
Criminals Try to Schedule Spam in Google Calendar

A sophisticated scam is targeting Gmail users through fraudulent, unsolicited Google Calendar notifications as well as through other Google services, including Photos and Forms, according to Kaspersky.

In these scams, criminals are exploiting Google Calendar’s default setting, which automatically adds invitations and their notifications to a user’s calendar.

Cyber-criminals reportedly send targets an unsolicited calendar invitation containing a link to a phishing URL. A pop-up notification of the invitation appears on the smartphone’s screen, tempting the recipient to click the link. The website they land on asks them to enter their credit card details and some personal information – which is sent straight to the scammers.

“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps,” said Maria Vergelis, security researcher at Kaspersky, in a press release.

“But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it. So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time. The good news is that it’s fairly easy to avoid such a scam – the feature that enables it can be easily turned off in the calendar settings.”

Kaspersky advised that turning off the auto-add feature will help prevent users from falling victim to the scam. “To do so, open Google Calendar, click the settings Gear Icon, then on Event Settings. For the ‘automatically add invitations’ option, click on the drop-down menu and select ‘No, only show invitations to which I've responded’. Below this, in the View Options section, make sure ‘Show declined events’ is NOT checked, unless you specifically wish to view these,” today’s press release said.

In addition to the Calendar service, scammers are also leveraging Google Photos, sending pictures that detail a large remittance that the recipient can receive if they reply to the email address supplied in the message.

“A photo of a nonexistent check should immediately betray the scammers’ intentions. The check states that some commission fee will unlock a much larger amount. After the victim pays up, the scammers simply vanish into the ether,” researchers wrote.

Source: Information Security Magazine

Data of 1m Users Lost in EmuParadise Breach

Community members have taken to social media to share the news that the accounts of more than 1 million gamers were reportedly leaked after EmuParadise suffered a data breach, according to multiple reports. 

Some of those impacted by the data breach of the retro gaming site, which used to host ROMs, said that over the weekend they started receiving notices that their accounts had been compromised in a data breach.

“The retro gaming website EmuParadise was breached in April 2018. The vBulletin forum exposed 1.1m email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes. 71% of addresses were already in @haveibeenpwned,” one tweet read.

The site boasts “a huge community, a vast collection of gaming music, game related videos (movies, fmvs, etc.), game guides, magazines, comics, video game translations and much much more!” Infosecurity has contacted EmuParadise and will update if the company responds.

“We know even less about this breach than most. We know the source of the database, and the fact that it exists, but there are no details about how the incident occurred,” said Tim Erlin, vice president of product management and strategy at Tripwire. “It’s been well understood that MD5 is insecure for more than a decade, and its weaknesses have been actively exploited. Despite these known issues, MD5 has persisted for a long time.”

“It would be extremely rare to see new applications making use of MD5 for secure hashing. The problem is that there are so many legacy systems out there, following the modernized adage ‘if it ain’t down, don’t touch it.’ Until these applications are replaced, or the underlying infrastructure stops supporting MD5, we’ll continue to see this type of persistence.”
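The comments above make the point that salted MD5 password hashes linger in legacy systems until those systems are replaced. As an added example (not EmuParadise’s, vBulletin’s or Tripwire’s code; the record formats and iteration count are assumptions), the following Python verifies legacy salted-MD5 records, transparently rehashes them with PBKDF2-HMAC-SHA256 on the user’s next successful login, and measures why the difference matters to anyone holding a leaked table.

```python
import hashlib
import hmac
import os
import time

# Record formats are assumed for this example (not vBulletin's or EmuParadise's):
#   legacy:  "md5$<salt>$<hex md5(salt + password)>"
#   current: "pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>"
PBKDF2_ITERATIONS = 600_000


def legacy_md5_hash(password: str, salt: str) -> str:
    """Build a legacy salted-MD5 record, as a system being migrated would hold it."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"md5${salt}${digest}"


def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    """Build a record using a deliberately slow, salted key derivation."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, comparing digests in constant time."""
    scheme, *parts = stored.split("$")
    if scheme == "md5":
        salt, digest = parts
        expected = hashlib.md5((salt + password).encode()).hexdigest()
        return hmac.compare_digest(expected, digest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")


def login(password: str, stored: str) -> tuple[bool, str]:
    """Verify the password and return the record the database should now hold.

    A legacy MD5 record is replaced with a PBKDF2 record on the next successful
    login, so the weak hashes disappear without forcing a password reset.
    """
    if not verify(password, stored):
        return False, stored
    if stored.startswith("md5$"):
        return True, pbkdf2_hash(password)
    return True, stored


def relative_cost(trials: int = 200) -> float:
    """How many times more work one PBKDF2 guess costs than one salted-MD5 guess.

    An attacker with a leaked table pays this factor on every guess, which is
    what makes a slow password hash defensible and a fast one not.
    """
    start = time.perf_counter()
    for i in range(trials):
        legacy_md5_hash("guess", str(i))
    md5_each = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    pbkdf2_hash("guess", b"fixed-salt-for-timing")
    return (time.perf_counter() - start) / md5_each


if __name__ == "__main__":
    record = legacy_md5_hash("correct horse battery", "1f2e")
    ok, upgraded = login("correct horse battery", record)
    print(ok, upgraded.split("$")[0])
    print(f"one PBKDF2 guess costs ~{relative_cost():,.0f}x a salted-MD5 guess")
```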


Source: Information Security Magazine

Vectra Raises $100m in Series E Funding

After having experienced 104% growth in annual recurring revenue in 2018 over 2017, Vectra has today announced that it closed a $100 million funding round led by TCV, bringing the company’s total funding to date to more than $200 million, according to a June 10 press release.

The triple-digit Series E round, in which existing investors also participated, comes only one year after Vectra raised $36 million in Series D funding. The financing is expected to drive the company's growth and market expansion in a cloud security market that Forrester Research estimates at $12.7 billion.

While critical security gaps leave organizations vulnerable, consumers continue to use online services for everything from entertainment to banking. Securing consumer data and preserving their privacy is critical to maintaining trust and preserving an organization’s reputation, a Vectra spokesperson said. The business impact of lost revenue and shareholder value resulting from consumer data breaches in the cloud is significant, which is making cloud security a board-level priority.

“TCV has an extensive track record of partnering with enterprise security companies, including Rapid7 and Splunk, from growth stage to public,” said Tim McAdam, general partner at TCV and member of the Vectra board of directors. “In our research on the category, it became clear to us that Vectra was rapidly gaining momentum with customers by rethinking the way enterprises view both network and cloud security. The Vectra Cognito platform is poised to become requisite in the security infrastructure of multinational enterprises and midsize businesses alike.”

“The cloud has inherent security blind spots, making it imperative to eliminate cyber-risks as enterprises move their business to the cloud,” said Hitesh Sheth, president and chief executive officer at Vectra. “The Cognito platform enables them to stop hidden cyber-attacks in the cloud. We look forward to partnering with TCV and our existing investors as we continue our rapid growth.”

Source: Information Security Magazine

UK Taxpayers Overwhelmed with Phishing Scams

HMRC has received over 2.6m reports of phishing attempts over the past three financial years, according to a new Freedom of Information (FOI) request from a think tank.

The tax office processed a total of 2,602,528 reports of phishing emails and texts as well as phone scams from 2016-19, according to Parliament Street. Although the worst year was 2016-17 (921,900), 2018-19 saw an increase of 15% over the previous year to reach 897,649.

The largest number were fraudulent emails spoofing tax rebate messages, which accounted for 1,957,003 reports over the three years. The worst year for these was 2016-17, accounting for 733,980.

Next came scam SMS messages, which accounted for 150,009 over the past three financial years — although the volume of these has dropped by almost half between 2016-17 and 2018-19, according to the report.

The number of phone scams reported to the tax office has soared alarmingly over the period: from just 407 in 2016-17 to 104,774 reports in 2018-19.

The number of taxpayers who admitted disclosing financial details to the phishers was 10,647 in 2016-17, but then dropped considerably in the succeeding years, to total 18,792 for the three years. That equates to a success rate of less than 1%.

Also reassuring is the number of phishing websites being reported for removal: 50,323 over the three years, with 2017-18 being the worst year with 19,198 reports.

HMRC is said to be the government’s most abused ‘brand’, but it has been getting better at combating the fraudsters, having implemented DMARC in 2016, for example. This has helped the agency block hundreds of millions of phishing emails, while a Customer Protection Team follows up reports from taxpayers to take down phishing sites.

However, the wider business community may be less well protected, according to Centrify VP, Andy Heather.

“These incidents are just a snapshot of techniques used by hackers to gain confidential financial information as well as credentials and passwords. In many cases we’re seeing fraudsters gaining access to company data, using legitimate user ID and log-in details, without raising suspicion,” he argued.

“For businesses, it’s time to face the reality that cyber-attackers now no longer hack in, they log in using credentials and passwords that are weak, stolen or in cases of phishing are simply handed over to them. Tackling this problem means adopting a zero-trust approach to all user accounts, ensuring every employee who tries to access critical information is screened with the necessary password, location and authentication procedures to ensure they are who they say they are.”

Source: Information Security Magazine

Microsoft Warns of Campaign Exploiting 2017 Bug

Microsoft has alerted users to a new campaign utilizing a vulnerability which was discovered and patched back in 2017 to download a backdoor Trojan to victim machines.

Spam emails have been detected in various European languages carrying malicious RTF attachments which feature an exploit for CVE-2017-11882, the computing giant said in a series of tweets on Friday.

“The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks. Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates,” it said.

“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down.”

Although the domain in question is currently out of service, the attackers may in future update the campaign to connect to a working C&C domain. This could enable the download of additional payloads, leading to infection with ransomware or banking Trojans, information theft and more.

“Office 365 ATP detects the emails and attachments used in this campaign. Windows Defender ATP detects the documents as Exploit:O97M/CVE-2017-11882.AD and the payload as Trojan:MSIL/Cretasker,” Redmond’s security team concluded.

“Other mitigations, like attack surface reduction rules, also block the exploit.”

The software flaw in question, which exists in Microsoft Office’s Equation Editor, has been incredibly popular with attackers since it was discovered a couple of years ago, as it requires no user interaction to work.

It was used by APT34, an Iranian cyber espionage group, and just last week was spotted in attacks on central government targets delivering the Hawkball backdoor. It’s also been used to spread the infamous Cobalt malware and a RAT which uses the popular Telegram Messenger app for its command and control (C&C).

Source: Information Security Magazine

Sextortion Scammers Pose as Corrupt CIA Agents

In a new sextortion scam, cyber-criminals are posing as corrupt officials of the CIA and demanding $10,000 from their targets whose names they claim to have found in an investigation into online pedophiles, according to Kaspersky Lab.

Victims reportedly receive an email authored by what appears to be a corrupt CIA agent involved in “a large international operation set to arrest over 2,000 people suspected of pedophilia, in over 27 countries.”

The information the department supposedly holds includes the victim’s name, phone number and email, along with the person's home and work addresses. The scammer also claims that the CIA has information about relatives, reportedly obtained from a range of sources, including ISPs, online chats and social networks, researchers said.

The note alleges that the victim’s contact details and those of their relatives are being held as part of the operation identified as case #45361978 (relating to possession and distribution of child pornography, or so it seems).


The fake agent offers to remove all files relating to the victim in return for a payment of $10,000 in cryptocurrency, but time is of the essence, as the letter also notes that arrests will begin in two weeks' time. As a result, the payment must be received within nine days of the letter.

“Compared with regular sextortion spam, the 'CIA' message is well-written, with grammatically correct, stylistically restrained language in a quite official-sounding tone. The scammers also took care of the layout: The message text is nicely formatted and easy to read, and the effect is amplified by the CIA emblem staring out from the screen,” researchers wrote.

“However, just because the message looks more imposing doesn’t make it more true. Don’t be offended, but the CIA is unlikely to give a hoot about you. The scammers most likely found your email address in a database leaked online, or even just came across it by chance.”

Kaspersky recommends trashing any such messages immediately. “Our number one tip is don’t panic,” the researchers said. Beyond that, they advised that recipients do not reply to the email and never consider paying a ransom to scammers.

Source: Information Security Magazine

New Adware Found in 200+ Google Play Apps

New adware known as BeiTaAd was found embedded in 238 applications in the official Google Play store, which together have been installed by 440 million Android users, according to security researcher Kristina Balaam of Lookout.

“BeiTaAd is a well-obfuscated advertising plug-in hidden within a number of popular applications in Google Play. The plug-in forcibly displays ads on the user’s lock screen, triggers video and audio advertisements even while the phone is asleep and displays out-of-app ads that interfere with a user’s interaction with other applications on their device,” Balaam wrote.

The ads displayed, which become visible at least 24 hours after the application is launched, are so pervasive that users impacted by the adware have reportedly been unable to answer calls or interact with other apps. Balaam said that on one of the Lookout test devices, the out-of-app ads did not appear until two weeks after the application, Smart Scan, was launched.

“There is a very fine – and, one could argue, diminishing – line between adware and malware. They exhibit similar behaviors for disseminating content and techniques for avoiding detection and analysis,” said Usman Rahim, digital security and operations manager for The Media Trust.

“Adware can also be vulnerable, as there is little to no incentive for developers to patch up the flaws, and can leak data. In the wrong hands, adware plug-ins can be used to distribute malicious code to commit theft and fraud on millions of users. Companies that monetize their apps by featuring ads must thoroughly vet their vendors and continuously monitor what these vendors do to users. The temptation for vendors to exploit access to users is great and can put developers at odds with current and forthcoming privacy regulations.”

Source: Information Security Magazine

Entrust Datacard Closes on Thales' nCipher Security

Entrust Datacard announced today that it has completed its acquisition of Thales’ General Purpose Hardware Security Module (GP HSM) business, nCipher Security.

With this acquisition Entrust Datacard enhances its existing public key infrastructure (PKI) and SSL offerings, which the company says positions it to effectively secure customers’ sensitive information and business-critical applications as they implement new digital initiatives, particularly those using general purpose HSMs.

The hope is to better protect blockchain, crypto wallets and internet of things (IoT) manufacturing – some of the most vulnerable aspects of emerging business applications – and to help customers achieve compliance with stringent regulatory requirements such as the General Data Protection Regulation (GDPR) and electronic identification and trust services (eIDAS).

“We are extremely pleased to complete this acquisition and bring nCipher’s exceptional talent and technology into the Entrust Datacard portfolio,” said Todd Wilkinson, president and CEO of Entrust Datacard, in a press release.

“The need for secure network access and data integrity continues to multiply – from mobile devices and cloud services to connected IoT devices and digital payments. The use of HSMs is expanding across all of these domains. With nCipher now part of our solution portfolio, customers will benefit from our expanded offerings for the most sensitive, high assurance use cases.”

For nCipher, the deal brings 300 employees in as part of the Entrust Datacard team and expands its authentication and cloud capabilities, and allows it to offer advanced solutions from Entrust Datacard’s secure hosting facilities. “nCipher is excited to join the talented Entrust Datacard team. This acquisition quickly expands the global footprint for nCipher solutions and accelerates our strategy for ‘as-a-service’ offerings,” said Cindy Provin, CEO of nCipher Security.

“HSMs provide a foundation of trust for business applications such as PKI, blockchain, mobile payments and code signing. As a single company, Entrust Datacard is positioned to effectively secure our customers’ sensitive information and business critical applications as they implement new digital initiatives.”

Source: Information Security Magazine

Researchers Find 40,000+ Containers Exposed Online

Researchers have discovered over 40,000 Kubernetes and Docker container hosting devices exposed to the public internet through misconfigurations.

Palo Alto Networks’ Unit 42 revealed the results of its latest research in a blog post yesterday. The discovery was made via a simple Shodan search.

Some 23,353 Kubernetes containers were found in this way, located mainly in the US, as well as Ireland, Germany, Singapore, and Australia. Even more (23,354) misconfigured Docker containers were discovered exposed to the internet, mainly in China, the US, Germany, Hong Kong and France.

“This does not necessarily mean that each of these 40,000+ platforms are vulnerable to exploits or even the leakage of sensitive data: it simply highlights that seemingly basic misconfiguration practices exist and can make organizations targets for further compromising events,” explained senior threat researcher, Nathaniel Quist.

“Seemingly simple misconfigurations within cloud services can lead to severe impacts on organizations.”

This has happened several times in the past: attackers exploited weak security configurations to steal keys and tokens for 190,000 Docker Hub accounts, while poor container security also led to a major breach of 13 million user records at Ladders.

Digging down into the exposed containers they found, the Palo Alto researchers discovered unprotected databases, in one case exposing multiple email addresses.

“Misconfigurations such as using default container names and leaving default service ports exposed to the public leave organizations vulnerable to targeted reconnaissance,” Quist concluded.

“Using proper network policies or firewalls can prevent internal resources from being exposed to the public internet. Additionally, investing in cloud security tools can alert organizations to risks within their current cloud infrastructure.”

Some 60% of US organizations experienced security incidents related to their use of containers over the previous year, according to research from Tripwire released in January.

Source: Information Security Magazine

GateHub Users Lose $9.7m to Hackers

Two cryptocurrency firms have come under attack over recent days with users of one, GateHub, suffering losses estimated at nearly $9.7m.

The cryptocurrency wallet service provider sounded the alarm in a statement on Thursday, claiming an investigation had been started after around 100 XRP Ledger wallets were compromised. The firm urged users to transfer their funds from these to a hosted wallet.

An XRP security community revealed in a separate post that, as of Wednesday, 23.2m XRP (Ripple) coins had been stolen, of which 13.1m had already been laundered.

However, the cause of the attack remains a mystery.

“API requests to the victim’s accounts were all authorized with a valid access token. There were no suspicious logins detected, nor were there any signs of brute forcing. We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys,” said GateHub.

“That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1 after which the suspicious API calls were stopped.”
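GateHub describes the one anomaly it did see: valid tokens, no suspicious logins, but a surge of API calls from a small number of IP addresses. As an added example (not GateHub’s code; the log format, endpoints, addresses and thresholds are constructed), this Python flags client IPs that present valid tokens for several different accounts within a short window, and tokens that show up from more than one IP.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample API access log (not GateHub's real log format):
#   <timestamp> <client ip> <access token id> <account id> <method> <path>
# 203.0.113.x are ordinary users; 198.51.100.9 walks several accounts' keys
# with valid tokens, including one (tok_a1) also used from its owner's IP.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 203.0.113.7   tok_a1 acct_001 GET /v1/wallets
2019-06-01T10:00:05Z 203.0.113.7   tok_a1 acct_001 GET /v1/wallets/keys
2019-06-01T10:01:10Z 203.0.113.22  tok_b7 acct_002 GET /v1/wallets
2019-06-01T10:03:44Z 203.0.113.40  tok_c3 acct_003 GET /v1/wallets/keys
2019-06-01T10:04:02Z 198.51.100.9  tok_d4 acct_004 GET /v1/wallets/keys
2019-06-01T10:04:09Z 198.51.100.9  tok_e5 acct_005 GET /v1/wallets/keys
2019-06-01T10:04:15Z 198.51.100.9  tok_a1 acct_001 GET /v1/wallets/keys
2019-06-01T10:04:21Z 198.51.100.9  tok_f6 acct_006 GET /v1/wallets/keys
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    token: str
    account: str
    path: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, token, account, _method, path = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, token, account, path))
    return sorted(events, key=lambda e: e.ts)


def ips_touching_many_accounts(events, max_accounts=1, window=timedelta(minutes=10)):
    """Return {ip: accounts} for IPs that used valid tokens for more than
    `max_accounts` distinct accounts inside any `window`-long period.

    Every request is individually authorized, so per-request checks pass;
    only the per-IP view across accounts exposes the pattern."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            accounts = {x.account for x in evs[start:end + 1]}
            if len(accounts) > max_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged


def tokens_seen_from_multiple_ips(events):
    """A token presented from more than one client IP may have been stolen."""
    ips = defaultdict(set)
    for e in events:
        ips[e.token].add(e.ip)
    return {token: s for token, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("IPs spanning accounts:", ips_touching_many_accounts(evs))
    print("tokens from multiple IPs:", tokens_seen_from_multiple_ips(evs))
```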

The news comes as a separate digital currency platform managed to prevent a major theft of currency with some quick thinking.

Blockchain startup Komodo revealed it had discovered an attack targeting its Agama wallet application. Hackers had inserted malware into a supply-chain provider’s software, designed to steal cryptocurrency wallet seeds and other login passphrases.

“After discovering the vulnerability, our cybersecurity team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk,” Komodo said. “We were able to sweep around 8m KMD ($12.5m) and 96 BTC ($765K) from these vulnerable wallets, which otherwise would have been easy pickings for the attacker.”

Source: Information Security Magazine