Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for the News Category

19-Year-Old Awarded More than $1M in Bug Bounties

19-Year-Old Awarded More than $1M in Bug Bounties

A 19-year-old completely self-taught hacker from Argentina has just been recognized as the first bug bounty hacker to earn more than $1 million in bounty payout awards, according to HackerOne.

Santiago Lopez, the hacker, who uses the handle @try_to_hack, has been discovering and disclosing vulnerabilities through HackerOne’s bug bounty program since 2015. In 2016, he earned his first award of $50, though he admitted, "At the time I was not very interested in the size of the bounty. I was just so happy and excited to earn my first reward on my own."

Since joining the hacker community, Lopez has reported over 1,600 security flaws to companies including Twitter and Verizon Media Company. He’s also worked on different private corporate and government initiatives.

"I never knew anything about hacking. I didn’t even know it existed until I saw the movie Hackers, which opened up a whole new world for me. As I learned more, I realized that I was naturally drawn to the types of challenges and problem solving opportunities associated with hacking.

Lopez said that he is completely self-taught and learned most of his hacking techniques through the internet. I watched online tutorials and also read a lot about hacking. This is how I became the hacker that I am today. It took me a long time to find my first vulnerability, but with patience and effort it can definitely be achieved.”

In related news, HackerOne has today released its 2019 Hacker Report, which is the result of a survey of more than 3,667 hackers from over 100 countries and territories. The report found that 2018 was a big year for bounty payouts, with hackers earning $19 million in bounties.

While India and the US remain the most popular hacker locations, the African continent is starting to welcome hacker activity. According to the report, more than six African countries launched engagements with hackers in 2018.

Source: Information Security Magazine

Sextortion Scammers Target Employees

Sextortion Scammers Target Employees

Corporate employees are more likely to receive a sextortion scam today than an impersonation or Business Email Compromised (BEC) attack, according to new data from Barracuda Networks.

The security vendor analyzed malicious emails sent to its customers and found one in 10 (11%) spear-phishing attempts can now be classed as sextortion.

Typically these try to convince users to pay a cryptocurrency fee in order for the hacker not to release a non-existent webcam video of the victim watching porn. They use personal information harvested from the dark web including log-ins and email addresses to lend credibility to the blackmail threat.

According to Barracuda Networks, the black hats are evolving their tactics to bypass traditional filters.

“Many sextortion emails end up in users’ inboxes because they originate from high-reputation senders and IPs. In fact, hackers will use already compromised Office 365 or Gmail accounts in their campaigns,” it said.

“These emails don’t usually contain any malicious links or attachments that traditional gateways will look for. Attackers have also started to vary and personalize the content of the emails, making it difficult for spam filters to stop them.”

The scams are also under-reported due to their embarrassing nature and so IT teams are often unaware of the scale of the problem, the vendor claimed.

Interestingly, the education sector is by far the most popular target, accounting for over half (55%) of the attacks detected by Barracuda, followed by government (14%) and business services (11%).

Organizations should combine anti-spear-phishing and account takeover protection tools with employee training and awareness exercises to help mitigate the threat, Barracuda Networks advised.

Source: Information Security Magazine

Tik Tok Kids’ App Hit by Record $5.7m FTC Fine

Tik Tok Kids’ App Hit by Record $5.7m FTC Fine

US regulators have handed a Chinese-owned social networking app a record fine after it illegally collected the personal data of children who used it.

A Federal Trade Commission notice issued this week revealed that Music.ly, now incorporated into Tik Tok following its acquisition by China’s ByteDance, has agreed to pay $5.7m to settle the case.

The FTC alleged that the video-sharing app broke the Children’s Online Privacy Protection Act (COPPA) by failing to seek parental consent from users under the age of 13 before collecting information.

This data included email addresses, phone numbers, usernames, first and last names, short biographies, and profile pictures. The app also came under fire for allowing accounts to remain public by default, with profile pics and bios remaining viewable by all even if users went private.

They could still be messaged directly by other users, and the FTC noted that there had been reports of adults trying to contact users via the app. It added that until 2016, users were able to view all others signed up within 50 miles.

“The operators of Musical.ly — now known as TikTok — knew many children were using the app but they still failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13,” said FTC Chairman Joe Simons. “This record penalty should be a reminder to all online services and websites that target children: We take enforcement of COPPA very seriously, and we will not tolerate companies that flagrantly ignore the law.”

The FTC claimed that over 200 million users have downloaded the Musical.ly app worldwide, including 65 million in the US.

John Fokker, head of cyber investigations at McAfee, argued that the tech industry “needs to up its game” regarding age verification and protection of younger users.

“But the responsibility also lies with parents to ensure their children are only signing up for services they’re old enough and wise enough to use,” he added. “Despite our children becoming heavy tech users, we found that only two fifths of British parents monitor their children when using internet-connected devices.”

Source: Information Security Magazine

Coinhive Monero Miner Set to Close

Coinhive Monero Miner Set to Close

Cryptocurrency mining tool Coinhive has decided to shut up shop, although not because of its rampant abuse by hackers over the past two years.

The team behind the Monero miner revealed all in a brief post on Tuesday, claiming that the 18-month project had come to an end as it was no longer economically viable.

“The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the ‘crash’ of the cryptocurrency market with the value of XMR depreciating over 85% within a year. This and the announced hard fork and algorithm update of the Monero network on March 9 has led us to the conclusion that we need to discontinue Coinhive,” it explained.

“Thus, mining will not be operable anymore after March 8, 2019. Your dashboards will still be accessible until April 30, 2019 so you will be able to initiate your payouts if your balance is above the minimum payout threshold.”

Although a legitimate browser-based mining tool, Coinhive sprung to notoriety quickly as it was abused by cyber-criminals around the world.

In February last year, it was found on over 4000 sites including several belonging to US and UK government agencies, after a supply chain installation.

As of December 2018, it remained the most prevalent ‘malware’ detected by Check Point for the 13th straight month, impacting 12% of organizations worldwide.

Other cryptocurrency mining software filled out the rest of the top four “most wanted” list compiled by the security vendor.

Although cryptojacking technically does not result in any data theft or serious IT operational issues, it can crash systems and — when installed on corporate servers — result in increased power consumption/charges and shorten replacement cycles for expensive kit.

Trend Micro claimed this week that detections of cryptocurrency mining malware passed the one million mark for the first time in 2018, a 237% increase from 2017 figures. However, hackers are increasingly expanding their methods of spreading these tools, to include exploit kits, plug-ins, abused ad platforms, server exploits and more, it said.

Source: Information Security Magazine

SSL-Based Phishing Surges 400% from 2017

SSL-Based Phishing Surges 400% from 2017

Hackers are increasingly using encrypted traffic to hide their attacks from security filters, with phishing emails soaring in popularity, according to new data from Zscaler.

The cloud security provider processes more than 60 billion transactions per day and claimed that hiding threats in SSL traffic has become standard practice among the black hats.

Its biannual 2019 Cloud Security Insights Threat Report revealed that the vendor blocked 1.7 billion advanced threats hidden in SSL traffic from July to December 2018, amounting to an average of 283 million per month.

This included 2.7 million phishing attempts each month, an increase of over 400% from 2017 figures.

This chimes somewhat with a new report from Trend Micro released this week, which revealed the vendor blocked 269 million phishing URLs last year, a 269% increase over 2017.

Other malicious activity blocked by Zscaler in the second half of 2018 included 32 million botnet callback attempts per month, and 240,000 browser exploitation attempts. In addition, nearly 32% of newly registered domains blocked by the firm were ‘protected’ with SSL encryption.

Zscaler CTO, Amit Sinha, argued that the trend towards having everything encrypted by default is great for user privacy, but it presents a challenge to security teams.

“Decrypting, inspecting, and re-encrypting traffic is non-trivial, causing significant performance degradation on traditional security appliances, and most organisations are not equipped to inspect encrypted traffic at scale,” he added. “With a high percentage of threats now delivered with SSL encryption, and over 80% of internet traffic now encrypted, enterprises are blind to over half of malware sent to their employees.”

Zscaler also noted an increase in SSL-based JavaScript skimming attacks on e-commerce sites, a reference to the growing number of bad actors using Magecart code to harvest shoppers' card details as they are entered in. Popular brands including BA, Ticketmaster and Newegg have already been breached this way.

“With the increase in JavaScript skimmer-based attacks, criminals can conduct their nefarious activity within the confines of the SSL environment, leaving most e-commerce sites unaware of the activity,” warned Zscaler VP of security research, Deepen Desai.

Source: Information Security Magazine

Global Spam Calls Hit 85 Billion in 2018

Global Spam Calls Hit 85 Billion in 2018

Global spam calls have soared by 325% over 2018 to reach a staggering 85 billion worldwide, according to new findings from Hiya.

The Caller ID company claimed in its first Global Robocall Radar report that spam rates in Spain (24%), the UK (22%), Italy (21%) and France (20%) are the highest in the world.

These are more than mere nuisance calls: Hiya claimed that they can expose victims to serious fraud attempts.

The top four types of voice spam campaign listed include bank account scams in which the caller pretends to be a representative of the recipient’s bank with the aim of gaining account details, and “neighbor scams” in which the caller pretends to be a nearby friend or business, aided by VoIP software that spoofs their phone numbers.

The wangiri or one-ring scam sees the fraudsters call just once and in so doing entice users into calling back to premium rate international numbers owned by the scammer. Some robocalls even demand payment from random phone users for the return of a ‘kidnapped’ family member or friend.

However, the various tactics used around the world vary from country to country. In the UK, robocalls selling fake payment protection insurance (PPI) are popular, as are malware-laden SMS messages spoofed to appear as if sent from HMRC.

In the US, calls pretending to come from the IRS and neighbor scams are popular, according to the report.

New rules introduced in September by UK regulator Ofcom could help to mitigate the threat from such spam calls.

They've banned phone companies from charging for the Caller ID service that helps users screen their calls and mandate that any phone numbers displayed to users must be valid and can be called back.

Phone companies have also been forced to block calls with invalid numbers and Ofcom now has the power to take back whole blocks of numbers from telcos if they’ve been used repeatedly to carry out nuisance calls and fraud.

Source: Information Security Magazine

Threat Report Tries to Change Security's Narrative

Threat Report Tries to Change Security's Narrative

Over the course of the second half of 2018, criminally motivated attackers were able to cause significant damage to enterprises without their knowledge by using not-so-sophisticated attacks, according to a new report from Gigamon.

Not surprisingly, the report found that the top three malware threats of 2018 were Emotet, LokiBot and TrickBot. While these malware threats seemed to be vying for position of most prevalent in the middle of the year, attackers increased their use of Emotet, which turned out to be the front-runner by the year’s end, according to the report.

"Most notably, Emotet’s rapid increase began in early November 2018, which continued through late December 2018. During this time, Emotet campaigns appeared daily with different attachment hashes, different attachment filenames and different email subject lines. On or about 21 December 2018, Emotet went silent and remained silent through the first weeks of 2019."

Despite its being widely known in the security industry as the top threat and the most frequently delivered malware, Emotet is still able to evade detection, which is one reason why the report advised that CISOs should be aware of the malware’s ability to steal sensitive corporate information.

"Due to Emotet’s polymorphic nature, it is difficult to detect by signatures alone, so organizations must be able to identify Emotet’s network communications behaviors to mitigate its rapid proliferation. Security teams should examine both north/south C2 communications as well as east/west lateral communications."

LokiBot also proved useful in business email compromise, as once it was installed, attackers were able to execute other malicious code. "Attackers tied to the ransomware outbreak in the Ukraine targeting major banks, utilities and telcos also installed a variant of LokiBot to not only make the compromised machine inoperable, but to also steal credentials and information."

According to the report, one objective of the research was to change the cybersecurity narrative by educating CISOs on how to mitigate these prevalent threats. To that end, the report advised that CISOs be dedicated to studying the behavior of successful threats, and apply known research in the development of a robust set of indicators and detection mechanisms. When security teams are able to leverage new indicators and detection mechanisms across comprehensive network visibility, they are better positioned to use gained insight that will enable them to reduce risk.

Source: Information Security Magazine

Scarlet Widow Targets K-12 Schools, Nonprofits

Scarlet Widow Targets K-12 Schools, Nonprofits

A gang of known scammers allegedly based in Nigeria is believed to be targeting schools in the K-12 sector along with the Boy Scouts and other nonprofit organizations around the world, according to a report published by Agari.

The group has been named "Scarlet Widow," and the most recent report reveals a new pattern of attacks targeting nonprofit organizations, K-12 school districts, and universities – using a directory scraping technique the Scarlet Widow gang calls 'bombing.' The group has also been identified as targeting single men and women with romance scams in early February. 

Using email fraud attacks, Scarlet Widow appears to go after some of the more vulnerable organizations around the globe, including dozens of small-town schools and school districts in Indiana and Wisconsin. Attackers have also reportedly gone after US and UK-based nonprofits including Boy Scouts of America and the Salvation Army as well as universities in Florida, the UK, New Zealand and Australia, Agari found.

"When Scarlet Widow goes after nonprofits, the group primarily uses publicly-accessible websites to scrape contact information for employees," wrote Crane Hassold, Agari's Senior Director of Threat Research. "Working off a list of identified websites that contain directories of nonprofit organizations, Scarlet Widow uses a web scraper to traverse the online directory and collect email addresses associated with each organization—a process they refer to as 'bombing' an online directory."

The attackers leverage business email compromise tactics to target the organizations ranging from a chapter of the United Way, a Texas-based ballet foundation, a North Carolina physician, an Archdiocese of the Catholic Church in the Midwest, and several chapters of the YMCA. An investigation revealed that Scarlet Widow had collected information from more than 30,000 individuals at 13,000 organizations across 12 different countries.

The Scarlet Widow scammers have reportedly been using a peer-to-peer cryptocurrency exchange, Paxful, to convert fake gift cards into cryptocurrency. In investigating Scarlet Widow, researchers found that, "By first advertising the stolen cards on Paxful, the group can successfully turn them into bitcoin, which they can then trade on Remitano for a specified price. Once the Scarlet Widow actors have exchanged their bitcoin and the buyer’s funds are in their bank account, the process of converting illicit gift cards into cash is complete."

Source: Information Security Magazine

APT Uses Arsenal of Tools to Evade Detection

APT Uses Arsenal of Tools to Evade Detection

The advanced persistent threat (APT) group known since 2013 as BRONZE UNION, as well as Emissary Panda, APT 27 and LuckyMouse, is believed to be based in China, according to Secureworks.

Published today, the State of the [BRONZE] UNION Snapshot and A Peek into BRONZE UNION’S Toolbox, are based on nearly two years of continuous,in-depth visibility of the group’s threat campaigns.  

Researchers have tracked the group’s activities, including its persistent and long-term approach to espionage, and their analysis of network compromises suggests that since 2016 BRONZE UNION has been using a range of capabilities and tactics to target data mostly from political, technology, manufacturing and humanitarian organizations.

Focused on espionage activities, the threat group’s tactics ranged from stealing data about cutting-edge weapons technologies to spying on dissidents and other civilian groups, according to researchers.

Using stolen credentials, the threat actors have been able to compromise business email accounts and then use that access to perform different tasks from keyword searches to downloading email attachments and data.

The arsenal of intrusion methods and tools used by the group have been problematic for defenders as the sophisticated skills of the attacks allows them to evade common security tools and escalate their privileges, according to the report.

The group often uses services, tools and credentials native to the compromised environment, a technique commonly known as living off the land. "After obtaining access to a network, the threat actors are diligent about maintaining access to high-value systems over long periods of time,” researchers wrote.

A distinguishing pattern of the BRONZE UNION activity is that they seem to have a routing maintenance schedule where they return to compromised networks every three months. Researchers suspect that this schedule aligns with the time frame many organizations use to force password changes.

“The threat actors have access to a wide range of tools, so they can operate flexibly and select tools appropriate for intrusion challenges. During complex intrusion scenarios, the threat actors leverage their proprietary tools, which offer custom functionality and lower detection rates.”

Source: Information Security Magazine

Malicious Suicide Game, Momo Challenge, Targets Kids

Malicious Suicide Game, Momo Challenge, Targets Kids

Police in Northern Ireland and National Online Safety have issued warnings to parents regarding the disturbing and potentially dangerous Momo Challenge that has resurfaced in social media apps, including WhatsApp and YouTube Kids.

According to a report from Mirror, hackers have spliced images of Momo into children’s videos, including Peppa Pig and Fortnite. The images share a number for users to text to connect with Momo on WhatsApp, at which point the hackers engage with users asking them to perform seemingly meaningless tasks. The requests eventually become quite eerie, though.

“Momo is a sinister ‘challenge’ that has been around for some time. It has recently resurfaced and once again has come to the attention of schools and children across the country. Dubbed the ‘suicide killer game,’ Momo has been heavily linked with apps such as Facebook, WhatsApp, YouTube, and most recently (and most worryingly)…YouTube Kids,” National Online Safety warned.

The frightening figure is that of a doll with bulging eyes and powder-white skin who reportedly shares disturbing graphic images both depicting violence and asking recipients to partake in dangerous challenges.

According to PediMom, a parenting blog, when the challenge surfaced several months ago, a mother reported that her child was watching a YouTube Kids video when “four minutes and forty-five seconds into the video. The man quickly walked in, held his arm out, and tracing his forearm, said, 'Kids, remember, cut this way for attention, and this way for results,' and then quickly walked off.”

Resoundingly, the message from police is that parents assure their children that this challenge – and others similar to it – are not real. Hackers are believed to be using Momo as a way to harvest information from participants.

A spokesperson for the NSPCC in Northern Ireland told the BBC, "The constantly evolving digital world means a steady influx of new apps and games and can be hard for parents to keep track of. That's why it's important for parents to talk regularly with children about these apps and games and the potential risks they can be exposed to.”

The NSPCC also issued a warning on its Facebook page advising parents to monitor their children's online time and supervise them when playing games or watching videos. NSPCC noted, "This game conceals itself within other harmless looking games played by our kids! There has also been reports of parts of the game being viewable on YouTube…when downloaded tells your child to communicate with them via WhatsApp and a number of other widely used apps. "Momo" then tells your child to self harm or she will put a curse on them!"

Source: Information Security Magazine