Weekly Cyber Risk Roundup: Bitcoin Attacks Dominate Headlines, New Phishing Warnings

Several cryptocurrency exchanges were among the week’s top trending cybercrime targets due to a variety of different currency thefts, data breaches, and warnings from researchers.


The most impactful incident occurred at the bitcoin mining platform and exchange NiceHash, which said on Wednesday that its payment system was compromised and the bitcoin in its wallet was stolen. NiceHash said it is “working to verify the precise number of BTC taken”; however, news outlets reported that a wallet linked to the attack obtained around 4,736 bitcoin, which is valued at more than $72 million based on Saturday’s price. The company has not released many details about the attack other than that it began after an employee’s computer was compromised.

In addition, researchers warned this week that the increased valuation of bitcoin has led to it becoming one of the top 10 most targeted industries for DDoS attacks. On Monday, Bitfinex said that its services were disrupted by a DDoS attack. On Thursday, Coinbase warned that the explosion of interest in digital currencies was creating “extreme volatility and stress” on its systems and warned its users to invest responsibly as any future downtime could impact their ability to trade.

News outlets also reported that some Bittrex customers who went through the company’s manual verification process and were rejected have received customer support emails containing the passport details and photographs of other users, although Bittrex has not confirmed the reports.

Finally, the SEC announced that it obtained an emergency asset freeze to halt the initial coin offering (ICO) of PlexCorps after it raised up to $15 million from thousands of investors by falsely promising a 13-fold profit in less than a month’s time.


Other trending cybercrime events from the week include:

  • TIO Networks announces breach: PayPal announced a breach at TIO Networks, a payment processor it acquired in July, that affects approximately 1.6 million customers. City Utilities (CU) and Duke Energy have since notified customers that their personal information was compromised due to the breach, as TIO was the provider of the operating system for CU’s payment kiosks and mobile payment app, in addition to being used to process Duke Energy’s in-person payments.
  • Payment card breaches: The Image Group is notifying customers of a temporary vulnerability on its eCommerce platform, Payflow Pro, that made some payment card numbers susceptible to interception while in transit to PayPal. JAM Paper & Envelope is notifying customers of a payment card breach affecting its website due to unauthorized access by a third party. A payment card breach involving the Royal National Institute for the Blind’s web store affects as many as 817 customers, and around 55 individuals have already reported fraudulent activity as a result of the incident.
  • Extortion attacks: The Alameda County Library is notifying its users that their personal information may have been compromised after it received an extortion email claiming that hackers had gained access to the library’s entire database of users and might sell that information if they were not paid a five-bitcoin ransom. The Mecklenburg County government in North Carolina said that its computer systems were infected with ransomware that is demanding $23,000 for the encryption key. Mad River Township Fire and EMS Department in Ohio said that years of data related to residents who used EMS or fire services was lost due to a ransomware infection. The fertility clinic CCRM Minneapolis said that nearly 3,300 patients may have had their information compromised due to a ransomware attack.
  • Other notable incidents: The Center for Health Care Services in San Antonio is notifying 28,434 patients that their personal information was stolen by a former employee. The County of Humboldt is notifying current and former employees that the Humboldt County Sheriff’s Office recovered payroll documents from the county. Pulmonary Specialists of Louisville is notifying patients their information may have been compromised due to possible unauthorized access. Virtual keyboard developer Ai.Type, bike sharing company oBike, Real Time Health Quotes, and Stanford University all had data breaches due to accidental data exposure. Baptist Health Louisville, Sinai Health System, and The Henry Ford Health System notified patients of employee email account breaches.
  • Law enforcement actions: Authorities reportedly shut down Leakbase, a service that sold access to more than two billion credentials collected from old data breaches. The Justice Department announced a software developer at the National Security Agency’s Tailored Access Operations has pleaded guilty to removing classified NSA data and later having that data stolen from his personal computer by Russian state-sponsored actors. A Michigan man pleaded guilty to gaining access to the Washtenaw County computer network and altering the electronic records of at least one inmate in an attempt to get the inmate released early. A Missouri man has been sentenced to six years in prison for hacking his former employer, American Crane & Tractor Parts, in order to steal trade secrets.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Phishing concerns were highlighted once again this past week due to a newly announced vulnerability that allows malicious actors to spoof emails, as well as warnings that phishers are making efforts to appear more legitimate.

A researcher has discovered a collection of bugs in email clients, dubbed “Mailsploit,” that circumvents spoofing protection mechanisms and, in some cases, allows code injection attacks. The vulnerabilities were found in dozens of applications, including Apple Mail, Mozilla Thunderbird, Microsoft Outlook 2016, Yahoo! Mail, ProtonMail, and others.

The bug has been fixed in 10 products and triaged for 8 additional products, the researcher said. Mozilla and Opera said they won’t fix the bug as they consider it to be a server-side problem; however, Thunderbird developer Jörg Knobloch told Wired that a patch would be made available. DMARC spoofing protection is not attacked directly by Mailsploit, the researcher said, but rather bypassed by taking advantage of how the clients display the email sender name: the authenticated address can pass DMARC while the client renders a different, attacker-chosen name to the user.
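Because DMARC validates the address while the client renders the display name, a mail gateway or SIEM rule that inspects the decoded display name catches what the authentication check cannot. The following is an added defensive example, not code from the article or from the Mailsploit researcher; it assumes headers are already extracted as strings, and the sample headers are constructed here (the control-character case follows the public Mailsploit disclosure, a detail this page does not go into).

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample From: headers (not from the article). The third one carries an
# RFC 2047 encoded-word whose decoded text contains a NUL, the kind of input the
# public Mailsploit writeup describes clients mis-rendering.
SAMPLE_FROM_HEADERS = [
    'Alice Example <alice@example.com>',
    '"ceo@example.com" <mailer@example.net>',
    '=?utf-8?B?' + base64.b64encode(b'ceo@example.com\x00 (via)').decode() + '?= <mailer@example.net>',
]

# Loose matcher for something that looks like an address inside a display name.
ADDR_RE = re.compile(r'[\w.+-]+@[\w.-]+\.\w+')


def decode_display_name(raw_from):
    """Split a From: header into (decoded display name, addr-spec)."""
    name, addr = parseaddr(raw_from)
    parts = decode_header(name)  # handles =?charset?B/Q?...?= encoded-words
    decoded = ''.join(
        p.decode(enc or 'ascii', 'replace') if isinstance(p, bytes) else p
        for p, enc in parts
    )
    return decoded, addr


def check_from_header(raw_from):
    """Return findings for a From: header; an empty list means nothing suspicious."""
    findings = []
    name, addr = decode_display_name(raw_from)
    # Control characters never belong in a display name; clients that truncate on
    # them will show the user something other than the real sender.
    if any(ord(c) < 0x20 or c == '\x7f' for c in name):
        findings.append('control character in decoded display name')
    # A display name that itself looks like an address at a different domain is a
    # lookalike: the user sees one sender, DMARC authenticated another.
    real_domain = addr.rpartition('@')[2].lower()
    for embedded in ADDR_RE.findall(name):
        if embedded.rpartition('@')[2].lower() != real_domain:
            findings.append(f'display name shows {embedded} but address is {addr}')
    return findings


if __name__ == '__main__':
    for hdr in SAMPLE_FROM_HEADERS:
        print(repr(hdr), '->', check_from_header(hdr) or 'ok')
```

Legitimate forwarding services sometimes place the original sender's address in the display name, so the lookalike rule is better used to quarantine for review than to reject outright.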

In addition, researchers said that nearly a quarter of all phishing websites are now hosted on HTTPS domains, up from three percent a year ago. The increase is due to both an increased number of HTTPS websites that can be compromised and used to host malicious content, as well as phishers registering HTTPS domains themselves due to their belief that the “HTTPS” designation makes a phishing site seem more legitimate to potential victims. An informal poll conducted by PhishLabs found that more than 80% of the respondents incorrectly believed the green padlock associated with HTTPS websites indicated that a website was either legitimate or safe — when in reality it only means that the connection is encrypted.

Individuals and organizations should be aware that malicious actors continue to leverage exploits like Mailsploit along with more secure-looking websites in order to dupe potential victims via phishing attacks with the goal of installing malware, gaining access to networks, or stealing sensitive data.

Weekly Cyber Risk Roundup: Uber’s Breach Woes, Major Cybercriminals Prosecuted

Uber was the week’s top trending cybercrime target due to the announcement of a year-old breach that affects 57 million customers and drivers. In addition, the company admitted to paying the hackers $100,000 in an effort to keep the breach out of the public eye.


The data was stolen in October 2016, and it includes the names, email addresses, and phone numbers of 50 million Uber riders, as well as the driver’s licenses and personal information of approximately 7 million drivers. Bloomberg reported that two attackers accessed a private GitHub repository used by Uber software engineers, used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company, and then discovered an archive of rider and driver information they later used to extort the company.

The breach announcement is just the latest chapter in Uber’s security and legal woes, and Dara Khosrowshahi, who took over as chief executive officer in September, said that the company is “changing the way we do business” moving forward. The payment of $100,000 to conceal the breach and have the attackers delete the stolen information led to the firing of Uber’s chief security officer and another employee for their roles in the incident. Reuters reported that three senior managers within Uber’s security unit have since resigned as well.

Europe’s national privacy regulators have formed a task force to investigate Uber’s breach and the company’s attempt at concealing it from regulators. In addition, numerous state attorneys general have initiated investigations or lawsuits related to the breach. The breach also came a week before three senators introduced a national bill that would require companies to report data breaches within 30 days.


Other trending cybercrime events from the week include:

  • Organizations continue to expose data: Researchers found 111 GB of internal customer data from National Credit Federation exposed online via a publicly accessible Amazon S3 bucket. Researchers discovered three publicly accessible Amazon S3 buckets tied to Department of Defense intelligence-gathering operations that contain at least 1.8 billion posts of scraped internet content over the past 8 years. Researchers discovered data belonging to the United States Army Intelligence and Security Command (INSCOM) exposed on the internet, including internal data and virtual systems used for classified communications. A security researcher discovered a file containing 11 million email addresses and plaintext passwords for users of Armor Games and Coupon Mom. Dalhousie University is notifying 20,000 individuals that their personal information was inadvertently saved to a folder accessible by faculty, staff, and students.
  • Email incidents lead to breaches: YMCA of Central Florida is notifying individuals that an unauthorized person gained access to several employee email accounts, potentially compromising a variety of personal information including ID cards, financial information, and health information. The Medical College of Wisconsin said that 9,500 patients had their information compromised due to a spear phishing attack on the school’s email system. Ireland’s Central Statistics Office said that 3,000 former employees had their personal information exposed due to an error that resulted in their personal P45 information being sent via email.
  • More extortion attacks: The British shipping company Clarksons said that it was the victim of a data breach and that the actors behind the breach have threatened to release some of the stolen data if a ransom is not paid. The Texas Department of Agriculture, which oversees school breakfast and lunch programs, said that several East Texas school districts were affected by a ransomware infection on a department employee’s computer. A server used by USA Hoist Company, Mid-American Elevator Company, and Mid-American Elevator Equipment Company to store employee and vendor information was infected with ransomware by a group claiming to be TheDarkOverlord.
  • Other notable incidents: Imgur said that it was recently notified by a researcher of a data breach that occurred in 2014 affecting the email addresses and passwords of 1.7 million user accounts. Combat Brands is notifying customers of a breach of payment card data involving cards used at fightgear.com, fitness1st.com, ringside.com, and combatsports.com between July 1, 2015 and October 6, 2017. The Australian Department of Social Services is notifying 8,500 individuals that data relating to staff profiles within the department’s credit card management system prior to 2016 has been compromised due to a breach at a contractor. Brinderson, L.P. is notifying employees that their personal information may have been compromised due to unauthorized access to one of its computer systems.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

This past week saw several notable legal actions against cybercriminals.

The most prominent figure was Roman Valeryevich Seleznev, aka Track2, who was sentenced to 14 years in prison for his role in the 2008 defrauding of Atlanta-based payment card processor RBS Worldpay – which led to the theft of 45.5 million debit card numbers and $9.4 million in fraudulent ATM withdrawals – as well as his role in selling stolen payment card and personal data to members of carder.su – a cybercriminal website that resulted in victims losing at least 50 million dollars.

As SurfWatch Labs noted in April, Seleznev is already serving a 27-year prison sentence, the longest ever related to cybercrime, for his role in a separate $170 million payment card fraud operation. The prosecutors in that case described Seleznev as “the highest profile long-term cybercriminal ever convicted by an American jury” and a “pioneer” and “revered” point-of-sale hacker in the criminal underworld. Seleznev’s two sentences will be served concurrently.

In addition, the U.S. government has charged three Chinese nationals with hacking into Siemens AG, Trimble Inc, and Moody’s Analytics between 2011 and 2017 to steal business secrets. According to the indictment, the three defendants were associated with the Chinese cybersecurity firm Guangzhou Bo Yu Information Technology Company Ltd. Government officials told Reuters that most if not all of the firm’s hacking operations are state-sponsored and directed; however, the case is not being prosecuted as state-sponsored hacking.

The week also saw the guilty plea of one of the four men indicted earlier this year on charges related to the hacking of Yahoo. Karim Baratov, 22, a Canadian national and resident, pleaded guilty for his role in assisting the three other men who are charged and remain at large in Russia. The three other men are accused of hacking Yahoo’s network, and Baratov said in his plea agreement that he hacked more than 11,000 webmail accounts in total from around 2010 until March 2017, including accounts of individuals of interest to the FSB as directed by one of the other men. Baratov’s sentencing hearing is scheduled for February 20, 2018.

Finally, Europol announced that a joint law enforcement action across 26 countries had led to the arrest of 159 individuals and the identification of 766 money mules and 59 money mule organizers. The money mule transactions accounted for total losses of nearly €31 million, more than 90 percent of which was cybercrime related.