The Scarlet Widow Gang Entraps Victims Using Romance Scams


Originally seen on: Bleepingcomputer by Lawrence Abrams, February 13th, 2019

We often hear about sextortion, business email compromise (BEC), and inheritance scams, but the often overlooked “Romance Scams” could be the most insidious of them all. Not only do victims lose money, but the emotional entanglement ultimately leads to heartbreak.

Romance scams are months-long, if not year-long, campaigns in which bad actors catfish, or pretend to be in love with, an unsuspecting victim in order to steal money from them. They do this by creating fake romantic relationships that the victims become invested in, to the point of being willing to help with fake financial troubles.

In a report shared with BleepingComputer, the Agari Cyber Intelligence Division (ACID) outlines how a criminal gang out of Nigeria called “Scarlet Widow” targets those who are more likely to be lonely such as farmers, elderly, the disabled, and divorced.

This catfishing is done through the creation of fake personas that use stolen pictures of attractive people, fake names, personalities, and back stories in which they were victimized in the past but still believe that love is possible. They then create accounts on social media and dating sites, including ones that may attract those looking for love or who are lonely, such as Farmers Dating Site, and

For example, one of the fake personas discovered by Agari is a person named “U.S. Army Captain Michael” who is serving a tour of duty overseas, but is looking for love after he lost his wife.

“According to one of his fake dating site profiles, Captain Micheal is a 43-year-old Catholic man from Austin, Texas, who is currently serving a tour of duty overseas in Kabul, Afghanistan. His profile indicates that, like most of the other personas created by Scarlet Widow, he has lost a loved one in his past. In this case, Captain Micheal lost his wife, as his status describes him as “Widowed.” Since the death of his wife, he has been “searching for so long” for the perfect woman and hopes the woman has a trusting mind to fall in love.”

The fake persona for Captain Michael was posted to dating sites such as and during a 6-month period in 2017.

Captain Michael Persona

Agari states that each of the personas created by Scarlet Widow has a different personality and way of communicating that reflects its backstory and whom it is targeting. For example, the researchers state that Captain Michael’s messages are usually short and to the point, while the gang’s female personas have a “softer, inquisitive, and more verbose tone”.

Example of email from Captain Michael

It’s all about the money

Ultimately, though, these scams are not about finding true romance, but about stealing as much money from the victims as they can.

Once a “relationship” is established, the scammers tell their victims that they are having financial difficulty and need financial assistance. This assistance is usually in the form of money for plane tickets, travel assistance, or accommodations.

If the victim is shown to be willing to send money, then the scammers continue with their relationship while continuing to siphon money over a long period of time.

Such is the case with a Texan man who was going through a painful divorce and met one of the gang’s fictitious characters, named “Laura Cahill”. Over a period of one year, the Scarlet Widow persona was able to scam the individual out of $50,000.

This person was so firmly hooked that when the scammers didn’t reply to him for over a week, he sent a distraught email to “her” pleading for a reply.

Distraught email from victim

It ultimately got so bad that this individual stole $10,000 from his father to send to the scammers. This “relationship” ended only when the scammers stopped replying, but it shows how deeply entrenched victims can become in these fake “relationships”.

While this sounds like something that few would fall for, according to Agari it is not that unusual.

“We are tracking a number of Nigerian scammer groups that continue to engage in romance scams and seek out new victims. In 2018, Agari documented a long-running, $500,000 swindle of a divorced American woman with children who refinanced her home to send money to the con artist. Eventually the creditors closed in, and she was forced to sell her house, pull her children out of school, and move the family in with a friend. She continued to believe he was real until Agari presented her with irrefutable evidence of the truth, enabling her to finally break free in 2018.”

Unfortunately, protecting yourself from scams like this can be difficult, especially if you are the type of person they are targeting. Lonely people crave love and companionship and may miss the warning signs.

E-ticketing system exposes airline passengers’ personal information via email


Originally seen on CYBERSCOOP by Jeff Stone: February 6, 2019

At least eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera.

The systems fail to secure customers’ personally identifiable information, including names, boarding passes, passport numbers and flight numbers, Wandera said.

The email vulnerabilities still exist, Wandera found, even though researchers notified affected companies weeks ago, and despite growing corporate awareness about the risks associated with sacrificing security for convenience.

The weakness is a check-in link that is emailed to customers, Wandera researchers found. Customer information is embedded in the links, allowing travelers to go straight from their email to a website where they check in for a flight without needing to enter their username and password. However, the links are unencrypted and re-usable, presenting a tempting target for hackers, according to Michael Covington, vice president of product at Wandera.

“The airlines, in an effort to make it easy for their passengers to check in, have taken shortcuts that have led to the potential exposure of personal information,” he said.

Affected airlines include Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa, Wandera found. Wandera has reported the vulnerability to each company and received responses, though none appear to have fixed the vulnerability, Covington said.

The airlines appear to be using unique servers for automated marketing that fail to protect user information.

“It’s not just the personal information they could get into, but the e-ticketing systems are basically allowing people in without authentication, which would allow you to change details about people like seat assignments and bags checked,” Covington said. “In some cases you can change existing bookings.”
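The design flaw described above, as an added example that is not Wandera's or any airline's code: a plain-HTTP check-in link carrying passenger details in its query string, beside a hardened version that mails only an opaque, HMAC-signed, short-lived, single-use token while the booking record stays server-side. Host names, bookings and the signing key are constructed for the example.

```python
"""Airline check-in links: the weak pattern beside a hardened one (constructed example)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side signing key (constructed; a real deployment loads it from a secret store).
SECRET_KEY = secrets.token_bytes(32)

# Query-string field names that should never appear in a link sent by e-mail.
PII_FIELDS = {"surname", "lastname", "passport", "passportnumber", "pnr", "booking", "dob"}


def weak_checkin_link(pnr: str, surname: str, flight: str) -> str:
    """Reproduce the weak design: identifying details in the clear, no expiry, no signature."""
    query = urlencode({"pnr": pnr, "surname": surname, "flight": flight})
    return "http://checkin.example-air.test/checkin?" + query


def link_exposes_pii(link: str) -> list:
    """Defender-side check: list the reasons a check-in link is unsafe to e-mail."""
    parsed = urlparse(link)
    problems = []
    if parsed.scheme != "https":
        problems.append("not https")
    for field in parse_qs(parsed.query):
        if field.lower() in PII_FIELDS:
            problems.append(f"pii in query: {field}")
    return problems


# In-memory stand-ins for the booking database and the redeemed-token table.
_bookings = {}
_redeemed = set()


def _sign(token_id: str, expires_at) -> str:
    msg = f"{token_id}.{expires_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_checkin_link(pnr: str, surname: str, flight: str,
                       ttl_seconds: int = 900, now: int = None) -> str:
    """Hardened design: the link carries only an opaque id, an expiry and a signature."""
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    token_id = secrets.token_urlsafe(16)          # URL-safe alphabet, never contains '.'
    _bookings[token_id] = {"pnr": pnr, "surname": surname, "flight": flight}
    token = f"{token_id}.{expires_at}.{_sign(token_id, expires_at)}"
    return "https://checkin.example-air.test/checkin?" + urlencode({"t": token})


def redeem_checkin_link(link: str, now: int = None):
    """Return the booking if the token is authentic, unexpired and unused; otherwise None."""
    now = int(time.time()) if now is None else now
    token = parse_qs(urlparse(link).query).get("t", [""])[0]
    parts = token.split(".")
    if len(parts) != 3:
        return None
    token_id, expires_at, sig = parts
    # Verify the signature first (constant-time compare) so nothing unsigned is trusted.
    if not hmac.compare_digest(sig, _sign(token_id, expires_at)):
        return None
    if now > int(expires_at):
        return None                                # expired: a captured link is useless later
    if token_id in _redeemed:
        return None                                # single use: a replayed link is rejected
    booking = _bookings.get(token_id)
    if booking is None:
        return None
    _redeemed.add(token_id)
    return booking


if __name__ == "__main__":
    weak = weak_checkin_link("ABC123", "Doe", "XY100")
    print("weak link problems:", link_exposes_pii(weak))
    good = issue_checkin_link("ABC123", "Doe", "XY100", now=1_000_000)
    print("hardened link problems:", link_exposes_pii(good))
    print("first redeem:", redeem_checkin_link(good, now=1_000_100))
    print("replay:", redeem_checkin_link(good, now=1_000_200))
```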

There is no evidence outsiders have exploited the vulnerabilities.

Southwest Airlines is perhaps the best known low-cost airline operating in the U.S., with a 5 percent capacity growth planned for 2019, according to industry analysts at the Center for Aviation. Air France and KLM, which merged under a single holding company in 2004, jointly form one of the world’s largest airlines. Other companies named in the report — Vueling, Transavia and Air — are based in Europe. Thomas Cook is a British charter airline and Jetstar is a low-cost airline in Australia.

CyberScoop sought comment from each of the airlines named in this report. Several acknowledged receiving a request for comment. All except three failed to provide a statement or answer questions by press time.

In a statement, a Thomas Cook spokeswoman said, “We take the security of our customers’ data very seriously and have investigated this matter as a priority. We have looked into the questions raised and have taken immediate action to further increase the security of our customer data.” A Southwest spokesman said, “While we don’t have a comment on this specific issue, the safety and protection of our customers and their data privacy is our highest priority.”

A spokesperson for JetStar said the company takes data security and privacy “extremely seriously” and that the airline has “multiple layers of security in place.”

Air travelers anxious for a web connection in an airport, hotel or elsewhere on their journey are especially at risk because they could be more likely to connect to public WiFi, ignoring security precautions, Covington said.

“If you’re on a Wi-Fi network or a physical network that uses encryption, this would not be a problem,” he said.

“I can’t speak for the airlines individually,” he said. “We’re not a vulnerability testing company, and it’s not our business to go out and find this. But I can tell you the airlines we’ve engaged with have been keen to listen and are open to hearing more.”

Clever Phishing Attack Enlists Google Translate to Spoof Login Page


Originally seen on ThreatPost by Lindsay O’Donnell: February 26th, 2019

A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google’s translate feature.

Recently discovered phishing emails scoop up victims’ Facebook and Google credentials and hide their malicious landing page via a novel method – Google Translate.

The phishing campaign uses a two-stage attack to target both Google and Facebook usernames and passwords, according to researchers at Akamai who posted a Tuesday analysis. But in a tricky twist, the scam also evades detection by burying its landing page in a Google Translate page – meaning that victims see a legitimate Google domain and are more likely to input their credentials.

“When it comes to phishing, criminals put a lot of effort into making their attacks look legitimate, while putting pressure on their victims to take action,” Larry Cashdollar, with Akamai, said in a Tuesday post. “This is an interesting attack, as it uses Google Translate, and targets multiple accounts in one go.”

Cashdollar said that he first noticed the attack on Jan. 7 when an email notification on his phone informed him that his Google account had been accessed from a new Windows device.

The message, titled “Security Alert,” features an image branded with Google that says “A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.” Then, there’s a “Consult the activity” button below the message.

phishing email

Interestingly, the message looked much more convincing in its condensed state on his mobile device, rather than on a desktop where the title of the email sender is more apparent, he said.

Upon closer look at the email, Cashdollar found that the “security alert” was sent from “facebook_secur[@]”

That triggered two suspicions: firstly, the email came from a Hotmail account, which raised red flags; secondly, the address had nothing to do with Google and instead referenced Facebook.

“Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn’t aware or paying attention,” he said. “Criminals conducting phishing attacks want to throw people off their game, so they’ll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later.”

When clicking on the “Consult the activity” button, Cashdollar was brought to a landing page that appeared to be a Google domain, prompting him to sign into his Google account.

However, one thing stuck out about the landing page – it was loading the malicious domain via Google Translate, Google’s service to help users translate webpages from one language to another.

phishing facebook google translate

Using Google Translate helps the bad actor hide the malicious page in several ways. Most importantly, the victim sees a legitimate Google domain, which “in some cases… will help the criminal bypass endpoint defenses,” said Cashdollar.

Using Google Translate also means the URL bar is filled with a long string of translate parameters that looks like random text. On closer inspection of that text, victims could see the real, malicious domain, “mediacity,” being translated.
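A defender-side check for the wrapper described above, written as an added example (not Akamai's code): it peels a Google Translate link back to the site actually being loaded, so a mail gateway or URL filter can judge the real domain rather than the google.com front. The “translate?…&u=<url>” form is the one this campaign used; handling of the newer “<host>.translate.goog” proxy form and its hostname encoding ('.' becomes '-', an original '-' becomes '--') is an assumption, and all sample links are constructed.

```python
"""Unwrap Google Translate proxy links to the origin site (constructed example)."""
from urllib.parse import parse_qs, urlparse

TRANSLATE_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}
PROXY_SUFFIX = ".translate.goog"   # assumption: newer proxy form, not on the original page


def unwrap_translate_url(url: str):
    """Return the origin URL behind a Google Translate link, or None if it is not one."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host in TRANSLATE_HOSTS:
        # The site being "translated" rides along in the u= parameter.
        inner = parse_qs(parsed.query).get("u", [""])[0]
        return inner or None
    if host.endswith(PROXY_SUFFIX):
        encoded = host[: -len(PROXY_SUFFIX)]
        # Assumed encoding: protect '--' first so original hyphens survive the '-' -> '.' swap.
        origin_host = encoded.replace("--", "\0").replace("-", ".").replace("\0", "-")
        return f"https://{origin_host}{parsed.path or '/'}"
    return None


def effective_domain(url: str) -> str:
    """Domain the user is really interacting with, after peeling any translate wrapper."""
    inner = url
    for _ in range(3):                  # tolerate a translate link wrapping another one
        unwrapped = unwrap_translate_url(inner)
        if not unwrapped:
            break
        inner = unwrapped
    return (urlparse(inner).hostname or "").lower()


def is_allowed(url: str, trusted: set) -> bool:
    """True only if the effective domain is a trusted domain or a subdomain of one."""
    dom = effective_domain(url)
    return any(dom == t or dom.endswith("." + t) for t in trusted)


TRUSTED = {"google.com", "facebook.com"}

# Constructed sample links: a genuine Google page and two translate-wrapped look-alikes.
SAMPLES = [
    "https://accounts.google.com/signin",
    "https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http://login-alert.example/google/",
    "https://login--alert-example.translate.goog/google/?_x_tr_sl=auto&_x_tr_tl=en",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{effective_domain(link):25} allowed={is_allowed(link, TRUSTED)}  {link}")
```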

Luckily, “while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer,” said Cashdollar.

For those who fail to notice the red flags on the landing page, their credentials (username and password) are collected – along with other information such as IP address and browser type – and emailed to the attacker.

“We are aware of the phishing attempts and have blocked all sites in question, on multiple levels,” a Google spokesperson told Threatpost. The spokesperson urged users to report them if they encounter a phishing site.

However, the attack didn’t stop there. The attacker then tries to hit victims a second time by forwarding them to a different landing page that purports to be Facebook’s mobile login portal.

These types of two-stage attacks appear to be on the rise as bad actors look to take advantage of victims who already fell for the first part of the scam, Cashdollar told Threatpost: “It seems this is becoming more common as the attacker knows they’ve gained your trust and try to steal additional credentials.”

Like the Google page, this Facebook landing page has some red flags. It uses an older version of the Facebook mobile login form, for instance.

“This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums,” said Cashdollar.

Despite these mistakes, the two stages of the phishing attack suggest a certain level of sophistication on the part of the attacker.

“It isn’t every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device. But it’s highly uncommon to see such an attack target two brands in the same session,” he said.

Phishing attacks have continued to grow over the past year – and this particular scam is only one example of how bad actors behind the scams are updating their methods to become trickier.

phishing attack google translate

According to a recent Proofpoint report, “State of the Phish,” 83 percent of respondents experienced phishing attacks in 2018 – up 5 percent from 2017. That may not come as a surprise, as in the last year phishing has led to several massive hacks – whether it’s hijacking Spotify users’ accounts or large data breaches like the December San Diego Unified School District breach of 500,000.

Other methods of phishing have increased as well. Up to 49 percent of respondents said they have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.

Hyatt Hotels launches bug bounty program


Originally seen on by Charlie Osborne

The company has turned to external help to prevent data breaches from affecting its properties again.

Hyatt Hotels has launched a bug bounty program in light of recent card-skimming attacks against the hospitality chain.

On Wednesday, the company said the new initiative will be hosted on bug bounty program HackerOne and is designed to allow Hyatt to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities.”

Ethical hackers can use the platform — as well as rival services such as Bugcrowd — to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them and turn them into cyberattacks or data theft.

The bug bounty program is public and includes the main domain,,, and both the iOS and Android Hyatt mobile apps.

Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.

Hyatt has chosen to use the Common Vulnerability Scoring System (CVSS) to evaluate the severity of security flaws found.

Researchers who report valid, high-severity flaws can expect rewards of up to $4,000; important bugs will earn them $1,200 and less severe vulnerabilities are worth between $300 and $600.

“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt Chief Information Security Officer Benjamin Vaughn. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”

In a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards which have already been issued at the time of writing.

It is unfortunately quite common for hotel chains and others in the hospitality space to become the focus of cyberattacks due to the vast amount of valuable data these businesses process and store.

Hard Rock Hotels & Casinos, Loews Hotels, Radisson Hotel Group, the Trump Hotel Collection, Marriott, and Hyatt Hotels itself are on the list of organizations which have experienced successful cyberattacks in recent years.

In 2015, 250 properties managed by Hyatt across countries including the US, UK, China, Germany, Japan, Italy, France, Russia, and Canada were subject to a cyberattack. Information-stealing malware was implanted on systems, leading to the exposure of customer financial data including cardholder names, card numbers, expiration dates, and internal verification codes.

A second data breach occurred in 2017, in which 41 locations were affected and unauthorized access to payment card information was detected.

Chicago-based Hyatt Hotels manages over 750 properties in 55 countries.

Other organizations that use HackerOne to tap into a vast pool of security researchers include Google, Twitter, the US Department of Defense, GitHub, and Qualcomm.

Breaking Down Five 2018 Breaches — And What They Mean For Security In 2019


Originally seen on Forbes by Kate O’Flaherty

Big hacks and data leaks are nothing new, but this year has seen a surge in reported breaches. The reason for this might be simple: after the EU’s General Data Protection Regulation (GDPR) came into force in May, firms are more likely to report attacks.

But it also demonstrates that the huge amounts of data collected by companies are not immune to hacking, and that many firms aren’t doing enough to ensure they are secure. Let’s take a look back at five massive hacks of this year and examine what they mean for cybersecurity in 2019.


Facebook has suffered several breaches this year, with the worst seeing at least 50 billion users compromised. The biggest breach, in late September, enabled hackers to exploit a weakness in Facebook’s code to access the ‘View As’ privacy tool, which allows users to see how their profile looks to other people.

Three major security incidents affected user data in 2018, says Lewis Henderson, VP threat intelligence at Glasswall Solutions – and these are just the ones we know about. “Having been caught playing fast and loose with their users’ data, further major security incidents demonstrate Facebook’s infrastructure was probably never designed to cope with this many subscribers. It simply doesn’t have security built in, nor has Facebook taken those companies who exploit subscriber data through a robust third-party security process.”

Facebook has a large security budget and a team that’s known throughout the industry as top-notch, says Joan Pepin, CISO at Auth0. “They should know what they’re doing – but they have a complicated product. The latest hack combined several features in concert, which QA never thought to test. It was a failure of imagination and an outcome of the incredible complexity of their product.”

At the end of November, hotel group Marriott admitted it had suffered a massive data breach affecting the records of up to 500 million customers. The firm revealed its Starwood division’s guest reservation database had been compromised by an unauthorized party. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.

“Regardless of who the finger is being pointed at, it’s clear this stealthy attack meant the perpetrator had unrestricted access, across multiple IT systems for a very long time,” says Glasswall’s Henderson. “Presumably with many elevated privileged accounts compromised, the attackers were clear to traverse customer data held in different locations and likely cleared their tracks as they went.”

And when people trust firms with their data, even cybersecurity experts aren’t immune. “I am a Marriott Platinum for Life customer: My data was hacked alongside that of millions,” says José Hernandez, author of Broken Business.

He points out that good crisis management requires full, timely, and complete disclosure – alongside an independent investigation. “Beyond trust and good governance, with Europe’s GDPR, waiting two months to report a significant hack is likely to be met with significant fines and penalties.”

It’s not the data breach that will be most impactful to the company; it’s the regulatory and class actions that follow, says Ian Thornton Trump, head of cyber security at Amtrust International. “But the big question is, why was this data not encrypted while at rest? Why are passport numbers and details not required by law to be encrypted at rest? The Marriott breach was not just about failing to protect the data they have; it’s a failure of governments to insist identity documents are treated with the same requirements as credit card data.”


In December, Quora suffered a massive breach of user data. The intrusion, discovered on November 30, included up to 100 million users’ names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content such as questions, answers, comments, blog posts and upvotes.

“The breadth and potential value of the data compromised, like encrypted passwords and social media data, was notable,” says Andrew Tsonchev, director of technology, Darktrace Industrial.

Edward Whittingham, a former law enforcement officer who is MD of The Defence Works, agrees. “Quora’s data breach was pretty punchy, mainly because it exposed the names, email address and encrypted passwords, as well as data from social networks like Facebook and Twitter, to which people had connected their accounts,” he says.

“Perhaps most interesting is how the cybercriminals might then go on to use the data, such as questions and answers posed on the platform. I’d expect to see this information sold on the dark web and if there are any contentious questions or answers in there, the fraudsters will be sure to make use of this information and possibly look to hold some users to ransom.”

British Airways

On 6 September, British Airways informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and CVV codes. It took the firm just one day to announce it had been hit by a cyber-attack that ran between 21 August and 5 September.

Soon afterwards, it was discovered that the details were taken via a script designed to steal financial information by ‘skimming’ the payment page before the form was submitted. Security researchers now think the perpetrator is Magecart, the same group that breached Ticketmaster.

“The credit card skimming campaign launched against hundreds of thousands of British Airways customers stood out due to its large scope and the effectiveness of the tactic employed: the modification of JavaScript code on BA’s website to effectively steal payment data while avoiding detection,” says Yonathan Klijnsma, head threat researcher at RiskIQ. “By inserting just 22 lines of code, Magecart Group 6 was able to extract information entered into the airline’s online payment forms without disrupting the payment flow.”

The impact on affected customers was still being felt in November, when it was discovered that the Russian hacker group behind Magecart was selling the details on the dark web for around $10 a card.

“In the immediate aftermath, many banks and credit card companies issued replacements or warnings to their customers who may have been affected, netting the Russian group a possible $12m from the hack,” says Martin Jartelius, CSO at Outpost24.

“Aside from BA’s parent company’s shares taking a hit in the immediate aftermath, it’s likely that the company will be penalized under the GDPR legislation, with some experts stating the impact could be in the region of £500m or 4% of its turnover, or – if IAG is held accountable – an even larger sum: reportedly around £800m.”


When the personal data of 40,000 Ticketmaster customers was stolen by hackers, it emerged that a third-party supplier was involved. The company, Inbenta Technologies, which operates a chatbot on the Ticketmaster site, had customised its product for Ticketmaster by modifying a line of JavaScript code.

Without Inbenta’s knowledge, Ticketmaster used this code on its payments page, where it was discovered by hackers and modified to extract payment information. The scale isn’t as massive as some other breaches, but the impact was huge: some customers reported their money had been stolen and others claimed their details had turned up for sale on the dark web. The culprit was apparently the credit-card skimming criminals Magecart.

“Just one month after GDPR came into full effect, Ticketmaster announced 40,000 customers’ data was accessed due to a malicious hack on a third party solution,” says Guy Bunker, SVP of Products, Clearswift.

He points out that many security incidents occur as a result of the actions of customers, suppliers and partners. “It’s important to ensure that security measures are up to date across the entire network of companies. Ticketmaster was only as secure as its weakest link.”

Cyber security in 2019

After hitting Ticketmaster and BA, experts predict that Magecart will target more than credit card data in 2019. “In 2018, credit-card skimming criminals grouped under the Magecart label have been carrying out a full-scale assault on e-commerce. They show zero signs of stopping as we head into 2019, with the attacks only getting more traction as various groups learn how to become more effective,” says RiskIQ’s Klijnsma.

He predicts: “As web skimming can skim all sorts of information entered into a website, Magecart groups will surely expand to skimming more than just payment data, such as login credentials and other sensitive information.”

As nation state actors ramp up their campaigns, critical infrastructure will also likely be a target. These attacks are already on the rise, says Andrew Tsonchev, director of technology, Darktrace Industrial. “This year, the ports of San Diego and Barcelona were attacked with ransomware: compromising industrial devices can now allow criminals to ransom access to operational systems as well as data.”

Jake Moore, cyber security expert at ESET, predicts 2019 will see a new form of attack: GDPR bounty hunting. “GDPR bounties work effectively when the attacker extorts an organization by providing them with a copy of their data to prove that it has been breached.

“They then give the victim two options: pay the possibly eye-watering ICO fine of up to €20m or 4% of their annual global turnover – or pay the hackers’ chosen fee, which could be anything less than the maximum from the ICO. Hackers take advantage of the fact that some organizations will be tempted to choose the second option so they can avoid any reputational damage caused by a data breach.”

Be Aware, Be Alert Checklist


The end of the year is a notoriously busy time for most organizations. Now that we are in the new year, take the time to focus on your security. Please keep these reminders handy to help protect yourself against cybercrime.

Most malicious attacks an organization will face will be initiated via email, and they can easily spread through an organization without the proper protection. Even a company with a dedicated IT department can still have these attacks slip through.

Be Aware:

  1. Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or family member.
  2. Phishing scammers make it seem like they need your information, or someone else’s, quickly – or something bad will happen. They might say your account will be frozen, you’ll fail to get a tax refund, your boss will get mad, even that a family member will be hurt or you could be arrested. They lie with the intent of obtaining your or your organization’s confidential and financial information.

Be Alert:

  1. Never let your guard down.
  2. Never assume anything you receive via email is legit. If you are not 100% certain call the sender to verify.
  3. Do not allow yourself or your organization to complete financial transactions solely via email. There have been widespread bank wire fraud attacks. Please be extremely careful.
    • The best practice here is to come up with a strict set of actions that are required for financial transactions, and stick to them. A phone call or a face-to-face hand-off should be at least one of the steps.

Be Proactive:

  1. Even the most careful users are susceptible to this kind of fraud. This is why at ITG we urge our clients to take the necessary proactive measures. ITG has new products and recommendations that will further protect you from these types of security scams. We strongly recommend sending all of your users our Be Aware and Be Alert checklist from above.
  2. ITG services and our customized plans include full security coverage:
    • Prevention – reduce the number of phishing and spam emails that make it through to the users.
    • Training – user awareness is a critical part of the defense.
    • Compliance – many organizations are now subject to either Federal or State security compliance rules. We are here to help you navigate these and build a security platform that will ensure you can meet and maintain compliance.

If you have any questions or would like to request additional information feel free to contact us today.

Ransomware Losses Top $1.5M Each Minute


A new report has found that 1.5 organizations fall victim to ransomware attacks every minute — and more than $1 million is lost each minute due to cybercrime.

RiskIQ’s 2018 “The Evil Internet Minute” investigated the cyber threats that organizations and internet users face every minute.

“With businesses expanding their online presence to create more touchpoints with customers, employees and partners, the boundaries between what’s inside the firewall and what’s outside become less and less discernible, opening a whole new front in the battle between attackers and security teams,” the company wrote in a blog post. “These attackers target brands and consumers on the open web with tactics like phishing, spinning up malicious mobile apps, hacking third-party suppliers and directly compromising websites.”

The report found that cybercrime costs businesses $600 billion each year, with ransomware specifically costing corporations $8 billion per year, or more than $15,000 per minute.

In addition, there are 1,274 new malware variants released each minute, 22.9 phishing email attacks per minute and 2.9 billion record leaks from publicly disclosed incidents each day (that’s more than 5,000 each minute). The data also showed 0.17 blacklisted mobile apps, 0.21 new phishing domains, 0.07 incidents of the Magecart credit card skimmer, 0.1 new sites running the CoinHive cryptocurrency mining script and four potentially vulnerable web components discovered during the evaluation process.

“This data shows that as organizations continue to roll out new digital strategies and initiatives, the new digital assets they create are subject to scores of malware, malvertising, phishing and crypto mining efforts on a massive scale, while rogue apps, domain and brand infringement, and social impersonation cause business disruption and material loss,” according to RiskIQ.

The company noted that the instances of these cybercrimes have gotten worse since last year, showing that companies need to do more to protect themselves and their clients.

“When brands understand what they look like from the outside-in, they can begin developing a digital threat management strategy that allows them to discover everything associated with their organization on the internet, both legitimate and malicious, and monitor it for potentially devastating cyberattacks. However, bringing the massive scope of an organization’s attack surface into focus is no easy task,” the company added.

Were You Attacked Today With Yesterday’s Hacking Technique?

Originally seen: by Itzik Kotler on August 22, 2018

We’re all familiar with the idea of recycling as a means of reducing the waste stream. Most of us are in the habit of separating our paper, plastic, glass and metal trash from other garbage. What you may not know is that recycling is a major trend in the hacker community, too. Many of the data breaches that have struck in recent years were accomplished using software that has been around for a long time — today’s hack, yesterday’s technique.

Tools that have been proven effective at fooling users and sneaking past network defenses are regularly reused by hackers. Whether the software was developed specifically for hacking or as a tool with a legitimate purpose that has been adapted for a less savory one, the hacker community has become expert at extracting value from what already exists. As with commercial software development, it takes time and money for hackers to write and test their code, and in order to maximize their profits, it makes sense to recycle what works. Often, these tried-and-true products are packaged and sold to others, furthering their potential to do harm.

This large-scale recycling program means there is an abundance of bad actors spreading an abundance of viruses, trojan horses, ransomware and other junk intended to wreak havoc and steal money and intellectual property. One recent example of recycled software getting heavy use by the hacker community is Mimikatz, a tool used to capture passwords, user credentials and other sensitive information from Windows-based operating systems.

Mimikatz was first created in 2007 and since then has been instrumental in a number of large-scale malware attacks, including the NotPetya campaign that disrupted networks and commerce during the summer of 2017, costing affected companies hundreds of millions of dollars according to the tech journal eWeek. Mimikatz was also used in the PinkKite attack that infected retail point-of-sale (POS) systems, primarily throughout Europe and North America, stealing credit card data used in consumer transactions.

There are other common tools, many of which were developed for legitimate purposes, that have been co-opted by the hacker community in many malicious hacking campaigns. Microsoft originally created PowerShell to automate administrative tasks in Windows. Now PowerShell is available as open source code, supporting Linux and macOS, and available to the developer community — including hackers. PowerShell has been a key component in attacks using stolen passwords and digital credentials to give hackers access to and control of networks. PowerShell was used in the REDLeaves attack, discovered in 2016, targeting the health care and energy industries. PowerShell was also part of a state-sponsored attack targeting teams participating in the 2018 Winter Olympics.

Likewise, macros are small, code-based shortcuts developed for the Microsoft Office suite of products and are used to execute larger, more complex functions. Macros make life easier for Office users, but they have been adapted for spam attacks where they are embedded in attachments that look like legitimate files. Once clicked, the macro downloads malware to the victim’s computer, infecting it with whatever code the adversary wants. Macros were behind the Locky ransomware attack that bedeviled hospitals in the U.S. and elsewhere in 2016 by encoding important files that the hackers would only release upon receipt of payment in bitcoin.

While this illicit activity has contributed to the relentless assault on personal and corporate networks, it has one major flaw that chief information security officers (CISOs) can exploit to protect their networks and endpoints. Because so many hackers conduct campaigns using recycled code, mass-marketed malware and reused techniques, the number of attacks has increased. But that also makes it possible, with the right security strategy, to identify the key signatures in those campaigns and thwart such attacks before they are successful.

The NotPetya and PinkKite campaigns targeted two different kinds of systems. Both used Mimikatz because it worked well for the job it was designed to perform. There was no reason to invent, test and try a new tool for stealing the credentials essential to their hacks, because Mimikatz was already available. Because both NotPetya and PinkKite used Mimikatz, defenses configured to detect its telltale signatures would have been able to detect its presence. Security teams that used such defenses were alerted to an attack and, with this knowledge, could have quickly intervened to thwart the campaign and prevent infection.
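As an added illustration of the detection point made above (this is not code from the original article), the following Python rule set looks for the three reused tool patterns the article names, Mimikatz command lines, encoded PowerShell and Office applications spawning a script host, over constructed process-creation events in the style of Sysmon Event ID 1. The event fields, file paths and the base64 blob (which decodes to the harmless command Get-Date) are assumptions made for the example.

```python
import base64
import re

# Constructed process-creation events in the style of Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc RwBlAHQALQBEAGEAdABlAA=="},
    {"image": r"C:\Users\alice\AppData\Local\Temp\m.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"m.exe" "privilege::debug" "sekurlsa::logonpasswords" exit'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Well-known Mimikatz module names; a renamed binary still shows them on the command line.
MIMIKATZ = re.compile(r"mimikatz|sekurlsa::|lsadump::|privilege::debug", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(blob: str) -> str:
    # PowerShell's -EncodedCommand carries base64 of a UTF-16LE string.
    return base64.b64decode(blob).decode("utf-16-le")

def analyze_event(event: dict) -> list:
    """Return (rule, detail) pairs for the reused-tooling patterns this event shows."""
    findings = []
    image, parent, cmdline = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(("office_spawns_script_host", f"{parent} -> {image}"))
    match = ENCODED_PS.search(cmdline)
    if image == "powershell.exe" and match:
        try:
            findings.append(("encoded_powershell", decode_encoded_command(match.group(1))))
        except (ValueError, UnicodeDecodeError):
            findings.append(("encoded_powershell", "undecodable blob"))
    if MIMIKATZ.search(image) or MIMIKATZ.search(cmdline):
        findings.append(("mimikatz_usage", cmdline))
    return findings

def scan(events: list) -> list:
    """Flatten per-event findings into (event_index, rule, detail) triples."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in analyze_event(ev)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```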

This is not revelatory. I previously wrote about an entire information/cybersecurity industry sector built on the collection, analysis and use of this information, known as threat intelligence, as a key part of a cyber-defense strategy. Knowing this, why aren’t more organizations taking advantage of this major flaw in the hackers’ use of recycled and open-source code? The information security industry may be more focused on generating fear, uncertainty and doubt than on helping companies establish the security priorities needed to bring to bear all the capabilities available to them.

Because of the adversary’s reuse of hacking tools, CISOs should make sure their systems are calibrated to not only detect the newest zero-day threats but also thwart the malware and methods that continue to wreak havoc on their networks. The information security industry is turning the corner in its fight against the global hacker community, and keeping pace with the threat means building on what we already know. After all, the key to stopping tomorrow’s hack can often be found in the lessons learned from yesterday’s attack.

PGA possibly infected with BitPaymer

Originally seen on BleepingComputer by Lawrence Abrams on August 8, 2018

If corporate America, government entities, and hospitals weren’t enough, now ransomware developers are attacking Golf!

According to a report from GolfWeek, computers at the PGA of America’s offices have been infected with ransomware. The victims learned they were infected on Tuesday when ransom notes started appearing on their screens.

“Your network has been penetrated,” the ransom note read according to Golfweek’s article. “All files on each host in the network have been encrypted with a strong algorythm [sic].”

Based on these strings and the misspelling of “algorithm”, PGA of America was most likely infected with the BitPaymer ransomware. This is the same type of ransomware that recently hit the Alaskan town of Matanuska-Susitna and forced them to use typewriters for a week.

BitPaymer becoming more active?

As already stated, based on the reported ransom note, PGA of America was most likely targeted by the BitPaymer ransomware. BitPaymer has been around for a while, but typically keeps a low profile. There has been some moderate BitPaymer activity over the last few weeks, though, as shown by the ID Ransomware chart below.

Like SamSam, BitPaymer tends to target organizations by hacking into Remote Desktop Services connected to the Internet. Once inside a network, the attackers traverse it and encrypt every computer they can get access to.

Recent variants have been appending the .locked extension to encrypted files and dropping ransom notes with the same name as the encrypted files but with “.readme_txt” appended. For example, an encrypted file called test.jpg would also have a ransom note named test.jpg.readme_txt.

You can see an example ransom note for the BitPaymer Ransomware below. Notice the strings in the example below match those mentioned in the GolfWeek article.

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorythm.

Backups were either encrypted or deleted or backup disks were formatted.

We exclusively have decryption software for your situation.

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.

To get info(pay-to-decrypt your files) contact us at:


BTC wallet:

To confirm our honest intentions.
Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure we decrypts everything.
Files should have .LOCK extension of each included.
2 files we unlock for free.
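The two artifacts described above, the .locked extension and the per-file .readme_txt note carrying the quoted phrases, are enough to triage a file share or a host image during incident response. The following Python scanner is an added example, not code from the original article; it builds a small constructed directory tree in a temporary folder (the file names and the note text are fixtures for the example) and pairs every .locked file with its expected note.

```python
import tempfile
from pathlib import Path

LOCKED_EXT = ".locked"
NOTE_SUFFIX = ".readme_txt"
# Phrases quoted from the BitPaymer note above; two or more in one note is a strong match.
NOTE_MARKERS = ("your network has been penetrated", "strong algorythm",
                "we exclusively have decryption software", "do not reset or shutdown")

def note_matches_bitpaymer(text: str) -> bool:
    lower = text.lower()
    return sum(marker in lower for marker in NOTE_MARKERS) >= 2

def scan_tree(root) -> dict:
    """Walk a share or host image and pair .locked files with their .readme_txt notes."""
    root = Path(root)
    report = {"locked": [], "locked_without_note": [], "bitpaymer_notes": [], "other_notes": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        if path.name.endswith(LOCKED_EXT):
            report["locked"].append(rel)
            # test.jpg.locked should sit next to test.jpg.readme_txt
            note = path.with_name(path.name[:-len(LOCKED_EXT)] + NOTE_SUFFIX)
            if not note.is_file():
                report["locked_without_note"].append(rel)
        elif path.name.endswith(NOTE_SUFFIX):
            text = path.read_text(encoding="utf-8", errors="replace")
            key = "bitpaymer_notes" if note_matches_bitpaymer(text) else "other_notes"
            report[key].append(rel)
    return report

def build_sample_tree(root) -> None:
    """Constructed fixture: two encrypted files with notes, one orphan, two untouched files."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    note = ("Your network has been penetrated.\n"
            "All files on each host in the network have been encrypted with a strong algorythm.\n")
    for name in ("test.jpg", "report.docx"):
        (docs / (name + LOCKED_EXT)).write_bytes(b"\x00constructed ciphertext\x00")
        (docs / (name + NOTE_SUFFIX)).write_text(note, encoding="utf-8")
    (docs / ("orphan.xlsx" + LOCKED_EXT)).write_bytes(b"\x00")
    (docs / "clean.txt").write_text("not encrypted\n", encoding="utf-8")
    (docs / "todo.readme_txt").write_text("buy milk\n", encoding="utf-8")

def demo() -> dict:
    """Build the fixture in a temporary directory and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Calling demo() runs the scan against the fixture; on a real incident, point scan_tree at the mounted share or image root instead.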

BitPaymer is also known to charge very large ransom amounts to decrypt computers. For example, one BitPaymer infection in the past asked for 53 bitcoins to decrypt an entire network.

Unfortunately, BitPaymer is a secure ransomware, meaning there is no way to decrypt the files for free, so PGA of America will either have to restore from backups or pay a hefty ransom.

Update 8/9/18: Article updated to clarify that the PGA of America’s computers were infected and not PGA Tour.

Cryptocurrency stealing malware

Originally seen on securitynews on August 24, 2018

Over a billion worth of cryptocurrency has reportedly been stolen so far this year, and we continue to see reports of crypto theft daily. Every time a huge cyberheist is reported, cryptocurrency prices slump, but they remain attractive to cybercriminals looking to capitalize on their growth potential.

This week, the SonicWall Capture Labs Threat Research Team has come across a crypto-stealing malware which monitors the victim’s clipboard, watching for cryptocurrency wallet addresses. Once one is detected, it replaces the clipboard data with the attacker’s own address. Unless the user is vigilant and carefully examines the address after pasting it, the transaction that follows goes to the cybercriminal’s address instead of the intended recipient.

Infection Cycle:

This malware purports to be an important document and uses the following filenames:

  • DOC_[*random numbers*].pdf
  • SCN_[*random numbers*].pdf
  • PDF_[*random numbers*].pdf

For more savvy users, looking at the file properties reveals that it pretends to be a text-to-speech application with an internal name of texttowav.exe.

It copies itself as drpbx.exe in the %APPDATA% directory. It also adds the following registry key to ensure persistence:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run drpbx %APPDATA%\drpbx\drpbx.exe

This malware was developed with the Microsoft .NET Framework, and its assembly description shows it pretending to be a legitimate Firefox file, but with “Mozilla” misspelled as “Mozzilla.”

To mislead the victim even more, upon execution it displays a fake error.

During analysis, we noticed that this sample is packed using ConfuserEX and the main module is named “Bitcoinstealer” which establishes the real purpose of this malware.

Within its resource section is a subsection named “VanityAddresses,” which lists 10,000 different digital currency wallet addresses.

This malware steals cryptocurrency by monitoring the clipboard and matching its contents against a regex to identify whether a cryptocurrency wallet address has been copied; it then swaps that data with one of the 10,000 hardcoded addresses.
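The swap described above only works because nothing compares what the user copied with what is actually pasted. The following Python sketch, an added example and not code from the SonicWall write-up, shows that check: a guard records the address at copy time, and at paste time reports when a wallet-shaped value has been replaced by a different wallet-shaped value. The address patterns are the common Bitcoin and Ethereum shapes; the two sample addresses are constructed strings of the right form, not real wallets.

```python
import re

# Constructed sample values in the right shape; not real wallet addresses.
USER_COPIED = "1CoNstructedSampLeAddrAAAAAAAAAA"
SWAPPED_IN = "1AttackerSwappedAddrBBBBBBBBBBBB"

# Address shapes a user is likely to copy (a clipboard stealer matches on similar patterns).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_kind(text: str):
    """Return the matching address family, or None if the text is not an address."""
    stripped = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(stripped):
            return kind
    return None

class ClipboardGuard:
    """Remembers what the user copied and compares it with the clipboard at paste time."""

    def __init__(self):
        self.last_copied = None

    def on_copy(self, text: str) -> None:
        # Hook this to the user's own copy action (e.g. a wallet UI "copy address" button).
        self.last_copied = text.strip()

    def check_before_paste(self, clipboard_now: str) -> tuple:
        """Return (verdict, value) where verdict is ok, changed or hijack_suspected."""
        now = clipboard_now.strip()
        if self.last_copied is None or wallet_kind(self.last_copied) is None:
            return ("ok", now)            # nothing sensitive was copied
        if now == self.last_copied:
            return ("ok", now)
        if wallet_kind(now) is not None:
            # An address was silently replaced by another address: the swap described above.
            return ("hijack_suspected", now)
        return ("changed", now)

def simulate_swap() -> tuple:
    """Walk through the described behaviour: copy an address, then the clipboard is altered."""
    guard = ClipboardGuard()
    clipboard = USER_COPIED
    guard.on_copy(clipboard)
    clipboard = SWAPPED_IN            # stands in for the malware rewriting the clipboard
    return guard.check_before_paste(clipboard)

if __name__ == "__main__":
    print(simulate_swap())
```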