Industry Intel

Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click? That’s what we wanted...

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of...

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now...

Ransomware: The Bread and Butter of Cybercriminals

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have? Substitute your digital...

Cyber News Rundown: Ransomware Strikes Colorado Town

Colorado Town Suffers Ransomware Attack

The town of Lafayette, Colorado, fell victim to a ransomware attack last week without the capability to recover from the attack without paying a ransom of $45,000 in cryptocurrency. The attack disabled many city services for a number of days until officials determined they would not be able to recover without paying for systems to be decrypted. This attack was another example of how having data backed up, even if somewhat dated, is less expensive and more secure in the long run.

Illinois Healthcare Data Breach

The Illinois healthcare system suffered a multi-month data breach stemming from several compromised email accounts earlier this year. The breach does not affect all IHS clients, but those who were affected had much of their sensitive information, including social security numbers and personal health documents, leaked. The breach began in early February, but victims were not informed until the end of July, when they were offered credit and identity monitoring services to protect against illicit use of their data.

Cyberattack Strikes InfoSec Training Organization

One of the largest cybersecurity training organizations was recently targeted by a phishing attack against an internal email account. The compromised account was then used to install an illicit Office365 add-on to maintain control of the account and to forward over 500 emails to a third-party account, many of which contained sensitive information on customers. Affected customers have been contacted and warned to be vigilant against future phishing attacks.

Pace Center Data Compromised Following Blackbaud Breach

Some donor data for the Florida-based non-profit Pace Center for Girls was leaked after a data breach targeted its software provider, Blackbaud, in May. The breach affected over 200 organizations relying on Blackbaud for cloud-computing services and contained personally identifiable information on thousands of donors. Fortunately, no payment card data was included in the breach and the Pace organization has begun improving security protocols to avoid further attacks. ­­

Payment Card Data Stolen from MSU Website

At least 2,600 individuals were possibly affected by a payment card leak after the Michigan State University online shop was infiltrated through a known website vulnerability. The attack used a card-skimming technique and remained active on the site for nearly a year, leaving many customer’s data vulnerable to other possible attacks. This would be the second cybersecurity-related incident to target MSU in the last year. In May, the university was hit with a ransomware attack that resulted in the publishing of stolen data.

Cyber News Rundown: Twitter Hack Arrests

Multiple Individuals Charged for Twitter Hack

Three people were charged with last month’s Twitter hack, which generated over $100,000 in bitcoin by hijacking high-profile accounts. Of the 130 accounts used to spread the Bitcoin scam, major names included Elon Musk and Bill Gates, who have been portrayed in similar past scams. The FBI was apparently able to identify the perpetrators through a known hacking forum offering Twitter account hacking services for a fee.

Kentucky Unemployment Faces Second Breach in 2020

Kentucky’s unemployment system suffered its second data breach of the year last week. The breach came to light after a user reported being able to view another’s sensitive information while attempting to review their own. Officials are still uncertain how the breach occurred or the exact contents of the information available to the person who reported the incident.

Canon Suffers Ransomware Attack

Several services related to Canon, including its cloud storage systems, fell victim to a ransomware attack that knocked them offline for nearly a week. In addition to the offline systems, more than 10TB of customer data were allegedly stolen and a ransom note pertaining to the Maze Ransomware variant was identified. A large number of Canon’s website domains were also taken offline, with an internal server error being displayed to site visitors.

Havenly Interior Design Breach

A data trove containing roughly 1.4 million Havenly user accounts were posted for sale on a Dark Web marketplace last week. It included personally identifiable information of customers including names, physical addresses and emails. The company’s official statement stated no financial information was lost in the breach. While Havenly has recommended all customers update their login credentials, the breach occurred well over a month ago, enough time for affected customers to be subjected to identity theft or attacks aimed at compromising further accounts.

Massive VPN Server Password Leak

The credentials for over 900 enterprise-level VPN servers from Pulse Secure recently appeared on a hacker forum known to be frequented by ransomware groups. The plain-text information contains enough information to take full control of the servers that are currently running a firmware with known critical vulnerabilities identified within the past two months. The vulnerability that allowed this breach, CVE-2019-11510, was identified and a patch was released late last year. Many of the attack’s victims had neglected to implement the patch.

Cyber News Rundown: WasteLocker Ransomware

Garmin Hit with WastedLocker Ransomware

Nearly a week after the company announced they had suffered a system outage, Garmin has finally admitted to falling victim to a ransomware attack, likely from the increasingly popular WastedLocker variant. As is the norm for WastedLocker, the attack was very specific in its targeting of the company (even mentioning Garmin by name in the ransom note) and took many of their services offline. Though Garmin has confirmed that no customer data was affected, they are still unsure when their services will return to full functionality.

Israeli Marketing Firm Suffers Data Breach

More than 14 million user accounts held by the Israeli marketing firm Promo were compromised in a recent breach. Subsequently, at least 1.4 million decrypted user passwords were found for sale on a Dark Web forum, along with 22 million records containing highly sensitive information. The company has since contacted affected customers and is pushing a forced password reset.

Netwalker Ransomware Targets U.S. Government Organizations

The FBI has released a security statement concerning Netwalker ransomware attacks, which have targeted both U.S. and foreign government agencies in recent months. Netwalker is known for exploiting remote desktop utilities to compromise major enterprise networks. It also offers ransomware-as-a-service to other cybercriminals. The best methods for blocking these types of attacks is setting up two-factor authentication (2FA) and creating offline data backups to protect in case of a successful breach.

Lazarus Hacking Group Branches Out to Ransomware

The North Korean state-sponsored hacking group Lazarus has added ransomware to their latest attacks. Unfortunately for the group, the ransomware variant they’ve chosen is inefficient at encrypting data, sometimes taking up to 10 hours to fully encrypt a single system. These attacks are similar to those targeting Sony Pictures in 2014 and those that affected the 2018 Winter Olympic games, both of which are suspected to have been conducted by state-backed actors.

Nefilim Ransomware Begins Publishing Dussman Groups Data

At least 14GB of data belonging to a subsidiary of Dussmann Group, a major German MSP, is being leaked by the operators of the Nefilim ransomware variant. The operators have confirmed they were able to obtain roughly 200GB of data from the subsidiary after discovering a still-unknown method for compromising the network. Customers affected by the leak have already been notified.

Cyber News Rundown: ATM Jackpotting Attacks Rise

ATM Jackpotting Attacks on the Rise

ATM manufacturer Diebold Nixdorf has identified a malicious campaign that uses proprietary software to “jackpot” the machines. The attack requires malicious actors to breach the ATM manually and then use the software to force the machine to dispense cash at a rapid rate, known within the industry as jackpotting. While these attacks don’t seem to affect customer data or finances, the company is unsure how the attackers obtained the proprietary software used in the scam.

Ransomware Locks Down Telecom Argentina

Telecom Argentina is being extorted for over $7.5 million following a ransomware attack last week. The hacker group REvil is believed to be behind the attack, which may mean the stolen data is set to be posted on the group’s auction site. Officials are still unsure of how the intrusion occurred, but it’s likely to have stemmed from a compromised remote access point.

Maryland Health Services Breach Affects Thousands

More than 40,000 individuals may have had personal information leaked after a ransomware attack on Lorien Health Services in Maryland. The breach was discovered in June, but after the healthcare provider refused to pay the ransom the hackers began publishing the stolen data, which includes Social Security Numbers and other highly sensitive information. Lorien was quick to notify affected clients and had begun offering credit monitoring services to those affected within two days of the attack being confirmed.

University of York Data Breach

The University of York in the UK has learned of a data breach that occurred in May and could affect a considerable number of students and staff. The breach itself was enabled by a third-party service provider and contained personally identifiable information on an unknown number of victims. While there is little the university can do to contain this type of attack, it comes as another reminder of the importance of supply chain data security and the knock-on effect of such attacks.

Meow Attacks Target Vulnerable Databases

Dozens of unsecured databases from Elasticsearch and MongoDB were wiped in a new malicious campaign that seems to attack indiscriminately. Discovered within the last week, the Meow attacks as they’re known appear to use an automated script to overwrite any data in vulnerable databases and destroy any remaining data. This string of attacks may encourage stronger security policies among previously lax database administrators, but the lesson is costly for affected businesses.

Cyber News Rundown: GoldenSpy

Malware Discovered in Chinese Tax Software

As part of an official Chinese tax initiative, researchers have found multiple backdoors into mandatory tax software installed on all Chinese business systems. The new malware is called GoldenHelper, in a nod to the command-and-control domain tax-helper.ltd, and has been in active development and use since 2018. The latest campaign, dubbed GoldenSpy, is adept at avoiding detection and began within months of the old command-and-control servers going offline.

Texas Collections Company Suffers Data Breach

The Texas billing and collection company Benefits Recovery Specialists Inc. has announced that a breach containing data on over 250,000 customers occurred in April. The breach leaked personally identifiable information including Social Security Numbers, birthdates and physical addresses, that could all be used to launch additional attacks. Affected clients began receiving notifications about the breach in June, though the company has still not shared what malware was installed by the perpetrators.

Microsoft Fixes 17-Year-Old DNS Flaw

After nearly 17 years of being active and exploitable, Microsoft has finally identified and resolved a major vulnerability involving a worm-like transmission that requires no human interaction. With the help of a third-party security firm Microsoft was able to patch the vulnerability before it caused significant damage, though the time was certainly there for malicious actors to use the flaw to execute any number of malicious executables onto an endless string of compromised machines.

UK Ticket Provider Leaves 4.8 Million Logins Unsecured

A collection of roughly 4.8 million login credentials have been found in a leaked database belonging to a major UK ticker provider serving customers around the world. Among the credentials were domains belonging to several government agencies along with millions of consumer webmail users. The site has also been targeted in the past by attackers looking to deface the website and has been called vulnerable to SQL injection should attackers pursue that method.

Wattpad Database Compromises Millions of Users

Officials have been working over the past week to remediate a data breach that could affect over 200 million users of Wattpad. The compromised database was listed for $100,000 on a Dark Web sale site, but was later re-listed with no price. Its owners claim to hold records for over 271 million users. Wattpad has stated that, though personally identifiable information was revealed in the breach, no financial information was accessible since Wattpad doesn’t store it directly on its servers.

Cyber News Rundown: Ragnar Locker

Ragnar Locker Attacks Portuguese Energy Producer

It was recently confirmed that Energias de Portugal (EDP), one of the largest energy producers in the world, has fallen victim to the Ragnar Locker ransomware variant. The original attack took place in April but was only discovered in May after nearly three weeks of being active on their systems. After contacting affected customers, the company also revealed it was subject to a Bitcoin ransom of roughly $10 million to ensure the stolen data wasn’t publicly released.

Xchanging MSP Falls Victim to Ransomware

An MSP known as Xchanging, which primarily serves the insurance industry, was hit with a ransomware attack over the weekend that forced it to take many of its systems offline. Though the attack was largely confined to Xchanging’s systems and only affected a small number of customers, it is still unclear how long the infection was active before discovery. In a statement, the company says it’s working to restore access to customer operating environments as quickly as possible.

Fitness Firm Exposes Customer Info

Nearly 1.3 million customer files and photos were compromised after the fitness firm V Shred was breached, potentially affecting up to 100,000 clients. The data was stored on an improperly configured Amazon S3 bucket that was discovered as a part of a larger mapping project that had already located several similar leaks. While V Shred confirmed much of the data was publicly available, it originally denied that the dataset itself contained full names, addresses, and other highly sensitive personal information that could be used maliciously.

Magecart Group Surpasses 570 Victim Sites

In the three years since Magecart Group 8’s initial foray onto the card-skimming scene, it has successfully compromised over 570 e-commerce sites around the world. More than 25 percent of the attacks targeted US domains and stemmed from 64 unique attack domains that were able to distribute injected JavaScript software with relative ease. Many were nearly identical to legitimate domains. It’s believed the group has netted over $7 million from selling stolen payment card information since April 2017.

Clubillion Casino App Leak Could Affect Millions

A database containing personally identifiable information on millions of users of the casino app Clubillion was compromised in late March. The breach was discovered and secured within five days, though heavy traffic to the site may have enabled the compromise of hundreds of thousands more individuals in that time. These types of apps are common targets of cyberattacks because they hold such large quantities of sensitive data that can be used for further attacks by leveraging the stolen data.

Cyber News Rundown: WastedLocker Shuts Down US News Sites

WastedLocker Shuts Down US News Sites

Over 30 news sites were compromised in the latest WastedLocker attack that affected many sites under a single parent company. Of the more than 30 companies targeted, eight belong to the Fortune 500 group and were in the early stages of a experiencing a fully encrypting ransomware attack. Luckily, security teams monitoring these sites acted quickly and were able to block attacks against some sites while mitigating extensive damage to others. The infiltration of these sites was caused by employees accessing previously injected websites and compromising themselves in the process.

UCSF Pays Hefty Ransom

Following a ransomware attack on the University of California San Francisco (UCSF) last month, officials have decided to pay a ransom of $1.14 million to decrypt several vital systems. The ransom amount was decided upon after negotiations between the university and the attackers. The original ask was around $3 million but was cut to less than half and was paid the following day. UCSF is one of three universities targeted with ransomware by the Netwalker hacker group in June that decided to pay a ransom to restore normal network function.

EvilQuest Wiper Targets MacOS

A new malicious actor has taken aim at MacOS with an info-stealer disguised as a ransomware attack that goes by the name of EvilQuest. Upon execution of the malicious installer, the malware begins encrypting files indiscriminately and displays a ransom note demanding only $50 in Bitcoin for decryption. The notice of encryption, however, is merely a cover for the damage occurring behind the scenes: sensitive files removed from the system with no way to retrieve them.

Fake DNS Update Looks to Steal Login Credentials

Researchers have spotted a new malicious email campaign that spoofs security companies and claims to offer a DNS update if the domain admin enters their credentials. Using a surprisingly accurate landing page, which mocks the real login sites convincingly, the site user is instructed to log in to update. To make matters worse, the attackers can scan for the site’s hosting service and customize the fake landing page to their specific victim, thus ensuring a higher probability of gaining their login info.

Passports Compromised in COVID19 Scam

In the continuing saga of COVID19 HMRC scams, attackers in Great Britain have begun focusing on the passport details of self-employed individuals in hopes of attaining personal or banking information. The scam itself originates as a text message with an urgent warning for the recipient to access a legitimate looking Her Majesty’s Revenue and Customs site to receive a tax refund. Dozens of victims have been identified across London. With these login credentials alone, attackers could access much of the victims’ data.

Cyber News Rundown: Knoxville Rocked by Ransomware

Ransomware Knocks Out Knoxville, TN

Knoxville, Tennessee officials have been working over the past week to secure systems and determine if any sensitive information was stolen after a ransomware attack was identified. Fortunately, city IT staff were able to quickly implement security protocols and shut down critical systems before the infection could spread. Within the day, many of the targeted city domains were redirected to new sites, allowing city services to operate normally.

Magecart Attacks Multiple Online Retailers

Malicious Magecart scripts have been identified in recent months on multiple domains belonging to online retailers. Following the registration of a fake domain related to Claire’s in March, several weeks of inactivity passed before code was again spotted on Claire’s websites being used to intercept payment card transactions. It was finally removed from the company’s domains in the second week of June, but not before leaving thousands of customers potentially compromised.

Maze Ransomware Infiltrates US Chipmaker

The computer systems of MaxLinear, a U.S. computer chip maker suffered a Maze ransomware attack that forced them to take their remaining systems offline. Officials discovered that for more than a month there was unauthorized access resulting in the leak of over 10GB of stolen data from an alleged trove of over 1TB of total data. MaxLinear has since refused to pay the ransom and been in contact with affected customers. The manufacturer does not believe future operations will be delayed.

Over 100 NHS Email Accounts Compromised

Within the last two weeks a phishing campaign hit the National Health Service (NHS), successfully accessing over 100 internal email accounts. The affected accounts make up an extremely small portion of total NHS email accounts, of which there are nearly 1.4 million in total. The hacked accounts were used to distribute a malicious spam campaign designed to steal credentials through a fake login page.

DraftKings Announces Ransomware Attack Amidst Merger

Following the multi-way merger that resulted in the formation of DraftKings Inc., DraftKings revealed that one of the subsidiaries, SBTech, suffered a ransomware attack within weeks of the merger being finalized. While it is still not known what variant of ransomware was used in the cyberattack, officials have determined that no information was compromised. Rather, the attack was focused on taking their online systems down. Though SBTech was required to create a significant emergency fund preceding the merger, the deal seems to have been unaffected by the attack.

Cyber News Rundown: Nintendo Accounts Breached

Nintendo Accounts Breached

Stemming from a cyber-attack back in April, Nintendo has just announced that roughly 300,000 user accounts have been compromised, though most belong to systems that are now inoperable. From the excessive unauthorized purchases, the attackers likely used credential-stuffing methods to access accounts and make digital purchases through PayPal accounts that were already logged in. Nintendo has since contacted the affected customers and has begun pushing out mandatory password resets.

Kingminer Botnet Locks Down Entry Points Behind Them

After nearly two years of operation, the owners of the Kingminer crypto jacking botnet have taken up a new tactic of patching the very vulnerabilities they used to illicitly access systems. This implementation is likely being used to block any other malicious campaigns from accessing the compromised systems and net them larger profits. By using the EternalBlue exploit and patching it behind themselves, they can brute force their way into any vulnerable system and then keeping their own crypto mining scripts active for an increased amount of time before being discovered.

Honda Shuts Plants After Ransomware Attack

Several Honda plants around the world have recently closed due to a ransomware attack that has targeted several manufacturing systems. The shutdown came only hours after a new Snake ransomware sample was uploaded to Virus Total and was seen attempting to contact an internal site belonging to Honda. Currently, officials for Honda are still working to determine exactly what parts of their systems were affected and if any personally identifiable information was compromised.

Scammers Created Fake SpaceX YouTube Channels to Steal Cryptocurrency

Multiple malicious YouTube accounts have changed their names to keywords relating to SpaceX in order to scam viewers out of Bitcoin cryptocurrency donations. While it should be obvious that these channels are not the legitimate SpaceX account based solely on the number of subscribers, the fake channels have also been livestreaming old recorded SpaceX interviews with Elon Musk, to improve their legitimacy. Unfortunately, during the livestreams, the channels promote cryptocurrency scams in the chat section to entice other viewers to send in a small amount of cryptocurrency with the promise of a significant amount more being sent back.

Florence, Alabama Pays Ransom Demand

In the last week, officials for Florence, Alabama have been working to negotiate with the authors of the DoppelPaymer ransomware attack that took down the city’s email systems. Though the initial ransom amount was 38 Bitcoins, or the equivalent of $378,000, the security team that was brought in was able to drop the demand to 30 Bitcoins, or $291,000, which the city has decided to pay. It is still unclear exactly what information may have been stolen or accessed, the Mayor of Florence concluded that it was best to just pay the ransom and hope their information is returned and their systems are decrypted.

Cyber News Rundown: Trickbot Silently Targets Servers

TrickBot Silently Targets Servers

Knowing that many domain controller servers are rarely shutdown or rebooted, the authors of TrickBot have made some changes to allow the infection to run from memory. While this can be detrimental to the payload, as a reboot could easily remove it, the stealth approach could let the infection cause major havoc on systems that aren’t routinely restarted. Though TrickBot is normally dropped as a secondary infection from Emotet, it’s taken this new stealth approach to move across networks more easily.

Stenography Makes Leaps into Industrial Cyberattacks

Researchers have been following a new trend of incorporating multiple levels of steganography into cyber attacks focused mainly on large industries. The attacks are specified for each victim, including a language localization script that only executes if the local OS is in the right language and using macros to launch hidden malicious PowerShell scripts that require no additional input. The scripts, when executed, communicate with imgur.com or other image hosting sites to grab pictures with malicious code hidden in the pixels that eventually drops an encrypting payload.

Flaw in Apple Sign-in Nets Bounty Hunter $100,000

An authentication flaw has been discovered within the Apple sign-in feature for third-party sites that could allow an attacker to forge fake accounts if the victim hadn’t chosen their own email address to be identified. If a victim chooses not to do so, Apple creates a unique email ID that is used to create a JSON web token (JWT) to sign in the user. This could easily be forged alongside the email ID to gain unlimited access to any account. The researcher who found the bug and reported it to the Apple Security Bounty Program was rewarded with $100,000.

Ransomware Authors Begin Data Auction

The authors behind several prominent ransomware campaigns, including Sodinokibi and REvil, have begun an auction for stolen data on their dark web site. Currently, there are two auctions active on the site, one with data belonging to an unnamed food distributor and the other with accounting and financial information for an unnamed crop production company from Canada. The auctions have starting prices of $55,000, along with fees to be paid in Monero cryptocurrency because of its anonymity and ease of direct payment from victims.

San Francisco Employee Retirement Database Compromised

A vendor conducting a test on a database belonging to the San Francisco Employee Retirement Systems (SFERS) recently noticed some unauthorized access to the database containing records on 74,000 members. Though the database didn’t contain Social Security Numbers, it did contain a trove of personally identifiable information including names, addresses, and birthdates. Fortunately, the database was using old data for the test and had nothing newer than 2018. Nevertheless, SFERS officials are offering credit and identity monitoring services for affected victims.

Cyber News Rundown: Bank of America Breach Reveals PPP Info

Bank of America Breach Reveals PPP Information

After processing over 300,000 Paycheck Protection Program applications, Bank of America has revealed that a data breach occurred within the U.S. Small Business Administration’s program that allowed all other SBA-authorized lenders to view highly sensitive data. The data includes tax information and social security numbers relating to both businesses and their owners and could have extremely devastating effects in the wrong hands. Fortunately, the SBA secured the compromised data within a day of being notified and Bank of America has reached out to affected customers offering of two years of identity theft protection. null

Bank of Costa Rica Suffers Data Breach

Threat actors working for the Maze group recently claimed to have belonging to millions of Bank of Costa Rica customer accounts, a claim that was quickly refuted by the bank itself. Within a week, Maze began publishing proof of their bounty and promised to continue posting records if the bank fails to improve their current security. Maze also claimed to have accessed the bank’s systems on multiple occasions to determine if security had improved but chose not to encrypt their systems as the second breach occurred during the COVID-19 pandemic.

Old LiveJournal Breach Data Re-emerges

Researchers have been looking into a recent data dump that appears to have originated from the 2014 LiveJournal breach and contains over 33 million records up to 2017. It is hard to precisely date the breach, as LiveJournal is a Russian-owned journaling service and never reported it, though many LiveJournal users were targeted in a past spam extortion email campaign. More recently, users of Dreamwidth, which shares the LiveJournal codebase, has seen reports of compromised accounts.

Turla Hackers Grabbing Antivirus Logs to Check for Detection

One of the largest state-sponsored hacker groups, Turla, has turned their attention to accessing antivirus logs on infected systems to determine if their malicious activity has been discovered. With the use of ComRAT V1 (and later versions), Turla has been gaining highly sensitive information from major national organizations for over a decade and continues to improve on their methods. By viewing the logs created by local antivirus software, the attackers can adjust more quickly to avoid future detections.

New COVID-19 Tracker Drops [F]Unicorn Ransomware

The latest to capitalize on the public’s pandemic fears, a new fake COVID-19 tracing app has been targeting systems in Italy by dropping a new ransomware variant dubbed [F]Unicorn. The malicious payload comes disguised as a file from the Italian Pharmacist Federation. It then directs the victim to a beta version of the yet-to-be-released Immuni tracing app, showing a fake tracing dashboard as the encryption process begins. The ransomware demands a 300-Euro payment but displays an invalid email address, so users would be unable to prove payment to the attackers even if they choose to pay.

Cyber News Rundown: HMRC Takes Down COVID-19 Scam Sites

Adult Website Leaks Trove of Sensitive Data

An recently discovered unsecured database belonging to the adult streaming site Cam4 was found to contain nearly 11 billion unique records amounting to seven terabytes of data. For a site with billions of visitors each year, the exposed data could affect millions who have visited the site since March 16 of this year, and could be used to further harm individuals whose connection to the site could be politically or socially sensitive. While the database was quickly taken offline, an analysis of the data showed that, though much of the data belonged to U.S. citizens, millions of others were from South America and Europe.

Hundreds of COVID-19 Scam Sites Taken Down by HMRC

Her Majesty’s Revenue & Customs (HMRC) has recently taken down nearly 300 COVID-related scam sites and domains. Hackers are opportunistic and have taken to preying on people trying to get information on the current pandemic but are finding themselves as victims of financial scams and phishing attempts. Fortunately, many organizations have taken up the cause of identifying and removing these harmful sites.

Nearly One Million WordPress Sites Under Attack

At least 24,000 unique IP addresses have been identified in a series of on-going attacks targeting vulnerabilities in more than 900,00 WordPress sites. Many vulnerabilities have been patched in recent months, but some sites have yet to update their plugins and remain at risk. The attacks inject malicious scripts into website headers when the WordPress user is logged in. Otherwise, the victim is redirected to another malicious advertisement, in hopes of gaining some profitable information.

Tokopedia Breach Leaves 91 Million User Records Up for Grabs

Over 91 million user records belonging to Tokopedia, a major Indonesian e-commerce firm, were recently found for sale on a dark web. The sale offered records for 15 million individual, likely stolen during a security incident in March, for $5,000. With millions of users and merchants using the site regularly, the company has issued a notice for users to change passwords as they investigate the breach.

Ransomware Demanding More as Corporations Continue to Payout

In recent fiscal quarters, the earnings for Sodinokibi and Ryuk ransomware have been rising steadily as SMBs and corporations are increasingly paying ransoms for data. Over the first quarter of 2020, the average ransom payout hovered around $111,000. A year prior, the average neared only $12,000 for large companies, typically very willing to pay for the quick return of their data, so limiting the amount of downtime an attack may cause. The top earning ransomware variants, Ryuk and Sodinokibi, both have shifted their focus from service providers to carefully targeted large corporations and have even pushed ransom demands over $1 million in some instances.