Ransomware Losses Top $1.5M Each Minute


A new report has found that 1.5 organizations fall victim to ransomware attacks every minute — and more than $1 million is lost each minute due to cybercrime.

RiskIQ’s 2018 “The Evil Internet Minute” report investigated the cyber threats that organizations and internet users face every minute.

“With businesses expanding their online presence to create more touchpoints with customers, employees and partners, the boundaries between what’s inside the firewall and what’s outside become less and less discernible, opening a whole new front in the battle between attackers and security teams,” the company wrote in a blog post. “These attackers target brands and consumers on the open web with tactics like phishing, spinning up malicious mobile apps, hacking third-party suppliers and directly compromising websites.”

The report found that cybercrime costs businesses $600 billion each year, with ransomware specifically costing corporations $8 billion per year, or more than $15,000 per minute.

In addition, there are 1,274 new malware variants released each minute, 22.9 phishing email attacks per minute and 2.9 billion record leaks from publicly disclosed incidents each day (that’s more than 5,000 each minute). The data also showed 0.17 blacklisted mobile apps, 0.21 new phishing domains, 0.07 incidents of the Magecart credit card skimmer, 0.1 new sites running the CoinHive cryptocurrency mining script and four potentially vulnerable web components discovered during the evaluation process.

“This data shows that as organizations continue to roll out new digital strategies and initiatives, the new digital assets they create are subject to scores of malware, malvertising, phishing and crypto mining efforts on a massive scale, while rogue apps, domain and brand infringement, and social impersonation cause business disruption and material loss,” according to RiskIQ.

The company noted that the instances of these cybercrimes have gotten worse since last year, showing that companies need to do more to protect themselves and their clients.

“When brands understand what they look like from the outside-in, they can begin developing a digital threat management strategy that allows them to discover everything associated with their organization on the internet, both legitimate and malicious, and monitor it for potentially devastating cyberattacks. However, bringing the massive scope of an organization’s attack surface into focus is no easy task,” the company added.

Were You Attacked Today With Yesterday’s Hacking Technique?


Originally seen: Forbes.com by Itzik Kotler on August 22, 2018


We’re all familiar with the idea of recycling as a means of reducing the waste stream. Most of us are in the habit of separating our paper, plastic, glass and metal trash from other garbage. What you may not know is that recycling is a major trend in the hacker community, too. Many of the data breaches that have struck in recent years were accomplished using software that has been around for a long time — today’s hack, yesterday’s technique.

Tools that have been proven effective at fooling users and sneaking past network defenses are regularly reused by hackers. Whether the software was developed specifically for hacking or as a tool with a legitimate purpose that has been adapted for a less savory one, the hacker community has become expert at extracting value from what already exists. As with commercial software development, it takes time and money for hackers to write and test their code, and in order to maximize their profits, it makes sense to recycle what works. Often, these tried-and-true products are packaged and sold to others, furthering their potential to do harm.

This large-scale recycling program means there is an abundance of bad actors spreading an abundance of viruses, trojan horses, ransomware and other junk intended to wreak havoc and steal money and intellectual property. One recent example of recycled software getting heavy use by the hacker community is Mimikatz, a tool used to capture passwords, user credentials and other sensitive information from Windows-based operating systems.

Mimikatz was first created in 2007 and since then has been instrumental in a number of large-scale malware attacks, including the NotPetya campaign that disrupted networks and commerce during the summer of 2017, costing affected companies hundreds of millions of dollars according to the tech journal eWeek. Mimikatz was also used in the PinkKite attack that infected retail point-of-sale (POS) systems, primarily throughout Europe and North America, stealing credit card data used in consumer transactions.

There are other common tools, many of which were developed for legitimate purposes, that have been co-opted by the hacker community in many malicious hacking campaigns. Microsoft originally created PowerShell to automate administrative tasks in Windows. Now PowerShell is available as open source code, supporting Linux and macOS, and available to the developer community — including hackers. PowerShell has been a key component in attacks using stolen passwords and digital credentials to give hackers access to and control of networks. PowerShell was used in the REDLeaves attack, discovered in 2016, targeting the health care and energy industries. PowerShell was also part of a state-sponsored attack targeting teams participating in the 2018 Winter Olympics.

Likewise, macros are small, code-based shortcuts developed for the Microsoft Office suite of products and are used to execute larger, more complex functions. Macros make life easier for Office users, but they have been adapted for spam attacks where they are embedded in attachments that look like legitimate files. Once clicked, the macro downloads malware to the victim’s computer, infecting it with whatever code the adversary wants. Macros were behind the Locky ransomware attack that bedeviled hospitals in the U.S. and elsewhere in 2016 by encoding important files that the hackers would only release upon receipt of payment in bitcoin.

While this illicit activity has contributed to the relentless assault on personal and corporate networks, it has one major flaw that chief information security officers (CISOs) can exploit to protect their networks and endpoints. Because so many hackers conduct campaigns using recycled code, mass-marketed malware and reused techniques, the number of attacks has increased. But that also makes it possible, with the right security strategy, to identify the key signatures in those campaigns and thwart such attacks before they are successful.

The NotPetya and PinkKite campaigns targeted two different kinds of systems. Both used Mimikatz because it worked well for the job it was designed to perform. There was no reason to invent, test and try a new tool for stealing the credentials essential for their hacks because Mimikatz was already available. Because both NotPetya and PinkKite used Mimikatz, defenses configured to detect its telltale signatures would have been able to detect its presence. Security teams that used such defenses were alerted to an attack and, with this knowledge, could have quickly intervened to thwart the campaign and prevent infection.

This is not revelatory. I previously wrote about an entire information/cybersecurity industry sector built on the collection, analysis and use of this information, known as threat intelligence, as a key part of a cyber-defense strategy. Knowing this, why aren’t more organizations taking advantage of this major flaw in the hackers’ use of recycled and open-source code? The information security industry may be more focused on generating fear, uncertainty and doubt than on helping companies establish the security priorities needed to bring to bear all the capabilities available to them.

Because of the adversary’s reuse of hacking tools, CISOs should make sure their systems are calibrated to not only detect the newest zero-day threats but also thwart the malware and methods that continue to wreak havoc on their networks. The information security industry is turning the corner in its fight against the global hacker community, and keeping pace with the threat means building on what we already know. After all, the key to stopping tomorrow’s hack can often be found in the lessons learned from yesterday’s attack.

PGA possibly infected with BitPaymer


Originally seen on BleepingComputer by: Lawrence Abrams on August 8, 2018 

If corporate America, government entities, and hospitals weren’t enough, now ransomware developers are attacking Golf!

According to a report from GolfWeek, computers at the PGA of America’s offices have been infected with ransomware. The victims learned they were infected on Tuesday when ransom notes started appearing on their screen.

“Your network has been penetrated,” the ransom note read according to Golfweek’s article. “All files on each host in the network have been encrypted with a strong algorythm [sic].”

Based on these strings and the misspelling of “algorithm”, PGA of America was most likely infected with the BitPaymer ransomware. This is the same type of ransomware that recently hit the Alaskan town of Matanuska-Susitna and forced them to use typewriters for a week.

BitPaymer becoming more active?

As already stated, based on the reported ransom note, PGA of America was most likely targeted by the BitPaymer ransomware. BitPaymer has been around for a while but typically keeps a low profile. There has been moderate BitPaymer activity over the last few weeks, though, as shown by the ID Ransomware chart below.

Like SamSam, BitPaymer tends to target organizations by hacking into Remote Desktop Services connected to the Internet.  Once inside a network, they traverse through it and encrypt every computer they can get access to.

Recent variants have been appending the .locked extension to encrypted files and dropping ransom notes of the same name as the encrypted files but with “.readme_txt” appended to it. For example, an encrypted file called test.jpg would also have a ransom note named test.jpg.readme_txt.

You can see an example ransom note for the BitPaymer Ransomware below. Notice the strings in the example below match those mentioned in the GolfWeek article.

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorythm.

Backups were either encrypted or deleted or backup disks were formatted.

We exclusively have decryption software for your situation.

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.

To get info(pay-to-decrypt your files) contact us at:


BTC wallet:

To confirm our honest intentions.
Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure we decrypts everything.
Files should have .LOCK extension of each included.
2 files we unlock for free.
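The indicators given above (the .locked extension, the per-file .readme_txt note naming, and the distinctive strings in the quoted note, including the “algorythm” misspelling) are enough to build a small triage helper for an incident responder. The following Python is an added example, not code from the BleepingComputer article or from ID Ransomware. The directory listing and note text are constructed; the "name.locked.readme_txt" naming variant it also accepts is an assumption, not something the article states.

```python
# Triage helper for a directory listing from a suspected BitPaymer infection.
# Indicators taken from the article: ".locked" on encrypted files, a ransom note
# per file named "<original>.readme_txt", and two strings from the quoted note.
ENCRYPTED_EXT = ".locked"
NOTE_SUFFIX = ".readme_txt"
NOTE_MARKERS = ("your network has been penetrated", "strong algorythm")  # sic


def strip_suffixes(name):
    """Recover the original file name from an encrypted file or ransom note.

    Handles 'test.jpg.locked' and 'test.jpg.readme_txt' (the article's form) and,
    as an assumption, the combined form 'test.jpg.locked.readme_txt'.
    """
    for suffix in (NOTE_SUFFIX, ENCRYPTED_EXT):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name


def triage_listing(names):
    """Group a listing by original name: {original: {"encrypted": ..., "note": ...}}.

    Files that carry neither suffix are left out of the result.
    """
    affected = {}
    for name in names:
        if name.endswith(NOTE_SUFFIX):
            role = "note"
        elif name.endswith(ENCRYPTED_EXT):
            role = "encrypted"
        else:
            continue
        entry = affected.setdefault(strip_suffixes(name), {"encrypted": None, "note": None})
        entry[role] = name
    return affected


def looks_like_bitpaymer_note(text):
    """Content check: does a note contain both distinctive strings from the article?"""
    lowered = text.lower()
    return all(marker in lowered for marker in NOTE_MARKERS)


def summarize(names):
    """Counts and lists a responder would want first: scope and notes without a file."""
    affected = triage_listing(names)
    originals = sorted(o for o, e in affected.items() if e["encrypted"])
    notes_without_file = sorted(o for o, e in affected.items() if e["note"] and not e["encrypted"])
    return {
        "encrypted_files": len(originals),
        "ransom_notes": sum(1 for e in affected.values() if e["note"]),
        "originals": originals,
        "notes_without_file": notes_without_file,
    }


# Constructed sample listing (not from a real infection).
SAMPLE_LISTING = [
    "test.jpg.locked", "test.jpg.readme_txt",
    "budget.xlsx.locked", "budget.xlsx.readme_txt",
    "notes.txt",                     # untouched file
    "orphan.docx.locked",            # encrypted, no note written yet
    "readme.md.locked.readme_txt",   # assumed alternate note naming
]

# Constructed note text built from the lines quoted in the article.
SAMPLE_NOTE = (
    "Your network has been penetrated.\n"
    "All files on each host in the network have been encrypted with a strong algorythm.\n"
)
BENIGN_README = "Build instructions: run make, then make test."

if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
    print("note matches:", looks_like_bitpaymer_note(SAMPLE_NOTE))
```

The content check is deliberately conjunctive: a single phrase such as “your network has been penetrated” appears in other families’ notes, whereas the combination with the misspelled “algorythm” is what the article uses to attribute the PGA incident to BitPaymer.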

BitPaymer is also known to charge very large ransom amounts to decrypt computers. For example, one BitPaymer infection in the past asked for 53 bitcoins to decrypt an entire network.

Unfortunately, BitPaymer is a secure ransomware, meaning there is no known way to decrypt its files for free, so PGA of America is either going to have to restore from backup or pay a hefty ransom.

Update 8/9/18: Article updated to clarify that the PGA of America’s computers were infected and not PGA Tour.

Cryptocurrency stealing malware


Originally seen on securitynews on August 24, 2018

Over a billion worth of cryptocurrencies have reportedly been stolen this year so far, and we continue to see reports of crypto theft daily. Every time a huge cyberheist is reported, cryptocurrency prices slump, but they remain attractive to cybercriminals looking to capitalize on their growth potential.

This week, the SonicWall Capture Labs Threat Research Team came across a crypto-stealing malware which monitors the victim’s clipboard for cryptocurrency wallet addresses. Once it detects one, it replaces the clipboard data with an address of its own. Unless the user is vigilant and carefully examines the address after pasting it, the transaction that follows will go to the cybercriminal’s address instead of the intended recipient.

Infection Cycle:

This malware purports to be an important document and uses the following filenames:

  • DOC_[*random numbers*].pdf
  • SCN_[*random numbers*].pdf
  • PDF_[*random numbers*].pdf

For more savvy users, looking at the file properties reveals that it pretends to be a text-to-speech application with an internal name of texttowav.exe.

It copies itself as drpbx.exe in the %APPDATA% directory. It also adds the following registry key to ensure persistence:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run drpbx %APPDATA%\drpbx\drpbx.exe

This malware was developed with the Microsoft .NET framework, and its assembly description shows it pretending to be a legitimate Firefox file, but with the vendor misspelled “Mozzilla.”

To mislead the victim even more, it displays a fake error upon execution.

During analysis, we noticed that this sample is packed using ConfuserEX and the main module is named “Bitcoinstealer” which establishes the real purpose of this malware.

Within its resource section is a subsection named “VanityAddresses.” This lists 10,000 different digital currency wallet addresses.

This malware’s method of stealing cryptocurrency is to monitor the clipboard data and match its contents against a regex to identify whether a cryptocurrency wallet address has been copied. If so, it swaps that data with one of the 10,000 hardcoded addresses.
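The technique described here (a regex over the clipboard, then an immediate rewrite) leaves a detectable trace: a copied wallet address is replaced by a different address of the same family a fraction of a second later, which a human copying two addresses does not do. The Python below is an added example from the defender's side, not SonicWall's code or the malware's: it classifies clipboard strings by address shape and flags that kind of transition in a sequence of clipboard polls. The address strings and the poll timeline are constructed (the "1AAA…" and "1BBB…" values are not real addresses), and the one-second threshold is an assumed tuning value.

```python
import re

# Shape-only patterns for the address families a clipboard monitor would
# watch for; no checksum validation, so a swapped-in attacker address
# passes exactly as the victim's does, which is why timing matters.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def address_kind(text):
    """Return the address family a clipboard string looks like, or None."""
    stripped = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(stripped):
            return kind
    return None


def detect_swaps(polls, max_gap=1.0):
    """Heuristic clipboard-swap detector over a time-ordered poll log.

    polls: list of (seconds, clipboard_text) samples. An alert is raised when
    one wallet address is replaced by a *different* address of the same
    family within max_gap seconds of the clipboard last changing. The gap is
    measured from the previous content change, not the previous poll, so a
    fast polling interval does not create false positives.
    """
    alerts = []
    changed_at, prev_text = None, None
    for t, text in polls:
        if text == prev_text:
            continue
        if prev_text is not None:
            before, after = address_kind(prev_text), address_kind(text)
            if before is not None and before == after and (t - changed_at) <= max_gap:
                alerts.append({"at": t, "from": prev_text, "to": text, "kind": after})
        changed_at, prev_text = t, text
    return alerts


# Constructed values; none of these is a real wallet address.
INTENDED = "1" + "A" * 33      # what the user copied from the wallet app
SWAPPED_IN = "1" + "B" * 33    # stands in for one of the hardcoded addresses
OTHER_ETH = "0x" + "ab" * 20   # an Ethereum address copied later

# Constructed poll log: (seconds since start, clipboard contents).
SAMPLE_POLLS = [
    (0.0, "meeting moved to 3pm"),
    (5.0, INTENDED),        # user copies the payee's address
    (5.2, SWAPPED_IN),      # 200 ms later the clipboard holds another address
    (5.3, SWAPPED_IN),
    (30.0, SWAPPED_IN),
    (60.0, "invoice #1042"),
    (100.0, OTHER_ETH),     # user copies an Ethereum address
    (130.0, INTENDED),      # 30 s later a Bitcoin address: a normal workflow
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_POLLS):
        print("clipboard swap suspected at t=%.1fs: %s -> %s (%s)"
              % (alert["at"], alert["from"], alert["to"], alert["kind"]))
```

The timing heuristic complements, rather than replaces, the advice in the write-up: a wallet application can apply the same idea by remembering the address the user copied and refusing to send if the pasted address differs from it.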



Victims Lose Access to Thousands of Photos as Instagram Hack Spreads


Originally seen: August 14th, on threatpost by Tara Seals

In a probable quest to build a botnet, someone is hacking Instagram accounts, deleting handles, avatars and personal details, and linking them to a new email address.

An Instagram hack is spreading across the internet, with increasing numbers of victims finding their accounts hijacked and personal details altered — and account recovery so far impossible.

Starting at the beginning of the month, people began experiencing random log-outs from their accounts; from there, their handles, avatars and personal details like their bios were deleted. On top of that, the accounts were linked to a new email address, thus subverting the account recovery process.

Oddly, prior, legitimate posts haven’t been deleted, nor have new posts appeared on the hijacked accounts’ timelines. This has led at least one security researcher to speculate that the malefactor is on a quest to build a botnet.

“Although no one seems to know for sure, I assume the hacked accounts were intended to be used as spambots,” said Paul Bischoff, privacy advocate at Comparitech.com, via email. “Even if some victims regain control of their accounts, many of those affected have likely quit the platform or just won’t go through the trouble, adding soldiers to the spambot army.”

The threat actor remains unknown; while the newly linked email address is a .ru Russian domain, that could be a red herring meant to point attribution away from the true perpetrator.

“Having a hacked account associated with a Russian email address may well signify that the attacker is a resident of that country, but it is certainly not a foregone conclusion – email addresses are easily spoofed, either to conceal identity or to encourage finger pointing toward the wrong place,” said Lee Munson, security researcher at Comparitech.com, in an email.

The situation, first reported by Mashable, seems to be worsening, with hundreds of complaints flooding the photo-sharing site’s Twitter feed, and many comments filtering into Reddit.

Many complain that they are getting no response from Instagram when they ask for help in gaining control of their accounts.

“@instagram this is the 6th time I’ve reached out and no response… my account has been hacked and I need it recovered!!,” said one disgruntled user, @brycehendrixx.

Others complained of deeper issues: “@instagram someone hacked my account and changed my username and pword but is keeping all of my pictures up as if it is them,” tweeted Alyssa Rogalski. “You rejected my report and said they did not violate any of your guidelines, so you’re saying it’s ok if someone is hacking and impersonating me?”

For its part, Instagram – which is owned by Facebook – issued a boilerplate media statement: “We work hard to provide the Instagram community with a safe and secure experience. When we become aware of an account that has been compromised, we shut off access to the account and the people who’ve been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts.”

However, as mentioned, account recovery doesn’t seem to be on the table for most victims.

“My account has been hacked for 3 days now and no one has reached out,” tweeted one affected user, Liz Teal. “Email, phone number, username and profile picture changed- so you cannot go through the steps they have in place on their FAQ page. Unbelievable!”

Threatpost has reached out to Instagram directly and will update this post with any further details or responses.

“There’s not much to go on now, and Instagram has not stated how or why these attacks occurred,” said Bischoff. “While it is possible that hackers breached Instagram to take over these accounts, I think it is more likely that the victims’ login credentials were stolen by malware or compromised in a phishing attempt. The original report does not specify whether victims are Android or iOS users, which would have helped to pinpoint the cause.”

Perhaps most perplexing, one victim told Mashable that he had two-factor authentication (2FA) enabled – and was still hacked. There could be straightforward explanations for this, according to researchers.

“While it’s unclear how these hackers defeated Instagram’s 2FA, it likely has to do with the spate of SIM hacking that has seen several prominent websites being hacked,” said Bill Evans, vice president at One Identity, via email. “To thwart this scenario, websites need to build support for app-based 2FA…It’s far less susceptible to hacking than SMS-based hacking, which depends on a second factor code being sent via SMS to the user’s phone. As previously reported, it appears that Instagram is moving in this direction – which is great.”

Comparitech.com’s Munson added: “While 2FA is a very good secondary line of defense, it is not infallible. Typically, it can be circumvented via phishing – either tricking someone into revealing the 2FA identifier or, far more likely, by getting them to log in to a fake version of the site they were intending to visit. To protect against such account hijacks on Instagram, people should definitely employ two-factor authentication, but they should also be careful to only access the site through the app (only downloaded from an official app store) or by typing the URL directly into their browser.”

Recent App Issues Reveal Facebook’s Struggles to Temper Data Privacy Woes


Originally Seen: August 23rd on Threatpost by Lindsey O’Donnell

Facebook has been struggling to keep its data privacy woes at bay this week, between banning apps on its social media platform – and pulling its own app from Apple’s store.

Facebook was hit with a double data privacy punch on Wednesday. First, Facebook acknowledged in a public post that one of the apps on its platform, myPersonality, inappropriately shared 4 million users’ data with researchers. Also on Wednesday, The Wall Street Journal reported that Facebook pulled its data security service, Onavo Protect, from Apple’s official App Store after Apple said that the app violated its data collection policies.

Facebook responded: “We will continue to investigate apps and make the changes needed to our platform to ensure that we are doing all we can to protect people’s information.”

The news comes as privacy experts are pushing the social media giant to double-down on its efforts around social media data privacy – especially on the heels of its backlash around the Cambridge Analytica scandal in March.

The recent incidents also reveal a behind-the-curtains look at how the giant is still struggling to navigate data privacy.

Facebook VP of Product Partnerships Ime Archibong said on Wednesday that the company will ban an app called myPersonality and notify the roughly 4 million impacted users after discovering that the app had misused information collected from them.

“Today we banned myPersonality — an app that was mainly active prior to 2012 — from Facebook for failing to agree to our request to audit and because it’s clear that they shared information with researchers as well as companies with only limited protections in place,” Archibong said in a post.

MyPersonality is a Facebook app, created in 2007, that enabled users to participate in psychological research by filling in a personality questionnaire and then offered them feedback on their scores. David Stillwell, the creator of the app, did not respond to a request for comment on the situation from Threatpost.

“As well as the data from the tests, around 40% of the respondents also opted in to share data from their Facebook profile, resulting in one of the largest social science research databases in history,” according to the app project’s website. “The application was active until 2012 and collected data from over 6 million volunteers during this time. This data was anonymised and samples of it were shared with registered academic collaborators around the world through the myPersonality project, resulting in over 45 scientific publications in peer-reviewed journals.”

Facebook did not specify what data was passed to researchers or where the specific violations occurred. There is no current evidence that myPersonality accessed the Facebook “friends” of those impacted – though that may change, Facebook said.

But apps passing data to outside third parties is a sore spot for Facebook. In March, the company’s firestorm around data privacy and misuse started with an app developer violating the company’s platform policies by collecting data via an app under the pretense of using it for psychological research – and instead passing users’ personal information to Cambridge Analytica and its parent company SCL.

myPersonality is only one of many apps that the company has looked at – Facebook said that since March, it has investigated thousands of apps, and suspended 400 of those due to concerns around data misuse and user data privacy.

Interestingly, last week one of those initially suspended apps, Crimson Hexagon, announced that it has been un-suspended from Facebook’s platform.

Facebook, in July, said it had suspended Crimson Hexagon due to concerns about the collection and sharing of data. The company launched an investigation into whether the Boston-based company’s collection of public user data was a violation of its policies concerning the use of data for government surveillance.

Fast forward to last week, Crimson Hexagon announced that it has been re-instated on Facebook and its customer base will now be able to once again access those data sources.

“Several of Facebook’s questions focused on a small number of our government customers, which represent less than 5 percent of our business,” said Dan Shore, senior vice president with Crimson Hexagon in a post. “Historically, we have vetted potential government customers similar to our other customers — with a goal of understanding their proposed use of our platform in order to make them successful. To our knowledge, no government customer has used the Crimson Hexagon platform for surveillance of any individual or group.”

In another turn of events around data privacy, Facebook’s data security app Onavo Protect was pulled from Apple’s App Store after Apple said it violated its data policies, according to The Wall Street Journal report.

Onavo Protect is a mobile VPN app that encrypts users’ personal information and monitors their data to help customers manage their mobile data usage and limit apps that use lots of data.

Onavo Protect, which was acquired by Facebook in 2013 and alerts customers when they visit a potentially malicious website, was collecting and analyzing users’ behavior to understand customer activity outside of Facebook’s app, the report alleged.

Facebook confirmed to Threatpost that they pulled the app from Apple’s App Store, however: “We’ve always been clear when people download Onavo about the information that is collected and how it is used,” a spokesperson told us. “As a developer on Apple’s platform we follow the rules they’ve put in place.”

According to the report, Onavo Protect violates Apple’s developer agreement, which prevents apps from utilizing data that is not relevant to their purpose. The app also did not follow new rules that Apple unveiled earlier this summer to limit developer data harvesting. Onavo Protect’s website shows that the app is still available on Android.

Between the Onavo Protect incident and its investigation of apps on its own platform, it’s clear that Facebook is struggling to navigate the data privacy policy landscape in an environment filled with data, experts say.

“The [March] Facebook breach made it clear: social media platforms need to be completely transparent and ask for double opt-in,” Andrew Avanessian, chief operations officer at Avecto, told Threatpost. “We need these platforms to have different incentives than they have in the past and dedicate their companies to protecting user data. There needs to be a fundamental overhaul for social platforms. Data privacy is everyone’s issue and I think it will make developers stop and think about how they are using other people’s data.”

Morten Brøgger, CEO of Wire, agreed: “Every company and customer has the right to know where their data is going and how it is being used,” he said. “Businesses need to choose which applications they use wisely, and should only allow those which are fully open sourced and independently audited to be used in the business setting.”

Hanging Up on Mobile in the Name of Security


Originally seen: Krebsonsecurity on 8/16/18

An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.

The claims come in a lawsuit filed this week in Los Angeles on behalf of Michael Terpin, who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

According to Terpin, this was the second time in six months someone had hacked his AT&T number. On June 11, 2017, Terpin’s phone went dead. He soon learned his AT&T password had been changed remotely after 11 attempts in AT&T stores had failed. At the time, AT&T suggested Terpin take advantage of the company’s “extra security” feature — a customer-specified six-digit PIN which is required before any account changes can be made.

Terpin claims an investigation by AT&T into the 2018 breach found that an employee at an AT&T store in Norwich, Conn. somehow executed the SIM swap on his account without having to enter his “extra security” PIN, and that AT&T knew or should have known that employees could bypass its customer security measures.

Terpin is suing AT&T for his $24 million worth of cryptocurrencies, plus $200 million in punitive damages. A copy of his complaint is here (PDF).

AT&T declined to comment on specific claims in the lawsuit, saying only in a statement that, “We dispute these allegations and look forward to presenting our case in court.”


Mobile phone companies are a major weak point in authentication because so many companies have now built their entire procedure for authenticating customers on a process that involves sending a one-time code to the customer via SMS or automated phone call.

In some cases, thieves executing SIM swaps have already phished or otherwise stolen a target’s bank or email password. But many major social media platforms — such as Instagram — allow users to reset their passwords using nothing more than text-based (SMS) authentication, meaning thieves can hijack those accounts just by having control over the target’s mobile phone number.

Allison Nixon is director of security research at Flashpoint, a security company in New York City that has been closely tracking the murky underworld of communities that teach people how to hijack phone numbers assigned to customer accounts at all of the major mobile providers.

Nixon calls the current SIM-jacking craze “a major identity crisis” for cybersecurity on multiple levels.

“Phone numbers were never originally intended as an identity document, they were designed as a way to contact people,” Nixon said. “But because all these other companies are building in security measures, a phone number has become an identity document.”

In essence, mobile phone companies have become “critical infrastructure” for security precisely because so much is riding on who controls a given mobile number. At the same time, so little is needed to undo weak security controls put in place to prevent abuse.

“The infrastructure wasn’t designed to withstand the kind of attacks happening now,” Nixon said. “The protocols need to be changed, and there are probably laws affecting the telecom companies that need to be reviewed in light of how these companies have evolved.”

Unfortunately, with the major mobile providers so closely tied to your security, there is no way you can remove the most vulnerable chunks of this infrastructure — the mobile store employees who can be paid or otherwise bamboozled into helping these attacks succeed.

No way, that is, unless you completely disconnect your mobile phone number from any sort of SMS-based authentication you currently use, and replace it with Internet-based telephone services that do not offer “helpful” customer support — such as Google Voice.

Google Voice lets users choose a phone number that gets tied to their Google account, and any calls or messages to that number will be forwarded to your mobile number. But unlike phone numbers issued by the major mobile providers, Google Voice numbers can’t be stolen unless someone also hacks your Google password — in which case you likely have much bigger problems.

With Google Voice, there is no customer service person who can be conned over the phone into helping out. There is no retail-store employee who will sell access to your SIM information for a paltry $80 payday. In this view of security, customer service becomes a customer disservice.

Mind you, this isn’t my advice. The above statement summarizes the arguments allegedly made by one of the most accomplished SIM swap thieves in the game today. On July 12, 2018, police in California arrested Joel Ortiz, a 20-year-old college student from Boston who’s accused of using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

Ortiz allegedly had help from a number of unnamed accomplices who collectively targeted high-profile and wealthy people in the cryptocurrency space. In one of three brazen attacks at a bitcoin conference this year, Ortiz allegedly used his SIM swapping skills to steal more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million the victim had crowdfunded.

Ortiz reportedly was a core member of OGUsers[dot]com, a forum that’s grown wildly popular among criminals engaging in SIM swaps to steal cryptocurrency and hijack high-value social media accounts. OG is short for “original gangster,” and it refers to a type of “street cred” for possession of social media account names that are relatively short (between one and six characters). On ogusers[dot]com, Ortiz allegedly picked the username “j”. Short usernames are considered more valuable because they confer on the account holder the appearance of an early adopter on most social networks.

Discussions on the Ogusers forum indicate Ortiz allegedly is the current occupant of perhaps the most OG username on Twitter — an account represented by the number zero “0”. The alias displayed on that Twitter profile is “j0”. He also apparently controls the Instagram account by the same number, as well as the Instagram account “t”, which lists its alias as “Joel.”

Shown below is a cached snippet from an Ogusers forum posting by “j” (allegedly Ortiz), advising people to remove their mobile phone number from all important multi-factor authentication options, and to replace it with something like Google Voice.

All four major wireless carriers — AT&T, Sprint, T-Mobile and Verizon — let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

Mobile store employees who can be bought or tricked into conducting SIM swaps are known as “plugs” in the Ogusers community, and without them SIM swapping schemes become much more difficult.

Last week, KrebsOnSecurity broke the news that police in Florida had arrested a 25-year-old man who’s accused of being part of a group of at least nine individuals who routinely conducted fraudulent SIM swaps on high-value targets. Investigators in that case say they have surveillance logs that show the group discussed working directly with mobile store employees to complete the phone number heists.

In May I wrote about a 27-year-old Boston man who had his three-letter Instagram account name stolen after thieves hijacked his number at T-Mobile. Much like Mr. Terpin, the victim in that case had already taken T-Mobile’s advice and placed a PIN on his account that was supposed to prevent the transfer of his mobile number. T-Mobile ultimately acknowledged that the heist had been carried out by a rogue T-Mobile store employee.

So consider establishing a Google Voice account if you don’t already have one. In setting up a new number, Google requires you to provide a number capable of receiving text messages. Once your Google Voice number is linked to your mobile, the device at the mobile number you gave to Google should notify you instantly if anyone calls or messages the Google number (this assumes your phone has a Wi-Fi or mobile connection to the Internet).

After you’ve done that, take stock of every major account you can think of, replacing your mobile phone number with your Google Voice number in every case it is listed in your profile.

Here’s where it gets tricky. If you’re all-in for taking the anti-SIM-hacking advice allegedly offered by Mr. Ortiz, once you’ve changed all of your multi-factor authentication options from your mobile number to your Google Voice number, you then have to remove that mobile number you supplied to Google from your Google Voice account. After that, you can still manage calls/messages to and from your Google Voice number using the Google Voice mobile app.

And notice what else Ortiz advises in the screen shot above to secure one’s Gmail and other Google accounts: using a physical security key (where possible) to replace passwords. This post from a few weeks back explains what security keys are, how they can help harden your security posture, and how to use them. If Google’s own internal security processes count for anything, the company recently told this author that none of its 85,000 employees had been successfully phished for their work credentials since January 2017, when Google began requiring all employees to use physical security keys in place of one-time passwords sent to a mobile device.

Standard disclaimer: If the only two-factor authentication offered by a company you use is based on sending a one-time code via SMS or automated phone call, this is still better than relying on simply a password alone. But one-time codes generated by a mobile phone app such as Authy or Google Authenticator are more secure than SMS-based options because they are not directly vulnerable to SIM-swapping attacks.

The web site twofactorauth.org breaks down online service providers by the types of secondary authentication offered (SMS, call, app-based one-time codes, security keys). Take a moment soon to review this important resource and harden your security posture wherever possible.

Mobile fraud is increasing, attack rates rising 24% year-over-year

Posted on

Originally seen: Helpnetsecurity, 9/13/18

ThreatMetrix released new cybercrime insights from the first half of 2018, revealing a sharp rise in fraud attack levels on mobile transactions. As consumer behavior increasingly embraces mobile for virtually all online goods and services, fraudsters are starting to close the gap on this channel.


Mobile becomes the go-to digital channel

The rise of mobile is undisputedly the key change agent in digital commerce currently. According to ThreatMetrix data, in the last three years the proportion of mobile transactions versus desktop has almost tripled. Mobile transactions, which include account creations, logins and payments, reached 58% of all traffic by the middle of 2018.

Mobile fraud rates have tended to lag behind the channel’s overall growth; however, in the first half of 2018 mobile attack rates rose 24% compared with the first half of 2017. In the United States, mobile attack rates grew far faster, by 44%, over the same period.

Globally, one third of all fraud attacks are now targeting mobile transactions. This means that although digital companies do need to prepare for increasing attacks, mobile remains the more secure channel compared to desktop.

Mobile offers organizations unique opportunities for accurately assessing user identity, thanks to highly personalized device attributes, geo-location and behavioral analysis. It offers strong customer authentication options that require no user intervention, including cryptographically binding devices for persistent authentication (“Strong ID”).

“Mobile is quickly becoming the predominant way people access online goods and services, and as a result organizations need to anticipate that the barrage of mobile attacks will only increase,” said Alisdair Faulkner, Chief Identity Officer at LexisNexis Risk Solutions. “The good news is that as mobile usage continues to increase, so too does overall customer recognition rates, as mobile apps offer a wealth of techniques to authenticate returning customers with a very high degree of accuracy. The key point of vulnerability, however, is at the app registration and account creation stage. To verify users at this crucial point, organizations need to tap into global intelligence that assesses true digital identity, compiled from the multiple channels that their customers transact on.”

Financial services under fire

Financial institutions were besieged with 81 million cybercrime attacks in the first half of 2018 on the ThreatMetrix global network. Of these, 27 million were targeting the mobile channel as fraudsters turn their attention to the success story that is mobile banking adoption.

Financial services mobile transactions are growing globally, with China, South East Asia and India showing the strongest regional growth. This indicates that the mobile channel is a key enabler for financial inclusion in emerging economies.

Overall, the biggest threat in financial services comes from device spoofing, as fraudsters attempt to trick banks into thinking multiple fraudulent login attempts are coming from new customer devices, perhaps by repeatedly wiping cookies or using virtual machines.

Mule networks also continue to negatively impact the global banking ecosystem, particularly as financial crime becomes an ever-more sophisticated and hyper-connected beast. The challenge for financial institutions is detecting mule activity even when individual account behavior may not trigger red flags.


Bot attacks illustrate the spread of stolen data to emerging economies

Throughout the first half of 2018 there was an unprecedented spike in the volume of bot attacks targeting digital transactions worldwide. The ThreatMetrix Digital Identity Network registered a 60% spike in bot attacks in the second quarter of the year, increasing from 1 billion bot attacks in Q1 to 1.6 billion in Q2. The sheer volume of this automated bot traffic impacts businesses worldwide because, without the correct measures in place, this slows order processing times and the ability to effectively identify good returning customers in real time. At peak times, individual organizations report these attacks account for more than half of all transactions.

Large retailers are the primary targets as fraudsters attempt to infiltrate good user accounts and access sensitive personal data and saved credit card information. A total of 170 million bot attacks came from mobile devices in 1H 2018.

This bot traffic in the first six months of the year predominantly originated from locations such as Vietnam and South Korea, illustrating the global trend of stolen identity data disseminating to growth regions and emerging economies.

Social networks are growing as a gateway for cybercrime

Social networks and dating websites have the highest mobile footprint of all industries, reaching 85% of total transactions and 88% of account creations by the middle of 2018. This reflects usage patterns that virtually eschew desktop interactions and prioritize mobile app interactions. Given these sites’ often modest security requirements, attack rates are high as hackers use these platforms to test stolen identity credentials, as well as to steal sensitive personal data via account takeovers.

“Social networks are at risk of becoming a gateway to further organized crime”, says Rebekah Moody, Director of Fraud and Identity at ThreatMetrix. “Identity data is arguably as valuable a currency online as hard cash. Fraudsters funnel towards the easiest target to help test, augment and validate stolen identity data to make future attacks more successful: in many cases this is social networks. These organizations must start to deploy the same kind of defenses a user would expect elsewhere online, without introducing unnecessary friction.”

Identity spoofing is widespread, with the ThreatMetrix Q2 2018 Cybercrime Report revealing this as the top attack vector (13.3%) for this sector. IP spoofing is also prevalent, with fraudsters—predominantly from Vietnam, Ghana, Nigeria, U.S. and Philippines—using proxy servers to make it appear as though they are actually based in locations close to their intended victims.

Healthcare Lags Other Industries in Phishing Attack Resiliency Rate

Posted on

Originally Seen: September 18, 2018 on Thinkstock by Fred Donovan

Healthcare lags behind other major industries in its phishing attack resiliency rate, which measures the ratio between people who report a phish versus those who fall victim to one.

Healthcare trails other major industries in its phishing attack resiliency rate, which measures the ratio between people who report a phish versus those who fall victim to one, according to a report released Sept. 17 by Cofense.

The healthcare resiliency rate for the last 12 months was 1.49, compared with an average resiliency score of 1.79 for all industries examined by Cofense (formerly PhishMe).

By comparison, the energy sector had a resiliency rate of 4.01, the insurance industry had a rate of 3.03, and financial services had a rate of 2.52. The data is based on phishing simulations that Cofense uses to test employees at customer organizations.

“One factor that surely inhibits the industry’s resiliency: high turnover. With physicians, registered nurses, and administrative staff constantly churning, it’s hard to gain traction in the fight against phishing,” the report commented.

The top five phishing scenarios that healthcare workers most frequently clicked on were Requested Invoice, Manager Evaluation, Package Delivery, Halloween eCard Alert, and Beneficiary Change.

“The healthcare industry knows better than most that phishing is a serious problem. But the industry is still playing catch-up in phishing resiliency,” the report noted.

Unfortunately, phishing has become the preferred method for hackers to get access to healthcare organizations to steal valuable medical data.

The 2018 Verizon Data Breach Investigations Report (DBIR) found that phishing and financial pretexting represented 93 percent of all breaches investigated by Verizon, with email being the main entry point (96%).

Phishing is also a way attackers deploy ransomware, which has devastated the healthcare industry over the last couple of years. The Verizon report found that ransomware accounts for 85 percent of the malware in healthcare.

In a phishing campaign, an attacker poses as a legitimate person or entity in an email to get the target to provide valuable information, such as credentials, or click on a link that results in ransomware being downloaded on the victim’s machine.

It only takes one person to fall for the bait for an entire organization to be infiltrated.

According to an American Medical Association and Accenture survey of 1,300 US physicians, 83 percent of respondents had experienced a cyberattack and more than half of those said the attack came in the form of a phishing email.

Nearly two-thirds of all the physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one-third of physicians in medium-sized practices that suffered a cyberattack said they experienced nearly a full day of downtime.

More than half of the physicians were very or extremely concerned about future cyberattacks in their practice. In addition, physicians were most concerned that future attacks could interrupt their clinical practices (74%), compromise the security of patient records (74%), or impact patient safety (53%).

Data from Wombat Security’s learning management system revealed that the healthcare industry is one of the worst when it comes to data security knowledge, answering 23 percent of IT security best practice questions wrong on average.

The Wombat learning management system includes questions about avoiding ransomware attacks and identifying phishing threats, two topics dear to the heart of healthcare CISOs.

Alan Levine, a cybersecurity advisor to Wombat Security, told HealthITSecurity.com: “If an email purports to come from a person who seems to be an authority, then it is very likely that people who receive the email will not look for the specific things that may indicate that there is a potential risk with the email and will instead be more interested in promptly reacting to it.”

The primary purpose of a phishing attack is to gain a foothold inside the organization by infecting a computer or other endpoint.

“Then an attacker will use that individual platform that he now controls to do a variety of things,” Levine said. “He wants to move from PC to PC, within a subnet, and laterally across subnets in order to compromise or control as many other devices as possible. Now he has a base of operations.”

“By collecting information from an individual compromised asset,” he continued, “an attacker learns a great deal about the institution itself in which that compromised machine now operates. Maybe he gets a copy of the GAL, which is the global address list. Now he’s got a lot more email addresses he can send phishes to.”

To combat phishing, organizations need to train employees on how to spot and avoid phishing emails. They also need to adopt security best practices and deploy appropriate technology to lessen the chances that a phishing attack will succeed.

Health care cyber experts tout progress in vulnerability disclosure at BSides Vegas

Posted on


The delicate process for disclosing software and hardware bugs in medical devices has made important strides in recent years, according to experts, as big manufacturers have set up disclosure programs and the threat of lawsuits against security researchers has receded. Health care cybersecurity hands are now looking to capitalize on what they say is growing trust between manufacturers and researchers to strengthen vulnerability disclosure in the industry.

“There’s still a lot of work to be done to make it better, but man, has it come a far way,” Jay Radcliffe, a cybersecurity researcher at medical device manufacturer Boston Scientific, said at the BSides Las Vegas conference Tuesday. “And as a researcher, that makes me a lot more comfortable doing my disclosures and doing my research.”

Radcliffe, who is diabetic, told the story of a presentation he gave at Black Hat in 2011 on hacking insulin pumps.

“At that time, the state of disclosure was pretty chaotic,” he said. “I didn’t feel comfortable enough going to the manufacturer to disclose that before my talk” out of fear of getting sued.

The Digital Millennium Copyright Act, for example, could have been used to prosecute researchers for accessing copyrighted data on a device. But a three-year exemption to that DMCA provision for “good faith” research, instituted in October 2015, has helped lift the specter of lawsuits. And last year, Radcliffe said he worked hand-in-hand with a different manufacturer when he found the same type of vulnerability in an insulin pump.

“They said, ‘Great. We have a vulnerability intake program and we want to work with you and make sure that we address these issues correctly and safely,’” he recalled. That greater collaboration between researchers and manufacturers in health care mirrors the progress in vulnerability disclosure made in other sectors, such as the automotive industry.

Health care delivery organizations are demanding more secure devices, according to Radcliffe. “They actually are doing their homework and they’re asking lots of questions of us – of how we are testing these devices, how are we guaranteeing that these devices that they’re buying are going to be secure not only now, but secure going forward for the next five, 10, 15 years,” he said.

In recent years, industry heavyweights like Johnson & Johnson have set up vulnerability disclosure programs, while the Food and Drug Administration has advised manufacturers to “systematically” address cybersecurity risk, including through a coordinated disclosure process. Nonetheless, industry insiders say more work is needed to make these practices widespread.

Suzanne Schwartz, a top cybersecurity official at the FDA, said she would like to see wider adoption of vulnerability disclosure programs among medical device manufacturers beyond the “two handfuls” of companies that are leading the way. Within the next year, she said, industry groups will be identifying the concerns and challenges that may be keeping many manufacturers from setting up programs. The goal, she said at the BSides panel, is to ramp up the number of companies that have programs from roughly 15 today to, say, 100.

The maturing of vulnerability disclosure programs comes as the health care industry has grappled with the persistent threat of ransomware, with hackers looking to exploit health care facilities’ reliance on sensitive data. In January, for example, the SamSam ransomware struck an Indiana hospital’s computer network, and hospital officials paid hackers roughly $50,000 to unlock the data.

To prepare for attacks like that, Radcliffe said hospitals need to have a clearer understanding of their IT assets and how to make them more secure. “It makes me very nervous to see the amount of devices that go unpatched,” he said.

For her part, Schwartz said the FDA has been working with cybersecurity company MITRE and the states of Massachusetts and New York to produce “playbooks” in helping hospitals prepare for and respond to such cyberattacks.