Security News This Week: Nude Videos of Kids From Hacked Baby Monitors Were Sold on Telegram

Plus: A fitness app may have leaked the location of a murdered submarine captain, the privacy risks of filing taxes online, and how Facebook data was used in an abortion trial.
[Image: Baby monitor on a bedside table in a bedroom, its screen showing the sleeping baby. Photograph: MartinPrescott/Getty Images]

It was another busy week in security, complete with hacks, murders, prosecutions, and US congressional investigations. But first, here’s some news from the security desk at WIRED.

In spite of law enforcement’s crackdown on ransomware attacks in recent years, 2023 is set to be the second biggest year for ransomware revenue after 2021. Data from cryptocurrency tracing firm Chainalysis shows that in the first six months of 2023, victims have paid $449 million—nearly as much as the total payments in all of 2022. As the volume of attacks has spiked, ransomware groups have become more aggressive and reckless in their tactics.

Earlier this week, Microsoft revealed that a Chinese hacker group had accessed the cloud-based Outlook email systems of 25 organizations, including the US State Department. They employed a unique trick: using stolen cryptographic keys to generate authentication tokens, which gave them access to dozens of Microsoft customer accounts.

A man who played a major role in building the world’s first dark-web drug market has been sentenced to 20 years in federal prison. Roger Thomas Clark—also known as Variety Jones—will now likely spend much of the rest of his life incarcerated for helping to pioneer Silk Road, the anonymous, cryptocurrency-based model for online illegal sales of drugs.

And finally, we examined the rapid rise of real-time crime centers since the September 11, 2001, attacks. Across the US, more than 100 of these high-tech surveillance operations have popped up, leveraging CCTV, gunshot sensors, face recognition, and social media monitoring to keep watch over cities. But at what cost?

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories, and stay safe out there.

An explosive report from IPVM, a surveillance industry trade publication, found that child sexual abuse material sourced from hundreds of hacked Hikvision cameras is being sold on Telegram. The report states that hackers likely gained access to insecure Hikvision cameras by exploiting weak or known passwords, and then used the company’s mobile app to distribute access to the feeds.

IPVM found messages in Telegram channels that advertise access to the hacked cameras using terms like “cp” (child porn), “kids room,” “family room,” and “bedroom of a young girl” to entice potential buyers. Telegram has since taken down the channels, some of which had thousands of members.

Telegram has long been criticized for lax content moderation. In 2021, a nonprofit called the Coalition for a Safer Web sued Apple and demanded that the company remove Telegram from its App Store, citing the app’s failure to remove violent and extremist content.

Hikvision’s response was adversarial. “Hikvision knows nothing about these potential crimes,” the company said in a statement. “IPVM’s selfish decision to seek comment from us prior to alerting authorities is highly questionable and, in this instance, disgraceful.”

IPVM disputes this allegation and says it promptly contacted the FBI upon discovering the crimes.

A murdered Russian submarine captain may have been tracked by his killer through the Strava fitness app. According to the BBC, the commander, Stanislav Rzhitsky, kept a public Strava profile that detailed his jogging routes—including one that took him through the park where he was killed early this week.

Privacy experts have been concerned about the dangers posed by social fitness apps like Strava for years. In 2018, for example, researchers exposed several secret US military installations using public data from soldiers tracking their fitness with the app.

While the killer’s motivations are currently unclear, Russian investigators say they arrested a man named Serhiy Denysenko, born in Ukraine, in connection with the murder. According to several Russian Telegram channels, Denysenko was the former head of the Ukrainian Karate Federation.

Ukrainian media reported that Rzhitsky commanded a Russian Kilo-class submarine that may have carried out a deadly missile attack on the Ukrainian city of Vinnytsia last year. Rzhitsky’s personal information had previously been uploaded to the Ukrainian website Myrotvorets (Peacemaker), an unofficial database of people considered to be enemies of Ukraine, according to CNN.

Ukraine’s Defense Intelligence did not take responsibility for the commander’s death. “Obviously, he was eliminated by his own men for refusing to continue to carry out combat orders from his command regarding missile attacks on peaceful Ukrainian cities,” the agency wrote in a statement.

A congressional investigation, led by US senator Elizabeth Warren, found that millions of Americans who file their taxes online with H&R Block, TaxSlayer, and TaxAct had financial information shared with Google and Facebook. The investigation was spurred by a 2022 report by The Markup that revealed how the three companies were transmitting sensitive data to Facebook through a tool called the Meta Pixel. The data was sent as taxpayers filed their taxes and contained personal information, including income and refund amounts.

Warren and six other lawmakers wrote to the US Justice Department this week, asking for criminal charges against the tax companies for breaking laws forbidding them from sharing their clients’ personal information. “The tax prep firms were shockingly careless with their treatment of taxpayer data,” the lawmakers wrote.

A third of the 80,000 most popular websites on the internet use the Meta Pixel, a 2020 investigation by The Markup found. Website operators include the pixel to measure clicks from their ads on Facebook’s platforms, but at the expense of their users’ privacy. Crisis pregnancy centers, suicide hotlines, and hospitals have all been caught sending sensitive user data to Meta in the past few years.

The seven Democrats called on the US Internal Revenue Service to build its own free tax preparation software, though government services have also been caught using the Pixel to send data to Meta.

A Nebraska woman has pleaded guilty to criminal charges after helping her 17-year-old daughter with a medication abortion last year; key evidence against her included her Facebook messages. In mid-June of 2022, Nebraska police sent a warrant to Meta requesting private messages from the mother and daughter as part of an investigation into an illegal abortion, court documents show. The chats appear to show the mother instructing her daughter about how to take the pills. “Ya the 1 pill stops the hormones an rhen u gotta wait 24 HR 2 take the other,” reads one of her messages.

Since the US Supreme Court overturned Roe v. Wade in June 2022, experts have raised serious concerns about the variety of ways data will be weaponized by law enforcement who want to prosecute people seeking abortions. Because Facebook Messenger doesn’t default to end-to-end encryption (E2EE) the way messaging services like Signal, WhatsApp, and iMessage do, people are especially vulnerable to criminal investigations if they use the platform.

According to a recent report from Reuters, prosecutors told a London court that a teenager associated with the hacking group Lapsus$ was responsible for high-profile hacks of Uber and fintech company Revolut in September of last year. Arion Kurtaj, who is 18, faces 12 charges, including three counts of blackmail, two counts of fraud, and six charges under the UK’s Computer Misuse Act.

The Uber hack reportedly cost the company $3 million in damages. At the time, Uber said the hacker who took responsibility posted pornographic material to an internal information page alongside the message: “Fuck you wankers.”

Kurtaj, along with an unnamed 17-year-old, is also facing allegations of blackmailing BT Group, EE, and Nvidia. Prosecutors described the pair as “key players” in Lapsus$. Kurtaj has been deemed not fit to stand trial by medical professionals; the jury will decide whether he is responsible for the hacking incidents rather than guilty of them.