. “We have no idea what our manpower is, who’s supposed to be here.”
The culprit was the City of Albany getting infected last Saturday with ransomware, in which malicious software spreads across a network, rendering computers inaccessible, encrypting their files and demanding a fee to go away. The city had recently taken over management of most of the police department’s networks.
City Hall itself experienced a number of municipal service interruptions, too. Albany residents were told to go elsewhere to get birth certificates, death certificates or marriage licenses. Some residents complain that building and development applications haven’t been available via the city’s website, Councilwoman Judy Doesschate told CNN.

What ransomware does

Ransomware fundamentally works as an extortion scheme, encrypting computers and demanding an extortion fee to unlock them. In recent years it has become one of the most prominent problems in cybersecurity. It’s often deployed by criminal hackers simply seeking money, though the US has said the two most infamous strains, WannaCry and NotPetya, were authored by the North Korean and Russian governments, respectively.
That the ransomware hit on a Saturday is likely no coincidence, said Kelly Shortridge, the vice president of strategy at Capsule8, a New York cybersecurity company.
“By infecting an organization with ransomware on a weekend, defenders are more likely to be at a farmers market than looking at their security command center,” Shortridge said. “The heightened sense of panic and scrambling may lead to defenders being more willing to pay out higher costs for the decryption keys, as well.”
Albany declined to share additional details, including what type of ransomware it’s facing and whether it’s hired a third-party company to mitigate the problem, but a spokesperson for the New York State Office of Information Technology Services told CNN it is assisting.
There’s no indication yet who may have deployed the attack, and there are a number of active groups that use ransomware to extort funds. There is precedent for the US accusing individuals of infecting cities with ransomware, however. In November, the US Department of Justice charged two Iranian men with a campaign of targeted ransomware attacks whose more than 200 victims included hospitals, municipalities and public institutions, including the cities of Atlanta and Newark, New Jersey.

After the initial Albany hit

Things started to get better after the beginning of the week. On Monday afternoon, police were able to digitally file incident reports again. A spokesperson for the Albany Police Department said the department “has remained adequately staffed since the attack and there was never an interruption in police services to our community,” but declined further comment.
By Tuesday, the city was able to process marriage licenses again.
Birth and death certificates, however, are still unavailable from City Hall. As of the first week of the attack, at least 17 people from Albany had contacted the State Department of Health instead for birth or death certificates.
And the police department’s scheduling program was still unusable. McGee, scheduled to teach a safety class Friday, didn’t know who he would be teaching.
“Nobody knows who has training today,” he said. “We have no idea who’s actually going to be there.”
Doesschate, the councilwoman, told CNN that while the ransomware has been an inconvenience for constituents who haven’t been able to access certain information online, it was relative.
“Up until about 2 1/2 years ago, this information was not regularly posted online,” she said. “It is disappointing and a bit frustrating, but in the scheme of things, not horrible.”

ThreatList: Phishing Attacks Doubled in 2018

Posted on

Originally seen on March 12th, 2019 by: Lindsey O’Donnell

Scammers used both older, tested-and-true phishing tactics in 2018 – but also newer tricks, such as fresh distribution methods, according to a new report.

Phishing attempts more than doubled in 2018, as bad actors sought to trick victims into handing over their credentials. They used both old tricks – such as scams tied to current events – as well as other stealthy, fresher tactics.

Researchers with Kaspersky Lab said in a Tuesday report that during the course of 2018, they detected phishing redirection attempts 482.5 million times – up from the 246.2 million attempts detected in 2017. In total, 18.32 percent of users were attacked, researchers said.

“We have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019,” according to the report, by Maria Vergelis, Tatyana Shcherbakova and Tatyana Sidorina with Kaspersky Lab. “Despite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this.”

Bad actors continued to rely on an age-old trick in 2018 for phishing attacks: Using newsworthy events, such as new smartphone launches, sales seasonstax deadlines, and the EU General Data Protection Regulation (GDPR) to hook the victim.

Phishing report Kaspersky Lab

Phishing emails purporting to be about GDPR, for instance, boomed in the first few months of 2018, because during those months there was an upturn in legitimate GDPR mailings warning users of the transition to the new policies, which require stringent processes to store and process personal data of European citizens.

Attackers unsurprisingly took advantage of this with their own GDPR-related emails: “It was generally B2B spam — mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business,” said researchers.

Other top events, such as the 2018 FIFA World Cup and the launch of the new iPhone sparked phishing attempts, including emails leading to fake FIFA partner websites for the former, and spam messages purporting to sell accessories and replica gadgets for the latter.

Despite the cryptocurrency market’s struggle in 2018, bad actors’ interest in cryptocurrencies appears far from waning. In fact, scammers utilized a number of methods to capitalize on victims’ interests in the cryptocurrency market, such as posing as a cryptocurrency exchange or fake Initial Coin Offering (ICO) bent on convincing victims into transferring money to cryptocurrency wallets.

“In 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges and platforms,” researchers said. “Fraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.”

Spam and phishing attack report

When it came to ICOs, scammers extended invitations to victims for investing in various ICOs via email and social-media posts.

One such scam targeted a cryptocurrency called buzcoin; the scammers got ahold of the project mailing list and sent fake presale invitations to subscribers before the ICO began – eventually making away with $15,000, according to Kaspersky Lab.

There were also sextortion scams that coerced victims to send cryptocurrency in exchange for keeping quiet about their private online activities, with one campaign in July noted for using victims’ legitimate password in the email as a scare tactic; and another one in December hit victims with ransomware.

Researchers said they don’t expect attackers’ interests in cryptocurrency to die down any time soon: “In 2019, spammers will continue to exploit the cryptocurrency topic,” they said. “We expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.”

In 2018, the number of malicious messages in spam was 1.2 times less than in 2017, according to researchers. Of those malicious messages, the most widely distributed malicious objects in email (Exploit.Win32, CVE-2017-11882), exploited a patched Microsoft vulnerability that allowed the attacker to perform arbitrary code-execution.

spam phishing email attack report

Despite this downturn in malicious emails, scammers appear to be looking to other sneaky tactics to avoid detection and still make off with victims’ credentials — in particular using non-typical formats for spam like ISO, IQY, PIF and PUB attachments.

“2018 saw a continuation of the trend for attention to detail in email presentation,” researchers said. “Cybercriminals imitated actual business correspondence using the companies’ real details, including signatures and logos.”

In addition, bad actors appeared to transition to new channels of content distribution beyond email – including social media sites, services like Spotify, or even Google Translate.

“Cybercriminals in 2018 used new methods of communication with their ‘audience,’ including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages,” said researchers. “Hand-in-hand with this, as illustrated by [an] attack on universities, fraudsters are seeking not only new channels, but new targets as well.”

9 QUESTIONS FOR FACEBOOK AFTER ZUCKERBERG’S PRIVACY MANIFESTO

Posted on

Originally seen: March 7th, 2019 by Nicholas Thompson of Wired.

YESTERDAY AFTERNOON, MARK Zuckerberg presented an entirely new philosophy. For 15 years, the stated goal of Facebook has been to make the world more open and connected; the unstated goal was constructing a targeted advertising system built on nearly infinite data. Yesterday, though, Zuckerberg pronounced that the company is reversing course. The social network of the future won’t be one where everyone connects openly together, as in a town square; it will be one where more connections happen one to one, as in a living room. Instead of data permanence, data will disappear.

Facebook isn’t putting the current platform—worth roughly half a trillion dollars—in the garbage disposal. As Zuckerberg made clear in a Wednesday afternoon interview with WIRED, Facebook as we know it now will still exist. But it will change. And there will also just be something new.

It’s unclear the extent to which Facebook will ultimately push users toward privacy, and in what exact ways. But Zuckerberg controls Facebook, and his manifesto will make its gears start to turn in different directions. As that begins, here are nine important questions the company will have to think through.

1. Facebook knows how to make money in the town square. How does it make money in this new living room?

Private, encrypted messaging is hard to monetize. In our interview, Zuckerberg demurred when asked what the new business model will be after clamping down on the data firehose. The company would, he said, build the product first and figure out the financials later. Facebook does have nascent efforts in commerce and cryptocurrency, but there’s no question that figuring out revenue on the new platform will be a hard problem for Dave Wehner, Facebook’s chief financial officer. A former Facebook employee told me last night, “Mark is like a cartoon character who walks through a bunch of dangerous situations and always comes out on top. Dave is the guy running behind him catching the cat, stopping the ladder from tipping, deflecting the flying axe with a manhole cover.”

2. What does this do to safety on the platform?

Facebook rightly faces endless criticism for all the data it collects. But there are benefits to data collection as well. It can help stop bullies, or even potential suicides. Once those communications become private, Facebook no longer has the same powers to track and moderate. The public—from the media, to nonprofits, to academics, to individuals, to the government—also uses the public nature of Facebook to track bad behavior. If Russian intelligence operatives had just used private encrypted messaging to manipulate Americans, would they have been caught? As Facebook knows from running WhatsApp, which is already end-to-end encrypted, policing abuses gets ever harder as messages get more hidden.

In our interview, Zuckerberg explained that this, not fears about the business model, is what keeps him up at night. “There is just a clear trade-off here when you’re building a messaging system between end-to-end encryption, which provides world-class privacy and the strongest security measures on the one hand, but removes some of the signal that you have to detect really terrible things some people try to do, whether it’s child exploitation or terrorism or extorting people.” When asked whether he cared more about these fears than fears about his business model, he said yes. “I am much more worried about those trade-offs around safety.”

3. What does this do to the company’s efforts in artificial intelligence?

Facebook has spent the past several years building artificial intelligence systems to change the way almost every element of the company works. They are, for example, crucial in the work to eliminate toxic content. But AI, particularly the subset known as machine learning, requires training data, and the more the merrier. Facebook, of course, won’t be just wiping all of its machines as it implements Zuckerberg’s vision. But there will almost certainly be times when the company faces a tradeoff between living up to the ideals in the manifesto or storing something that will make the work of the AI teams easier.

4. What does this do the news industry?

One of the most vexed issues for Facebook is its relationship with the news business. The media industry relies on Facebook for distribution, but it deeply resents that Facebook has swallowed much of the advertising business. Facebook executives know that many people come to the platform to read news, but they hate most of the news written about the platform. News Feed will continue under whatever Facebook builds next, but it’s hard not to imagine that distribution for publishers on Facebook will decline, which may elicit even further media scrutiny. On the other hand, if Facebook is actually pivoting to a new business model, maybe advertising will return to media?

5. How does this change the way regulators react to the company?

Facebook is currently besieged by regulators of all stripes. There are German regulators going after the ad business, British parliamentarians publishing internal emails, American politicians talking about antitrust, and members of the Federal Trade Commission who may be about to fine the company billions of dollars. Much of the anger comes from Facebook’s loose attitudes toward privacy in the past; perhaps this new philosophy will help set people’s minds at ease. Or perhaps not. It is certainly the case, though, that one of Zuckerberg’s proposed moves—further integrating WhatsApp, Instagram, and the main app—will make it much harder to split the company apart in the way that scholars of antitrust have been proposing in recent months.

6. Relatedly, will Facebook now advocate for privacy laws?

Facebook has consistently run afoul of regulators focused on privacy. It has resisted, and sometimes quietly lobbied against, their efforts. Now, though, Zuckerberg has planted a flag in favor of privacy. Does that mean that he will turn, like Tim Cook—aka Tim Apple—into a public advocate for strong privacy legislation?

7. How much does this have to do with Facebook’s Blockchain initiative?

For the past year, Facebook has had a secret team working away in a building on some kind of blockchain initiative. They have been exploring payments, identity, and the creation of a new stablecoin. But no one outside of the company knows for sure what they’ll actually launch. Some insiders view the project as a ludicrous lark. Others think of it as crucial in the quest to redefine Facebook. It seems almost certain that the blockchain initiative informed Zuckerberg’s philosophy. And the connection may be even more direct, particularly if the company is indeed planning to launch a crypto payments system that will work across messaging platforms.

8. What does this do to the company’s chances of going into China?

In his manifesto, Zuckerberg talked about the need to keep servers out of authoritarian countries. As he added when talking to WIRED, “if you put a data center in a place, or you store people’s information in a country, then you’re giving that government the ability to use force to get that data.” In a way, this was a free moral stand. Facebook is already banned in China, by far the most important country where this is an issue. But no one knows how the dynamics between the United States and China will evolve in the next five years. By coming out so strongly in favor of encryption, and against authoritarianism, Facebook may be signaling that it’s giving up on its quest to connect the largest country on earth.

9. How much of this will actually happen?

To skeptics, Zuckerberg’s privacy manifesto was a bundle of naked cynicism and hypocrisy. The company, after all, developed a system to make his personal messages disappear long ago, only rolling it out more broadly under public pressure. But whatever the motives, and whatever the odds that one thinks Facebook will follow through, there’s no question that, inside of Facebook a new era of sorts starts today. Tradeoffs will have to be resolved in different ways. New problems will emerge. Different people will move to different teams. The public and the media, trained to distrust what Facebook says, will judge whether the company is living up to promises that the CEO just made very publicly. In our interview, I asked Zuckerberg how hard this is going to be. “You have no idea how hard it is,” he said laughing.

But, more important, he noted that this will be something rather different for Facebook. “This is a big opportunity, but it’s going to mean adopting and taking some positions on some of these big issues that involve some really big trade-offs and are frankly different from what we may have prioritized historically.”

Opening this image file grants hackers access to your Android phone

Posted on Updated on

Originally seen on: Zdnet by Charlie Osborne, February 7th, 2019

Be careful if you are sent an image from a suspicious source.

Opening a cute cat meme or innocent landscape photo may seem harmless enough, but if it happens to be in a .PNG format, your Android device could be critically compromised due to a new attack.

In Google’s Android security update for February, the tech giant’s advisory noted a critical vulnerability which exists in the Android operating system’s framework.

All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim’s device. Should the user open the file, the exploit is triggered.

Remote attackers are then able to execute arbitrary code in the context of a privileged process, according to Google.

Android versions 7.0 to 9.0 are impacted.

The vulnerability was one of three bugs impacting Android Framework — CVE-2019-1986,  CVE-2019-1987, and CVE-2019-1988 — and is the most severe security issue in the February update.

There are no current reports of the vulnerability being exploited in the wild. However, given the ease in which the bug can be exploited, users should accept incoming updates to their Android builds as soon as possible.

As vendors utilizing the Android operating system roll out security patches and updates at different rates, Google has declined to reveal the technical details of the exploit to mitigate the risk of attack.

Google’s bulletin also outlined remote code execution flaws impacting the Android library, system files, and Nvidia components. Elevation of privilege and information disclosure security holes have also been resolved.

Source code patches for the .PNG issue, alongside other security problems raised in the bulletin, have also been released to the Android Open Source Project (AOSP) repository.

In January, researchers revealed the existence of a new malvertising group called VeryMal. The scammers specifically target Apple users and bury malicious code in digital images using steganography techniques to redirect users from legitimate websites to malicious domains controlled by the attackers.

The Scarlet Widow Gang Entraps Victims Using Romance Scams

Posted on Updated on

Originally seen on: Bleepingcomputer by Lawrence Abrams, Febraury 13th, 2019

We often hear about sextortion, business email compromise (BEC), and inheritance scams, but the often overlooked “Romance Scams” could be the most insidious of them all. Not only do victims lose money, but  the emotional entanglement ultimately leads to heartbreak.

Romance scams are months long, if not year long, campaigns where bad actors catfish, or pretend to be in love with, an unsuspecting victim in order to steal money from them. They do this by creating fake romantic relationships that the victims become invested in and are willing to help them with fake financial troubles.

In a report shared with BleepingComputer, the Agari Cyber Intelligence Division (ACID) outlines how a criminal gang out of Nigeria called “Scarlet Widow” targets those who are more likely to be lonely such as farmers, elderly, the disabled, and divorced.

This catfishing is done through the creation of fake personas that utilize stolen pictures of attractive people, fake names, personalities, and back stories where they were victimized in the past, but still believe that love is possible. They then create accounts on social media and dating sites, including ones that may attract those looking for love or are lonely such as Dating4Disabled.com, Farmers Dating Site, and DivorcedPeopleMeet.com.

For example, one of the fake personas discovered by Agari is a person named “U.S. Army Captain Michael” who is serving a tour of duty overseas, but is looking for love after he lost his wife.

“According to one of his fake dating site profiles, Captain Micheal is a 43-year-old Catholic man from Austin, Texas, who is currently serving a tour of duty overseas in Kabul, Afghanistan. His profile indicates that, like most of the other personas created by Scarlet Widow, he has lost a loved one in his past. In this case, Captain Micheal lost his wife, as his status describes him as “Widowed.” Since the death of his wife, he has been “searching for so long” for the perfect woman and hopes the women has a trusting mind to fall in love.”

The fake persona for Captain Michael was posted to dating sites such as MilitaryCupid.com and MarriedDateLink.com during a 6 month period in 2017.

Captain Michael Persona
Captain Michael Persona

Agari states that each of the personas created by Scarlet Widow have different personalities and ways of communicating that reflect their backstory and who they are targeting. For example, the researchers state that Captain Michael’s messages are usually short and to the point, while the gang’s female personas have a “softer, inquisitive, and more verbose tone”.

Example of email from Captain Michael
Example of email from Captain Michael

It’s all about the money

Ultimately, though, these scams are not about making true romance, but about stealing as much money from the victims as they can.

Once a “relationship” is established, the scammers tell their victims that they are having financial difficulty and need financial assistance. This assistance is usually in the form of money for plane tickets, travel assistance, or accommodations.

If the victim is shown to be willing to send money, then the scammers continue with their relationship while continuing to siphon money over a long period of time.

Such is the case with Texan man who was going through a painful divorce and met one of the gang’s fictitious characters named “Laura Cahill”. Over a period of one year, the Scarlet Widow persona was able to scam the individual out of $50,000.

This person was so firmly hooked that when the scammers didn’t reply to him in over a week, he sent a distraught email to her pleading for a reply.

Distraught email from victim
Distraught email from victim

It ultimately got so bad, that this individual stole $10,000 from his father to send to the scammers. This “relationship” ultimately ended when the scammers stopped replying, but it shows how deeply entrenched victims can get in these fake “relationships”.

While this sounds like something that few would fall for, according to Agari it is not that unusual.

“We are tracking a number of Nigerian scammer groups that continue to engage in romance scams and seek out new victims. In 2018, Agari documented a long-running, $500,000 swindle of a divorced American woman with children who refinanced her home to send money to the con artist. Eventually the creditors closed in, and she was forced to sell her house, pull her children out of school, and move the family in with a friend. She continued to believe he was real until Agari presented her with irrefutable evidence of the truth, enabling her to finally break free in 2018. “

Unfortunately, protecting yourself from scams like this can be difficult, especially if you are the type of person that they are targeting. That is because lonely people crave love and camaraderie in their life and may miss warning signs.

E-ticketing system exposes airline passengers’ personal information via email

Posted on Updated on

Originally seen on CYBERSCOOP by Jeff Stone: February 6, 2019

At least eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera.

The systems fail to secure customers’ personally identifiable information, including names, boarding passes, passport numbers and flight numbers, Wandera said.

The email vulnerabilities still exist, Wandera found, even though researchers notified affected companies weeks ago, and despite growing corporate awareness about the risks associated with sacrificing security for convenience.

The weakness is a check-in link that is emailed to customers, Wandera researchers found. Customer information is embedded in the links, allowing travelers to travel from their email to a website where they check in for a flight without needing to enter their username and password. However the links are unencrypted and re-usable, presenting a tempting target for hackers, according to Michael Covington, vice president of product at Wandera.

“The airlines, in an effort to make it easy for their passengers to check in, have taken shortcuts that have led to the potential exposure of personal information,” he said.

Affected airlines include Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa, Wandera found. Wandera has reported the vulnerability to each company and received responses, though none appear to have fixed the vulnerability, Covington said.

The airlines appear to be using unique servers for automated marketing that fail to protect user information.

“It’s not just the personal information they could get into, but the e-ticketing systems are basically allowing people in without authentication, which would allow you to change details about people like seat assignments and bags checked,” Covington said. “In some cases you can change existing bookings.”

There is no evidence outsiders have exploited the vulnerabilities.

Southwest Airlines is perhaps the best known low-cost airline operating in the U.S., with a 5 percent capacity growth planned for 2019, according to industry analysts at the Center for Aviation. Air France and KLM, which merged under a single holding company in 2004, jointly form one of the world’s largest airlines. Other companies named in the report — Vueling, Transavia and Air — are based in Europe. Thomas Cook is a British charter airline and Jetstar is a low-cost airline in Australia.

CyberScoop sought comment from each of the airlines named in this report. Several acknowledged receiving a request for comment. All except three failed to provide a statement or answer questions by press time.

In a statement, a Thomas Cook spokeswoman said, “We take the security of our customers’ data very seriously and have investigated this matter as a priority. We have looked into the questions raised and have taken immediate action to further increase the security of our customer data.” A Southwest spokesman said, “While we don’t have a comment on this specific issue, the safety and protection of our customers and their data privacy is our highest priority.”

A spokesperson for JetStar said the company takes data security and privacy “extremely seriously” and that the airline has “multiple layers of security in place.”

Air travelers anxious for a web connection in an airport, hotel or elsewhere on their journey are especially at risk because they could be more likely to connect to public WiFi, ignoring security precautions, Covington said.

“If you’re on a Wi-Fi network or a physical network that uses encryption, this would not be a problem,” he said.

“I can’t speak for the airlines individually,” he said. “We’re not a vulnerability testing company, and it’s not our business to go out and find this. But I can tell you the airlines we’ve engaged with have been keen to listen and are open to hearing more.”

Clever Phishing Attack Enlists Google Translate to Spoof Login Page

Posted on Updated on

Originally seen on ThreatPost by Lindsay O’Donnell: February 26th, 2019

A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google’s translate feature.

 

Recently-discovered phishing emails scoop up victims’ Facebook and Google credentials and hides its malicious landing page via a novel method – Google Translate.

The phishing campaign uses a two-stage attack to target both Google and Facebook usernames and passwords, according to researchers at Akamai who posted a Tuesday analysis. But in a tricky twist of events, the scam also evades detection through burying its landing page in a Google Translate page –  meaning that victims sees a legitimate Google domain and are more likely to input their credentials.

“When it comes to phishing, criminals put a lot of effort into making their attacks look legitimate, while putting pressure on their victims to take action,” Larry Cashdollar, with Akamai, said in a Tuesday post. “This is an interesting attack, as it uses Google Translate, and targets multiple accounts in one go.”

Cashdollar said that he first noticed the attack on Jan. 7 when an email notification on his phone informed him that his Google account had been accessed from a new Windows device.

The message, titled “Security Alert,” features an image branded with Google that says “A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.” Then, there’s a “Consult the activity” button below the message.

phishing email

Interestingly, the message looked much more convincing in its condensed state on his mobile device, rather than on a desktop where the title of the email sender is more apparent, he said.

Upon closer look at the email, Cashdollar found that the “security alert” was sent from “facebook_secur[@]hotmail.com.”

That triggered two suspicions: Firstly, the email is from a Hotmail account, raising red flags – but also, the entire address had nothing to do with Google, instead referencing Facebook.

“Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn’t aware or paying attention,” he said. “Criminals conducting phishing attacks want to throw people off their game, so they’ll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later.”

When clicking on the “Consult the activity” button, Cashdollar was brought to a landing page that appeared to be a Google domain, prompting him to sign into his Google account.

However, one thing stuck out about the landing page – it was loading the malicious domain via Google Translate, Google’s service to help users translate webpages from one language to another.

phishing facebook google translate

Using Google Translate helps the bad actor hide any malicious attempts through several ways: Most importantly, the victim sees a legitimate Google domain which “in some cases… will help the criminal bypass endpoint defenses,” said Cashdollar.

Using Google Translate also means the URL bar is filled with random text. Upon further inspection of that text, victims could see the real, malicious domain, “mediacity,” being translated.

Luckily, “while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer,” said Cashdollar.

For those who fail to notice red flags regarding the landing page, their credentials (username and password) are collected – as well as other information including IP address and browser type – and emailed to the attacker.

“We are aware of the phishing attempts and have blocked all sites in question, on multiple levels,” a Google spokesperson told Threatpost. The spokesperson urged users to report them if they encounter a phishing site.

However, the attack didn’t stop there. The attacker then attempts to hit victims twice, by forwarding them to a different landing page that purports to be Facebook’s mobile login portal as part of the attack.

These type of two-stage attacks appear to be on the rise as bad actors look to take advantage of victims who already fell for the first part of the scam, Cashdollar told Threatpost: “It seems this is becoming more common as the attacker knows they’ve gained your trust and try to steal additional credentials.”

Like the Google page, this Facebook landing page has some red flags. It uses an older version of the Facebook mobile login form, for instance.

“This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums,” said Cashdollar.

Despite these mistakes, the two stages of the phishing attack suggest a certain level of sophistication on the part of the attacker.

“It isn’t every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device. But it’s highly uncommon to see such an attack target two brands in the same session,” he said.

Phishing attacks have continued to grow over the past year – and this particular scam is only one example of how bad actors behind the scams are updating their methods to become trickier.

phishing attack google translate

According to a recent Proofpoint report, “State of the Phish,” 83 percent of respondents experienced phishing attacks in 2018 – up 5 percent from 2017.  That may not come as a surprise, as in the last year phishing has led to several massive hacks – whether it’s hijacking Spotify users’ accounts or large data breaches like the December San Diego Unified School District breach of 500,000.

Other methods of phishing have increased as well. Up to 49 percent of respondents said they have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.

Hyatt Hotels launches bug bounty program

Posted on

Originally seen on Zdnet.com by Charlie Osborne

The company has turned to external help to prevent data breaches from ever affecting its properties again

Hyatt Hotels has launched a bug bounty program in light of recent card-skimming attacks against the hospitality chain.

On Wednesday, the company said the new initiative will be hosted on bug bounty program HackerOne and is designed to allow Hyatt to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities.”

Ethical hackers can use the platform — as well as rival services such as Bugcrowd — to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft.

The bug bounty program is public and includes the main hyatt.com domain, m.hyatt.com, world.hyatt.com, and both the iOS and Android Hyatt mobile apps.

Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.

Hyatt has chosen to use the Common Vulnerability Scoring Standard (CVSS) standard to evaluate the severity of security flaws found.

Researchers who report valid, high-severity flaws can expect rewards of up to $4,000; important bugs will earn them $1,200 and less severe vulnerabilities are worth between $300 and $600.

“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt Chief Information Security Officer Benjamin Vaughn. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”

In a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards which have already been issued at the time of writing.

It is unfortunately quite common for hotel chains and others in the hospitality space to become the focus of cyberattacks due to the vast amount of valuable data these businesses process and store.

Hard Rock Hotels & Casinos, Loews Hotels, Radisson Hotel Group, the Trump Hotel CollectionMarriott, and Hyatt Hotels itself is on the list of organizations which have experienced successful cyberattacks in recent years.

In 2015, 250 properties managed by Hyatt across countries including the US, UK, China, Germany, Japan, Italy, France, Russia, and Canada were subject to a cyberattack. Information-stealing malware was implanted on systems, leading to the exposure of customer financial data including cardholder names, card numbers, expiration dates, and internal verification codes.

A second data breach occurred in 2017, in which 41 locations were affected and unauthorized access to payment card information was detected.

Chicago-based Hyatt Hotels manages over 750 properties in 55 countries.

Other organizations that use HackerOne to tap into a vast pool of security researchers include Google, Twitter, the US Department of Defense, GitHub, and Qualcomm.

Breaking Down Five 2018 Breaches — And What They Mean For Security In 2019

Posted on

Originally seen on ForbesForbes by Kate O’Flaherty

Big hacks and data leaks are nothing new, but this year has seen a surge in reported breaches. The reason for this might be simple: After the EU general update to data protection regulation (GDPR) came into place in May, firms are more likely to report attacks.

But it also demonstrates that the huge amounts of data collected by companies is not immune to hacking. And many firms aren’t doing enough to ensure they are secure. Let’s take a look back at five massive hacks of this year and examine what they mean for cybersecurity in 2019.

Facebook

Facebook has suffered several breaches this year, with the worst seeing at least 50 billion users compromised. The biggest breach, in late September enabled hackers to exploit a weakness in Facebook’s code to access the ‘View As’ privacy tool that allows users to see how their profile looks to other people.

Three major security incidents affected user data in 2018, says Lewis Henderson, VP threat intelligence at Glasswall Solutions – and these are just the ones we know about. “Having been caught playing fast and loose with their users’ data, further major security incidents demonstrate Facebook’s infrastructure was probably never designed to cope with this many subscribers. It simply doesn’t have security built in, nor has Facebook taken those companies who exploit subscriber data through a robust third-party security process.”

Facebook has a large security budget and a team that’s known throughout the industry as top-notch, says Joan Pepin, CISO at Auth0. “They should know what they’re doing – but they have a complicated product. The latest hack combined several features in concert, which QA never thought to test. It was a failure of imagination and an outcome of the incredible complexity of their product.”

At the end of November, hotel group Marriott admitted it had suffered a massive data breach affecting the records of up to 500 million customers. The firm revealed its Starwood division’s guest reservation database had been compromised by an unauthorized party. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.

“Regardless of who the finger is being pointed at, it’s clear this stealthy attack meant the perpetrator had unrestricted access, across multiple IT systems for a very long time,” says Glasswall’s Henderson. “Presumably with many elevated privileged accounts compromised, the attackers were clear to traverse customer data held in different locations and likely cleared their tracks as they went.”

And when people trust firms with their data, even cybersecurity experts aren’t immune. “I am a Marriott Platinum for Life customer: My data was hacked alongside that of millions,” says José Hernandez author of Broken Business.

He points out that good crisis management requires full, timely, and complete disclosure – alongside an independent investigation. “Beyond trust and good governance, with Europe’s GDPR, waiting two months to report a significant hack is likely to be met with significant fines and penalties.”

It’s not the data breach that will be most impactful to the company; it’s the regulatory and class actions that follow, says Ian Thornton Trump, head of cyber security at Amtrust International. “But the big question is, why was this data not encrypted while at rest? Why are passport numbers and details not required by law to be encrypted at rest? The Marriott breach was not just about failing to protect the data they have; it’s a failure of governments to insist identity documents are treated with the same requirements as credit card data.”

Quora

In December, Quora suffered a massive breach of user data. The intrusion, discovered on November 30, included up to 100 million users’ names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content such as questions, answers, comments, blog posts and upvotes.

“The breadth and potential value of the data compromised, like encrypted passwords and social media data, was notable,” says Andrew Tsonchev, director of technology, Darktrace Industrial.

Edward Whittingham, a former law enforcement officer who is MD of The Defence Works, agrees. “Quora’s data breach was pretty punchy, mainly because it exposed the names, email address and encrypted passwords, as well as data from social networks like Facebook and Twitter, to which people had connected their accounts,” he says.

“Perhaps most interesting, is how the cybercriminals might then go on to use the data, such as questions and answers posed on the platform.  I’d expect to see this information sold on the dark web and if there are any contentious questions or answers in there, the fraudsters will be sure to make use of this information and possibly look to hold some users to ransom.”

British Airways

On 6 September, British Airways informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and cvv codes. It took the firm just one day to announce it had been hit by a cyber-attack between 21 August and 5 September.

Soon afterwards, it was discovered the details were taken via a script designed to steal financial information by ‘skimming’ the payment page before it was submitted. Security researchers now think the perpetrator is the same group that breached Ticketmaster, Magecart.

“The credit card skimming campaign launched against hundreds of thousands of British Airways customers stood out due to its large scope and the effectiveness of the tactic employed: the modification of JavaScript code on BA’s website to effectively steal payment data while avoiding detection,” says Yonathan Klijnsma, head threat researcher at RiskIQ.  “By inserting just 22 lines of code, Magecart Group 6 was able to extract information entered into the airline’s online payment forms without disrupting the payment flow.”

The impact to affected customers was still being felt in November when it was discovered the Russian hacker group behind Magecart was selling the details in the dark web for around $10 a card.

“In the immediate aftermath, many banks and credit card companies issued replacements or warnings to their customers who may have been affected, netting the Russian group a possible $12m from the hack,” says Martin Jartelius, CSO at Outpost24.

“Aside from BA’s parent company’s shares taking a hit in the immediate aftermath, it’s likely that the company will be penalized under the GDPR legislation, with some experts stating the impact could be in the region £500m or 4% of its turnover, or – if IAG is held accountable – an even larger sum: reportedly around £800m.”

Ticketmaster

When the personal data of 40,000 Ticketmaster customers was stolen by hackers, it emerged that a third-party supplier was involved. The company, Inbenta Technologies, which operates a chatbot on the Ticketmaster site, customised its product by modifying a line of JavaScript code.

Without Inbenta’s knowledge, Ticketmaster used this code on its payments page, where it was discovered by hackers and modified to extract payment information. The scale isn’t as massive as some other breaches – but the impact was huge. Some customers reported their money had been stolen and others claimed their details had turned up for sale on the dark web. The culprit was apparently credit-card skimming criminals Magecart.

“Just one month after GDPR came into full effect, Ticketmaster announced 40,000 customers’ data was accessed due to a malicious hack on a third party solution,” says Guy Bunker, SVP of Products, Clearswift.

He points out that many security incidents occur as a result of the actions of customers, suppliers and partners. “It’s important to ensure that security measures are up to date across the entire network of companies. Ticketmaster was only as secure as its weakest link.”

Cyber security in 2019

After hitting Ticketmaster and BA, experts predict that Magecart will target more than credit card data in 2019. “In 2018, credit-card skimming criminals grouped under the Magecart label have been carrying out a full-scale assault on e-commerce. They show zero signs of stopping as we head into 2019, with the attacks only getting more traction as various groups learn how to become more effective,” says RiskIQ’s Klijnsma.

He predicts: “As web skimming can skim all sorts of information entered into a website, Magecart groups will surely expand to skimming more than just payment data, such as login credentials and other sensitive information.”

As nation state actors ramp up their campaigns, critical infrastructure will also likely be a target. These attacks are already on the rise, says Andrew Tsonchev, director of technology, Darktrace Industrial. “This year, the ports of San Diego and Barcelona were attacked with ransomware: compromising industrial devices can now allow criminals to ransom access to operational systems as well as data.”

Jake Moore, cyber security expert at ESET, predicts 2019 will see a new form of attack: GDPR bounty hunting. “GDPR bounties work effectively when the attacker extorts an organization by providing them with a copy of their data to prove that it has been breached.

“They then give the victim two options: pay the possibly eye watering ICO fine of up to €20m or 4% of their annual global turnover –  or pay the hackers’ chosen fee, which could be anything less than the maximum from the ICO. Hackers take advantage of the fact that some organizations will be tempted to choose the second option so they can avoid any reputational damage caused by a data breach.”

Be Aware, Be Alert Checklist

Posted on Updated on

The end of the year is a notoriously busy time for most organizations. Now that we are within the new year, take the time to focus on your security.  Please keep these reminders handy to help protect yourself against Cybercrime.

Most malicious attacks an organization will face, will be initiated via email, and can easily spread through an organization without the proper protection. Even a company with a dedicated IT department can still have these attacks slip through.

Be Aware:

  1. Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or family member.
  2. Phishing scammers make it seem like they need your information or someone else’s, quickly – or something bad will happen. They might say your account will be frozen, you’ll fail to get a tax refund, your boss will get mad, even that a family member will be hurt or you could be arrested. They lie with the intent of obtaining you or your organizations confidential and financial information.

Be Alert:

  1. Never let your guard down.
  2. Never assume anything you receive via email is legit. If you are not 100% certain call the sender to verify.
  3. Do not allow yourself or your organization to complete financial transactions solely via email. There have been widespread bank wire fraud attacks. Please be extremely careful.
    • The best practice here, is to come up with a strict set of actions that are required for financial transactions, and stick to them. A phone call or face to face hand off should be at least one of the steps.

Be Proactive:

  1. Even the most careful users, are susceptible to this kind of fraud. This is why at ITG we urge our clients to take the necessary proactive measures. ITG has new products and recommendations that will further protect you from these types of security scams. We strongly recommend sending all of your users our Be Aware and Be Alert checklist from above.
  2. ITG services and our customized plans include full security coverage:
  3. Prevention – reduce the number of phishing and spam emails that make it through to the users.
  4. Training – user awareness is a critical part of the defense.
  5. Compliance – many organizations are now subject to either Federal or State security compliance rules. We are here to help you navigate these and build a security platform that will ensure you can meet and maintain compliance.

If you have any questions or would like to request additional information feel free to contact us today.