Sat.Apr 13, 2019 - Fri.Apr 19, 2019

MY TAKE: Most companies blissfully ignorant of rising attacks on most-used endpoint: mobile devices

The Last Watchdog

A dozen years after Apple launched the first iPhone, igniting the smartphone market, the Bring Your Own Device to work phenomenon is alive and well. Related: Stopping mobile device exploits. The security issues posed by BYOD are as complex and difficult to address as ever. Meanwhile, the pressure for companies to proactively address mobile security is mounting from two quarters.

MDM 154

How to Track Your Kids (and Other People's Kids) With the TicTocTrack Watch

Troy Hunt

Do you ever hear those stories from your parents along the lines of "when I was young." and then there's a tale of how risky life was back then compared to today.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

'Sea Turtle' DNS Hijacking Group Conducts Espionage: Report

Data Breach Today

Cisco Talos Researchers Describe Group's Methods A nation-state sponsored espionage campaign dubbed "Sea Turtle" has been manipulating the domain name system to target more than 40 organizations, including intelligence agencies - especially in North Africa and the Middle East, Cisco Talos warns.

231
231

How Not to Acknowledge a Data Breach

Krebs on Security

I’m not a huge fan of stories about stories, or those that explore the ins and outs of reporting a breach.

How to Solve 4 Common Challenges of Legacy Information Management

Speaker: Chris McLaughlin, Chief Marketing Officer and Chief Product Officer, Nuxeo

After 20 years of Enterprise Content Management (ECM), businesses still face many of the same challenges with finding and managing information. Join Chris McLaughlin, CMO and CPO of Nuxeo, as he examines four common business challenges that these legacy ECM systems pose and how they can be addressed with a more modern approach.

New DNS Hijacking Attacks

Schneier on Security

DNS hijacking isn't new, but this seems to be an attack of uprecidented scale: Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations.

More Trending

Australian Child-Tracking Smartwatch Vulnerable to Hackers

Data Breach Today

Report: Hacker Could Spoof Child's Location, View Personal Information An Australian company that markets a smartwatch designed to let parents monitor their child has taken its service offline after researchers revealed hackers could listen in on and spy on a child's location.

Experts: Breach at IT Outsourcing Giant Wipro

Krebs on Security

Indian information technology (IT) outsourcing and consulting giant Wipro Ltd. [ NYSE:WIT ] is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity.

IT 285

Source code of tools used by OilRig APT leaked on Telegram

Security Affairs

Lab Dookhtegan hackers leaked details about operations carried out by Iran-linked OilRig group, including source code of 6 tools.

China Spying on Undersea Internet Cables

Schneier on Security

Supply chain security is an insurmountably hard problem. The recent focus is on Chinese 5G equipment, but the problem is much broader.

Top 10 industries for monetizing data: Is yours one of them?

Find out which industries, use cases, and business applications are the best opportunities for data monetization. Understand what data is being monetized, who wants it, and why. Use data you already own to create new revenue sources. Download the eBook today!

10 Highlights: Cryptographers' Panel at RSA Conference 2019

Data Breach Today

Facebook's Cryptocurrency Folly, Scaling Security and Why Doomsday Is Temporary From blockchains and surveillance to backdoors and GDPR, a group of leading cryptographers rounded up the top cybersecurity and privacy matters of the day at the cryptographers' panel held at the recent RSA Conference 2019 in San Francisco.

‘Land Lordz’ Service Powers Airbnb Scams

Krebs on Security

Scammers who make a living swindling Airbnb.com customers have a powerful new tool at their disposal: A software-as-a-service offering called “ Land Lordz ,” which helps automate the creation and management of fake Airbnb Web sites and the sending of messages to advertise the fraudulent listings. The ne’er-do-well who set up the account below has been paying $550 a month for a Land Lordz “basic plan” subscription at landlordz[.]site that helps him manage more than 500 scam properties and interactions with up to 100 (soon-to-be-scammed) “guests” looking to book the fake listings. Currently, this scammer has just four dozen listings, virtually all of which are for properties in London and the surrounding United Kingdom. The Land Lordz administrative panel for a scammer who’s running dozens of Airbnb scams in the United Kingdom. Your typical victim will respond to an advertisement for a listing provided at Airbnb.com, and be assured they can pay through Airbnb, which offers buyer protection and refunds for unhappy customers. But when the interested party inquires about the listing, they are sent a link to a site that looks like Airbnb.com but which is actually a phishing page. In the case of these particular fraudsters, their fake page was “ airbnb.longterm-airbnb[.]co[.]uk ” (I’ve added brackets to prevent the link from being clickable). The site looks exactly like the real Airbnb, includes pictures of the requested property, and steers visitors toward signing in or to creating a new account. The fake site simply forwards all requests on this page to Airbnb.com, and records any usernames and passwords submitted through the site. The fake Airbnb site used by the scammers logged all Airbnb credentials submitted by new and existing users. Here’s a look at some of the properties listed for rent by these scammers. All of the names and images on these listings have been lifted from other legitimate listings. Fake properties for rent, as listed by the Land Lordz Airbnb scam service. The Land Lordz service includes several sets of default positive comments from fake past reviewers that can be used to populate the phony listings. The non-existent home and apartment rentals offered by these scammers are all sold on monthly rates, and the seller’s page says buyers must pay a deposit of the first month before the date is locked in. A phony comments generator page. The Land Lordz panel lets the scammer keep track of all messages with would-be victims, who are strung along and told the reservation on the residence will be lifted unless a cash deposit is made within 72 hours. Here’s one from would-be victim Shanon, on March 28, 2019, to the scammers. Shanon: My partner wants to see the place before we send money over as we done this last time and someone scammed us I ain’t saying your not legit as you have send documents with details on name etc. Scammer: “Hello, The property is still available for your dates. The price is € 250 + €500 secure deposit. As security deposit needs to be added ,discount needs to be applied please follow the airbnb link” (which goes to the fake Airbnb page). Alex Holden , chief information security officer of Hold Security LLC and the researcher who shared screen shots of this fraud panel, said the scammers appear to be advertising their fake listings primarily via Gumtree , a free classifieds service in the U.K. People who lose money in these scams fail big time on two things. First, they fail to notice they are not on airbnb.com. More importantly, they end up wiring money to secure the promise of a fake apartment or home in another country, and the thieves cut off all communications at that point. Like they did to this poor sucker, who paid $1,200 in exchange for a piece of paper which promised they’d hand over keys to the apartment at a specific date: The subject of this victim’s message “pickup of keys” says it all. This 2018 story from travel blog goatsontheroad.com tells the tale of a couple that was very nearly scammed by a Land Lordz-like trap, before the wife figures out they’re no longer on airbnb.com. It’s important to note that these scams can just as likely target users of Airbnb as they can other services, such as craigslist.com and booking.com. Be wary of clicking on links in emails from property hosts, and make sure you are always on Airbnb or whatever site you think you’re on. Airbnb could help by adding some type of robust multi-factor authentication, such as Security Keys — which would defeat these Airbnb phishing pages. According to twofactorauth.org , Airbnb currently does not support any type of multi-factor authentication that users can enable. Airbnb.com says if the company detects something phishy about a login for your account it may ask you to enter a security code sent to your phone or email address, or verify some of your account details. In case anyone would like to follow up on this research, other domains used by these scammers include airbnb.longterm-airbnb[.]co.uk , airbnb.pt-anuncio[.]com , airbnb.request-online[.]com , and airbnb-invoice[.]com. Some of the bank accounts and payment recipients from scams tied to these listings are pictured here. A Little Sunshine Web Fraud 2.0 Airbnb scam page alex holden goatsontheroad.com Gumtree Hold Security LLC Land Lords Land Lordz

A new DDoS technique abuses HTML5 Hyperlink Audit Ping in massive attacks

Security Affairs

Experts at Imperva discovered a new type of large-scale DDoS attack that abuses the HTML5 Ping-based hyperlink auditing feature. Experts at Imperva Vitaly Simonovich and Dima Bekerman observed a large-scale DDoS attack abusing the HTML5 Ping-based hyperlink auditing feature.

IT 114

Vulnerabilities in the WPA3 Wi-Fi Security Protocol

Schneier on Security

Researchers have found several vulnerabilities in the WPA3 Wi-Fi security protocol: The design flaws we discovered can be divided in two categories.

Privacy without borders: Reality or Fantasy?

Imagine a world in which every country shared a vision and a common set of principles to protect and regulate the use of personal data. It would make international business far simpler, provide citizens in every country with the same privacy rights.

Data Breaches in Healthcare Affect More Than Patient Data

Data Breach Today

Blue Cross of Idaho and Palmetto Health Report Financial, Payroll Breaches Two recent data breaches at organizations in the healthcare sector illustrate that systems beyond those directly related to patient care can be at risk

Wipro Intruders Targeted Other Major IT Firms

Krebs on Security

The crooks responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro , India’s third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant , new evidence suggests. The clues so far suggest the work of a fairly experienced crime group that is focused on perpetrating gift card fraud. On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers. A screen shot of the Wipro phishing site securemail.wipro.com.internal-message[.]app. Image: urlscan.io. In a follow-up story Wednesday on the tone-deaf nature of Wipro’s public response to this incident, KrebsOnSecurity published a list of “indicators of compromise” or IOCs , telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion. If one examines the subdomains tied to just one of the malicious domains mentioned in the IoCs list (internal-message[.]app), one very interesting Internet address is connected to all of them — 185.159.83[.]24. This address is owned by King Servers , a well-known bulletproof hosting company based in Russia. According to records maintained by Farsight Security , that address is home to a number of other likely phishing domains: securemail.pcm.com.internal-message[.]app. secure.wipro.com.internal-message[.]app. securemail.wipro.com.internal-message[.]app. secure.elavon.com.internal-message[.]app. securemail.slalom.com.internal-message[.]app. securemail.avanade.com.internal-message[.]app. securemail.infosys.com.internal-message[.]app. securemail.searshc.com.internal-message[.]app. securemail.capgemini.com.internal-message[.]app. securemail.cognizant.com.internal-message[.]app. secure.rackspace.com.internal-message[.]app. securemail.virginpulse.com.internal-message[.]app. secure.expediagroup.com.internal-message[.]app. securemail.greendotcorp.com.internal-message[.]app. secure.bridge2solutions.com.internal-message[.]app. ns1.internal-message[.]app. ns2.internal-message[.]app. mail.internal-message[.]app. ns3.microsoftonline-secure-login[.]com. ns4.microsoftonline-secure-login[.]com. tashabsolutions[.]xyz. www.tashabsolutions[.]xyz. The subdomains listed above suggest the attackers may also have targeted American retailer Sears ; Green Dot , the world’s largest prepaid card vendor; payment processing firm Elavon ; hosting firm Rackspace ; business consulting firm Avanade ; IT provider PCM ; and French consulting firm Capgemini , among others. KrebsOnSecurity has reached out to all of these companies for comment, and will update this story in the event any of them respond with relevant information. WHAT ARE THEY AFTER? It appears the attackers in this case are targeting companies that in one form or another have access to either a ton of third-party company resources, and/or companies that can be abused to conduct gift card fraud. Wednesday’s follow-up on the Wipro breach quoted an anonymous source close to the investigation saying the criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. That source, who works for a large U.S. retailer, said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores. Another source said the investigation into the Wipro breach by a third party company has determined so far the intruders compromised more than 100 Wipro systems and installed on each of them ScreenConnect , a legitimate remote access tool. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks. This is remarkably similar to activity that was directed against a U.S. based company in 2016 and 2017. In May 2018, Maritz Holdings Inc. , a Missouri-based firm that handles customer loyalty and gift card programs for third-parties, sued Cognizant (PDF), saying a forensic investigation determined that hackers used Cognizant’s resources in an attack on Maritz’s loyalty program that netted the attackers more than $11 million in fraudulent eGift cards. That investigation determined the attackers also used ScreenConnect to access computers belonging to Maritz employees. “This was the same tool that was used to effectuate the cyber-attack in Spring 2016. Intersec [the forensic investigator] also determined that the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 attack.” According to the lawsuit by Maritz Holdings, investigators also determined that the “attackers were accessing the Maritz system using accounts registered to Cognizant. For example, in April 2017, someone using a Cognizant account utilized the “fiddler” hacking program to circumvent cyber protections that Maritz had installed several weeks earlier.” Maritz said its forensic investigator found the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 eGift card cashout. Likewise, my retailer source in the Wipro attack told KrebsOnSecurity that the attackers who defrauded them also searched their systems for specific phrases related to gift cards, and for clues about security systems the retailer was using. It’s unclear if the work of these criminal hackers is tied to a specific, known threat group. But it seems likely that the crooks who hit Wipro have been targeting similar companies for some time now, and with a fair degree of success in translating their access to cash given the statements by my sources in the Wipro breach and this lawsuit against Cognizant. What’s remarkable is how many antivirus companies still aren’t flagging as malicious many of the Internet addresses and domains listed in the IoCs, as evidenced by a search at virustotal.com. A Little Sunshine Breadcrumbs Avanade Capgemini Elavon Green Dot King Servers Maritz Holdings Inc. PCM Rackspace ScreenConnect Sears Virustotal.com Wipro data breach

IT 279

Facebook admitted to have stored millions of Instagram users’ passwords in plaintext

Security Affairs

Other problems for Facebook that admitted to have stored m illions of Instagram users’ passwords in plaintext. Yesterday, Facebook made the headlines once again for alleged violations of the privacy of its users, the company admitted to have ‘unintentionally’ collected contacts from 1.5

Q&A: Researchers find evidence of emerging market for stolen, spoofed machine identities

The Last Watchdog

It’s edifying what you can find shopping in the nether reaches of the dark web. Related: Why government encryption backdoors should never be normalized. Academic researchers from Georgia State University in the U.S. and the University of Surrey in the U.K. recently teamed up and found evidence of an emerging market for stolen and spoofed machine identities.

The Key to Strategic HR: Process Automation

Do you want to automate your HR processes, but don’t know where to start? In this eBook, PeopleDoc explores which processes benefit the most from automation, and how an HR Service Delivery platform can help get things off the ground.

Researchers: Malware Can Be Hidden in Medical Images

Data Breach Today

But Does 'Flaw' in DICOM File Format Represent a Serious Risk? A "flaw" in the file format of the DICOM standard for communication of medical imaging information could be exploited to hide malware in MRI and CT scans alongside patient data, according to a new research report.

Risk 236

Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware

Krebs on Security

Marcus Hutchins, a 24-year-old blogger and malware researcher arrested in 2017 for allegedly authoring and selling malware designed to steal online banking credentials, has pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

Ransomware attack knocks Weather Channel off the Air

Security Affairs

A ransomware attack knocked the Weather Channel off the air for at least 90 minutes Thursday morning, federal law enforcement are investigating the incident.

Q&A: How AI, digital transformation are shaking up revenue management in high tech, life sciences

The Last Watchdog

A recent poll of some 300 senior executives from U.S.-based based life sciences and high-tech manufacturing companies sheds light on how digital transformation – and the rising role of third-party partners – have combined to create unprecedented operational challenges in the brave new world of digital commerce. Related: AI one-upsmanship prevails in antivirus field.

Embedded BI and Analytics: Best Practices to Monetize Your Data

Speaker: Azmat Tanauli, Senior Director of Product Strategy at Birst

By creating innovative analytics products and expanding into new markets, more and more companies are discovering new potential revenue streams. Join Azmat Tanauli, Senior Director of Product Strategy at Birst, as he walks you through how data that you're likely already collecting can be transformed into revenue!

Today's Forecast: Cloudy With a Chance of Malware

Data Breach Today

Program on The Weather Channel Knocked Off Air by Malware for 90 Minutes For about 90 minutes Thursday morning, the broadcast of The Weather Channel's signature early show, "AMHQ," was shut down by what the company called "a malicious software attack

234
234

Iranian Cyberespionage Tools Leaked Online

Schneier on Security

The source code of a set of Iranian cyberespionage tools was leaked online. cyberespionage doxing hacking iran leaks

112
112

Attackers hacked support agent to access Microsoft Outlook email accounts

Security Affairs

Bad news for users of the Microsoft Outlook email service, hackers have compromised the Microsoft Support Agent to access their email accounts.

Access 114

GoT Guide to Cybersecurity: Preparing for Battle During a Staffing Shortage

Dark Reading

Faced with an overwhelming adversary, Game of Thrones heroes Daenerys Targaryen and Jon Snow have a lot in common with today's beleaguered CISOs

Silk Road 2.0 Operator Sentenced to Prison

Data Breach Today

Authorities Say He Received Commission on Darknet Site's Sales An unemployed British man has been sentenced to more than five years in prison for his role in operating the Silk Road 2.0 darknet site, which succeeded the original Silk Road website after the FBI closed it in 2013, U.K. authorities sa

Sales 226