Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for the News Category

LinkedIn Data Found in Unsecured Databases

LinkedIn Data Found in Unsecured Databases

A security researcher identified eight unsecured databases that held "approximately 60 million records of LinkedIn user information."

GDI Foundation, where the security researcher is from, is a nonprofit organization with a mission to "defend the free and open Internet by trying to make it safer." The researcher, Sanyam Jain, contacted Bleeding Computer when he noticed "something strange." He was seeing unsecured databases containing the LinkedIn data "appearing and disappearing from the Internet under different IP addresses."

While the majority of the LinkedIn data was reportedly public, some of the data contained email addresses.

"According to my analysis the data has been removed every day and loaded on another IP. After some time the database becomes either inaccessible or I can no longer connect to the particular IP, which makes me think it was secured. It is very strange," Jain told Bleeding Computer. The total size of all of the databases was 229 GB, with each database ranging between 25 GB to 32 GB. 

As an experiment, Bleeding Computer editor Lawrence Abrams asked Jain pull his record from one of the databases and review it. According to the article, Abrams found the data contained in the record included "his LinkedIn profile information, including IDs, profile URLs, work history, education history, location, listed skills, other social profiles, and the last time the profile was updated." 

The email address Abrams used when he registered his LinkedIn account was also included. The editor doesn't know how the information got onto this database as he "always had the LinkedIn privacy setting configured to not publicly display his email address."

Each profile also contains what appears to be internal values that describe the type of LinkedIn subscription the user has and whether they utilize a particular email provider, according to Bleeding Computer. These values were labeled "isProfessional," "isPersonal," "isGmail," "isHotmail" and "isOutlook."

Bleeding Computer contacted Amazon, who was hosting the databases, and as of April 15, 2019, the databases were secured and were no longer accessible via the internet.

LinkedIn's Paul Rockwell, head of trust and safety, told the website: "We are aware of claims of a scraped LinkedIn database. Our investigation indicates that a third-party company exposed a set of data aggregated from LinkedIn public profiles, as well as other, non-LinkedIn sources. We have no indication that LinkedIn has been breached."

LinkedIn also told the outlet that in some cases an email address could be public and provided a link to a privacy page that allows users to configure who can see a profile's email address.

Source: Information Security Magazine

TA505 Targets Financial and Retail Using 'Undetectable' Methods

TA505 Targets Financial and Retail Using 'Undetectable' Methods

A financially motivated gang is targeting retailers and financial institutions around the world using remote access software. 

CyberInt's Research Lab has found that TA505 is using tactics and an off-the-shelf commercial remote administration tool, developed by Russian-based company TektonIT. The group was behind attacks on the global financial industry between December 2018 and February 2019 and is using the same techniques, according to the company. 

Proofpoint says that according to its actor profile, "TA505 is responsible for the largest malicious spam campaigns we have ever observed, distributing instances of the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan and several others in very high volumes."

"Although they are using phishing and social engineering to get the software into the organisations, once its installed, it’s virtually undetectable by traditional threat protection systems because it’s legitimate software,” says Adi Peretz, senior strategic consultant and head of research at CyberInt. “They are still very much active and this is only the beginning of our deep-dive investigation.”

According to the report, TA505 tried its hand at payloads such as stealing back doors and remote access Trojans following the decline in the popularity of ransomware, likely due to mitigation tactics. However, the illegitimate software is throwing others off the scent and making the group undetectable. 

"Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments," says the CyberInt report. "Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed."

The report goes on to say that if the macro, if executed, subsequently attempts to download "malicious payloads from the threat actor’s C2 infrastructure that in most cases also masquerades as, or mimics, legitimate-looking domains such as using names and misspellings related to ‘Cloud’, ‘Microsoft Office 365’ or ‘Security.’"

Source: Information Security Magazine

Fraudsters Exploit Sympathies Surrounding Notre Dame Tragedy

Fraudsters Exploit Sympathies Surrounding Notre Dame Tragedy

Fraudsters are preying on the goodwill of people everywhere by using the tragic fire of Notre Dame to their advantage.

According to research by security company ZeroFOX, cyber-criminals are "spreading misinformation about the disaster," which includes fake donation pages and launching new phishing campaigns. The company says in a blog post that "preying on the sympathy of those wanting to help victims is nothing new, but the technical underpinnings of the internet and its social media platforms allow hackers and spammers to scale their efforts at an unprecedented rate."

The blog goes onto explain that these threat actors use a variety of tactics, such as: 

  • Using bots on Twitter to spread donation links leading to spam or malware sites
  • Impersonating websites and social media accounts of legitimate charity organizations
  • Sending fraudulent charity emails with bad links or attachments
  • Registering domains related to the disaster
  • Creating fake donation campaigns on crowdfunding sites
  • Using fraud messaging that includes vague victim stories, pressure to act quickly or promises of high payouts for a company involved in cleanup

Most worryingly, the crowdfunding tactics might work more than anything else. There is a rise of raising money this way for help people in need, especially around tragic events such as this. Sites such as JustGiving might be copied to set up fake donation sites. "People looking to donate quickly may easily mistake a fraudulent donation page for the real page – losing their money and putting money in the hands of bad actors, not those in need," says the blog post. 

One example the ZeroFox Alpha Team found was on justgiving.com, where an anonymous user created this crowdfunding campaign supporting “Friends of Notre-Dame De Paris Inc.” "Based on the information provided (and lack of details) in the post, any supporter should be hesitant to donate to this particular fundraising effort," the post goes on to say. 

Another tactic targets social media users who follow trending hashtags. 

"In the case of the Notre Dame disaster, we have seen multiple instances of posters using the hashtag #NotreDameCathedralFire looking to capitalize on the tragedy," explains the post.

"[This example of one such post] is looking to sell 'services' using the Notre Dame fire hashtag." Users need to be be careful, it goes on, of any seller using hijacked hashtags, as they are "typically associated with scams and malicious links."

Example of potential crowdfunding scam – note the warning signs.
Example of potential crowdfunding scam – note the warning signs.

When it comes to avoiding scams related to this disaster, ZeroFOX recommends the following:

  • Review suggestions from crowdfunding sites on how to identify legitimate campaigns.
  • Be cautious of unfamiliar individuals or organizations soliciting donations or investments through social media, email or phone.
  • Conduct thorough research on charity organizations and use a website that rates organizations, such as Charity Navigator or CharityWatch.
  • Be cautious of requests for donations or investments in cash, by gift card, or by wiring money, which are frequent methods of payment for scams.
  • Report potential scams to crowdfunding sites, and reach out for a potential refund in the case of a suspected scam.

Source: Information Security Magazine

Cloud Security Spending Set to Top $12bn by 2023

Cloud Security Spending Set to Top $12bn by 2023

Global spending on cloud security is set to grow nearly 18% to reach $12.7bn by 2023, with protection for public cloud deployments prioritized over the coming years, according to a new report from Forrester.

Organizations spent $178bn on public cloud services last year, a figure that will grow to $236bn by 2020 — making security increasingly important to protect mission critical systems and sensitive data.

Infrastructure decision makers are particularly concerned about cyber risk, with over half (54%) implementing cloud solutions, the analyst claimed in its report, Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global).

The sheer complexity of cloud deployments, often covering multiple providers and hybrid deployments, also requires enhanced security to monitor data, detect anomalies, and intercept threats.

Public cloud remains the biggest focus for security investment. Some $4bn was spent on public cloud native platform security in 2018, accounting for over 70% of total cloud security spend and this will be the fastest-growth area to 2023, when it will reach $9.7bn, Forrester claimed

The good news is that these efforts appear to be working: just 12% of breaches targeted public cloud environments, while 37% of global infrastructure decision makers cited improved security as an important reason to move to the public cloud, according to Forrester.

The analyst was also keen to point out that there’s no single solution which can meet all an organization’s cloud security needs.

As mentioned, public cloud native solutions are growing fastest. These cover areas like: data classification, categorization and segmentation; server access control; user IAM; encryption; and logging, auditing, and anomaly detection.

Then there are cloud workload solutions designed to centralize and automate cloud security across multiple platforms and environments. This market is set to grow at 17.3% CAGR to reach $1.9bn by 2023.

Finally, cloud security gateways succeed where traditional security tools fail by encrypting data before it’s sent to SaaS applications; detecting shadow IT; data loss prevention (DLP); malware detection; and cloud access anomaly detection.

Source: Information Security Magazine

Dark Web Fraudsters Defraud Each Other with Fraud Guides

Dark Web Fraudsters Defraud Each Other with Fraud Guides

Cyber-criminals are doing a roaring trade in “how-to” fraud guides for their fellow scammers, although many are out-of-date and incomplete, according to new dark web research from Terbium Labs.

The cyber-intelligence firm analyzed nearly 30,000 of these guides to compile its latest report, Fraud Guides 101: Dark Web Lessons on How to Defraud Companies and Exploit Data.

These online documents typically include instructions on specific fraud capabilities such as account takeover, phishing, cashing out, doxing, synthetic fraud, account creation and so on.

They could feature instructions, personal notes from the author on their experiences of what works and what doesn’t, social engineering and technical advice, and more.

However, while it appears to be an ominously thriving industry, it’s unclear exactly how much value these guides are offering to the typical fraudster.  

According to Terbium Labs, over a quarter (26%) of guides are more than a decade old, and there are more out there from 2010 than 2017 and 2018 combined.

“Any guidance or information from within a few years is bound to still be helpful for criminals looking to get started, but once we get five or 10 years out, the value certainly decreases,” Terbium Labs VP of research, Emily Wilson, told Infosecurity.

“If buyers think they’re getting the most up-to-date methods in these major fraud collections, they’re going to be surprised and disappointed. These collections represent the information gathered over a couple of decades, rather than a highly curated group of the most recent materials.”

What’s more, three-quarters (75%) of those analyzed were found to be duplicates which have simply been repackaged and resold, at an average of £6 each.

“What we see here is a criminal community gathering information over time, and then doing what vendors do best: repackaging it and reselling it under their own name, looking for a new way to turn a profit,” Wilson continued.

“These guides require little work to gather, and even less work to throw into a zip file and market under your own brand. They’re in business to make money, and what better way to make money than to repackage someone else’s work and pass it off as your own?”

In addition, some 11% of fraud guide purchases the researchers attempted to make on the dark web turned out to be scams, the report revealed.

However, despite all the scams and the old and incomplete data found in many guides, the info gathered by the dark web intelligence vendor could still be useful for organizations trying to get inside the fraudster’s head. It could even be used by risk teams to help evaluate current fraud controls and detection services, for example.

Terbium Labs also ran a check on the appearance of personal and financial information in the guides to see what was of greatest interest to fraudsters.

Surprisingly, email addresses came out top, ahead of payment card data and other PII, according to the report.

Source: Information Security Magazine

DCMS Shares UK Journalists Emails, Potential GDPR Breach

DCMS Shares UK Journalists Emails, Potential GDPR Breach

The government department that is responsible for implementing the General Data Protection Regulation (GDPR) has committed an email faux pas with UK journalists which could also mean it has broken its own rules. 

Flagged by Guardian journalist Alex Hern on Twitter, the email was regarding its announcement on age verification rules on online pornography. Hern tweeted: "DCMS has just announced that the porn filters are coming online on July 15, in an email that cc's every media and technology journalist in Britain." 

According to the Information Commissioner's Office (ICO)'s website, "The GDPR applies wherever you are processing ‘personal data.' If the email addresses make obvious the name, such as 'initials.lastname@company.com,' GDPR will apply."

Furthermore, the GDPR protects people from being cold-emailed or spammed requiring explicit consent from individuals. If anyone on the mailing list didn't consent to being on it, there might be a breach.

What counts as consent?

  • Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data
  • Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly
  • Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity
  • You must make it easy for people to withdraw consent at any time they choose

While DCMS is a high-profile organization, breaches due to human error are not uncommon. In the last two years of reports of UK data breaches to the ICO, just 12% were the result of malicious attacks, according to Kroll. This means that 88% were the result of human error.

"Effective cybersecurity is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks," said Kroll managing director, Andrew Beckett, to Infosecurity Magazine in September 2018. "The majority of data breaches, and even many cyber-attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures."

The ICO confirmed it was aware of the incident, commenting: "We are in contact with the Department for Digital, Culture, Media and Sport regarding today’s email incident."

Source: Information Security Magazine

UK To Become First Country To Bring in Age-Verification for Online Pornography

UK To Become First Country To Bring in Age-Verification for Online Pornography

The UK will become "the first country in the world" to bring in age verification for online pornography, according to the Department for Digital, Culture, Media and Sport (DCMS). The measures, which come into force on July 15, 2019, mean that commercial providers of online pornography will be required by law to carry out robust age-verification checks on users to ensure they are 18 or over.

In its announcement this morning, the DCMS says "the move is backed by 88% of UK parents with children aged 7–17, who agree there should be robust age-verification controls in place to stop children seeing pornography online." It has also said that websites that fail to implement age-verification technology face having payment services withdrawn or being blocked for UK users.

Minister for digital Margot James said, "Adult content is currently far too easy for children to access online. The introduction of mandatory age-verification is a world-first, and we’ve taken the time to balance privacy concerns with the need to protect children from inappropriate content. We want the UK to be the safest place in the world to be online, and these new laws will help us achieve this."

The change in law is part of the government’s commitment to making the UK "the safest place in the world to be online, especially for children." It follows the publication of a whitepaper by the government department last week, which also referenced social media companies being more accountable for content on their sites.

The British Board of Film Classification (BBFC) will be responsible for ensuring compliance with the new laws.

Online pornography websites have also been a goldmine for stealing user credentials. In 2018, 850,000 attempts were made to steal porn credentials according to a report by Kaspersky Labs. The attacks had been focused on paid accounts for only two sites, Pornhub and XNXX.

Ransomware has also affected users of these sites, making underage users vulnerable. According to Kaspersky's report, ransomware poses as an application. Once in use it locks the screen of the device and shows a message stating that illegal content (usually child porn) has been detected on the device, and the device has been locked. In order to unlock the device, the victim has to pay a ransom.

Source: Information Security Magazine

Scranos Goes Global After Targeting China

Scranos Goes Global After Targeting China

A new password and data stealing operation that has been targeting China has started to infect users worldwide, according to Bitdefender Cyber Threat Intelligence Lab. 

Using a rootkit driver, which is believed to have been a possibly stolen certificate, the attack is still a work in progress with many components in the early stage of development, say the researchers behind the company's latest report, Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation.

"We discovered that the operators of this rootkit-enabled spyware are continuously testing new components on already-infected users and regularly making minor improvement to old components," according to the report. "The various components can serve different purposes or take different approaches to achieve their goals."

Some of these components identified include:

  • Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser
  • Steal a user’s payment accounts from Facebook, Amazon and Airbnb webpages
  • Send friend requests to other accounts, from the user’s Facebook account
  • Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well
  • Steal login credentials for the user’s account on Steam

Bitdefender's research reveals that the malware spreads via Trojanized applications "disguised as cracked software, or applications posing as legitimate software such as e-book readers, video players, drivers or even antimalware products." When executed, the rootkit driver is installed to cloak the malware and ensure persistence. The malware then phones home and is told what other components to download and install.

"Our telemetry shows the adware has a global presence, but it seems more prevalent in India, Romania, Brazil, France, Italy and Indonesia," continues the report. "All identified samples confirm that this operation is in a consolidation stage: the oldest samples identified date back to November 2018, with a massive spike in December and January. However, in March 2019, the command and control servers started pushing other strains of malware – a clear indicator that the network is now affiliated with third parties in pay-per-install schemes."

The rootkit driver, at the time the report was written, contains a valid digital signature with a certificate issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd.

"The most likely scenario is that an impersonator obtained this certificate fraudulently, even if the company is not a software vendor," the report deduces. 

The rootkit sets up and creates a device named DeviceVideoDriver and serves three main purposes, according to the report:

  1. Decrypts and injects the downloader in a svchost.exe process with system authority
  2. Deletes a specified file using low-level file system operations
  3. Registers an IRP_MJ_SHUTDOWN function which is used to ensure the persistence of this rootkit in the infected system by rewriting itself on disk and in the registry at every shutdown, in case it was deleted

Source: Information Security Magazine

Fifth of Web Traffic Comes from Malicious Bots

Fifth of Web Traffic Comes from Malicious Bots

Around a fifth of all web traffic last year was linked to malicious bot activity, with financial services hit more than any other sector, according to Distil Networks.

The security vendor compiled its 2019 Bad Bot Report from analysis of a global network covering thousands of anonymized domains.

It claimed to have discovered hundreds of billions of “bad bot” requests across this network, enabling large-scale, automated malicious activity including: web scraping, competitive data mining, personal and financial data harvesting, brute-force login and digital ad fraud, spam, transaction fraud and more.

The report revealed 20.4% of traffic to be linked to this kind of activity. Although this was a slight drop from last year, nearly three-quarters (74%) of these bots are classified as “Advanced Persistent Bots” (APBs) which are able “to cycle through random IP addresses, enter through anonymous proxies, change their identities, and mimic human behavior.”

In terms of ISPs, bad bot traffic was most likely to originate from Amazon (18%), while geographically, most traffic originated in the US (53%), according to the report. However Russia and Ukraine accounted for nearly half (48%) of blocking requests from Distil customers, given their notoriety.

Financial services had the highest percentage of malicious bot traffic (42%) thanks mainly to the uptick in credential stuffing designed to access and/or hijack user accounts. Between May and December 2018 Akamai tracked over a billion credential stuffing attempts on financial services firms.

However, ticketing (39%), education (38%) and government sectors (30%) were also badly affected. Government is unusual in that the motivations of attackers in this sector are not solely driven by financial gain, but also election (voter registration account) interference.

“Bot operators and bot defenders are playing an incessant game of cat and mouse, and techniques used today, such as mimicking mouse movements, are more human-like than ever before,” said Tiffany Olson Kleemann, CEO of Distil Networks.

“As sophistication strengthens, so too does the breadth of industries impacted by bad bots. While bot activity on industries like airlines and ticketing are well-documented, no organization — large or small, public or private — is immune. When critical online activity, like voter registration, can be compromised as a result of bad bot activity, it no longer becomes a challenge to tackle tomorrow. Now is the time to understand what bots are capable of and now is the time to act.”

Source: Information Security Magazine

EU: We Have No Evidence Kaspersky Lab is Security Risk

EU: We Have No Evidence Kaspersky Lab is Security Risk

The European Commission has admitted it has no evidence that Kaspersky Lab products are a national security risk to member states, despite the European Parliament voting last summer for a ban on the Russian AV company.

The revelations come in response to a question from right-wing European Parliament member (MEP), Gerolf Annemans.

It refers to the non-binding resolution, passed on June 13 2018, which branded Kaspersky Lab as ‘malicious’ and ‘dangerous.’

“Does the Commission know of any reason other than certain press articles that justifies the labelling of Kaspersky as ‘dangerous’ or ‘malicious,” especially since Member States such as Germany, France and Belgium do not perceive any problems with cooperation with the firm concerned?” he asked.

The Belgian MEP also asked whether the Commission is aware “of any reports or opinions of cyber-experts or consultancies about Kaspersky Lab, and can it give me references to them?”

In response, the Commission said it is “not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products,” and that “it did not commission any reports” into the issue to find out more.

“The Commission is following closely debates and developments concerning the security of IT products and devices in general, including discussions about potential measures related to access to the EU market,” it added.

“The EU is an open market, which can be accessed by foreign companies in compliance with EU rules. In addition, Member States have the competence to decide whether to exclude companies from their markets for national security reasons.”

That would seem to suggest that too much weight was given to US moves to ban the Moscow-based vendor at the time of the vote, despite it not being able to produce any proof to back up its claims of the firm being a national security risk. The UK also issued a warning in December 2017 for agencies not to use its products for processing information classified SECRET and above.

The European Parliament motion in question was framed in general terms about cyber-defense, yet only Kaspersky Lab was named, adding weight to the notion that it was unfairly singled out.

It’s unclear why it took so long to gain clarification from the Commission on this.

Source: Information Security Magazine