Archive for April 2019

Fake Social Accounts Multiply; Can Users ID Them?

Despite Facebook and Twitter repeatedly removing illegitimate accounts from their social media platforms, the number of impersonating accounts increased 56% from 2017 to 2018 and is projected to continue to grow by 30% in 2019, according to research from ZeroFOX.

Because of this rapid proliferation of fake accounts, it is becoming increasingly more difficult for users to distinguish between accounts that are real or fake, the research found. In an April 23 blog post, ZeroFOX’s Diana Parks wrote, “There is no denying that fake profiles run rampant on social media and digital platforms. Between October 2017 and September 2018, Facebook alone removed almost 2.8 billion illegitimate accounts worldwide. By some estimates, this accounts for between 25–35% of all Facebook accounts.”

While fake accounts online are inevitable, they are also highly problematic and pose security risks to individuals and organizations. Bad actors use fraudulent accounts to target individuals through social engineering; others use them for scams, to distribute phishing links, malware and other malicious content, or to post inappropriate content.

Still, not everyone can easily distinguish which social media accounts are fake. Despite a 2018 post offering users tips on how to spot a fake account, the number of impersonating profiles has increased across social networking sites. This continued growth prompted ZeroFOX to develop a quiz in which users are challenged to correctly identify the fake social media account.

In addition, research from the ZeroFOX Alpha team found that since 2017 there has been a steady growth in the number of both brand and executive impersonations. “Between 2017 and 2018, brand impersonations for ZeroFOX customers increased by 5%. Based on current projections, the ZeroFOX Alpha Team anticipates an estimated 17% increase in brand impersonations over the next year. The numbers are even more staggering for executive impersonations,” Parks said.

Fake accounts impersonating top executives and VIPs reportedly grew by over 300% between 2017 and 2018 and are expected to rise another 47% in 2019.

Source: Information Security Magazine

ASUS Not Alone in ShadowHammer Supply Chain Attack

Researchers believe that in last month’s malware attack, dubbed Operation ShadowHammer, Taiwanese technology giant ASUS was not the only company targeted by supply chain attacks. According to Kaspersky Lab, there were at least six other organizations that the attackers infiltrated during the ShadowHammer hacking operation.

“In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia,” Kaspersky researchers wrote in a blog post. Electronics Extreme Co. Ltd., a game developer from Thailand, was among the vendors listed as having released digitally signed binaries of a video game called Infestation: Survivor Stories, which was reportedly taken offline in 2016.

“This weaponization of code signing is direct evidence that machine identities are a beachhead for cyber-criminals. The only way to protect against these kinds of attacks is for every software development organization to make sure they are properly protected,” said Michael Thelander, director of product marketing at Venafi.

“No one should be surprised at how extensive this attack is. Due to their wide reach, bad actors target code-signing certificates in broad, deliberate campaigns and leverage them in large, multi-stage attacks.”

Supply chain attacks have become increasingly concerning, according to the 2019 Internet Security Threat Report, which found that supply chain attacks rose by 78% between 2017 and 2018, prompting US intelligence agencies to partner in designating April as Supply Chain Integrity Month.

“Software subversion attacks – such as the ASUS Live Update intrusions – are particularly difficult to thwart because they are incredibly sophisticated and highly targeted,” said Chris Duvall, senior director at The Chertoff Group.

“Unfortunately, due to the apparent success rate, we can expect to see a continued surge in the use of third-party applications as the back channel into networks. While not a panacea, we advise clients to help prevent these attacks by accessing file integrity whenever possible and maintaining good cyber hygiene through configuration hardening, vulnerability management, and segmentation.”
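The file-integrity check Duvall recommends is, at its simplest, a digest manifest that the client re-verifies before installing an update. The following is an added example, not code from Kaspersky, Venafi, ASUS or the article; it assumes a hypothetical vendor that ships a SHA-256 manifest beside its package, and it shows only the hashing half (a code-signing signature over the manifest is the stronger form that the ShadowHammer attackers subverted).

```python
"""Hash-manifest integrity check for an update package (added example).

Assumption (hypothetical): the vendor publishes a manifest mapping each file to its
SHA-256 digest, and the client re-hashes the delivered tree before installing.
Any file that is modified, missing or unexpected is reported rather than installed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Per-file status: 'ok', 'modified', 'missing' or 'unexpected'.

    'unexpected' matters as much as 'modified': a dropped helper library that the
    manifest never listed is exactly how an implant rides along with a real update.
    """
    current = build_manifest(root)
    status: dict[str, str] = {}
    for rel, digest in manifest.items():
        if rel not in current:
            status[rel] = "missing"
        elif current[rel] != digest:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for rel in current.keys() - manifest.keys():
        status[rel] = "unexpected"
    return status


def demo() -> dict[str, str]:
    """Constructed package: baseline it, then simulate a tampered delivery."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "updater.exe").write_bytes(b"MZ" + b"\x00" * 64)  # placeholder bytes
        (root / "bin" / "config.ini").write_text("channel=stable\n")
        (root / "README.txt").write_text("vendor update package\n")
        manifest = build_manifest(root)  # what the vendor would publish

        # Tampering between vendor and client (constructed):
        (root / "bin" / "updater.exe").write_bytes(b"MZ" + b"\x90" * 64)  # patched binary
        (root / "bin" / "helper.dll").write_bytes(b"dropped")             # unlisted file
        (root / "README.txt").unlink()                                    # removed file
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for rel, st in sorted(demo().items()):
        print(f"{st:10s} {rel}")
```

The manifest only helps if it is obtained over a channel the attacker cannot rewrite along with the package; in the ASUS case the signing key itself was misused, which is why a hash check must be paired with protection of the signing identity rather than replace it.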

Source: Information Security Magazine

IoT Set to Put Strain on Cyber Skills Market

UK demand for cybersecurity skills rose 10% year-on-year in the last quarter of 2018, with adoption of the Internet of Things (IoT) technologies set to put further strain on the market going forward, according to Experis.

The recruitment company’s latest Experis Industry Insiders report revealed a near 17% increase in advertised cybersecurity roles from the previous quarter, to 13,214.

However, average permanent salaries actually dropped slightly, by 2% year-on-year to £58,557, as employers sought out short-term solutions to fill their skills gaps. Contractor day rates jumped nearly 20% over the previous year, to £505.

In the IoT space, the number of new roles advertised jumped 49% quarter-on-quarter to Q4 2018. Permanent (1.5%) and contractor (4%) average salaries both increased.

“IoT offers huge opportunities for organizations, if they have the right cybersecurity foundations in place to take advantage of new innovations safely. We can see that there is a strong demand for top talent, but the market is struggling to keep pace,” argued Experis director of specialist markets, Martin Ewings.

“Businesses are having to be creative and take a blended approach to their talent acquisition strategies — tapping into the contractor market to build a hybrid team of permanent and temporary workers. In doing so, they can have fast access to the skills they need right now, while taking a longer-term view by building permanent capabilities and investing the time required to enable strategic development.”

However, building these permanent capabilities will be challenging given continued global shortfalls. Skills shortages in cybersecurity have reached nearly three million worldwide, including 142,000 in EMEA, according to (ISC)².

Defense contractor Raytheon is doing its bit by announcing this week a new cyber-apprenticeships scheme as part of a £2m investment strategy which also includes a Cyber Academy to train university students.

The firm claimed there would be opportunities for 70 cyber-apprentices each year for the two-year program, which offers an alternative to three- and four-year degree courses. Plans are in place to certify around 280 apprentices over four years.

Source: Information Security Magazine

Dark Web’s Wall Street Market Suspected of Exit Scam

Dark web drugs marketplace Wall Street Market appears to have become the latest underground site to be hit by an exit scam, taking with it an estimated $30m of users’ money.

News has swirled for days that the site’s owners are about to pull the plug, with suspicions raised after an official moderator published a notice claiming that it had suffered a server crash. This meant it was unable to synchronize bitcoin wallets with the blockchain, the individual claimed.

“Due to this incident, we were forced to send crypto assets manually to the waiting list bitcoin wallet, as we have to wait for this process to complete, so that coins can be sent to the appropriate matching escrow wallet,” the post continued.

“Our technical advisors said that the platform will soon shift to the maintenance mode in order to prevent sending of more bitcoins, and they estimated the synchronization process to be successfully completed yesterday.”

However, multiple posts on dark web Reddit-like forum Dread claim this is merely a distraction designed to buy the administrators time while they drain funds, according to Deepdotweb.

Users have also taken to Reddit to complain about problems with the site, suggesting that its owners have decided to exit scam after a large influx of users and money that came from the recently shuttered Dream Market.

Exit scams typically occur when dark web sites stop shipping orders but continue to accept payment. Once a significant pot of money is built up in escrow, the administrators take it and close the site.

This latest incident highlights the continued uncertainty of doing business on the dark web. Law enforcers have done their best to disrupt some of the biggest marketplaces in recent years, notably with the takedowns of Hansa and AlphaBay in 2017.

Things had begun to stabilize since then, but exit scams are a constant concern and widely seen as a cost of doing business on the dark web.

It could be that the administrators of Wall Street Market decided to do a runner with the money rather than face the potential scrutiny of investigators.

Source: Information Security Magazine

Report: 42% of Used Drives Sold on eBay Hold Sensitive Data

A new report from Blancco Technology Group has warned that those looking to make some money by selling used storage drives may be putting themselves at risk of falling victim to cybercrime.

As detailed in Privacy for Sale: Data Security Risks in the Second-Hand IT Asset Marketplace, Blancco, in conjunction with Ontrack, analyzed 159 leading brand drives purchased through auction site eBay in the US, UK, Germany and Finland, discovering that almost half (42%) still held sensitive data.

What’s more, 15% of the drives assessed were found to contain personally identifiable information (PII), despite sellers surveyed by Blancco as part of the research stating they had used proper data sanitization methods to ensure no data was left behind. This worrying finding suggests that although sellers recognize the need to remove any data before selling on a storage drive, the methods they are using are inadequate.

“Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data,” said Fredrik Forslund, VP, cloud and data erasure, Blancco. “By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members.”

It is also clear that there is confusion around the right methods of data erasure, Forslund added, as each seller was under the impression that data had been permanently removed.

“It’s critical to securely erase any data on drives before passing them onto another party, using the appropriate methods to confirm that it’s truly gone. Education on best ways to permanently remove data from devices is a vital investment to negate the very real risk of falling victim to identity theft, or other methods of cybercrime.”

“Deleting data is notoriously difficult,” added Sam Curry, chief security officer at Cybereason. “Most people don’t understand and probably shouldn’t have to understand how indexing works, but most so-called deletion just removes pointers to data and not the data itself.

“Destruction of the device really doesn’t make the data go away either; sure, parts of it might be damaged or hard to read because the media can't be plugged in easily. The data, however, persists.

“The conventional best practices for securely decommissioning drives before disposal are to get professionals that you trust (and that’s a big deal and another subject) to really wipe and rewrite every trace ‘three times,’ which feels a little like overkill to laypeople. It does matter, though, when the data you have is in trust from and for other people.”
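Curry’s point that ordinary deletion removes the pointer and leaves the bytes on the medium is easiest to see on a model small enough to inspect. The block below is an added example, not code from Blancco, Ontrack or Cybereason: an in-memory toy block device with a directory of block pointers, an ordinary delete, an overwrite-then-delete, and a raw scan of the medium standing in for what a forensic carve of a second-hand drive finds.

```python
"""Toy block device showing why 'delete' leaves data recoverable (added example).

Everything here is a simulation: a bytearray stands in for the medium, a dict for
the directory, and raw_scan() for carving the raw device with no filesystem.
"""
from __future__ import annotations

import os

BLOCK = 16  # bytes per block; small so the model is easy to read


class ToyDisk:
    def __init__(self, blocks: int = 64) -> None:
        self.media = bytearray(blocks * BLOCK)          # the raw medium
        self.free = list(range(blocks))                 # free block list
        self.directory: dict[str, list[int]] = {}       # filename -> block pointers

    def write(self, name: str, data: bytes) -> None:
        needed = (len(data) + BLOCK - 1) // BLOCK
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the directory entry, return blocks to the free list.
        Nothing on the medium changes."""
        self.free.extend(self.directory.pop(name))

    def secure_erase(self, name: str, passes: int = 3) -> None:
        """Overwrite every block the file occupied before releasing it
        (random data for passes-1 rounds, then zeros, mirroring the 'three times' Curry mentions)."""
        for b in self.directory[name]:
            for _ in range(passes - 1):
                self.media[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
            self.media[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

    def raw_scan(self, needle: bytes) -> bool:
        """Search the raw medium, ignoring the directory, as a carving tool would."""
        return needle in bytes(self.media)


def demo() -> dict[str, bool]:
    """Constructed sensitive content written, 'deleted' one way, then the other."""
    secret = b"PATIENT-RECORD-4711 DOB 1970-01-01"

    plain = ToyDisk()
    plain.write("records.txt", secret)
    plain.delete("records.txt")
    after_delete = plain.raw_scan(secret)    # pointer gone, bytes still present

    wiped = ToyDisk()
    wiped.write("records.txt", secret)
    wiped.secure_erase("records.txt")
    after_erase = wiped.raw_scan(secret)     # bytes overwritten before release

    return {"recoverable_after_delete": after_delete,
            "recoverable_after_erase": after_erase}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model deliberately has no wear levelling or remapping; on flash media the drive controller may write the overwrite passes to different physical cells, which is why drive-level sanitize commands or professional erasure, rather than file-level overwriting, are the sound choice for decommissioning.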

Source: Information Security Magazine

Insider Threats a Top Risk to Healthcare

Across the healthcare sector, ransomware is reportedly no longer the most prevalent security threat, according to new research from Vectra that found attacks decreased during the second half of 2018.

The Vectra 2019 Spotlight Report on Healthcare found that internal human error and misuse occur much more frequently than hacking. In addition, a growing number of errors are the result of unmanaged devices and lateral movement of device-to-device communication.

Based on data from the Attacker Behavior Industry Report (2019 RSA Conference Edition), researchers also observed network behaviors from a sampling of 354 opt-in enterprise organizations in healthcare and eight other industries.

Among the findings, the report noted that attackers hide command-and-control communications in healthcare networks using HTTPS tunnels. “Hidden HTTPS tunnels are the most common behavior detected in healthcare. This traffic represents external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic. When attackers hide their command-and-control communications in HTTPS tunnels, it often looks like service provider traffic,” the report said.

Researchers also found that hidden domain name system (DNS) tunnels were commonly used to mask data exfiltration behaviors, as these behaviors can also be caused by IT and security tools that use DNS communication.

The second most-common behavior consistent with data exfiltration in healthcare, according to the research, is the smash and grab. “This occurs when a large volume of data is sent to an external destination not commonly in use, in a short period of time.”

Security cameras are able to quickly send mass volumes of data to a hosted cloud site, but smash-and-grab behaviors can appear to be normal operation for an IoT device. As a result, low and slow attackers are able to use it for obfuscation.
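The three behaviors the report describes (long-lived multi-session HTTPS to one external host, DNS tunnels, and a smash-and-grab burst to an uncommon destination) each reduce to a rule over flow and DNS telemetry. The following is an added example, not Vectra’s code or data: it runs three such rules over constructed flow and DNS records, including a security camera whose sustained upload to a known cloud host must not fire the smash-and-grab rule. All thresholds, hostnames and addresses are assumptions chosen for the sample.

```python
"""Behavior detections over constructed flow and DNS logs (added example).

Thresholds are hypothetical starting points; in practice they are tuned per site
and paired with an allow-list of IT and security tools that legitimately use DNS.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not real data) -----------------------------
# Flow record: (timestamp, source host, destination IP, destination port, bytes out)
T0 = datetime(2019, 4, 1, 0, 0)
FLOWS = [
    # ws-12: 25 short TLS sessions to one external IP, every 20 minutes for 8 hours
    *[(T0 + timedelta(minutes=20 * i), "ws-12", "203.0.113.9", 443, 1200) for i in range(25)],
    # ws-30: ordinary browsing to destinations present in the baseline
    (T0 + timedelta(hours=9), "ws-30", "198.51.100.5", 443, 48_000),
    (T0 + timedelta(hours=9, minutes=5), "ws-30", "198.51.100.7", 443, 30_000),
    # cam-03: a security camera streaming 90 MB/hour to its known cloud host
    *[(T0 + timedelta(hours=1 + i), "cam-03", "198.51.100.20", 443, 90_000_000) for i in range(6)],
    # ws-44: 1.5 GB to a never-seen destination within 10 minutes
    *[(T0 + timedelta(hours=2, minutes=2 * i), "ws-44", "192.0.2.77", 443, 300_000_000) for i in range(5)],
]
# Destinations observed during a prior learning period (assumed baseline)
BASELINE_DSTS = {"198.51.100.5", "198.51.100.7", "198.51.100.20"}

# DNS query record: (source host, queried name)
DNS_QUERIES = [
    # ws-44: 40 distinct 40-character labels under one domain, the shape of encoded data
    *[("ws-44", hashlib.sha256(b"chunk%d" % i).hexdigest()[:40] + ".t.example.net") for i in range(40)],
    ("ws-30", "www.example.org"), ("ws-30", "cdn.example.org"), ("ws-30", "mail.example.org"),
]


def https_tunnels(flows, min_sessions: int = 20, min_hours: float = 6.0):
    """Many separate 443 sessions from one host to one external IP spanning a long period."""
    sessions = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if port == 443:
            sessions[(src, dst)].append(ts)
    hits = []
    for key, times in sessions.items():
        span_hours = (max(times) - min(times)).total_seconds() / 3600
        if len(times) >= min_sessions and span_hours >= min_hours:
            hits.append(key)
    return sorted(hits)


def registered_domain(qname: str) -> str:
    """Naive: last two labels. Production code needs a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def dns_tunnels(queries, min_unique: int = 25, min_label_len: int = 30):
    """Many unique, long leftmost labels under one registered domain from one host."""
    seen = defaultdict(set)
    for src, qname in queries:
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len:
            seen[(src, registered_domain(qname))].add(first_label)
    return sorted(key for key, labels in seen.items() if len(labels) >= min_unique)


def smash_and_grab(flows, baseline, window=timedelta(minutes=15), min_bytes: int = 1_000_000_000):
    """Large outbound volume to a destination absent from the baseline inside a short window."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, nbytes in flows:
        if dst not in baseline:
            by_pair[(src, dst)].append((ts, nbytes))
    hits = []
    for key, recs in by_pair.items():
        recs.sort()
        for i, (t0, _) in enumerate(recs):
            total = sum(b for t, b in recs[i:] if t - t0 <= window)
            if total >= min_bytes:
                hits.append(key)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("hidden HTTPS tunnels:", https_tunnels(FLOWS))
    print("DNS tunnels:", dns_tunnels(DNS_QUERIES))
    print("smash and grab:", smash_and_grab(FLOWS, BASELINE_DSTS))
```

The camera does not fire because its destination is in the baseline, which is the distinction the report draws between an IoT device’s normal bulk upload and a burst to an unfamiliar host; the beaconing workstation does not fire the volume rule either, and is caught only by the session-count-over-time rule.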

“Healthcare organizations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information,” said Chris Morales, head of security analytics at Vectra. “Improving visibility into network behavior enables healthcare organizations to manage risk of legacy systems and new technology they embrace.”

Source: Information Security Magazine

Magecart Swoops in to Strike Atlanta Hawks Shop

The online shop for the Atlanta Hawks currently states that it is temporarily down for maintenance, and according to Sanguine Security, the ecommerce site is the latest victim of a Magecart attack.

In the wild, hawks hold their place at the top of the food chain. On the court, the Atlanta Hawks boast 29 wins for the 2018–2019 season. The ecommerce store, though, reportedly has a weak link in its supply chain.

"Yesterday, we were alerted that the host site for HawksShop.com was subject to an isolated attack," a spokesperson for the Hawks organization said. "We take these matters of security and privacy extremely seriously. Upon receiving that information, we disabled all payment and checkout capabilities to prevent any further incident.

"At this stage of the investigation, we believe that less than a handful of purchases on HawksShop.com were affected. We are continuing to investigate and will provide updates as needed."

According to an April 23 post, Magecart thieves injected a payment skimmer in the online store of the Atlanta Hawks. 

“As many online stores do, the Atlanta Hawks shop also runs Magento Commerce Cloud 2.2, a commonly used enterprise-grade e-commerce system, owned by Adobe. While Magento itself is quite secure, attackers often use insecure third-party components to gain access to the core of the shop system,” Sanguine Labs wrote.

Leveraging vulnerabilities in third parties has proven successful for the Magecart group, which is also reportedly responsible for infecting hundreds of websites via supply chains. “Cyber-criminals have found that this card-skimming malware is stealthy and effective in securing credit card information off of websites. This payment card information can have a huge impact on customers, far beyond the unauthorized use of their cards,” said Ryan Zuk, VP of customer success for NuData Security, a Mastercard company.

“Payment card information, combined with other user data from other breaches and social media, builds a complete profile. Using these real identities, and sometimes fake identities with valid credentials, allows cyber-criminals to take over accounts, apply for loans and much more. This is why more companies today are implementing user verification platforms that include passive biometrics that verify users based on more parameters than just their personally identifiable information.”

Sanguine Labs reported that the time frame for detection is small, with new attacks being discovered each week. In addition to using automation to identify and prevent attacks, “passive biometric technology is making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data. This makes it challenging for bad actors to access illegitimate accounts, as they can't replicate the customer’s inherent behavior,” Zuk said.

Source: Information Security Magazine

Online Fitness Store Gets One-Upped by Hackers

Lifting weights might build strength for the body, but for customers of Bodybuilding.com, bulking up wasn’t enough to stop hackers from stealing their personal data. According to a security notice issued by the popular online fitness store, Bodybuilding.com recently experienced a security incident that may have affected customer information.

“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018,” according to the statement.

“On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed. While we have no evidence that personal information was accessed or misused, we are notifying all current and former customers and users about the incident out of an abundance of caution to explain the circumstances as we understand them.”

In the aftermath of discovering the incident, the company contacted law enforcement and brought in external forensic investigators. Additionally, the notice to customers said that the company will be forcing a password reset upon the next login for all of its customers.

The company does not store full credit or debit card information, but customers do have the option of storing card information in their accounts. In those cases, Bodybuilding.com only stores the last four digits of the card, and according to the statement, it never stores the full card number.

“While we have no evidence that personal information was accessed or misused, information you provided to us which might have been accessed in this incident could include name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in your BodySpace profile,” the company said, adding that much of the information in the BodySpace profile is already public.

“We’re never out of danger from a data breach of our personal information and passwords, as the Bodybuilding.com incident reminds us. Despite the fact that web applications often house sensitive consumer data, they are often forgotten when it comes to implementing security measures,” said Oscar Tovar, vulnerability verification specialist, WhiteHat Security.

“Since Bodybuilding.com’s breach was a phishing attack, this showcases the importance of ongoing security training for employees. Organizations’ people continue to be the single largest threat vector for successful breaches. In addition, this paints a large target on an organization making them an easy target for hackers, who can exploit them and gain access to sensitive information. Every single company that touches sensitive data needs to make security a consistent, top-of-mind concern.”

Source: Information Security Magazine

FBI: BEC Losses Surged to $1.3bn in 2018

The FBI dealt with cyber-attacks causing losses of over $2.7bn in 2018, nearly half of which were linked to Business Email Compromise (BEC) scams.

In total, there were over 20,000 victims of BEC/Email Account Compromise (EAC) last year, leading to losses of just under $1.3bn, the largest of any cybercrime type. The nearest to this were confidence fraud/romance scams ($362m) and investment cybercrime ($253m), according to the 2018 Internet Crime Report.

The FBI noted an increase in the number of gift card BEC scams, of the sort spotted by Agari recently. The security vendor claimed fraudsters are increasingly transferring their victims from email to mobile communications early on in the scam.

The largest group losing money to cyber-criminals was the over-60s ($649m), followed by the 50-59 age group ($495m). This could be partly explained by the continued prevalence of tech support scams which predominantly target the elderly. There were over 14,000 reported victims last year, linked to losses reaching almost $39m — a 161% increase from 2017.

Elsewhere, the number of reported ransomware victims dropped from 1783 to 1493 cases. However, the losses incurred by these victims rose from $2.3m to $3.6m. What’s more, these estimates don’t include lost business, wages, files, equipment, productivity or third-party remediation.

“In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents,” the report claimed.

Finally, the FBI also noted a strong surge in extortion-related attacks in 2018. The 51,000+ complaints it received accounted for losses of over $83m, a 242% increase on 2017 figures. These included DoS attacks, “hitman schemes,” sextortion, government impersonation schemes, loan schemes, and high-profile data breaches.

Source: Information Security Magazine

Online Thief Cracks Private Keys to Steal $54m in ETH

An individual or group of hackers has managed to amass over $54m in stolen digital currency by raiding digital wallets improperly secured with private keys, according to a new report.

Consultancy Independent Security Evaluators (ISE) claimed the “Blockchainbandit” had taken advantage of poorly implemented private keys to transfer nearly 38,000 ETH (ether, the Ethereum currency) out of the targeted wallets to one under its control.

That was the figure as of January 13, 2018, but it may be many times greater today, the firm warned. In a test operation, it placed a dollar’s worth of ETH in a weak private key-derived wallet and saw it transferred out to the attacker within seconds.

In total, ISE claimed it was able to guess or duplicate 732 weak private keys in use on the Ethereum blockchain, highlighting a potential issue with key generation by developers.

The firm suggested that programming errors in the software generating these keys have made them easy to brute force.

It hypothesized that a 256-bit private key may have been truncated due to coding mistakes, meaning it’s insufficiently complex. Other possible errors suggested by the researchers included “error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors.”

It’s even possible that users were allowed to choose their own keys, it’s claimed.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” argued ISE executive partner Ted Harrington.

ISE urged developers to use well-known libraries or platform-specific modules for random number generation; use a cryptographically secure pseudo-random number generator; audit code for truncated keys; and use multiple sources of entropy. It also claimed developers should review NIST guidelines on cryptographic random number generation.

Source: Information Security Magazine