Industry Intel

Simplified Two-factor Authentication for Webroot

Webroot has evolved its secure login offering from a secondary security code to a full two-factor authentication (2FA) solution for both business and home users. Webroot’s 2FA has expanded in two areas. We have: Implemented a time-based, one-time password (TOTP)...

Shoring Up Your Network and Security Policies: Least Privilege Models

Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the...

Online Gaming Risks and Kids: What to Know and How to Protect Them

Online games aren’t new. Consumers have been playing them since as early as 1960. However, the market is evolving—games that used to require the computing power of dedicated desktops can now be powered by smartphones, and online gaming participation has skyrocketed....

Thoughtful Design in the Age of Cybersecurity AI

AI and machine learning offer tremendous promise for humanity in terms of helping us make sense of Big Data. But, while the processing power of these tools is integral for understanding trends and predicting threats, it’s not sufficient on its own. Thoughtful design...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

High Value Cryptocurrency Stolen by Hackers

Reading Time: ~ 2 min.

Hackers Breach Private Keys to Steal Cryptocurrency

A possible coding error allowed hackers to compromise at least 732 unique, improperly secured private keys used in the Ethereum blockchain. By exploiting a vulnerability, hackers have successfully stolen 38,000 Ethereum coins so far, translating to over $54 million in stolen funds, though the current number is likely much higher. While uncommon, such attacks do show that the industry’s security and key-generation standards have plenty of room for improvement.

Prominent Malware Reverse Engineer Faces Jail Time

The malware researcher Marcus Hutchins, who successfully reversed and stopped the WannaCry ransomware attacks in 2017, is facing up to six years of jail time for prior malware creation and distribution. Hutchins’ charges all tie back to his involvement in the creation of Kronos, a widespread banking Trojan that’s caused significant damage around the world.

Data Exposed for Thousands of Rehab Patients

Personally identifiable data belonging to nearly 145,000 patients of a Pennsylvania rehab facility have been found in a publicly available database. After a Shodan search, researchers discovered the database that contained roughly 4.9 million unique documents showing information ranging from names and birthdays to specific medical services provided and billing records, all of which could be used to to steal the identity of these thousands of individuals.

Study Finds Password Security Still Lacking

After this year’s review of password security it may come as no surprise that the top five passwords still in use are simple and have remained at the top for some time. Using a list generated from past data breaches, researchers found the password “123456” was used over 23 million times, with similar variations rounding out the top five. Several popular names, sports teams, and bands like blink182 and Metallica are still in use for hundreds of thousands of accounts. While these passwords may be easy to remember, they are exceedingly simple to guess. Stronger passwords should include multiple words or numbers to increase the complexity.

Bodybuilding Site Breached through Phishing Campaign

The website bodybuilding.com has announced they were the victim of a data breach stemming from an email phishing campaign in July 2018 that could affect many of the site’s clients. Fortunately, the site doesn’t store full payment card data, and the data it does store is only stored at the customer’s request, leaving little data for hackers to actually use. The site also forced a password reset for all users issued a warning about suspicious emails coming from bodybuilding.com, noting they may be part of another phishing campaign.

Antivirus vs. VPN: Do You Need Both?

Reading Time: ~ 3 min.

Public concern about online privacy and security is rising, and not without reason. High-profile data breaches make headlines almost daily and tax season predictably increases instances of one of the most common types of identity theft, the fraudulent filings for tax returns known as tax-related identity theft

As a result, more than half of global internet users are more concerned about their safety than they were a year ago. Over 80% in that same survey, conducted annually by the Center for International Governance Innovation, believe cybercriminals are to blame for their unease.  

Individuals are right to wonder how much of their personally identifiable data (PII) has already leaked onto the dark web. Are their enough pieces of the puzzle to reconstruct their entire online identity?  

Questions like these are leading those with a healthy amount of concern to evaluate their options for enhancing their cybersecurity. And one of the most common questions Webroot receives concerns the use of antivirus vs. a VPN.  

Here we’ll explain what each does and why they work as compliments to each other. Essentially, antivirus solutions keep malware and other cyber threats at bay from your devices, while VPNs cloak your data by encrypting it on its journey to and from your device and the network it’s communicating with. One works at the device level and the other at the network level.  

Why You Need Device-Level Antivirus Security 

Antiviruses bear the primary responsibility for keeping your devices free from infection. By definition, malware is any software written for the purpose of doing damage. This is the category of threats attempting to undermine the antivirus (hopefully) installed on your PC, Mac, and yes, even smartphones like Apple and Android devices, too.  

In an ever-shifting threat landscape, cybercriminals are constantly tweaking their approached to getting your money and data. Banking Trojans designed specifically for lifting your financial details were among the most common examples we saw last year. Spyware known as keyloggers can surreptitiously surveil your keystrokes and use the data to steal passwords and PII. A new category of malware, known as cryptojackers, can even remotely hijack your computing power for its own purposes.  

But the right anti-malware tool guarding your devices can protect against these changing threats. This means that a single errant click or downloaded file doesn’t spell disaster. 

“The amazing thing about cloud-based antivirus solutions,” says Webroot threat analyst Tyler Moffit, “is that even if we’ve never seen a threat before, we can categorize it in real time based on the way it behaves. If it’s determined to be malicious on any single device, we can alert our entire network of users almost instantaneously. From detection to protection in only a few minutes.” 

Why You Need Network-Level VPN Security 

We’ve covered devices, but what about that invisible beam of data traveling between your computer and the network it’s speaking to? That’s where the network-level protection offered by a VPN comes into play.  

While convenient, public networks offering “free” WiFi can be a hotbed for criminal activity, precisely because they’re as easy for bad actors to access as they are for you and me. Packet sniffers, for instance, can be benign tools for helping network admins troubleshoot issues. In the wrong hands, however, they can easily be used to monitor network traffic on wireless networks. It’s also fairly easy, given the right technical abilities, for cybercriminals to compromise routers with man-in-the-middle attacks. Using this strategy, they’re able to commandeer routers for the purpose of seeing and copying all traffic traveling between a device and the network they now control.  

Even on home WiFi networks, where you might expect the protection of the internet service provider (ISP) you pay monthly, that same ISP may be snooping on your traffic with the intent to sell your data.  

With a VPN protecting your connection, though, data including instant messages, login information, social media, and the rest is encrypted. Even were a cybercriminal able to peek at your traffic, it would be unintelligible.  

“For things like checking account balances or paying bills online, an encrypted connection should be considered essential,” says Moffit. “Without a VPN, I wouldn’t even consider playing with such sensitive information on public networks.”  

How Webroot Can Help 

Comprehensive cybersecurity involves protecting both data and devices. Antivirus solutions to protect against known and unknown malware—like the kinds that can ruin a laptop, empty a bank account, or do a cybercriminals bidding from afar—are generally recognized as essential. But for complete protection, it’s best to pair your antivirus with a VPN—one that can shield your data from intrusions like ISP snooping, packet sniffers, and compromised routers.  

Click the links for more information about Webroot SecureAnywhere® antivirus solutions and the Webroot® WiFi Security VPN app.  

Notice: What Happens on Public Computers, Stays on Public Computers

Reading Time: ~ 4 min.

These are the places your digital tracks can be dug up. With a little sleuthing.

Experts have warned for years of the risks of using public computers such as those found in libraries, hotels, and airline lounges. 

Many warnings focused on the potential for hackers to plant keystroke loggers, or intercept data as it flows across the internet. Indeed, in 2014, the National Cybersecurity and Communications Integration Center of the U.S. Secret Service issued an advisory for “owners, managers, and stakeholders in the hospitality industry” concerning data breaches. The text of the advisory claimed, “The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software.” A 2014 announcement may seem to be an outdated reference, except that the recent Marriott data breach of over 300 million records was attributed to an attack in…wait for it…2014.)

But spyware and keyloggers aren’t the most common threat to the users of business center and other public computers. Forgetfulness, operating systems, applications, and temporary files are high up on the list. For several years I have searched public computers, mostly at hotels, to see what kinds of information people have left behind. It’s been an interesting passion project, to say the least.  

Uncovering a Very Public Digital Paper Trail

The first places I look are the documents, downloads, desktop, and pictures folders. The pictures folder typically yields the least interesting information, usually pictures of groups of drunken people, group gatherings at restaurants, weddings, or cats.

The desktop, document, and occasionally downloads folders are where most documents are inadvertently left behind. Some interesting samples I’ve discovered include a spreadsheet of faculty merit raises at a university in Texas, including the names of professors, their departments, their current salaries, and their projected raises. Another was the assignment of a chief officer to a ship belonging to one of the largest shipping companies in the world. It included the officer’s name, address, phone number, vessel name, date of assignment, and contact information.

I have come across corporate audits and strategic business plans. Recently, I discovered a document called “closing arguments” created by a district attorney. When possible, I contact the owners of the information to help them understand the risks of using public computers for sensitive work. I rarely hear back, however the DA did thank and assure me the document was a training example.

The biggest menace, however, has been the temporary files folders, which include auto-saved documents and spreadsheets, as well as attachments. It is in the Temporary Internet Files folder that I have uncovered complete emails, and even a webpage including a bank statement detailing a large balance, the account holder’s name, sources of income, and the names and addresses of places he had done business. Of all of the temporary files I have discovered, documents belonging to businesses’ employees have been the most unsettling. 

If you must, take precautions

There is some good news concerning the safety of public computers. Due to technology changes, I no longer find the contents of emails in the Temporary Internet Files folder. But we’re far from out of the woods. I have found my inbox cached, including pictures within emails and even a PDF that had not yet opened.

Although I could not open emails in the temoprary copy of my inbox shown above, subject lines and return email addresses may reveal more information than desired. 

Deleting temporary internet files is a good habit, but there are multiple locations that temporary files are stored. Documents edited on public computers remain of particular concern. Due to auto-save features, it’s possible to open a document on a thumb drive and leave auto-saved documents behind on the computer. Now in normal operating circumstances and with current operating systems and Office applications, this is not likely to happen. But errors like OS and application crashes will leave these copies behind. Microsoft Word and Excel will even proactively offer these auto-saved documents to the next user of these applications

The PDF file shown above was left behind when I read an email using my ISP’s webmail interface. 

Other than finding and deleting information left behind, my use of public computers is limited to reading online articles, checking the weather, and performing internet searches. What personal information you are willing to leave behind on a public computer depends on your risk tolerance. But it’s important to note that accessing corporate data on public computers could result in an inadvertent violation of company policies involving confidential data.

Although I still find public computers running Windows XP, there is a growing shift in the hospitality industry to use Kiosk applications. These provide limited functionality combined with locked-down security configurations. Access to the start menu is not possible and functionality is limited to desktop applications. Printing of boarding passes is a common allowed application. Reading web email is sometimes allowed, though I don’t recommend it because it requires entering a password. The risk of password compromise may be low, but the value of practicing quality security habits leads me to advise against it. If you must, consider changing your email password the next time you log onto a private computer.

If you happen to be using a public computer without a Kiosk interface, would you be so kind as to copy this blog, paste it into a Word document, and save it on the public computer to help inform the next user? They may end up paying it forward.

Cyber News Rundown: Phishing Attack on Global IT Outsourcer

Reading Time: ~ 2 min.

Major IT Outsourcer Suffers After Phishing Attack

Global IT services provider Wipro announced they are in the process of investigating a data possibly affecting some of their clients. These types of companies are popular for hackers because, by breaching a single IT service company, they gain access to a far larger pool of victims through compromised credentials belonging to client networks. It’s still unclear how long the hackers had access to the systems, but some reports claim the attack was ongoing for several months.

Age-Verification Hits UK Porn Viewers

The UK has passed a measure that will subject users to age-verifications before being allowed to enter a pornographic website, as part of their ongoing fight to make the UK safer online. This measure was originally introduced as a way to decrease ransomware infections and slow the stream of stolen credentials from paid accounts for higher-traffic sites. The new law has an 88% backing from UK parents and will go into full effect on July 15.

Data Breach Affects Navicent Patients

A recent Navicent Health announcement revealed the email systems of the health care services provider were compromised in July, 2018, possibly affecting over 275,000 patients. While the remainder of their internal systems were untouched, the email server did contain patient data, including social security numbers and billing information. Fortunately, Navicent responded to the breach quickly and began notifying the proper authorities, as well as their client base, in addition to providing identity monitoring services for those whose information was exposed.

Chrome for iOS Bug Redirects Users to Ads

A new bug, found only in the iOS version of Chrome, has exposed up to half a million users to unwanted advertising redirects, sometimes from legitimate websites. The bug works by allowing malicious code to be executed from within page advertisements, which can then overlay onto the device’s screen until clicked. The majority of this campaign’s victims are based in the US and were targeted over a four-day period in early April.

Microsoft Loses Subdomain for Live Tiles

A German researcher recently took control of a subdomain used by Microsoft to assist websites with correctly formatting RSS feeds into a usable XML format for Windows 8 and 10 Live Tiles. Because the subdomain wasn’t registered to Microsoft or their Azure cloud services, and any malicious actor could have compromised the domain, the researcher purchased it and alerted Microsoft of his findings.

Cyber News Rundown: Tax Extortion Ransomware Scams Corporations

Reading Time: ~ 2 min.

Tax Extortion Emails Bring Major Threats

A new email campaign has been spotted threatening ransomware and DDoS attacks over fake tax documents allegedly held by the attackers if a Bitcoin ransom isn’t paid. The campaign authors also threaten to send fake tax documents to the IRS through a poorly-worded ransom email that even provides Wikipedia excerpts for each threat put forward. Fortunately, as the campaign seems to be focused on corporations rather than individuals, no payments have been made to the attacker’s crypto coin wallet address.

Hotel Reservation Data Leaking Through Third-Party Services

As major data breaches continue to flood headlines, a recent study has revealed that nearly two of every three hotels exposes information about its guests to third-parties. Excerpts of the data show names, social security numbers, and payment card details that could give unauthorized users the ability to compromise identities or make changes to current reservations. Most of the exposed data involves comping through third-party services run on hotel websites offering customers additional packages.

Ransomware Conspirator Jailed in the UK

Police in the UK have officially charged and jailed a man for his part in the operation of a global ransomware campaign with ties to a Russian criminal organization. Charges range from fraud and blackmail to computer misuse relating to DDoS attacks and the Essex man is set to face at least six years. By masquerading as an advertising agent looking to purchase ad space on high-traffic sites, he was able to infect ad links with malware and other exploits to spread his campaign.

Firefox Begins Blocking Cryptomining Scripts

Even after the demise of CoinHive, cryptomining scripts are still being secretly deployed on thousands of websites without the knowledge of their owners and visitors. With the release of Firefox 67 beta, Mozilla is hoping to completely protect their users from malicious scripts that download and run cryptominers and other unwanted tracking software by using a blacklist created by Disconnect, a VPN developer with a reputation for privacy protection. Additionally, the new Firefox version will block fingerprinting scripts commonly used to invade a user’s browsing privacy.

MyCar App Uses Hardcoded Credentials

Thousands of cars were left vulnerable after a widely used vehicle telematics systems was found to be using hardcoded credentials in their mobile apps. Used in dozens of different car models to enable remote control functions, the hardcoded credentials leave these vehicles accessible to anyone with the app’s source code and the plaintext credentials within. Fortunately for users, the latest iOS and Android versions of the MyCar app have been updated to resolve this vulnerability.

Cyber News Rundown: Massive Data Breach at Georgia Tech

Reading Time: ~ 2 min.

Massive Data Breach at Georgia Tech

It was recently revealed that the personal information on over 1.3 million people was illicitly accessed by hackers who breached Georgia Tech systems in December of last year. The breach is the second of the year for the university, and was only discovered after IT staff noted performance issues on a widely used web application that interacts with a major database for both students and staff. 

Restaurant Firm Admits to Data Breach

Earl Enterprises, the parent firm of several popular restaurants around the country, recently announced they had fallen victim to a point-of-sale breach at multiple restaurant locations over the last 10 months. At least 100 restaurants, including all locations of the Italian chain Buca di Beppo, have begun working on restoring their systems and contacting affected customers. Nearly 2.1 million payment card accounts have been found in a dark web marketplace that were posted just a month before the company made its discovery.

Toyota Confirms Sales Data Breach

Personal information for over 3.1 million individuals may have been compromised before officials found signs of unauthorized activity on an internal network used in multiple sales subsidiaries of Toyota and Lexus. While the company’s dealerships continue to provide service and parts to customers, this specific breach comes only a month after another cyber attack that impacted Toyota dealerships in Australia, leaving many customers worried about the safety of their data.

GPS Watches Display PWNED! Message

Nearly a year after researchers contacted the watch maker Vidimensio about multiple vulnerabilities in their GPS watches, a new message has appeared on watch maps. The phrase “PWNED!” has been seen on at least 20 different watch models as a message alerting the company to their poor security infrastructure, as end-users are susceptible to being tracked through their watches. More alarmingly, many of the devices were found to have this vulnerability after Germany passed a law banning smart-watches for children that were capable of remote-listening after it was found they often ran on unpatched firmware.

Ransomware Strikes Albany, NY

The city of Albany, New York has been working to restore normal operations after a ransomware attack took down several key components of its systems. Aside from a few document-specific requests, however, the vast majority of the functionality was left undisturbed throughout the attack and recovery process. According to officials, all public safety services remained fully operational and had staff working around the clock to continue to provide assistance or direct individuals to a working facility.

Hijacked Email Reply Chains

Reading Time: ~ 4 min.

Although phishing has been around in various forms since the 1980s, our research shows it continues to evolve—and remains a major threat. These days, phishing tactics have gotten so sophisticated, it can be difficult to spot a scam—particularly in the case of hijacked email reply chains. Let’s look at a concrete example.

Imagine you’re a purchaser for a concrete supplier, and you get an email from a regular client about an order. In that email, you can see this client, Michael, has been exchanging messages with your colleague, Jill. The email addresses, corporate logos, and everything about the email chain look 100% legitimate. You’ve even met Michael in person, so you know he’s trustworthy.

In this case, the conversation details are convincing to you—because they’re real. Someone gained access to your colleague’s email and took over a legitimate conversation about purchases, then forwarded it to you with a malicious payload attached.

A message like this is very likely to get through any email filtering, and you’d probably open it, since it looks like it’s from a trusted sender.

Had you opened the file in this hypothetical scenario, you might have gotten infected with Emotet or another banking Trojan, such as Ursnif / Gozi.

This image is an example of a malicious word document asking you to “enable macros.” This is a common malware tactic that convinces a victim to disable their own security.

“Phishing attacks increased 36%, with the number of phishing sites growing 220 percent over the course of 2018.” – Webroot Inc. “2019 Webroot Threat Report.” (March 2019)

Ursnif / Gozi Campaigns

The difference between an ordinary phishing attack and a hijacked email chain really comes down to believability. The criminals behind these campaigns take their time breaking into email accounts, watching business conversations, negotiations, and transactions, then launching their attempts at plausible moments when the recipient’s guard is most likely to be down. Most commonly, these attacks have been attributed to Ursnif/Gozi campaigns. Webroot has seen quite a few cases of these hijacked emails with the same style of phishing text and nearly identical payloads. There are numerous reports online as well. 

In a malware campaign like this one, it really doesn’t matter whose account the malicious actors have broken into. If you receive an email from your project manager, a sales colleague, the finance department, a particular client, or anyone else that bears the markers of a legitimate, ongoing email conversation, the attack is highly likely to succeed.

Samples

Seen since last November: all email bodies had a long list of replies, but all had the following message.

This would suggest they are all samples that can be attributed to the same gang. Each had .zip files attached with convincing names related to the business at hand, which contained Microsoft® Word documents with filenames that started with “request”.

What You Can Do

Faced with such plausible attacks, it might seem impossible to stay safe. But there are a few tips that can keep you protected. First, never turn macros on, and never trust a document that asks you to turn macros on, especially if it’s a Microsoft® Office file that wants you to show hidden content. Macros are a very common attack vector.

Second, always make sure to keep your operating system up to date, especially Microsoft Office programs. 

Third, you likely already mistrust emails from people you don’t know. Now, it’s time to turn that suspicion onto trusted senders too. Attackers commonly try to spoof email addresses to look like those you’re familiar with, and may even gain control of an email account belonging to a person you know. Always err on the side of caution when it comes to emails asking you to download attachments. 

Fourth, it’s important to protect your own email account from being hijacked. Attackers can use techniques like alternate inboxing to send messages from your account without your knowledge. Be sure to secure your account with strong passwords, 2-factor authentication, or use a secure password manager. Encourage friends and colleagues to do the same.Finally, if you’re suspicious of an email, the best way to check its legitimacy is to pick up the phone. If you know the sender personally, ask them about the message in person or via phone. Or, if you receive a message from a company, look up their publicly listed phone number (do not use the number provided in the email) and call them.

How Webroot Protection Can Keep You Safe

  • Webroot security for computers, smartphones, and tablets blocks malicious scripts, downloads, and executables. (However, you should still exercise caution and common sense, regardless which internet security solutions you use.)
  • For businesses and managed service providers, our portfolio of integrated, next-generation security includes Endpoint ProtectionDNS Protection, and Security Awareness Training for end users.

For more information on these types of attacks, you can read the following articles:

Cyber News Rundown: First GDPR Fine Issues in Poland

Reading Time: ~ 2 min.

First GDPR Fine Issued in Poland

The first fine issued from the Polish privacy regulator has been issued to an unnamed firm for quietly gathering personal data for over 6 million Polish citizens and using it for commercial gains without consent. The fine of £187,000 was generated after officials learned that only 90,000 individuals had been contacted via email, as the company had seemingly no other low-cost options for contacting the remaining millions of affected citizens. 

ASUS Update Utility Used as Backdoor

ASUS recently confirmed that their Live Update utility for notebooks was compromised, leading to at least 500,000 machines being affected by malicious code. While this attack was focused on a only a couple of specific servers, the announcement came nearly a month after the company was told by researchers about the issue and it continued to push the malware via Live Update. Fortunately, ASUS resolved the issue with their latest update and has provided a tool to help customers determine if they’re still at risk. 

Microsoft Takes Domains Back from Hackers

Microsoft has been working for some time to combat state-backed hackers by regaining control of nearly 100 domains that have been used in spear-phishing attacks across the globe. Many of the domains used keywords relating to more popular companies to steal login credentials for the sites they mimicked By obtaining court orders for the domains, Microsoft has continued its long-term legal battle, with help from domain registrars, to take these scams offline. 

Facebook Hack Exposes 110,000 Australians

After the Facebook hack in September of last year the personally identifiable information for over 100,000 Australians was compromised. While some users saw only their name and email address exposed, others had their search history, recent location check-ins, and more information available to the hackers. Facebook began notifying the proper regulatory officials four days after they themselves became aware of the breach that had begun more than a week earlier. 

Cryptocurrency Exchanges Hacked

With an estimated combined loss of over $46 million in cryptocurrency, two exchanges have come forward about hacks that have taken them offline as investigations unfold. DragonEx initially announced that an attack had occurred over the weekend and that they were able to regain some of the stolen funds. They then posted the wallet addresses that had received stolen funds in hopes of having the accounts frozen and the flow of currencies stopped. The second hack on CoinBene has been denied by the company as they haven’t lost any funds, but users were able to trace significant amounts of several cryptocurrencies dumped into other markets not long after the attack on the exchange took place.

Cyber News Rundown: Hacker Exposes 26 Million Personal Records

Reading Time: ~ 2 min.

Gnosticplayers Adds 26 Million More Records for Sale

After the first 3 major data dumps, which totaled over 600 million records, the hacker known as Gnosticplayers has released his latest cache of data, which contains at least 26 million personal user records. These data caches hold customer information for 32 companies overall and have been obtained over just the past couple months, making the data that much more lucrative. The hacker claims these breaches are done simply out of frustration that security is still not being taken seriously by many major companies from across the globe, which may explain why the price tag for each dump is so low.

Hackers Set Off Tornado Sirens in Texas Towns

At least 30 tornado warning sirens in two Texas towns were triggered in the early morning hours by an unknown hacker. While officials quickly shut down the sirens, they did so just 24 hours prior to a major storm during which they might have needed to use these critical emergency systems. This attack is very similar to one that affected the entire Dallas area in 2017, when hackers successfully compromised a radio system that set off over 100 tornado sirens across the city.

Marketing Firm Exposes 230 Million Records

Another misconfigured Amazon database, this time belonging to Exactis, carries the blame for a data breach that could affect at least 230 million individuals, with more data on 110 million individual records tied to businesses. While it is still unclear exactly how long the database was accessible, the company and an external security auditor maintain that the data was not accessed maliciously during its time online, though the independent researcher who first discovered the database reports that the data may have been spotted for sale on the dark web.

Ransomware Cripples Major Aluminum Manufacturer

Norsk Hydro, a major Aluminum producer, suffered a ransomware attack that successfully shut down a large portion of the company’s operations. The attack forced the company to switch to manual operations at all of its facilities around the world, and temporarily take down their website while they worked to restore their systems from backups. Fortunately, the company retains backups for their major operations, so normal production should resume within the week.

Gearbest Leaks 1.5 Million Customer Records

Following the trend of unprotected databases, researchers recently found yet another one, this time belonging to Gearbest (a Chinese e-commerce site). This database contained unencrypted personal records for over 1.5 million customers around the globe, including payment data, ID and passport info, and even data that could compromise Gearbest itself, as URLs for an internal software platform were also exposed. The company has since claimed that the number of exposed records is much smaller than originally posted. However, they also maintain that they use strong encryption on all stored data, despite this latest evidence to the contrary. 

HTTPS: Privacy vs. Security, and Where End Users and Security Culture Fit In

Reading Time: ~ 4 min.

Since the dawn of IT, there’s been a very consistent theme among admins: end users are the weakest link in your network, organization, security strategy, fill-in-the-blank. We’ve all heard the stories, and even experienced them first-hand. An employee falls for a phishing scam and the whole network is down. Another colleague torrents a file laced with malware. Or maybe it’s something less sinister: someone wants to charge their phone, so they unplug something from the only nearby outlet, but what they unplug is somehow critical… help desk tickets ensue. 

But when it comes to security issues caused by human error, it’s not necessarily always the end user’s fault. Cyberattacks are getting more and more sophisticated by the second, and all of them are designed to either circumvent defenses or appear totally legitimate to fool people. One of the major advances of this type that we’ve seen is with phishing sites and the use of HTTPS.

HTTPS: The Beginning

While HTTP is the foundation of all data exchange and communication on the internet, it wasn’t designed for privacy. Transmitting information on the web using HTTP is kind of like sending a postcard; anybody who handles that card can read it. HTTPS was supposed to be a way of adding privacy to protect users and sensitive information from prying eyes.

At first, you’d only see HTTPS on financial or health care websites, or maybe the cart page on a shopping site, where the extra privacy was necessary. And back then, getting a security certificate was much harder—it involved significant costs and thorough security checks. Then, a few years ago, most web browsers started requiring security certificates for every website, or else they’d throw up a scary-looking warning that the site you were trying to visit might be dangerous. That trained us to look for (and trust) HTTPS.

A False Sense of Security

These days, when we see HTTPS at the beginning of a URL or the accompanying lock icon in our browser’s address bar, we’ve been conditioned to think that means we’re safe from harm. After all, the S in HTTPS stands for “secure”, right? But the issue is that HTTPS isn’t really about security, it’s about privacy. That little lock icon just means that any information we transmit on that site is encrypted and securely delivered to its destination. It makes no guarantees that the destination itself, is safe.

If you unwittingly end up on a well-faked phishing copy of your banking website and see the lock icon, it’s natural to assume that you’re in the right place and all is well. Except when you try to log in, what you’re really doing is securely transmitting your login credentials to an attacker. In this case, HTTPS would’ve been used to trick you.

The Bad Guys and HTTPS

Malicious actors are always looking for new ways to trick end users. Because so many of us think HTTPS ensures security, attackers are using it against us. It’s no longer difficult to obtain a security certificate. Attackers can do so very cheaply, or even for free, and there’s really no background or security check involved. 

As I mentioned during my talk on HTTPS at this year’s RSA conference, almost half a million of the new phishing sites Webroot discovered each month of 2018 were using HTTPS. In fact, 93% of phishing domains in September and October alone were hosted on HTTPS sites. When you think about these numbers, it’s easy to see why end users might not be to blame when you discover that a major security breach was caused by someone being duped by a phishing scam. 

The Way Forward

As more HTTPS phishing and malware sites emerge, even the most vigilant among us could fall victim. But that doesn’t mean we shouldn’t invest in end user education. End users are on the front lines on the cybersecurity battlefield. It’s up to us to provide right tools and armor to keep users and the companies they represent safe. To be truly effective, we need to implement ongoing security awareness training programs that recur continually throughout an employee’s time with the company. If we accomplish that, the results speak for themselves; after 12 months of training, end users are 70% less likely to fall for a phishing attempt!

We also need to make sure our security strategies incorporate real-time threat intelligence to accurately classify and determine which websites are good or malicious, regardless of their HTTPS designation. In an age where phishing sites appear and disappear in a matter of hours or minutes, malicious sites use HTTPS, and at least 40% of bad URLs can be found on good domains, it’s more important than ever that we all use the most advanced real-time technologies available. 

Ultimately building a culture of cybersecurity will always be more effective than a top-down mandate.. Everyone in the organization, from the CEO to the newest intern, should be invested in adopting and furthering a security conscious culture. Part of that process is going to be shifting the general IT perceptions around human error and the issues it can cause. We shouldn’t think of our end users as the weakest link in the chain; instead we should think of them as the key to a robust security strategy.

To hear more about HTTPS, phishing, and end user education, you can listen to the podcast I did with cybersecurity executive and advisor Shira Rubinoff at RSAC 2019.

Post Coinhive, What’s Next for Cryptojacking?

Reading Time: ~ 2 min.

In late February, the notorious cryptojacking script engine called Coinhive abruptly announced the impending end to its service. The stated reason: it was no longer economically viable to run.

Coinhive became infamous quickly following its debut as an innovative javascript-based cryptomining script in 2018. While Coinhive maintained that its service was born out of good intentions—to offer website owners a means to generate revenue outside of hosting ads—it took cybercriminals no time at all to create cryptojacking attack campaigns. Cryptojacking became incredibly popular in 2018, infecting millions of sites (and cloud systems among the likes of Tesla) and netting criminals millions in cryptocurrency at the expense of their victims.

Source: Coinhive [dot] com

I honestly did not see this happening, but I do understand. It is reasonable to think that Coinhive didn’t intend for their creation to be abused by criminals. However, they have still kept 30 percent of ALL the earnings generated by their script, one that was often found running illegally on hijacked sites. Most of that profit came from illicit mining, which has earned Coinhive a lot of negative press.

Additionally, 2018 was a terrible year in terms of the US-dollar value of Monero (XMR), which means their service is significantly less profitable now, relative to what it once was. Combined with the fact that the XMR development team hard-forked the coin and changed the difficulty of the hashrate, this means Coinhive is making very little money from legitimate miners.

Coinhive created this service so legitimate domain owners could host their script and generate enough revenue to replace ads. Ads are annoying and I believe this innovation was aimed at attempting to fix that problem. But the ultimate result was a bunch of criminals breaking into other people’s domains and injecting them with Coinhive scripts that essentially stole from visitors to that domain. Without consent, millions of victims’ computers were subject to maximum hardware stress for extended periods of time, all so some criminals could make a few pennies worth of cryptocurrency per computer.

Would you continue to operate a startup business in which most of the money you earned was a cut of criminal activity—stealing from victims in the form of an increased power bill? Maybe a year ago, when the hashing difficulty was easier (you earned more XMR) and XMR was worth 10 times what it’s worth now, it might have been easier to “sleep at night” but now it probably just isn’t worth it.

Even before this news, there were plenty of other copycats—Cryptoloot, JSEcoin, Deepminer, and others—so criminals have plenty of similar services to choose from. At the time of its shutdown, Coinhive had about around 60% share of all cryptojacking campaigns, though we saw this market dominance reach as high as 80% last year. I anticipate these other services stand to take larger shares of cryptojacking revenue now that the largest player has left. We might even see a new competitor service emerge to challenge for cryptojacking dominance.

Stay tuned to the Webroot blog for future developments in cryptojacking.

Cyber News Rundown: Georgia County Pays for Ransomware Threat

Reading Time: ~ 2 min.

Georgia County Pays Six Figure Ransom to Restore IT Systems

Following a ransomware attack earlier this month, officials in Jackson County, Georgia decided to pay a $400,000 ransom in order to obtain a decryption key and return their systems to normal operations. While it’s not normally recommended to pay ransoms, but instead to keep proper backups of critical files, the county decided that it would cost significantly more to restore the systems on their own. It is still unclear how the breach unfolded or how long the hackers had access to the network.

Michigan Healthcare Group Compromised

Sensitive information on over 600,000 patients was recently exposed after the Wolverine Solutions Group (WSG) suffered a data breach. The WSG initially suffered a ransomware attack in September of last year, and has been working to decrypt many of their systems since then. Due to Michigan’s lax laws regarding the announcement of a data breach, customers who may have been affected were contacted only within the last month.

Redirect Tags Found on Fortune 100 Sites

Hundreds of third-party redirect tags have been found hidden on the websites of Fortune 100 companies. These tags could allow attackers to access user data from any of the compromised sites and also degrade the performance of sites with multiple hidden tags. Many site owners even expressed concern over possible customer data loss, but did little to clear the tags from  their sites.

Asian Gaming Companies Infiltrated by Backdoors

Several Asia-based gaming companies have discovered hidden backdoors within main executables of some games attracting tens of thousands of players. Fortunately, after identifying the malicious code two of the three companies immediately pushed updates to their software, and the command & control servers for the backdoors were taken offline soon after. The backdoors appear to have originated from a malicious Chinese hacker group that has committed these types of attacks multiple times in recent years.

Info on 1.8 Million Women Found on Unprotected Chinese Database

An unprotected database was recently found which contains extremely sensitive data for nearly 1.8 million women in China. Amongst the personally identifying information was GPS coordinates, political affiliations, and even available video of specific individuals. Unfortunately, while the owners of this one database were successfully contacted, there are still thousands of similarly unprotected databases on Chinese networks.