PGA possibly infected with bitpayment

Posted on

Originally seen on BleepingComputer by: Lawrence Abrams on August 8, 2018 

If corporate America, government entities, and hospitals weren’t enough, now ransomware developers are attacking Golf!

According to a report from GolfWeek, computers at the PGA of America’s offices have been infected with ransomware. The victims learned they were infected on Tuesday when ransom notes started appearing on their screen.

“Your network has been penetrated,” the ransom note read according to Golfweek’s article. “All files on each host in the network have been encrypted with a strong algorythm [sic].”

Based on these strings and the misspelling of “algorithm”, PGA of America was most likely infected with the BitPaymer ransomware. This is the same type of ransomware that recently hit the Alaskan town of Matanuska-Susitna and forced them to use typewriters for a week.

BitPaymer becoming more active?

As already stated, based on the reported ransom note, PGA of America was most likely targeted by the BitPaymer Ransomware.  BitPaymer has been around for a while, but typically keeps a low profile.  There has been some moderate activity, though, with Bitpaymer over the last few weeks though as shown by the ID Ransomware chart below.

Like SamSam, BitPaymer tends to target organizations by hacking into Remote Desktop Services connected to the Internet.  Once inside a network, they traverse through it and encrypt every computer they can get access to.

Recent variants have been appending the .locked extension to encrypted files and dropping ransom notes of the same name as the encrypted files but with “.readme_txt” appended to it. For example, an encrypted file called test.jpg would also have a ransom note named test.jpg.readme_txt.

You can see an example ransom note for the BitPaymer Ransomware below. Notice the strings in the example below match those mentioned in the GolfWeek article.

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorythm.

Backups were either encrypted or deleted or backup disks were formatted.

We exclusively have decryption software for your situation.

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.


To get info(pay-to-decrypt your files) contact us at:

[first_contact_email]
or
[second_contact_email]

BTC wallet:
[bitcoin_address]

To confirm our honest intentions.
Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure we decrypts everything.
Files should have .LOCK extension of each included.
2 files we unlock for free.

BitPaymer is also known to charge very large ransom amounts to decrypt computers. For example, one BitPaymer infection in the past asked for 53 bitcoins to decrypt an entire network.

Unfortunately, BitPaymer is a secure ransomware, which means either PGA of America is going to have to restore from backup or pay a hefty ransom payment.

Update 8/9/18: Article updated to clarify that the PGA of America’s computers were infected and not PGA Tour.

Advertisements

Cryptocurrency stealing malware

Posted on

Originally seen on securitynews on August 24, 2018

Over a billion worth of cryptocurrencies have been reportedly stolen this year so far and we continue to see reports of crypto theft daily. Every time a huge cyberheist is reported cryptocurrency prices slump but they remain attractive to cybercriminals looking to capitalize on its growth potential.

This week, the SonicWall Capture Labs Threat Research Team has come across a crypto-stealing malware which monitors the victim’s clipboard to watch out for cryptocurrency wallet addresses. Once detected, they will change the clipboard data with their own address. Unless the user is vigilant and carefully examines the address after they paste it, the transaction that happens after, will go to the cybercriminal’s address instead of the intended recipient.

Infection Cycle:

This malware purports to be an important document and uses the following filenames:

  • DOC_[*random numbers*].pdf
  • SCN_[*random numbers*].pdf
  • PDF_[*random numbers*].pdf

For more savvy users, looking at the file properties reveal that it pretends to be a text to speech application with an internal name of texttowav.exe.

It copies itself as drpbx.exe in the %APPDATA% directory. It also adds the following registry key to ensure persistence:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run drpbx %APPDATA%\drpbx\drpbx.exe

This malware was developed with Microsoft .NET framework and its assembly description shows it pretending to be a legitimate firefox file but misspelled “Mozzilla.”

To mislead the victim even more, upon execution it throws off a fake error.

During analysis, we noticed that this sample is packed using ConfuserEX and the main module is named “Bitcoinstealer” which establishes the real purpose of this malware.

Within its resource section is a subsection named “VanityAddresses.” This listed 10,000 different digital currency wallet addresses.

This malware’s method of stealing cryptocurrency is to monitor the clipboard data and match the contents using regex to identify whether a cryptocurrency wallet address has been copied, it then swaps that data with one from the 10,000 hardcoded addresses.

 

 

Victims Lose Access to Thousands of Photos as Instagram Hack Spreads

Posted on Updated on

Originally seen: August 14th, on threatpost by Tara Seals

In a probable quest to build a botnet, someone is hacking Instagram accounts, deleting handles, avatars and personal details, and linking them to a new email address.

An Instagram hack is spreading across the internet, with increasing numbers of victims finding their accounts hijacked and personal details altered — and account recovery so far impossible.

Starting in the beginning of the month, people started experiencing random log-outs on their accounts; from there, their handles, avatars and personal details like their bios have been deleted. On top of that, the accounts are linked to a new email address, thus subverting the account recovery process.

Oddly, prior, legitimate posts haven’t been deleted, nor have new posts appeared on the hijacked accounts’ timelines. This has led at least one security researcher to speculate that the malefactor is on a quest to build a botnet.

“Although no one seems to know for sure, I assume the hacked accounts were intended to be used as spambots,” said Paul Bischoff, privacy advocate at Comparitech.com, via email. “Even if some victims regain control of their accounts, many of those affected have likely quit the platform or just won’t go through the trouble, adding soldiers to the spambot army.”

The threat actor remains unknown; while the newly linked email address is a .ru Russian domain, that could be a red herring meant to point attribution away from the true perpetrator.

“Having a hacked account associated with a Russian email address may well signify that the attacker is a resident of that country, but it is certainly not a foregone conclusion – email addresses are easily spoofed, either to conceal identity or to encourage finger pointing toward the wrong place,” said Lee Munson, security researcher at Comparitech.com, in an email.

The situation, first reported by Mashable, seems to be worsening, with hundreds of complaints flooding the photo-sharing site’s Twitter feed, and many comments filtering into Reddit.

Many complain that they are getting no response from Instagram when they ask for help in gaining control of their accounts.

“@instagram this is the 6th time I’ve reached out and no response… my account has been hacked and I need it recovered!!,” said one disgruntled user, @brycehendrixx.

Others complained of deeper issues: “@instagram someone hacked my account and changed my username and pword but is keeping all of my pictures up as if it is them,” tweeted Alyssa Rogalski. “You rejected my report and said they did not violate any of your guidelines, so youre saying it’s ok if someone hacking and impersonating me?”

For its part, Instagram – which is owned by Facebook – issued a boilerplate media statement: “We work hard to provide the Instagram community with a safe and secure experience. When we become aware of an account that has been compromised, we shut off access to the account and the people who’ve been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts.”

However, as mentioned, account recovery doesn’t seem to be on the table for most victims.

“My account has been hacked for 3 days now and no one has reached out,” tweeted one affected user, Liz Teal. “Email, phone number, username and profile picture changed- so you cannot go through the steps they have in place on their FAQ page. Unbelievable!”

Threatpost has reached out to Instagram directly and will update this post with any further details or responses.

“There’s not much to go on now, and Instagram has not stated how or why these attacks occurred,” said Bischoff. “While it is possible that hackers breached Instagram to take over these accounts, I think it is more likely that the victims’ login credentials were stolen by malware or compromised in a phishing attempt. The original report does not specify whether victims are Android or iOS users, which would have helped to pinpoint the cause.”

Perhaps most perplexing, one victim told Mashable that he had two-factor authentication (2FA) enabled – and was still hacked. There could be straightforward explanations for this, according to researchers.

“While it’s unclear how these hackers defeated Instagram’s 2FA, it likely has to do with the spate of SIM hacking that has seen several prominent websites being hacked,” said Bill Evans, vice president at One Identity, via email. “To thwart this scenario, websites need to build support for app-based 2FA…It’s far less susceptible to hacking than SMS-based hacking, which depends on a second factor code being sent via SMS to the user’s phone. As previously reported, it appears that Instagram is moving in this direction – which is great.”

Comparitech.com’s Munson added: “While 2FA is a very good secondary line of defense, it is not infallible. Typically, it can be circumvented via phishing – either tricking someone into revealing the 2FA identifier or, far more likely, my getting them to login to a fake version of the site they were intending to visit. To protect against such account hijacks on Instagram, people should definitely employ two-factor authentication, but they should also be careful to only access the site through the app (only downloaded from an official app store) or by typing the URL directly into their browser.”

Recent App Issues Reveal Facebook’s Struggles to Temper Data Privacy Woes

Posted on

Originally Seen: August 23rd on Threatpost by Lindsey O’Donnell

Facebook has been struggling to keep its data privacy woes at bay this week, between banning apps on its social media platform – and pulling its own app from Apple’s store.

Facebook was hit with a double privacy punch regarding data privacy on Wednesday. First, Facebook acknowledged in a public post that one of the apps on its platform, myPersonality, inappropriately shared 4 million users’ data with researchers. Also on Wednesday, The Wall Street Journal reported that Facebook pulled its data security service, Onavo Protect, from Apple’s official App Store after Apple said that the app violated its data collection policies.

Facebook responded: “We will continue to investigate apps and make the changes needed to our platform to ensure that we are doing all we can to protect people’s information.”

The news comes as privacy experts are pushing the social media giant to double-down on its efforts around social media data privacy – especially on the heels of its backlash around the Cambridge Analytica scandal in March.

The recent incidents also reveal a behind-the-curtains look at how the giant is still struggling to navigate data privacy.

Facebook VP of Product Partnerships Ime Archibong said on Wednesday that the company will ban an app called myPersonality and notify the roughly 4 million impacted users after discovering that the app had misused information collected from them.

“Today we banned myPersonality — an app that was mainly active prior to 2012 — from Facebook for failing to agree to our request to audit and because it’s clear that they shared information with researchers as well as companies with only limited protections in place,” Archibong said in a post.

MyPersonality is a Facebook app, created in 2007, enabling users to participate in psychological research by filling in a personality questionnaire, and then also offered users feedback on their scores. David Stillwell, the creator of the app, did not respond to a request for comment on the situation from Threatpost.

“As well as the data from the tests, around 40% of the respondents also opted in to share data from their Facebook profile, resulting in one of the largest social science research databases in history,” according to the app project’s website. “The application was active until 2012 and collected data from over 6 million volunteers during this time. This data was anonymised and samples of it were shared with registered academic collaborators around the world through the myPersonality project, resulting in over 45 scientific publications in peer-reviewed journals.”

Facebook did not specify what specific data was passed to researchers, and where the specific violations occurred. There is no current evidence that myPersonality had accessed the Facebook “friends” of those impacted – though that may change, Facebook said.

But apps passing data to outside third parties is a sore spot for Facebook. In March, the company’s firestorm around data privacy and misuse started with an app developer violating the company’s platform policies by collecting data via an app under the pretense of using it for psychological research – and instead passing users’ personal information to Cambridge Analytica and its parent company SCL.

myPersonality is only one of many apps that the company has looked at – Facebook said that since March, it has investigated thousands of apps, and suspended 400 of those due to concerns around data misuse and user data privacy.

Interestingly, last week one of those initially suspended apps, Crimson Hexagon, announcedthat it has been un-suspended from Facebook’s platform.

Facebook, in July, said it had suspended Crimson Hexagon due to concerns about the collection and sharing of data. The company launched an investigation into the Boston-based company’s collection of public user data was a violation of its policies concerning using data for government surveillance.

Fast forward to last week, Crimson Hexagon announced that it has been re-instated on Facebook and its customer base will now be able to once again access those data sources.

“Several of Facebook’s questions focused on a small number of our government customers, which represent less than 5 percent of our business,” said Dan Shore, senior vice president with Crimson Hexagon in a post. “Historically, we have vetted potential government customers similar to our other customers — with a goal of understanding their proposed use of our platform in order to make them successful. To our knowledge, no government customer has used the Crimson Hexagon platform for surveillance of any individual or group.”

In another turn of events around data privacy, Facebook’s data security app Onavo Protect was pulled from Apple’s app store after the phone company said it violated its data policies, according to The Wall Street Journal report.

Onavo Protect is a mobile VPN app that encrypts users’ personal information and monitors their data to help customers manage their mobile data usage and limit apps that use lots of data.

Onavo Protect, which was acquired by Facebook in 2013 and alerts customers when they visit a potentially malicious website, was collecting and analyzing users’ behavior to understand customer activity outside of Facebook’s app, the report alleged.

Facebook confirmed to Threatpost that they pulled the app from Apple’s App Store, however: “We’ve always been clear when people download Onavo about the information that is collected and how it is used,” a spokesperson told us. “As a developer on Apple’s platform we follow the rules they’ve put in place.”

According to the report, Onavo Protect violates Apple’s developer agreement preventing apps from utilizing data that is not relevant to the their purpose. The app also did not follow new rules that Apple unveiled earlier this summer to limit developer data harvesting. Onavo Protect’s website shows that the app is still available on Android.

Between the Onavo Protect incident and its investigation of apps on its own platform, it’s clear that Facebook is struggling to navigate the data privacy policy landscape in an environment filled with data, experts say.

“The [March] Facebook breach made it clear: social media platforms need to be completely transparent and ask for double opt-in,” Andrew Avanessian, chief operations officer at Avecto told Threatpost. “We need these platforms to have different incentives than they have in the past and dedicate their companies to protecting user data. There needs to be a fundamental overhaul for social platforms.Data privacy is everyone’s issue and I think it will make developers stop and think about how they are using other people’s data.”

Morten Brøgger, CEO of Wire, agreed: “Every company and customer has the right to know where their data is going and how it is being used,” he said. “Businesses need to be choose which applications they use wisely, and should only allow those which are fully open sourced and independently audited to be used in the business setting.”

Hanging Up on Mobile in the Name of Security

Posted on

Originally seen: Krebsonsecurity on 8/16/18

An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.

The claims come in a lawsuit filed this week in Los Angeles on behalf of Michael Terpin, who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

According to Terpin, this was the second time in six months someone had hacked his AT&T number. On June 11, 2017, Terpin’s phone went dead. He soon learned his AT&T password had been changed remotely after 11 attempts in AT&T stores had failed. At the time, AT&T suggested Terpin take advantage of the company’s “extra security” feature — a customer-specified six-digit PIN which is required before any account changes can be made.

Terpin claims an investigation by AT&T into the 2018 breach found that an employee at an AT&T store in Norwich, Conn. somehow executed the SIM swap on his account without having to enter his “extra security” PIN, and that AT&T knew or should have known that employees could bypass its customer security measures.

Terpin is suing AT&T for his $24 million worth of cryptocurrencies, plus $200 million in punitive damages. A copy of his complaint is here (PDF).

AT&T declined to comment on specific claims in the lawsuit, saying only in a statement that, “We dispute these allegations and look forward to presenting our case in court.”

AN ‘IDENTITY CRISIS’?

Mobile phone companies are a major weak point in authentication because so many companies have now built their entire procedure for authenticating customers on a process that involves sending a one-time code to the customer via SMS or automated phone call.

In some cases, thieves executing SIM swaps have already phished or otherwise stolen a target’s bank or email password. But many major social media platforms — such as Instagram — allow users to reset their passwords using nothing more than text-based (SMS) authentication, meaning thieves can hijack those accounts just by having control over the target’s mobile phone number.

Allison Nixon is director of security research at Flashpoint, a security company in New York City that has been closely tracking the murky underworld of communities that teach people how to hijack phone numbers assigned to customer accounts at all of the major mobile providers.

Nixon calls the current SIM-jacking craze “a major identity crisis” for cybersecurity on multiple levels.

Nixon calls the current SIM-jacking craze “a major identity crisis” for cybersecurity on multiple levels.

“Phone numbers were never originally intended as an identity document, they were designed as a way to contact people,” Nixon said. “But because of all these other companies are building in security measures, a phone number has become an identity document.”

In essence, mobile phone companies have become “critical infrastructure” for security precisely because so much is riding on who controls a given mobile number. At the same time, so little is needed to undo weak security controls put in place to prevent abuse.

“The infrastructure wasn’t designed to withstand the kind of attacks happening now,” Nixon said. “The protocols need to be changed, and there are probably laws affecting the telecom companies that need to be reviewed in light of how these companies have evolved.”

Unfortunately, with the major mobile providers so closely tied to your security, there is no way you can remove the most vulnerable chunks of this infrastructure — the mobile store employees who can be paid or otherwise bamboozled into helping these attacks succeed.

No way, that is, unless you completely disconnect your mobile phone number from any sort of SMS-based authentication you currently use, and replace it with Internet-based telephone services that do not offer “helpful” customer support — such as Google Voice.

Google Voice lets users choose a phone number that gets tied to their Google account, and any calls or messages to that number will be forwarded to your mobile number. But unlike phone numbers issued by the major mobile providers, Google Voice numbers can’t be stolen unless someone also hacks your Google password — in which case you likely have much bigger problems.

In this view of security, customer service becomes a customer disservice.

With Google Voice, there is no customer service person who can be conned over the phone into helping out. There is no retail-store employee who will sell access to your SIM information for a paltry $80 paydayIn this view of security, customer service becomes a customer disservice.

Mind you, this isn’t my advice. The above statement summarizes the arguments allegedly made by one of the most accomplished SIM swap thieves in the game today. On July 12, 2018, police in California arrested Joel Ortiz, a 20-year-old college student from Boston who’s accused of using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

Ortiz allegedly had help from a number of unnamed accomplices who collectively targeted high-profile and wealthy people in the cryptocurrency space. In one of three brazen attacks at a bitcoin conference this year, Ortiz allegedly used his SIM swapping skills to steal more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million the victim had crowdfunded.

Ortiz reportedly was a core member of OGUsers[dot]com, a forum that’s grown wildly popular among criminals engaging in SIM swaps to steal cryptocurrency and hijack high-value social media accounts. OG is short for “original gangster,” and it refers to a type of “street cred” for possession of social media account names that are relatively short (between one and six characters). On ogusers[dot]com, Ortiz allegedly picked the username “j”. Short usernames are considered more valuable because they confer on the account holder the appearance of an early adopter on most social networks.

Discussions on the Ogusers forum indicate Ortiz allegedly is the current occupant of perhaps the most OG username on Twitter — an account represented by the number zero “0”. The alias displayed on that twitter profile is “j0”. He also apparently controls the Instagram account by the same number, as well as the Instagram account “t”, which lists its alias as “Joel.”

Shown below is a cached snippet from an Ogusers forum posting by “j” (allegedly Ortiz), advising people to remove their mobile phone number from all important multi-factor authentication options, and to replace it with something like Google Voice.

WHAT CAN YOU DO?

All four major wireless carriers — AT&T, SprintT-Mobile and Verizon — let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

Mobile store employees who can be bought or tricked into conducting SIM swaps are known as “plugs” in the Ogusers community, and without them SIM swapping schemes become much more difficult.

Last week, KrebsOnSecurity broke the news that police in Florida had arrested a 25-year-old man who’s accused of being part of a group of at least nine individuals who routinely conducted fraudulent SIM swaps on high-value targets. Investigators in that case say they have surveillance logs that show the group discussed working directly with mobile store employees to complete the phone number heists.

In May I wrote about a 27-year-old Boston man who had his three-letter Instagram account name stolen after thieves hijacked his number at T-Mobile. Much like Mr. Terpin, the victim in that case had already taken T-Mobile’s advice and placed a PIN on his account that was supposed to prevent the transfer of his mobile number. T-Mobile ultimately acknowledged that the heist had been carried out by a rogue T-Mobile store employee.

So consider establishing a Google Voice account if you don’t already have one. In setting up a new number, Google requires you to provide a number capable of receiving text messages. Once your Google Voice number is linked to your mobile, the device at the mobile number you gave to Google should notify you instantly if anyone calls or messages the Google number (this assumes your phone has a Wi-Fi or mobile connection to the Internet).

After you’ve done that, take stock of every major account you can think of, replacing your mobile phone number with your Google Voice number in every case it is listed in your profile.

Here’s where it gets tricky. If you’re all-in for taking the anti-SIM-hacking advice allegedly offered by Mr. Ortiz, once you’ve changed all of your multi-factor authentication options from your mobile number to your Google Voice number, you then have to remove that mobile number you supplied to Google from your Google Voice account. After that, you can still manage calls/messages to and from your Google Voice number using the Google Voice mobile app.

And notice what else Ortiz advises in the screen shot above to secure one’s Gmail and other Google accounts: Using a physical security key (where possible) to replace passwords. This post from a few weeks back explains what security keys are, how they can help harden your security posture, and how to use them. If Google’s own internal security processes count for anything, the company recently told this author that none of its 85,000 employees had been successfully phished for their work credentials since January 2017, when Google began requiring all employees to use physical security keys in place of one-time passwords sent to a mobile device.

Standard disclaimer: If the only two-factor authentication offered by a company you use is based on sending a one-time code via SMS or automated phone call, this is still better than relying on simply a password alone. But one-time codes generated by a mobile phone app such as Authy or Google Authenticator are more secure than SMS-based options because they are not directly vulnerable to SIM-swapping attacks.

The web site twofactorauth.org breaks down online service providers by the types of secondary authentication offered (SMS, call, app-based one-time codes, security keys). Take a moment soon to review this important resource and harden your security posture wherever possible.

Mobile fraud is increasing, attack rates rising 24% year-over-year

Posted on

Originally seen: Helpnetsecurity, 9/13/18

ThreatMetrix released new cybercrime insights from the first half of 2018, revealing a sharp rise in fraud attack levels on mobile transactions. As consumer behavior increasingly embraces mobile for virtually all online goods and services, fraudsters are starting to close the gap on this channel.

mobile fraud increase

Mobile becomes the go-to digital channel

The rise of mobile is undisputedly the key change agent in digital commerce currently. According to ThreatMetrix data, in the last three years the proportion of mobile transactions versus desktop has almost tripled. Mobile transactions, which include account creations, logins and payments, reached 58% of all traffic by the middle of 2018.

Mobile fraud rates have tended to lag behind the channel’s overall growth, however in the first half of 2018 mobile attack rates rose 24%, when compared to the first half of 2017. In the United States mobile attack rates experienced a far higher growth rate of 44% for the same period.

Globally, one third of all fraud attacks are now targeting mobile transactions. This means that although digital companies do need to prepare for increasing attacks, mobile remains the more secure channel compared to desktop.

Mobile offers organizations unique opportunities for accurately assessing user identity, thanks to highly personalized device attributes, geo-location and behavioral analysis. It offers strong customer authentication options that require no user intervention, including cryptographically binding devices for persistent authentication (“Strong ID”).

“Mobile is quickly becoming the predominant way people access online goods and services, and as a result organizations need to anticipate that the barrage of mobile attacks will only increase,” said Alisdair Faulkner, Chief Identity Officer at LexisNexis Risk Solutions. “The good news is that as mobile usage continues to increase, so too does overall customer recognition rates, as mobile apps offer a wealth of techniques to authenticate returning customers with a very high degree of accuracy. The key point of vulnerability, however, is at the app registration and account creation stage. To verify users at this crucial point, organizations need to tap into global intelligence that assesses true digital identity, compiled from the multiple channels that their customers transact on.”

Financial services under fire

Financial institutions were besieged with 81 million cybercrime attacks in the first half of 2018 on the ThreatMetrix global network. Of these, 27 million were targeting the mobile channel as fraudsters turn their attention to the success story that is mobile banking adoption.

Financial services mobile transactions are growing globally, with China, South East Asia and India showing the strongest regional growth. This indicates that the mobile channel is a key enabler for financial inclusion in emerging economies.

Overall, the biggest threat in financial services comes from device spoofing, as fraudsters attempt to trick banks into thinking multiple fraudulent log in attempts are coming from new customer devices, perhaps by repeatedly wiping cookies or using virtual machines.

Mule networks also continue to negatively impact the global banking ecosystem, particularly as financial crime becomes an ever-more sophisticated and hyper-connected beast. The challenge for financial institutions is detecting mule activity even when individual account behavior may not trigger red flags.

mobile fraud increase

Bot attacks illustrate the spread of stolen data to emerging economies

Throughout the first half of 2018 there was an unprecedented spike in the volume of bot attacks targeting digital transactions worldwide. The ThreatMetrix Digital Identity Network registered a 60% spike in bot attacks in the second quarter of the year, increasing from 1 billion bot attacks in Q1 to 1.6 billion in Q2. The sheer volume of this automated bot traffic impacts businesses worldwide because, without the correct measures in place, this slows order processing times and the ability to effectively identify good returning customers in real time. At peak times, individual organizations report these attacks account for more than half of all transactions.

Large retailers are the primary targets as fraudsters attempt to infiltrate good user accounts and access sensitive personal data and saved credit card information. A total of 170 million bot attacks came from mobile devices in 1H 2018.

This bot traffic in the first six months of the year predominantly originated from locations such as Vietnam and South Korea, illustrating the global trend of stolen identity data disseminating to growth regions and emerging economies.

Social networks are growing as gateway for cybercrime

Social networks and dating websites have the highest mobile footprint of all industries, reaching 85% of total transactions and 88% of account creations by the middle of 2018. This reflects usage patterns that virtually eschew desktop interactions and prioritize mobile app interactions. Given these sites’ often modest security requirements, attack rates are high as hackers use these platforms to test stolen identity credentials, as well as to steal sensitive personal data via account takeovers.

“Social networks are at risk of becoming a gateway to further organized crime”, says Rebekah Moody, Director of Fraud and Identity at ThreatMetrix. “Identity data is arguably as valuable a currency online as hard cash. Fraudsters funnel towards the easiest target to help test, augment and validate stolen identity data to make future attacks more successful: in many cases this is social networks. These organizations must start to deploy the same kind of defenses a user would expect elsewhere online, without introducing unnecessary friction.”

Identity spoofing is widespread, with the ThreatMetrix Q2 2018 Cybercrime Report revealing this as the top attack vector (13.3%) for this sector. IP spoofing is also prevalent, with fraudsters—predominantly from Vietnam, Ghana, Nigeria, U.S. and Philippines—using proxy servers to make it appear as though they are actually based in locations close to their intended victims.

Healthcare Lags Other Industries in Phishing Attack Resiliency Rate

Posted on

Originally Seen: September 18, 2018 on Thinkstock by Fred Donovan

Healthcare lags behind other major industries in its phishing attack resiliency rate, which measures the ratio between people who report a phish versus those who fall victim to one.

 Healthcare trails other major industries in its phishing attack resiliency rate, which measures the ratio between people who report a phish versus those who fall victim to one, according to a report released Sept. 17 by Cofense.

The healthcare resiliency rates for the last 12 months was 1.49, compared with an average resiliency score of 1.79 for all industries examined by Cofense (formerly PhishMe).

By comparison, the energy sector had a resiliency rate of 4.01, the insurance industry had a rate of 3.03, and the financial services had a rate of 2.52. The data is based on phishing simulations that Cofense uses to test employees at customer organizations.

“One factor that surely inhibits the industry’s resiliency: high turnover. With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report commented.

The top five phishing scenarios that healthcare workers most frequently clicked on were Requested Invoice, Manager Evaluation, Package Delivery, Halloween eCard Alert, and Beneficiary Change.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report noted.

Unfortunately, phishing has become the preferred method for hackers to get access to healthcare organizations to steal valuable medical data.

The 2018 Verizon Data Breach Investigations Report (DBIR) found that phishing and financial pretexting represented 93 percent of all breaches investigated by Verizon, with email being the main entry point (96%).

Phishing is also a way attackers deploy ransomware, which has devastated the healthcare industry over the last couple of years. The Verizon report found that ransomware accounts for 85 percent of the malware in healthcare.

In a phishing campaign, an attacker poses as a legitimate person or entity in an email to get the target to provide valuable information, such as credentials, or click on a link that results in ransomware being downloaded on the victim’s machine.

It only takes one person to fall for the bait for an entire organization to be infiltrated.

According to an American Medical Association and Accenture survey of 1,300 US physicians, 83 percent of respondents had experienced a cyberattack and more than half of those said the attack came in the form of a phishing email.

Nearly two-thirds of all the physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one-third of physicians in medium-sized practices that suffered a cyberattack said they experienced nearly a full day of downtime.

More than half of the physicians were very or extremely concerned about future cyberattacks in their practice. In addition, physicians were most concerned that future attacks could interrupt their clinical practices (74%), compromise the security of patient records (74%), or impact patient safety (53%).

Data from Wombat Security’s learning management system revealed that healthcare industry is one of the worst when it comes to data security knowledge, answering 23 percent of IT security best practice questions wrong on average.

The Wombat learning management system includes questions about avoiding ransomware attacks and identifying phishing threats, two topics dear to the heart of healthcare CISOs.

Alan Levine, a cybersecurity advisor to Wombat Security, told HealthITSecurity.com: “If an email purports to come from a person who seems to be an authority, then it is very likely that people who receive the email will not look for the specific things that may indicate that there is a potential risk with the email and will instead be more interested in promptly reacting to it.”

The primary purpose of a phishing attack is to gain a foothold inside the organization by infecting a computer or other endpoint.

“Then an attacker will use that individual platform that he now controls to do a variety of things,” Levine said. “He wants to move from PC to PC, within a subnet, and laterally across subnets in order to compromise or control as many other devices as possible. Now he has a base of operations.”

“By collecting information from an individual compromised asset,” he continued, “an attacker learns a great deal about the institution itself in which that compromised machine now operates. Maybe he gets a copy of the GAL, which is the global address list. Now he’s got a lot more email addresses he can send phishes to.”

To combat phishing, organizations need to train employees on how to spot and avoid phishing emails. They also need to adopt security best practices and deploy appropriate technology to lessen the chances that a phishing attack will succeed.

Health care cyber experts tout progress in vulnerability disclosure at BSides Vegas

Posted on

Written by  on 

 

The delicate process for disclosing software and hardware bugs in medical devices has made important strides in recent years, according to experts, as big manufacturers have set up disclosure programs and the threat of lawsuits against security researchers has receded. Health care cybersecurity hands are now looking to capitalize on what they say is growing trust between manufacturers and researchers to strengthen vulnerability disclosure in the industry.

“There’s still a lot of work to be done to make it better, but man, has it come a far way,” Jay Radcliffe, a cybersecurity researcher at medical device manufacturer Boston Scientific, said at the BSides Las Vegas conference Tuesday.  “And as a researcher, that makes me a lot more comfortable doing my disclosures and doing my research.”

Radcliffe, who is diabetic, told the story of a presentation he gave at Black Hat in 2011 on hacking insulin pumps.

“At that time, the state of disclosure was pretty chaotic,” he said. “I didn’t feel comfortable enough going to the manufacturer to disclose that before my talk” out of fear of getting sued.

The Digital Millennium Copyright Act, for example, could have been used to prosecute researchers for accessing copyrighted data on a device. But a three-year exemption to that DMCA provision for “good faith” research, instituted in October 2015, has helped lift the specter of lawsuits. And last year, Radcliffe said he worked hand-in-hand with a different manufacturer when he found the same type of vulnerability in an insulin pump.

“They said, ‘Great. We have a vulnerability intake program and we want to work with you and make sure that we address these issues correctly and safely,’” he recalled. That greater collaboration between researchers and manufacturers in health care mirrors the progress in vulnerability disclosure made in other sectors, such as the automotive industry.

Health care delivery organizations are demanding more secure devices, according to Radcliffe. “They actually are doing their homework and they’re asking lots of questions of us – of how we are testing these devices, how are we guaranteeing that these devices that they’re buying are going to be secure not only now, but secure going forward for the next five, 10, 15 years,” he said.

In recent years, industry heavyweights like Johnson & Johnson have set up vulnerability disclosure programs, while the Food and Drug Administration has advised manufacturers to “systematically” address cybersecurity risk, including through a coordinated disclosure process. Nonetheless, industry insiders say more work is needed to make these practices widespread.

Suzanne Schwartz, a top cybersecurity official at the FDA, said she would like to see wider adoption of vulnerability disclosure programs among medical device manufacturers beyond the “two handfuls” of companies that are leading the way. Within the next year, she said, industry groups will be identifying the concerns and challenges that may be keeping many manufacturers from setting up programs. The goal, she said at the BSides panel, is to ramp up the number of companies that have programs from roughly 15 today to, say, 100.

The maturing of vulnerability disclosure programs comes as the health care industry has grappled with the persistent threat of ransomware, with hackers looking to exploit health care facilities’ reliance on sensitive data. In January, for example, the SamSam ransomware struck an Indiana hospital’s computer network, and hospital officials paid hackers roughly $50,000 to unlock the data.

To prepare for attacks like that, Radcliffe said hospitals need to have a clearer understanding of their IT assets and how to make them more secure. “It makes me very nervous to see the amount of devices that go unpatched,” he said.

For her part, Schwartz said the FDA has been working with cybersecurity company MITRE and the states of Massachusetts and New York to produce “playbooks” in helping hospitals prepare for and respond to such cyberattacks.

Credit Freezes are Fee-Free

Posted on

Originally seen on KrebonSecurity, 9/10/18

Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind.

A credit freeze — also known as a “security freeze” — restricts access to your credit file, making it far more difficult for identity thieves to open new accounts in your name.

Currently, many states allow the big three bureaus — EquifaxExperian and TransUnion — to charge a fee for placing or lifting a security freeze. But thanks to a federal law enacted earlier this year, after Sept. 21, 2018 it will be free to freeze and unfreeze your credit file and those of your children or dependents throughout the United States.

KrebsOnSecurity has for many years urged readers to freeze their files with the big three bureaus, as well as with a distant fourth — Innovis — and the NCTUE, an Equifax-operated credit checking clearinghouse relied upon by most of the major mobile phone providers.

There are dozens of private companies that specialize in providing consumer credit reports and scores to specific industries, including real estate brokers, landlords, insurers, debt buyers, employers, banks, casinos and retail stores. A handy PDF produced earlier this year by the Consumer Financial Protection Bureau (CFPB) lists all of the known entities that maintain, sell or share credit data on U.S. citizens.

The CFPB’s document includes links to Web sites for 46 different consumer credit reporting entities, along with information about your legal rights to obtain data in your reports and dispute suspected inaccuracies with the companies as needed. My guess is the vast majority of Americans have never heard of most of these companies.

Via numerous front-end Web sites, each of these mini credit bureaus serve thousands or tens of thousands of people who work in the above mentioned industries and who have the ability to pull credit and other personal data on Americans. In many cases, online access to look up data through these companies is secured by nothing more than a username and password that can be stolen or phished by cybercrooks and abused to pull privileged information on consumers.

In other cases, it’s trivial for anyone to sign up for these services. For example, how do companies that provide background screening and credit report data to landlords decide who can sign up as a landlord? Answer: Anyone can be a landlord (or pretend to be one).

SCORE ONE FOR FREEZES

The truly scary part? Access to some of these credit lookup services is supposed to be secured behind a login page, but often isn’t. Consider the service pictured below, which for $44 will let anyone look up the credit score of any American who hasn’t already frozen their credit files with the big three. Worse yet, you don’t even need to have accurate information on a target — such as their Social Security number or current address.

KrebsOnSecurity was made aware of this particular portal by Alex Holden, CEO of Milwaukee, Wisc.-based cybersecurity firm Hold Security LLC [full disclosure: This author is listed as an adviser to Hold Security, however this is and always has been a volunteer role for which I have not been compensated].

Holden’s wife Lisa is a mortgage broker, and as such she has access to a more full-featured version of the above-pictured consumer data lookup service (among others) for the purposes of helping clients determine a range of mortgage rates available. Mrs. Holden said the version of this service that she has access to will return accurate, current and complete credit file information on consumers even if one enters a made-up SSN and old address on an individual who hasn’t yet frozen their credit files with the big three.

“I’ve noticed in the past when I do a hard pull on someone’s credit report and the buyer gave me the wrong SSN or transposed some digits, not only will these services give me their credit report and full account history, it also tells you what their correct SSN is,” Mrs. Holden said.

With Mr. Holden’s permission, I gave the site pictured above an old street address for him plus a made-up SSN, and provided my credit card number to pay for the report. The document generated by that request said TransUnion and Experian were unable to look up his credit score with the information provided. However, Equifax not only provided his current credit score, it helpfully corrected the false data I entered for Holden, providing the last four digits of his real SSN and current address.

“We assume our credit report is keyed off of our SSN or something unique about ourselves,” Mrs. Holden said. “But it’s really keyed off your White Pages information, meaning anyone can get your credit report if they are in the know.”

I was pleased to find that I was unable to pull my own credit score through this exposed online service, although the site still charged me $44. The report produced simply said the consumer in question had requested that access to this information be restricted. But the real reason was simply that I’ve had my credit file frozen for years now.

Many media outlets are publishing stories this week about the one-year anniversary of the breach at Equifax that exposed the personal and financial data on more than 147 million people. But it’s important for everyone to remember that as bad as the Equifax breach was (and it was a total dumpster fire all around), most of the consumer data exposed in the breach has been for sale in the cybercrime underground for many years on a majority of Americans — including access to consumer credit reports. If anything, the Equifax breach may have simply helped ID thieves refresh some of those criminal data stores.

THE FEE-FREE FREEZE

According to the U.S. Federal Trade Commission, when the new law takes effect on September 21, EquifaxExperian and TransUnion must each set up a webpage for requesting fraud alerts and credit freezes.

The law also provides additional ID theft protections to minors. Currently, some state laws allow you to freeze a child’s credit file, while others do not. Starting Sept. 21, no matter where you live you’ll be able to get a free credit freeze for kids under 16 years old.

Identity thieves can and often do target minors, but this type of fraud usually isn’t discovered until the affected individual tries to apply for credit for the first time, at which point it can be a long and expensive road to undo the mess. As such, I would highly recommend that readers who have children or dependents take full advantage of this offering once it’s available for free nationwide.

In addition, the law requires the big three bureaus to offer free electronic credit monitoring services to all active duty military personnel. It also changes the rules for “fraud alerts,” which currently are free but only last for 90 days. With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert.

Under the new law, fraud alerts last for one year, but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval if you have a fraud alert on your file, they’re not legally required to do this.

A key unanswered question about these changes is whether the new dedicated credit bureau freeze sites will work any more reliably than the current freeze sites operated by the big three bureaus. The Web and social media are littered with consumer complaints — particularly over the past year — about the various freeze sites freezing up and returning endless error messages, or simply discouraging consumers from filing a freeze thanks to insecure Web site components.

It will be interesting to see whether these new freeze sites will try to steer consumers away from freezes and toward other in-house offerings, such as paid credit reports, credit monitoring, or “credit lock” services. All three big bureaus tout their credit lock services as an easier and faster alternative to freezes.

According to a recent post by CreditKarma.com, consumers can use these services to quickly lock or unlock access to credit inquiries, although some bureaus can take up to 48 hours. In contrast, they can take up to five business days to act on a freeze request, although in my experience the automated freeze process via the bureaus’ freeze sites has been more or less instantaneous (assuming the request actually goes through).

TransUnion and Equifax both offer free credit lock services, while Experian’s is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What’s more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its “premium” lock services for a monthly fee with a perpetual auto-renewal.

Unsurprisingly, the bureaus’ use of the term credit lock has confused many consumers; this was almost certainly by design. But here’s one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.

If you’d like to go ahead with freezing your credit files now, this Q&A post from the Equifax breach explains the basics, and includes some other useful tips for staying ahead of identity thieves. Otherwise, check back here later this month for more details on the new free freeze sites.

HOW HACKED WATER HEATERS COULD TRIGGER MASS BLACKOUTS

Posted on

Originally Seen on Wired by: Andy Greenberg on 8/13/18

WHEN THE CYBERSECURITY industry warns about the nightmare of hackers causing blackouts, the scenario they describe typically entails an elite team of hackers breaking into the inner sanctum of a power utility to start flipping switches. But one group of researchers has imagined how an entire power grid could be taken down by hacking a less centralized and protected class of targets: home air conditioners and water heaters. Lots of them.

At the Usenix Security conference this week, a group of Princeton University security researchers will present a study that considers a little-examined question in power grid cybersecurity: What if hackers attacked not the supply side of the power grid, but the demand side? In a series of simulations, the researchers imagined what might happen if hackers controlled a botnet composed of thousands of silently hacked consumer internet of things devices, particularly power-hungry ones like air conditioners, water heaters, and space heaters. Then they ran a series of software simulations to see how many of those devices an attacker would need to simultaneously hijack to disrupt the stability of the power grid.

Their answers point to a disturbing, if not quite yet practical scenario: In a power network large enough to serve an area of 38 million people—a population roughly equal to Canada or California—the researchers estimate that just a one percent bump in demand might be enough to take down the majority of the grid. That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners.

“Power grids are stable as long as supply is equal to demand,” says Saleh Soltan, a researcher in Princeton’s Department of Electrical Engineering, who led the study. “If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want.”

Just a one percent bump in demand might be enough to take down the majority of the grid.

The result of that botnet-induced imbalance, Soltan says, could be cascading blackouts. When demand in one part of the grid rapidly increases, it can overload the current on certain power lines, damaging them or more likely triggering devices called protective relays, which turn off the power when they sense dangerous conditions. Switching off those lines puts more load on the remaining ones, potentially leading to a chain reaction.

“Fewer lines need to carry the same flows and they get overloaded, so then the next one will be disconnected and the next one,” says Soltan. “In the worst case, most or all of them are disconnected, and you have a blackout in most of your grid.”

Power utility engineers, of course, expertly forecast fluctuations in electric demand on a daily basis. They plan for everything from heat waves that predictably cause spikes in air conditioner usage to the moment at the end of British soap opera episodes when hundreds of thousands of viewers all switch on their tea kettles. But the Princeton researchers’ study suggests that hackers could make those demand spikes not only unpredictable, but maliciously timed.

The researchers don’t actually point to any vulnerabilities in specific household devices, or suggest how exactly they might be hacked. Instead, they start from the premise that a large number of those devices could somehow be compromised and silently controlled by a hacker. That’s arguably a realistic assumption, given the myriad vulnerabilities other security researchers and hackers have found in the internet of things. One talk at the Kaspersky Analyst Summit in 2016 described security flaws in air conditioners that could be used to pull off the sort of grid disturbance that the Princeton researchers describe. And real-world malicious hackers have compromised everything from refrigerators to fish tanks.

Given that assumption, the researchers ran simulations in power grid software MATPOWER and Power World to determine what sort of botnet would could disrupt what size grid. They ran most of their simulations on models of the Polish power grid from 2004 and 2008, a rare country-sized electrical system whose architecture is described in publicly available records. They found they could cause a cascading blackout of 86 percent of the power lines in the 2008 Poland grid model with just a one percent increase in demand. That would require the equivalent of 210,000 hacked air conditioners, or 42,000 electric water heaters.

The notion of an internet of things botnet large enough to pull off one of those attacks isn’t entirely farfetched. The Princeton researchers point to the Mirai botnet of 600,000 hacked IoT devices, including security cameras and home routers. That zombie horde hit DNS provider Dyn with an unprecedented denial of service attack in late 2016, taking down a broad collection of websites.

Building a botnet of the same size out of more power-hungry IoT devices is probably impossible today, says Ben Miller, a former cybersecurity engineer at electric utility Constellation Energy and now the director of the threat operations center at industrial security firm Dragos. There simply aren’t enough high-power smart devices in homes, he says, especially since the entire botnet would have to be within the geographic area of the target electrical grid, not distributed across the world like the Mirai botnet.

‘If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want.’

SALEH SOLTAN, PRINCETON UNIVERSITY

But as internet-connected air conditioners, heaters, and the smart thermostats that control them increasingly show up in homes for convenience and efficiency, a demand-based attack like the one the Princeton researchers describes could become more practical than one that targets grid operators. “It’s as simple as running a botnet. When a botnet is successful, it can scale by itself. That makes the attack easier,” Miller says. “It’s really hard to attack all the generation sites on a grid all at once. But with a botnet you could attack all these end user devices at once and have some sort of impact.”

The Princeton researchers modeled more devious techniques their imaginary IoT botnet might use to mess with power grids, too. They found it was possible to increase demand in one area while decreasing it in another, so that the total load on a system’s generators remains constant while the attack overloads certain lines. That could make it even harder for utility operators to figure out the source of the disruption.

If a botnet did succeed in taking down a grid, the researchers’ models showed it would be even easier to keep it down as operators attempted to bring it back online, triggering smaller scale versions of their attack in the sections or “islands” of the grid that recover first. And smaller scale attacks could force utility operators to pay for expensive backup power supplies, even if they fall short of causing actual blackouts. And the researchers point out that since the source of the demand spikes would be largely hidden from utilities, attackers could simply try them again and again, experimenting until they had the desired effect.

The owners of the actual air conditioners and water heaters might notice that their equipment was suddenly behaving strangely. But that still wouldn’t immediately be apparent to the target energy utility. “Where do the consumers report it?” asks Princeton’s Soltan. “They don’t report it to Con Edison, they report it to the manufacturer of the smart device. But the real impact is on the power system that doesn’t have any of this data.”

That disconnect represents the root of the security vulnerability that utility operators need to fix, Soltan argues. Just as utilities carefully model heat waves and British tea times and keep a stock of energy in reserve to cover those demands, they now need to account for the number of potentially hackable high-powered devices on their grids, too. As high-power smart-home gadgets multiply, the consequences of IoT insecurity could someday be more than just a haywire thermostat, but entire portions of a country going dark.