Archive for the News Category

New Wave of HMRC Scam Calls Hits UK

Security experts are warning of a new HMRC scam using a threatening automated message in a bid to trick taxpayers into paying a ‘fine.’

The scam calls appear designed to cash in on the busy end-of-year period in the UK, when taxpayers look to get their affairs in order before the self-assessment deadline at the end of January.

The automated message reveals the presumably fictitious name of an HMRC officer and extension number, before warning “the issue at hand is extremely time sensitive.”

“If you do not call us back or we do not hear from your solicitors, either, then get ready to face the legal consequences,” it continues.

“Comparitech attempted to call the number back in order to find out more information, but did not receive a response as of the time of writing,” explained the vendor’s privacy advocate, Paul Bischoff.

“However, other people who have reported the same message from the same number say they were asked to pay upwards of £3000 in taxes. If they did not pay immediately, the scammer told them, that figure would increase 20-fold by the end of the day.”

Another variation on the scam apparently features a message claiming HMRC agents are watching the victim’s property and only a payment will prevent them from raiding it.

Victims were urged to report any scam phone numbers to Action Fraud, and HMRC-related phishing/vishing attempts to its own dedicated unit.

“If you receive a call claiming to be from the HMRC, search the phone number on the HMRC’s official website. If the number doesn’t come up, it’s probably a scam,” argued Bischoff.

“Scammers often attempt to instill a sense of urgency in victims to make them slip up. The real HMRC will not make threats over the phone, legal or otherwise, that require immediate action.”

HMRC is one of the organizations most often impersonated in phishing campaigns in the UK, which is partly why the National Cyber Security Centre’s Active Cyber Defence (ACD) initiative was launched. It aims to take down phishing sites and uses the DMARC protocol, which lets a domain owner instruct receiving mail servers to reject or quarantine mail that fails SPF/DKIM alignment checks for that domain, to stop spoofed emails from reaching end users.
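
The DMARC evaluation that a receiving mail server performs, as an added example that is not part of the original article nor code from NCSC or HMRC: the domain `example.gov.uk`, its DMARC record, the miniature public-suffix table and the message details are all constructed assumptions. The point it shows is that a spoofed message whose visible From domain is not aligned with whatever actually authenticated (SPF or DKIM) is disposed of according to the published `p=` policy, while a legitimate message sent through a subdomain mail server passes under relaxed alignment.

```python
"""Added example (not the article's or NCSC's code): evaluating an inbound
message against a domain's DMARC record, as a receiving mail server does.
Everything below is constructed for illustration."""

# Constructed record, as it would be published in DNS at _dmarc.example.gov.uk
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
                "rua=mailto:dmarc-reports@example.gov.uk")

# Tiny stand-in for the Public Suffix List (assumption; real receivers load the full list)
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "gov.uk"}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, rejecting anything that is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and a p= tag)")
    tags.setdefault("adkim", "r")   # RFC 7489 defaults: relaxed alignment, 100% enforcement
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Reduce a domain to its organizational domain (one label below the public suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False, sample_roll=0):
    """Return (dmarc_result, disposition) for one message.

    from_domain: the RFC5322.From domain the user sees.
    spf_domain / dkim_domain: the domains that actually authenticated (MAIL FROM, DKIM d=).
    sample_roll: 0-99, compared against pct= so a partial rollout downgrades the policy.
    Simplification: sp= is applied whenever the From domain is below the org domain,
    without checking for a record published at the subdomain itself.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if sample_roll >= int(tags["pct"]):
        # Outside the pct= sample, the next weaker policy applies (RFC 7489 section 6.6.4)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    # Spoof: From claims example.gov.uk, but SPF only passes for the sender's own domain
    print(evaluate(DMARC_RECORD, "example.gov.uk",
                   spf_domain="bulk-sender.com", spf_pass=True))
    # Legitimate: relaxed SPF alignment accepts a mail-server subdomain as the envelope sender
    print(evaluate(DMARC_RECORD, "example.gov.uk",
                   spf_domain="mail.example.gov.uk", spf_pass=True))
```

Note that `adkim=s` in the constructed record makes a DKIM signature from `mail.example.gov.uk` fail alignment while `aspf=r` accepts the same subdomain for SPF; which mode to publish is a per-domain decision, and `p=none` records only generate reports and block nothing.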

Source: Information Security Magazine

Financial Services Employees Targeted with RAT

An active email campaign is reportedly targeting banking and financial services employees in the US and UK using popular cloud services to host the malicious payload, according to a blog posted today by Menlo Security.

The campaign targets endpoints, including PCs, and the attackers are reportedly using two types of payload, VBScripts and JAR files, to compromise them. Looking at the victims who clicked on malicious links to archive files, researchers found that every linked archive was either a ZIP or a GZ file.

Evidence suggests that the campaign has been active since August, and researchers have confirmed that one of the RAT families used was Houdini.

“Of the JAR files we identified, we believe one file (Swift invoice.jar) belongs to the Houdini/jRAT malware family. We reached this conclusion because it communicated with pm2bitcoin.com. The other JAR files are still being investigated, and we believe they belong to the Qrat malware family,” researchers wrote.

According to the blog, attackers used storage.googleapis.com, the domain of the Google Cloud Storage service, to host the malicious payload, and the primary attack vector is email, where malicious URLs are embedded within emails rather than sent as attachments.

A compromised machine inside an enterprise network has wide-ranging business impact, ranging from loss of personally identifiable information to potentially much more damaging consequences such as exfiltration of intellectual property, according to Vinay Pidathala, director of security research at Menlo Security.

“You can no longer trust ANY website: attackers are increasingly hiding behind well-known, popular hosting services to avoid detection. Credential attacks and remote access Trojans (RAT) malware are trends that will continue in the finance sector. These payloads, often zipped-up and in some cases in two layers, will continue to evolve to maneuver payloads into the environment,” Pidathala said.

“Botnets will decrease, and RAT malware will increase due to the ability RATs give attackers to customize and control every step of the attack. Once they get in, they can live off the fat of the land in the enterprise. We will continue to see an increase in cross-platform malware, similar to the malware we've seen in this specific campaign. By writing cross-platform malware, attackers only need to write one file to attack both platforms. Also, attackers tend to follow the money. With more enterprises using Macs, there is more of a motivation to go after them.”
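
The two points a mail gateway would act on here, a link to an archive on a cloud storage host and a payload wrapped in more than one archive layer, as an added example that is not Menlo Security's code nor part of the original article. The host list, extensions, size and depth limits are assumptions, and the sample archives are constructed placeholders rather than real malware (the member name `Swift invoice.jar` is reused from the article but the content is an empty manifest).

```python
"""Added example (not Menlo Security's code): flag cloud-storage links to archives,
then unpack archives recursively in memory to find scripted or Java payloads a
layer or two down. Limits and samples below are constructed assumptions."""
import gzip
import io
import zipfile
from urllib.parse import urlparse

CLOUD_STORAGE_HOSTS = {"storage.googleapis.com"}  # host named in the article; extend per environment
ARCHIVE_EXTS = (".zip", ".gz")
PAYLOAD_EXTS = (".jar", ".vbs", ".vbe", ".js", ".exe")
MAX_DEPTH = 3                        # unpack at most three nested layers (zip-bomb guard)
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed per-member decompressed limit


def suspicious_link(url):
    """True when a link points at a public cloud storage host and downloads an archive."""
    u = urlparse(url)
    return u.hostname in CLOUD_STORAGE_HOSTS and u.path.lower().endswith(ARCHIVE_EXTS)


def scan(data, name, depth=0, path=""):
    """Recursively classify one member; returns [(nested_path, reason), ...]."""
    here = f"{path}/{name}" if path else name
    lname = name.lower()
    if lname.endswith(PAYLOAD_EXTS):
        return [(here, "executable payload: " + lname.rsplit(".", 1)[-1])]
    is_gz = data[:2] == b"\x1f\x8b"                    # trust the magic bytes, not the name
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    if not (is_gz or is_zip):
        return []
    if depth >= MAX_DEPTH:
        return [(here, "archive nested deeper than %d layers" % MAX_DEPTH)]
    if is_gz:
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            inner = gz.read(MAX_MEMBER_BYTES + 1)
        if len(inner) > MAX_MEMBER_BYTES:
            return [(here, "decompressed member exceeds size limit")]
        inner_name = name[:-3] if lname.endswith(".gz") else name + ".out"
        return scan(inner, inner_name, depth + 1, here)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                inner = fh.read(MAX_MEMBER_BYTES + 1)
            if len(inner) > MAX_MEMBER_BYTES:
                findings.append((f"{here}/{info.filename}", "decompressed member exceeds size limit"))
            else:
                findings += scan(inner, info.filename, depth + 1, here)
    return findings


def build_samples():
    """Constructed samples, not real malware: a two-layer ZIP (outer ZIP -> inner ZIP ->
    JAR + VBScript placeholder) and a gzipped copy of the inner ZIP."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Swift invoice.jar", jar.getvalue())
        z.writestr("invoice.pdf.vbs", "' constructed placeholder, not a real script\n")
        z.writestr("readme.txt", "benign text member\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return {"invoice.zip": outer.getvalue(), "invoice.zip.gz": gzip.compress(inner.getvalue())}


def build_nested_zip(layers, payload_name="stage.vbs"):
    """Constructed helper: wrap a VBScript placeholder in `layers` ZIP files, returns (bytes, name)."""
    data, name = b"' placeholder\n", payload_name
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data, name


if __name__ == "__main__":
    print(suspicious_link("https://storage.googleapis.com/bucket/invoice.zip"))
    for name, blob in build_samples().items():
        for nested_path, reason in scan(blob, name):
            print(name, "->", nested_path, ":", reason)
```

The depth and size limits matter as much as the payload list: without them an attacker can turn the gateway's own unpacking against it with a deeply nested or highly compressible archive, and a finding of "nested deeper than N layers" is itself a reason to hold the message.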

Source: Information Security Magazine

Click2Gov Breach Payment Cards Sold on Dark Web

In August 2017, Click2Gov software, a payment technology widely used by local governments to process utility payments, was the victim of a breach in which Oceanside, California, was the first in a long line of compromised municipalities. Many of the payment cards stolen from the compromised records are now likely being sold in underground marketplaces, according to Gemini Advisory.

During its routine monitoring of dark web marketplaces that sell compromised payment card data, Gemini Advisory noted “an out-of-pattern concentration of victims located in small-to-medium US cities. Further analysis of the card data linked to these locations and collaboration with partner banks have determined that records [have] likely been stolen from local municipal services that license Click2Gov software.”

According to Gemini Advisory’s blog post by Stas Alforov, there have been 46 confirmed compromised locations across the US, with an additional location reported in Canada. At the time Gemini Advisory conducted its research, 294,929 payment records had reportedly been stolen, from which criminals have earned at least $1.7 million. Click2Gov's parent company, Superion, has made efforts to deploy patches, yet the software remains vulnerable, and three additional municipalities have reportedly been breached since October 2018.

Dozens of municipalities have reported instances of the Click2Gov breach, with at least 111,860 payment cards compromised. Those stolen cards were then uploaded and reportedly sold on the dark web for an average of $10 per card, and “breached payment card data was linked to over 1,000 financial institutions, with 65% of stolen records associated with the top 20 affected banks,” Alforov wrote.

"In addition to Click2Gov payment records being sold on the dark web, we can also assume that the associated account login credentials – name and password pairs – were also for sale,” said Franklyn Jones, CMO, Cequence.

“So these nearly 300,000 credentials will likely be acquired for secondary bot attacks designed to gain unauthorized access to accounts on other web applications. And bot attacks, which are becoming more pervasive, are typically successful 10% of the time, which can lead to additional account takeover, financial fraud and business disruption."

Source: Information Security Magazine

Hackers Depart from Large Dark Web Markets

Cyber-criminals are increasingly downsizing from selling their wares on large dark web marketplaces in a bid to build trust with buyers, according to McAfee.

The security giant claimed in its latest threat report, covering Q3, that the trend can also be seen as a response to law enforcement activity. Police carried out the major takedowns of Hansa and AlphaBay in 2017, while the Olympus marketplace fell silent in September after a suspected exit scam.

“Cyber-criminals are very opportunistic in nature,” said John Fokker, head of cyber-criminal investigations at McAfee. “The cyber-threats we face today once began as conversations on hidden forums and grew into products and services available on underground markets. Additionally, the strong brands we see emerging offer a lot to cyber-criminals: higher infection rates, and both operational and financial security.”

The move on the part of these business-minded hackers with strong underground ‘brands’ to set up shop on their own has brought with it a cottage industry in website designers offering to build their digital stores, McAfee claimed.

Elsewhere, the security firm blocked an average of 480 new threats per minute during the three-month period, with IoT malware (73%), cryptomining malware (71%) and new ransomware (10%) all increasing from the previous quarter.

Overall, new malware samples increased 53%, with new macro malware up 32%. It’s no surprise that malware was the most popular attack vector, followed by account hijacking, leaks, unauthorized access and vulnerabilities.

However, instances of new mobile malware declined by 24% in Q3, and McAfee customers reported 36% fewer infections in the quarter.

Data breaches in the financial sector jumped 20% and sextortion scams continued to grow in popularity, driven by Gamut, the top spam-producing botnet.

Source: Information Security Magazine

Huawei Hits Back at Claims it Poses Security Threat

Huawei has hit back at reports claiming it is a national security risk, as the Czech Republic joined a growing list of governments warning against using the firm’s equipment.

The Shenzhen giant’s chairman, Ken Hu, told reporters that such moves were driven by “ideology and geopolitics” and challenged the likes of the US government to provide proof to back up their claims.

“If you have proof or evidence, it should be made known,” he reportedly added. “Maybe not to Huawei and maybe not to the public, but to telecom operators, because they are the ones that buy Huawei.”

The US, Australia, New Zealand, Taiwan and Japan have all banned Huawei products on security grounds to a greater or lesser extent. With the kit-maker set to play a key role in coming critical infrastructure deployments of 5G, the stakes couldn’t be higher.

In the UK, BT recently confirmed that the Chinese firm’s equipment is not included in its plans for the 5G core network.

However, Australian spy chief Mike Burgess has previously warned: “the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network.”

The UK government has long had a more open approach to dealing with the telco giant, allowing access to its markets as long as equipment passes muster at an evaluation center paid for by Huawei and staffed by experts from GCHQ, among others.

But even here there have been bumps in the road: in July the center claimed it could provide “only limited assurance” that Huawei equipment poses no threat to national security.

Although Huawei claims it has never acceded to any government demands which would “damage the networks or business of any of our customers,” it’s the risk of this happening in future which seems to be driving skepticism outside of China.

“High-risk vendors have been banned from Australia’s 5G network because of the threat they pose when they could be subject to unbounded extrajudicial directions from a foreign government,” wrote Burgess recently.

Although the lack of competition may indeed push up prices and slow innovation, it may be a price governments are prepared to pay. The Czech Republic’s cybersecurity watchdog this week became the latest to warn against the firm.

“China’s laws…require private companies residing in China to cooperate with intelligence services, therefore introducing them into the key state systems might present a threat,” said Dusan Navratil, director of the Czech National Cyber and Information Security Agency (NCISA).

Source: Information Security Magazine

NASA Staff at Risk After Server Breach

NASA has been sitting on a potentially serious breach of employees’ personally identifiable information (PII) after revealing a server may have been compromised months ago.

In an HR message from the Office of the Chief Human Capital Officer, the US space agency claimed its cybersecurity staff began investigating an incident on 23 October, nearly two months ago.

“After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised,” the email continued.

“NASA and its federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any agency missions were jeopardized by the cyber incidents.”

It’s still unclear exactly how many staff may have been affected by the incident, although NASA has sent the email to all employees so they can take precautions.

“Those NASA civil service employees who were on-boarded, separated from the agency, and/or transferred between centers, from July 2006 to October 2018, may have been affected,” it continued.

“Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate.”

NASA is a major target for nation-state and financially motivated attackers, as well as bedroom enthusiasts.

UK hacker Gary McKinnon famously confessed in 2009 to compromising the networks of the US space agency as part of a misguided attempt to look for evidence of a UFO conspiracy.

Sometimes NASA can be its own worst enemy: between April 2009 and April 2011, 48 mobile computing devices loaded with sensitive information were either lost or stolen.

Source: Information Security Magazine

Email Security Systems Miss 17K Threats

In its latest Email Security Risk Assessment (ESRA), Mimecast found that incumbent email security systems inaccurately deemed nearly 17,000 dangerous files “safe” this quarter. Email scams have been on the rise, which is partly what prompted Mimecast to dig into the efficacy of Office 365 and other widely used email security systems so that organizations can better understand their risk.

According to a recent survey also conducted by Mimecast, nearly 70% of employees are using company-issued devices for non-work activities, which presents an increased likelihood that users can fall victim to one of these malicious scams with dangerous files and malicious URLs while online shopping at work.

The ESRA also found that more than 21 million spam emails were missed by email security providers. Instead of being blocked they were delivered to users’ inboxes. Add to that massive oversight the fact that in excess of 205,000 malicious URLs were missed by incumbent providers, and it’s no surprise why the efficacy of email security systems needs to be measured.

In addition, providers missed more than 42,350 impersonation attempts, which were also delivered to users’ inboxes, along with more than 17,500 undetected malware attachments that landed in inboxes.

“Mimecast has seen an increase in security efficacy versus legacy vendors along with detailed information on the proliferation of threats of all types. The ESRA provides deep insights for our customers on the types of attacks threatening their business,” said Lindsay Jack, security service director at Mimecast, in a press release.

“Attacks we are seeing include key executives being targeted with cloud storage services exploits, impersonation attacks targeting legal, finance and administrative assistants, as well as social engineering attacks against the C-suite. Mimecast helps organizations understand how they compare with other organizations in their geography or industry vertical. Additionally, these reports provide insights on the rise of new types of malware and key trends in malicious email campaigns.”

The last quarter saw a surge in emails containing dangerous file types, according to Matthew Gardiner, cybersecurity strategist at Mimecast, who said that cyber-criminals continue to adapt their email-based attacks, seeking ways to evade detection and bypass security solutions that rely on reputation-based detection or file signature matches.

“Mimecast uses multiple layers and types of detection engines, combined with high-performance analytics, a diverse set of threat intelligence sources, and computer-aided human analysis to identify and stop unsafe emails from getting into our customers’ inboxes,” Gardiner said.

Source: Information Security Magazine

Healthcare Employees Aware of Ransomware Threats

In a new survey of North American healthcare employees, Kaspersky Lab found that, among organizations known to their staff to have been hit by ransomware, nearly a third have been hit more than once.

Findings of the report, Cyber Pulse: The State of Cybersecurity in Healthcare, are based on the responses from the 1,758 employees surveyed. Participants ranged from doctors and surgeons to admins and IT staff within the United States and Canada. Of the total participants, 33% of healthcare employees who are aware of a ransomware attack to their organization said attacks have happened more than once.

More than one in six healthcare employees said that they know of a ransomware cybersecurity attack on their organization that has occurred in the past five years or more. Additionally, 78% of American and 85% of Canadian healthcare workers who said they were aware of a ransomware cybersecurity attack to their organization claimed to have experienced up to five attacks.

The last 12 months seem to have been slightly better, though, with only 27% of healthcare IT employees claiming that their employer experienced a ransomware cybersecurity attack within the past year.

Healthcare employees overwhelmingly value protecting their patients, and 71% cited that as their top reason for incorporating cybersecurity measures into their organizations. In addition, 60% of employees want their companies and colleagues protected.

Only 21% of healthcare employees believe that their organization is unlikely to suffer a data breach in the years to come, and 23% said they trust in the cybersecurity strategy of their organization.

“Through our study, we found that healthcare employees in North America were confident that their organization would not suffer a data breach in the forthcoming year. But whether they realize it or not, their industry is suffering hundreds of breaches a year,” said Rob Cataldo, vice president of enterprise sales at Kaspersky Lab, in a press release.

“Healthcare companies have become a major target for cyber-criminals due to the successes they’ve had, and repeatedly have, in attacking these businesses. As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach. Business leaders and IT personnel need to work together to create a balance of training, education and security solutions strong enough to manage the risk.”

Source: Information Security Magazine

Attackers Connect with Malware via Malicious Memes

A new type of malware has been found listening for commands from malicious memes posted on Twitter, according to new research from Trend Micro.

Cyber-criminals are using the social site as an unwitting conduit for communicating with the malware, through the use of steganography, a technique that hides a payload inside an image in order to evade detection. The hidden payload instructs the malware to take a screenshot and collect system information from the infected computer, Aliakbar Zahravi wrote in a recent blog post.

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled. Twitter has already taken the account offline as of December 13, 2018,” the blog said.

In late October, the malware authors posted malicious memes in two separate tweets. The malware listens for commands embedded in memes posted by a Twitter account run by the malware operator. Once a meme has been downloaded from the Twitter account onto the victim’s machine, the malware parses it for the hidden command, so the account effectively acts as the malware’s command-and-control (C&C) service, according to Zahravi.

“This isn’t the first occurrence of malware using popular websites to obscure command-and-control features. Most organizations will allow popular websites through their firewalls, so malware communicating with these sites can blend in with a large pipe of network data,” said Travis Smith, principal security researcher at Tripwire. “A slight uptick in a few bytes of data to Twitter is less of an anomaly than a few bytes of data going to an unknown IP address for the first time.

“What’s unique here is the use of steganography to obscure the commands even further. This tells me the authors of this malware are concerned more about folks scanning websites like Twitter or PasteBin for typical command-and-control or other malware functions in the text of those services. By using images, a typical scanning engine ingesting text would be blind to this type of obfuscation.”
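
The generic technique the article describes, least-significant-bit (LSB) steganography, as an added example that is not Trend Micro's code nor the malware's own implementation: a command is written one bit at a time into the lowest bit of each colour byte of a cover image, and the recipient reads the same bits back. The "image" here is a constructed raw RGB byte buffer rather than a real PNG or JPEG (which would need an image library), and the command string, the scanner patterns and the detection heuristic are assumptions. The example also shows Smith's point: a scanner matching text in the raw bytes finds nothing, because no byte of the command ever appears in the carrier.

```python
"""Added example (not Trend Micro's or the malware's code): LSB steganography
hiding a C&C command in an RGB pixel buffer, plus what a text scanner sees.
The cover image, command and thresholds are constructed assumptions."""
import struct


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, message):
    """Return a copy of `pixels` with a 4-byte length header and `message` written into
    the least significant bit of consecutive bytes. Each cover byte changes by at most 1."""
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(payload) * 8, len(pixels)))
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(pixels):
    """Recover the hidden message; raises if the length header is implausible (no hidden data)."""
    def read_bytes(offset, n):
        buf = bytearray()
        for b in range(n):
            value = 0
            for k in range(8):
                value = (value << 1) | (pixels[offset + b * 8 + k] & 1)
            buf.append(value)
        return bytes(buf)
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if length == 0 or (4 + length) * 8 > len(pixels):
        raise ValueError("no plausible hidden payload")
    return read_bytes(32, length)


def text_scanner_hits(blob, patterns):
    """What a plain text-matching scanner sees: which patterns occur in the raw bytes."""
    return [p for p in patterns if p in blob]


def lsb_ones_ratio(pixels, n):
    """Fraction of set LSBs in the first n bytes. A crude heuristic: smooth synthetic covers
    have near-zero LSB entropy, embedded data pushes it toward 0.5. Real photographs already
    have noisy LSBs, so this is illustrative only, not a reliable detector."""
    return sum(b & 1 for b in pixels[:n]) / n


def cover_image(width=64, height=64):
    """Constructed deterministic RGB cover (a gradient), width*height*3 bytes."""
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += bytes(((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF))
    return bytes(px)


if __name__ == "__main__":
    command = b"/screenshot /sysinfo"   # constructed stand-in for the operator's command
    cover = cover_image()
    stego = embed(cover, command)
    print("recovered:", extract(stego))
    print("text scanner hits on stego image:", text_scanner_hits(stego, [b"/screenshot"]))
    print("LSB ones ratio cover/stego:", lsb_ones_ratio(cover, 192), lsb_ones_ratio(stego, 192))
```

Because every changed byte moves by exactly one, the stego image is visually identical to the cover and has the same size, so a control that compares file hashes, sizes or rendered appearance will not notice either; the practical detection angle is behavioural, such as a process that fetches images from a social network and then takes screenshots.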

Source: Information Security Magazine

PewDiePie Hackers Deface Wall Street Journal

Supporters of YouTube sensation PewDiePie have been at it again, this time defacing a Wall Street Journal web page in another bid to boost his subscribers.

The page itself, originally sponsored by a technology giant, was apparently fixed promptly by the newspaper’s IT team.

It references the WSJ’s 2017 investigation into PewDiePie and his featuring of anti-semitic content and Nazi imagery which ultimately led to his being dropped by Disney and losing his YouTube Red series.

“WallStreet Journal would like to apologize to pewdiepie,” the defaced message read. “Due to misrepresentation by our journalists, those of whom have now been fired, we are sponsoring pewdiepie to reach maximum subscribers and beat Tseries to 80million.”

The Swedish YouTuber has been tussling with Indian content giant T-Series at the top of the YouTube subscriber table for some time, with fans using increasingly unconventional methods to boost his base. He's currently at just over 77m subscribers.

Alongside legitimate tactics, including billboard advertising in Times Square and around the US, have come not-so-legitimate ones, including the hijacking of tens of thousands of printers around the world to print out messages in support of the YouTuber.

This first happened last month, when an estimated 50,000 devices were compromised.

Then this week a second wave of attacks came to light, with more than double the number of printers thought to have been affected.

The individual behind it said he was using the PewDiePie banner to try and raise awareness about printer security. It was claimed that attackers could have caused devices to burn out, as well as capture and modify sensitive corporate documents.

Source: Information Security Magazine