Industry Intel

Cookies, Pixels, and Other Ways Advertisers are Tracking You Online

In May of 2018, the General Data Protection Regulation (GDPR) came into effect in the EU. Seemingly overnight, websites everywhere started throwing pop-ups to inform us about their use of cookies and our privacy rights. While the presence of the pop-ups may be...

Online Gaming Risks and Kids: What to Know and How to Protect Them

Online games aren’t new. Consumers have been playing them since as early as 1960. However, the market is evolving—games that used to require the computing power of dedicated desktops can now be powered by smartphones, and online gaming participation has skyrocketed....

STEM for Kids: Why Does it Matter?

You have probably seen or heard news reports about STEM education (Science, Technology, Engineering, and Math), and how important STEM jobs are for the economy; or maybe you’ve heard reports on schools that are making strides to improve their STEM programs for...

Keeping Your Vehicle Secure Against Smart Car Hacks

An unfortunate reality of all smart devices is that, the smarter they get, and the more integrated into our lives they become, the more devastating a security breach can be. Smart cars are no exception. On the contrary, they come with their own specific set of...

Thoughtful Design in the Age of Cybersecurity AI

AI and machine learning offer tremendous promise for humanity in terms of helping us make sense of Big Data. But, while the processing power of these tools is integral for understanding trends and predicting threats, it’s not sufficient on its own. Thoughtful design...

Cybersecurity in Schools: What Families Need to Know

Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents...

Out from the Shadows: The Dark Web

You’ve likely heard of the dark web. This ominous sounding shadow internet rose in prominence alongside cryptocurrencies in the early 2010s, eventually becoming such an ingrained part of our cultural zeitgeist that it even received its own feature on an episode of Law...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

Cyber News Rundown: Apple Removes Facebook Research App

Reading Time: ~ 2 min.

Facebook Research App Removed from App Store

After seeing their Onavo VPN application removed from the Apple App Store last year, Facebook has re-branded the service as a “research” app and made it available through non-Apple testing services. The app itself requires users download and install a Facebook Enterprise Developer Certificate and essentially allow the company complete access to the device. While many users seem to be in it only for the monthly gift cards, they remain unaware of the extreme levels of surveillance the app is capable of conducting, including accessing all social media messages, sent and received SMS messages and images, and more. Apple has since completely removed Facebook’s iOS developer certificate after seeing how they collect data on their customers.

Japan Overwhelmed by Love Letter Malware Campaign

Following the discovery of the Love Letter malware a couple weeks ago, the campaign has been determined to be responsible for a massive spike in malicious emails. Hidden amongst the contents of the suspiciously-titled attachments are several harmful elements, ranging from cryptocurrency miners to the latest version of the GandCrab ransomware. Unfortunately for users outside of the origin country of Japan, the initial payload is able to determine the system’s location and download additional malicious payloads based on the specific country.

Apple FaceTime Bug Leads to Lawsuit

With the recent announcement of a critical vulnerability for Apple’s FaceTime app, the manufacturer has been forced to take the application offline. Unfortunately, prior to the shutdown, one Houston lawyer filed a case alleging that the vulnerability allowed for unauthorized callers to eavesdrop on a private deposition without any consent. By simply adding a user to a group FaceTime call, callers were able to listen through the other device’s microphone without that user answering the call.

Authorities Seize Servers for Dark Online Marketplace

Authorities from the US and Europe announced this week that, through their combined efforts, they had successfully located and seized servers belonging to an illicit online marketplace known as xDedic. While this was only one of many such server sites, administrators could have used it to facilitate over $68 million in fraudulent ad revenue and other malicious activities. Hopefully, this seizure will help law enforcement gain an understanding of how such marketplaces operate and assist with uncovering larger operations.

French Engineering Firm Hit with Ransomware

Late last week the French engineering firm Altran Technologies was forced to take its central network and supported applications offline after suffering a ransomware attack. While not yet confirmed, the malware used in the attack has likely been traced to a LockerGoga ransomware sample uploaded to a malware engine detection site the very same day. Along with appending extensions to “.locked”, LockerGoga has been spotted in multiple European countries and seems to spread via an initial phishing campaign, and then through compromised internal networks.

The Rise of Information Stealers

Reading Time: ~ 5 min.

This is the second of a three-part report on the state of three malware categories: miners, ransomware, and information stealers. 

As noted in the last blog, mining malware is on a decline, partly due to turmoil affecting cryptocurrencies. Ransomware is also on a decline (albeit a slower one). These dips are at least partly the result of the current criminal focus on information theft.

Banking Trojans, hacks, leaks, and data-dealing are huge criminal enterprises. In addition to suffering a breach, companies might now be contravening regulations like GDPR if they didn’t take the proper precautions to secure their data. The ways in which stolen data is being used is seeing constant innovation. 

Motivations for data theft

Currency

The most obvious way to profit from data theft is by stealing data directly related to money. Examples of malware that accomplishes this could include:

  • Banking Trojans. These steal online banking credentials, cryptocurrency private keys, credit card details, etc. Originally for bank theft specialists, this malware group now encompasses all manner of data theft. Current examples include Trickbot, Ursnif, Dridex.
  • Point of Sale (POS). These attacks scrape or skim card information from sales terminals and devices.
  • Information stealing malware for hijacking other valuables including Steam keys, microtransactional or in-game items

Trade

Data that isn’t instantly lucrative to a thief can be fenced on the dark web and elsewhere. Medical records can be worth ten times more than credit cards on dark web marketplaces. A credit card can be cancelled and changed, but that’s not so easy with identity. Examples of currently traded information include:

  • Credit cards. When cards are skimmed or stolen, they’re usually taken by the thousands. It’s easier to sell these on at a reduced cost and leave the actual fraud to other crooks.
  • Personal information. It can be used for identity theft or extortion, including credentials, children’s data, social security information, passport details, medical records that can be used to order drugs and for identity theft, and sensitive government (or police) data

Espionage

Classified trade, research, military, and political information are constant targets of hacks and malware, for obvious reasons. The criminal, political, and intelligence worlds sometimes collide in clandestine ways in cybercrime. 

As a means of attack

While gold and gemstones are worth money, the codes to a safe or blueprints to a jewellery store are also worth a lot, despite not having much intrinsic value. Similarly, malware can be used to case an organisation and identify weaknesses in its security setup. This is usually the first step in an attack, before the real damage is done by malware or other means. 

“In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.” –From a story that appeared in the New York Times

Just another day in the Cobalt/Carbanak Heists 

Some examples of “reconnaissance” malware include:

  • Carbanak. This was the spear-tip of an attack in an infamous campaign that stole over €1 billion ($1.24 billion) from European banks, particularly in Eastern Europe. The Trojan was emailed to hundreds of bank employees. Once executed, it used keylogging and data theft to learn passwords, personnel details, and bank procedures before the main attacks were carried out, often using remote access tools. ATMs were hacked to spill out cash to waiting gang members and money was transferred to fraudulent accounts.
  • Mimikatz, PsExec, and other tools. These tools are freely available and can help admins with legitimate issues like missing product keys or passwords. They can also indicate that a hacker has been on your network snooping. These software capabilities can be baked into other malware.
  • Emotet. Probably the most successful botnet malware campaign of the last few years, this modular Trojan steals information to help it spread before dropping other malware. It usually arrives by phishing email before spreading like wildfire through an organisation with stolen/brute-forced credentials and exploits. Once it has delivered its payload (often banking Trojans), it uses stolen email credentials to mail itself to another victim. It’s been exfiltrating the actual contents of millions of emails for unknown purposes, and has been dropping Trickbot recently, but the crew behind the campaign can change the payload depending what’s most profitable. 

“Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”- An August 2018 warning from the American DHS

  • Trickbot/Ryuk. Trickbot is a banking Trojan capable of stealing a huge array of data. In addition to banking details and cryptocurrency, it also steals data that enables other attacks, including detailed information about infected devices and networks, saved online account passwords, cookies, and web histories, and login credentials. Trickbot has been seen dropping ransomware like Bitpaymer onto machines, but recently its stolen data is used to test a company’s worth before allowing attackers to deploy remote access tools and Ryuk (ransomware) to encrypt the most valuable information they have. The people behind this Trickbot/Ryuk campaign are only going after big lucrative targets that they know they can cripple.

What are the current trends?

Emotet is hammering the business world and, according to our data, has surged in the last six months of 2018:

Data recorded between 1 July and December 31, 2018. Webroot SecureAnywhere client data.

Detection of related malware surged alongside these detections. Almost 20% of Webroot support cases since the start of December have been related to this “family” of infections (Emotet, Dridex, Ursnif, Trickbot, Ryuk, Icedid).

What can I do?

  • Update everything! The success of infections such as WannaMine proved that updates to many operating systems still lag years behind. Emotet abuses similar SMB exploits to WannMine, which updates can eliminate.
  • Make sure all users, and especially admins, adhere to proper password practices.
  • Disable autoruns and admin shares, and limit privileges where possible.
  • Don’t keep sensitive information in plain text.

What can Webroot do?

  • Webroot SecureAnywherehome security products detect and remove information stealers including Emotet, Trickbot, Ursnif, Heodo, and Mimikatz, as well as any other resultant malware.
  • Our Identity and Privacy Shield stops keylogging and clipboard theft, even if malware isn’t detected.
  • Ongoing cybersecurity education and trainingfor end users is a must for businesses to stay secure. Remember: phishing and email tend to be the top delivery methods for this malware. 
  • As well as helping you clean machines, Webroot’s support (in the case of infections such as Emotet) will help you plug security holes. Our specialised security hardening tools can be deployed through our console to all endpoints in a few clicks.

Information theft can be a very complicated business, but to tackle it, the basics have to be done. Criminals will always go for the low hanging fruit, so lifting your organisation’s data out of this category should be your first priority.But proper device protection and knowledge of good cyber hygiene are also essential to protecting your data. Stay tuned to the Webroot blog for the latest information on the newest threats.

Would You Like To Know My Social Security Number?

Reading Time: ~ 4 min.

It’ll cost you a buck. Just like everyone else’s. The use of a Social Security Number (SSN) as unique identifiers has long been a contentious subject. SSNs were never intended to be used for identification, and their ubiquitous abuse for identification and authentication has lead me to call them “Social Insecurity Numbers,” or SINs.

There was a time when my response to a breach that leaked SSNs was “the horror, the horror.” Now my cynical reaction is “big deal, they stole my public information… again.” Yes, I know it’s improper for a security expert to feel this way, but an improper response is sometimes still the correct response. 

Let me walk you through both sides of the issue: the horror and the dispassion.

The Horror

When aliens visit our lifeless planet in 2525, they will run DNA tests on our remains and they will catalog or index us by our SINs. That’s one of the things that makes the theft of SSNs worrisome. SSNs do not expire. A person may expire, their SSN does not. Social security numbers are not reused. They just stop being used. Funds may be paid to surviving spouses and children, but after that the SSNs are a permanent entry in a database.

Let’s put this into perspective. Of all of the credit cards issued between 1946 and 2012, virtually none are valid. Of all of the compromised credit cards issued between 2012 and 2018, very few remain valid. Sometimes the cards are replaced before they’re fraudulently used, and other times fraudulent use results in the cancellation of the cards. In either case, the cards are simply replaced with new account numbers. 

Compare this to SSNs. Of all of the SSNs issued since 1934, well… Have you ever see an expiration date on a Social Security card? You can change your credit card number. You can change bank. You can change your career, your doctor, your vet, your clothes, or your mind. But unless you enter the United States Federal Witness Protection Program, your SSN isn’t changing. (Actually, that’s a bit overstated. Under certain circumstances you can get a new SSN, but your SSN simply being compromised does not qualify you to change SSNs.)

According to a study published by Javelin, more social security numbers were involved in breaches in 2017 than credit cards. Think about that for a moment. Do you know anyone who has had a fraudulent purchase made on their credit card? Here’s where the problem becomes insidious. Credit card fraud is loud. You can hear it coming. I have alerts set up on my bank accounts so that I know each time a charge is made. I am alerted through text and email. One fraudulent charge and I know. I can act. 

But SSNs are quiet. Multiple applications for credit cards can be made simultaneously, but you’re not likely to find out very quickly. Pair this with a compromised email account, and you could be in big trouble. For me, it’s of serious concern.

The Dispassion

Why don’t I worry about my SSN being leaked? Because it’s already been leaked multiple times in multiple breaches. 

How do I know that? 

I don’t, I just assume it has been. Why? Because my SSN has been vulnerable to theft for decades, and there are so many compromised SSNs stocking the dark web that they’re a cheap commodity. You might even expect to encounter a “buy five credit card numbers get two SSNs free” deal, or to see them sold by the dozen, like Kleenex at Costo.  

According to Brian Stack, the Vice President of Dark Web Intelligence at Experian, Social Security numbers sell for only $1 on the dark web. In the massive Marriot breach, it wasn’t my SSN I was worried about, it was my loyalty program information. My loyalty program information is worth 20 times more than my SSN on the dark web. Loyalty program points can be used to buy travel or merchandise in airline shopping malls.

For several years, “assume the breach” has been the mindset of many security professionals, meaning that we should assume a company will be breached, or already has been breached, and we should be clear-eyed about it. It is a call to action. Put mitigations and remediation processes in place. Have an action plan. 

For the public, and I cannot emphasize this enough, this means you should assume it was your data that was compromised in the breach, and put a remediation plan in place. If the businesses holding your data assumes your data is toast, then you should too.

What You Can Do

So, if we’re adopting the fatalist position on SSN theft, but still want to protect ourselves, what’s a person to do?

  • Credit freezes and fraud alerts. Both are good proactive defenses. The Federal Trade Commission (FTC) is a good place to start if you don’t know how. For information about credit freezes, check here. For information about fraud alerts and extended fraud alerts, take a look here and here.
  • Use two-factor authentication. Gmail, Facebook, Twitter, and other sites offer two-factor authentication. Typically, this means you’ll need to respond to a text or email in order to log into your account. This makes it harder for the bad guys to hijack it. Not impossible, but significantly more difficult.
  • Take advantage of alerts offered by financial institutions. If someone tries to log into my bank account or make a charge on my credit or debit card, I will know it immediately. 
  • Be Prepared for Identity Theft. Once again, the FTC consumer information page on identity theft is a great resource for consumers, security evangelists, and businesses alike on how to build a strong defensive posture.

Identity theft is real, it can be devastating, and you need to be prepared for it. But reports of breaches that include SSNs tell me what I already know; my SSN is in the hands of cybercriminals. It has been for years.

So no, I’m not going to tell you my SSN. You’ll have to pay your dollar for it, just like everyone else.

A Miner Decline: The Slowdown of a Once-Surging Threat

Reading Time: ~ 4 min.

This is the first of a three-part report on the state of three malware categories: miners, ransomware and information stealers.

In Webroot’s 2018 mid-term threat report, we outlined how cryptomining, and particularly cryptojacking, had become popular criminal tactics over the first six months of last year. This relatively novel method of cybercrime gained favour for being less resource-intensive and overtly criminal when compared to tactics involving ransomware. But mining cases and instances of mining malware seem to have dropped off significantly in the six months since this report, both anecdotally and in terms of calls to our support queue. 

The crytpo world has gone through significant turmoil in this time, so it’s possible the reduced use of malicious cryptojacking scripts is the result of tanking cryptocurrency values. It’s also possible users are benefitting from heightened awareness of the threat and taking measures to prevent their use, such as browser extensions purpose-built to stop these scripts from running. 

Setting aside the question of why for a moment, let’s take a look at some stats illustrating that decline during that time period.

Cryptojacking URLs seen by Webroot over six months beginning 1 July through 31 December, 2018, Webroot SecureAnywhere client data. 

Webroot endpoints detected URLs associated with over 17,000 cryptojacking instances over the last year.


New miner malware seen by Webroot 

Data from six months beginning 12 July through 9 Jan, 2019, Webroot data, units logarithmic.

Portable executable mining malware seen by Webroot threat intelligence. Data from hundreds of millions of Webroot sensors.


Monero mining profitability ($)

Data covering six months from 12 July – 9 Jan, 2019, Bit Info Charts, units logarithmic

We chose Monero as the currency to analyse here because of its popularity among crooks operating miners or cryptojacking sites. However, results for Bitcoin over the same time period are similar.


Monero price ($)

Data covering six months from 12 July through 9 Jan, 2019, World Coin Index

Interpreting the data

None of the graphs are identical, but without too much statistical comparison, I think a broad trend can be seen: malicious mining is on the decline alongside a general decline in coin value and coin mining profitability. 

Profitability affecting criminal tactics is of course not surprising. The flexibility of exploit kits and modern malware campaigns like Emotet mean that cybercriminals can change tactics and payloads quickly when they feel their malware isn’t netting as much as it should.

Thanks to the dark web, criminal code has never been easier to buy or rent than in recent years, and cryptocurrencies themselves make it easy to swap infection tactics while keeping the cash flowing. Buying or renting malicious code and malware delivery services online is easy, so the next time the threat landscape changes, expect criminals to quickly change with it. 

Should I still care about miners?

Yes, absolutely. 

Cryptocurrency, cryptomining, and malicious cryptomining aren’t disappearing. Even with this dip, 2018 was definitely a year of overall cryptocrime growth. Our advanced malware removals teams often spot miner malware on machines infected by other malware, and it can be an indication of security holes in need of patching. And any illegal mining is still capable of constantly driving up power bills and frustrating users.

Where are cybercriminals focused now?

Information theftis the current criminal undertaking of choice, a scary development with potentially long-lasting consequences for its victims that are sometimes unpredictable even to thieves. The theft, trade, and use for extortion of personal data will be the focus of our next report.

What can I do?

Cryptojacking may only be on the decline because defences against them have improved. To up your chances of turning aside this particular threat, consider doing the following:

  • Update everything. Even routers can be affected by cryptojacking, so patch/update everything you can.
  • Is your browser using up lots of processor? Even after a reset/reinstall? This could be a sign of cryptojacking.
  • Are you seeing weird spikes in your processor? You may want to scan for miner infections.
  • Don’t ignore repeated miner detections. Get onto your antivirus’ support team for assistance. This could be only the tip of the iceberg.
  • Secure your RDP.

What can Webroot do?

Webroot SecureAnywhere®antivirus products detect and remove miner infections, and the web threat shield blocks malicious cryptojacking sites from springing their code on home office users. For businesses, however, the single best way to stop cryptojacking, is with DNS-level protection. DNS is particularly good at blocking cryptojacking services, no matter how many sites they try to hide behind.

Persistent mining detections might point to other security issues, such as out-of-date software or advanced persistence methods, that will need extra work to fix. Webroot’s support is quick and easy to reach.

In the end, cryptomining and cryptojacking aren’t making the same stir in the cybersecurity community they were some months ago. But they’ve far from disappeared. More users than ever are aware of the threat they pose, and developers are reacting. Fluctuations in cryptocurrency value have perhaps aided the decline, but as long as these currencies have any value cryprojackers will be worth the limited effort they require from criminals.

Watch for the use of cryptominers to be closely related to the value of various cryptocurrencies and remain on the lookout for suspicious or inexplicable CPU usage, as these may be signs that you’re being targeted by these threats. 

And of course, stay tuned to the Webroot blog for information on the latest threat trends.

Cyber News Rundown: Anatova Ransomware Infects the Globe

Reading Time: ~ 2 min.

Anatova Ransomware Reaches Global Market

A new ransomware family, dubbed Anatova by researchers, has been infecting machines across the globe. During encryption, Anatova appears to focus on small files to speed up overall encryption times, but doesn’t append the encrypted files with a new extension. Unexpectedly, this variant demands DASH crypto coins, rather than using a currency with a less visible transaction ledger. It also uses several tactics to prevent analysis in both real-world and virtual environments.

Android Malware Remains Dormant until it Detects Motion

On the Google Play store, researchers have discovered several malicious apps that rely on an unusual trigger to install a banking Trojan: motion sensors. By monitoring the motion sensor in a specific mobile device, the malware can determine if it is a real victim device or a research emulator (which would likely remain stationary during analysis.) In particular, one of these insidious apps was downloading the Anubis banking Trojan, which launched a fake Android update screen to start keylogging in hopes of capturing banking credentials.

Google Faces First Major GDPR Fine

Regulators in France have issued a fine against Google for two separate complaints, the first being the company’s misuse of their users’ data, the second being the legal use of that data without providing the user enough details to give fully-informed consent. This fine is the first issued by the CNIL, the official regulator for France, and could cost Google up to $57 million.

ElasticSearch Database Exposes Online Gambling Bets

In the last couple days, security researchers have discovered a database holding sensitive information on dozens of online casino sites’ bettors. After contacting the hosting provider, researchers verified that the database, which contained over 100 million bet entries, had finally been secured. However, it’s still unclear whether the database’s owner or the ISP was responsible.

Chinese Crypto Farms Get Unique Ransomware Strain

Since China houses most of the world’s cryptocurrency mining farms, it comes as little surprise that malware authors are beginning to focus on this lucrative market. By infecting Antminer devices, which mine Litecoin and Bitcoin, this variant can quickly shut down the device and prevent further mining operations. Victims must choose between paying an extremely high ransom and allowing the infection to spread to thousands of other devices. For victims who do not pay, this variant also threatens to shut down devices’ fans, causing them to overheat and eventually destroy themselves.

Cyber News Rundown: Ransomware Halts Texas Town

Reading Time: ~ 2 min.

Texas Town Brought to a Halt by Ransomware

Several days ago the town of Del Rio, Texas, fell victim to a ransomware attack that knocked most of the town’s major systems offline. While the town’s IT department quickly worked to isolate the infection, remaining departments were forced to switch to hand-written transactions in order to not completely shut down. Fortunately, the attack was quickly resolved and all city websites returned to normal within only a couple of days.

Data Vulnerability Affects Booking Systems for 141 Airlines

Researchers recently discovered a vulnerability affecting the Amadeus ticket booking system, which is used by more than a hundred international airlines. By making simple changes to a provided URL link, researchers were able to access passenger records and view related flight information. They were also able to access an Israeli airline’s user portal and make changes to the user account, and even change or cancel flight reservations.

Ryuk Ransomware Surpasses $4 Million in Ransom Payments

The ransomware variant known as Ryuk has pulled in nearly $4 million in Bitcoin payments alone since last August. By remaining dormant on previously infected systems, Ryuk can stay hidden for months or even years while its operators build an understanding of the system. In doing so, the attackers are able to command much higher ransom payments by focusing on victims with the means to pay a larger sum.

Account Vulnerability Plaguing Fortnite Players

A new vulnerability has been found pertaining to user accounts for Fortnite that could allow attackers to take full control of an account. By intercepting game-specific authentication tokens, attackers could access a user’s payment card details and use them to purchase in-game currency, or even gain access to a victim’s in-game conversations. Fortunately, Epic Games reacted swiftly to the announced exploits and quickly resolved the security flaws.

Advertising Hack Pushes Malware on Online Shoppers

The latest MageCart attack has compromised the entire distribution network for Adverline, a French advertising company that conducts a substantial amount of business in Europe. By injecting a malicious JavaScript code into dozens of online stores, the attack has been used to steal payment data from at least 277 unique websites thus far. By starting the attack at the top of the distribution chain, these types of attacks have an increased chance of success as the number of victims rises.

Cyber News Rundown: Bad Apps Infect Google Play

Reading Time: ~ 2 min.

Malicious Apps Get Millions of Installs

Google recently removed 85 apps from the Play Store after they were found to contain predatory adware. With over nine million combined downloads, the apps were mostly fake games or utility apps that began pushing a constant stream of full-screen ads to users until the app itself crashed. More worrisome, while nearly all the apps shared similar code, they were mostly uploaded from different developer accounts and used different digital certificates to minimize detection.

Tuition Scam Targets UK College

Several parents of students attending St. Lawrence College in the UK fell victim to an email scam over the holidays that requested early tuition payment at a discounted rate for the upcoming terms. While security measures surrounding parental information have since been improved, at least two separate families confirmed they sent undisclosed amounts of money to the scammers. Though these types of attacks target large audiences, it takes only a small number of successful attempts to make the campaign profitable.

Australian EWN System Hacked

With the help of a strong detection system, a brief hack of the Australian Early Warning Network (EWN) was quickly shutdown. Some of the messages contained warnings about the security of the EWN and listed several links that the user could navigate through. Fortunately, staff were quick to notice the severity of what was occurring and acted to prevent additional customers from being spammed.

Ransomware Uses Children’s Charity as Cover

When CryptoMix first came to light, it included a ransom note masquerading as a request for a “donation” to a children’s charity. It has since returned, but now includes actual information from crowdfunding sites attempting to help sick children and using their stories to guilt victims into paying a ransom. Even worse, as victims navigate the payment process, the ransomware continues to urge them on with promises that the sick child will know their name for the aid they provide.

Exploit Broker Raises Bounties for New Year

Following the New Year, a known exploit broker, Zerodium, announced they would be effectively doubling all bounty payouts for zero-day exploits. While lower-end Windows exploits will net a researcher $80,000, some Android and iOS zero-days will pay out up to $2 million. Unfortunately for many working on the lawful side, nearly all the exploits obtained by Zerodium will be privately sold, rather than used for patching or improving security.

Cyber News Rundown: Ransomware Hits Tribune Publishing

Reading Time: ~ 2 min.

American Newspapers Shutdown After Ransomware Attack

Nearly all news publications owned by Tribune Publishing suffered disruptions in printing or distribution after the publisher was hit by a ransomware attack. Many of the papers across the country were delivered incomplete or hours or days late. Even some papers that had been sold off to other publishers in previous years were affected. Fortunately, digital and mobile versions of the newspapers were untouched by the attack, allowing users to view local news as normal online.

‘PewDiePie’ Hacker Turns Focus to Smart Devices

The hacker previously responsible for hacking thousands of printers and directing them to print ads in support of PewDiePie, the world’s largest YouTuber, has now started using unsecured smart devices to continue the campaign. In addition to requesting the “victim” subscribe to PewDiePie, the hacker’s main message is to bring light to the extreme lack of security many of us live with daily. By using the standard ports used by smart TVs to connect to streaming devices, the hacker has even created scripts that will search for these insecure ports and begin connecting to them.

California Alcohol Retailer Faces Data Breach

One of the largest alcohol retailers in California, BevMo, recently announced they’ve fallen victim to a credit card breach on their online store. The breach lasted for nearly two months, during which time customer payment card data for nearly 14,000 customers was illegitimately accessed. While officials are still unclear as to who was behind the breach, it is likely related to the MageCart attacks that appeared across the globe during the latter half of 2018.

Blur Password Manager Leaves Passwords Exposed

An independent security researcher recently discovered a server that was allowing unauthenticated access to sensitive documents for well over two million users. The exposed information included names, email addresses, IP addresses from prior logins, and even their account password, though the company has remained firm that the passwords contained within their accounts are still secure. Since the reveal, Blur’s parent company, Abine, has prompted users to change their main passwords and enable two-factor authentication, if they had not already done so.  

Bitcoin Wallets: Still Major Target for Hackers

Nearly $750,000 worth of Bitcoin was stolen from Electrum wallets in an attack that began only a few days before Christmas. By exploiting a previously documented vulnerability, the hackers were able to inject their own server list into the connections made by the Electrum wallet and successfully rerout their victims to another server, where they were then presented with a fake update screen. By moving forward with the “update,” malware was promptly downloaded to the device and users could then enter their wallet credentials, only for them to be stolen and their accounts drained.

Cyber News Rundown: Amazon User Receives Thousands of Alexa-Recorded Messages

Reading Time: ~ 2 min.

Amazon User Receives Thousands of Alexa-Recorded Messages

Upon requesting all his user data from Amazon, one user promptly received over 1,700 recorded messages from an Alexa device. Unfortunately, the individual didn’t own such a device. The messages were from a device belonging to complete stranger, and some of them could have easily been used to find the identity of the recorded person. While Amazon did offer the victim a free Prime membership, it’s cold comfort, as these devices are constantly recording and uploading everyday details about millions of users. 

San Diego School District Hacked

In a recent phishing scheme, hackers successfully gained the trust of a San Diego Unified School Districtemployee and obtained credentials to a system that contained student, parent, and staff data from the past decade. The database mostly consisted of personal data for over half a million individuals, but also included student course schedules and even payroll information for the District’s staff. 

Data Breach Affects Hundreds of Coffee Shops

Attackers were able to access payment data for 265 Caribou Coffee shopsacross the United States. The breach could affect any customers who made purchases between the end of August 2018 and the first week of December. The company recommends that any customers who may have visited any of their locations across 11 states engage a credit monitoring service to help avoid possible fraud.

FBI Shuts Down DDoS-for-Hire Sites

At least 15 DDoS-for-Hire siteshave been taken down in a recent sweep by the U.S. Justice Department, and three site operators are currently awaiting charges. Some of the sites had been operating for more than 4 years and were responsible for over 200,000 DDoS attacks across the globe. This is the second in a series of government-led cyberattack shutdowns over the last year. 

Email Scam Offers Brand New BMW for Personal Info

A new email scam is informing victims that they’ve just won a 2018 BMW M240iand over $1 million dollars, which they can easily claim if they provide their name and contact information. Victims who provide their contact details are then contacted directly and asked to give additional information, such as their social security number and credit or bank card details. If you receive this email or one like it, we recommend you delete it immediately, without opening it. 

Cyber News Rundown: Facebook Bug Exposes User Photos

Reading Time: ~ 2 min.

Facebook API Bug Reveals Photos from 6.8 Million Users

Facebook announced this week that an API bug had been found that allowed third-party apps to access all user photos, rather than only those posted to their timeline. The vulnerability was only available for 12 days in mid-September, but could still impact up to 6.8 million users who had granted apps access to their photos in that time.

Children’s Charity Falls Victim to Email Scam

Over $1 million was recently diverted from a children’s charity organization after hackers were able to gain access to an internal email account and begin creating false documents and invoices. Due to a lack of additional authentication measures, the funds were promptly transferred to a Japanese bank account, though insurance was able to compensate for most of the loss after the scam was finally discovered.

Email Extortion Scams Now Include Hitmen

The latest in a series of email extortion campaigns promises its victims will be executed by a hitman if a Bitcoin ransom of $4,000 isn’t paid within 38 hours. Given such poorly executed scare tactics, it comes as no surprise that the payment account has still not received any funds after several days. Hopefully, as the threats of violence leads to victims contacting law enforcement rather than paying the scammers, these types of scams will become more rare.

Hackers Force Printers to Spam PewDiePie Message

Nearly 50,000 printers around the world have been spamming out a message suggesting subscribing to PewDiePie on YouTube and recommending the recipient improve their printer security. The group behind the spam has stated they want to raise awareness of the real threat of unsecured devices connected to the internet and how they can be used maliciously. In addition to sending print-outs, attackers could also steal data being printed or modify documents while they are being printed.

Cybersecurity Audit Shows Major Vulnerabilities in U.S. Missile Systems

A recent report showed that U.S. ballistic missile defense systems have consistently failed security audits for the past five years. Some of the major flaws included a lack of encryption for data stored on removable devices, patches reported in previous years that remained untouched, and the regular use of single-factor authentication for entire facilities. Physical security issues that could leave highly-sensitive data exposed to anyone willing to simply try to access it were also detailed in the report.

Cyber News Rundown: Android Trojan Steals Credentials

Reading Time: ~ 2 min.

Clemson Supercomputer Susceptible to Cryptojacking

IT staff at Clemson University have been working to remove the recent introduction of a cryptominer on its supercomputer, known as Palmetto. As they compromised the system for the mining of Monero, the attackers’ ploy was only spotted due to spikes in computing power and rising operating costs for the supercomputer, since manually monitoring the entire system is nearly impossible. It’s still unknown who was responsible for the mining, but Clemson staff have already begun increasing security measures to discourage copy-cat crimes. 

Cyberattack Strikes Italian Oil Company

Italian oil and gas company Saipemfell victim to a cyber-attack earlier this week that knocked several critical servers offline. The attack appears to have focused specifically on servers located in Middle Eastern countries in which the company operates. It’s presently believed the attackers were also involved in prior cyberattacks on Saudi Aramco, for whom Saipem is a supplier. 

Data Breach Affects Topeka Residents

A data breach that could expose the personal details of nearly 10,000 residents of Topeka, Kansas was recently discovered. The breach could affect anyone who made online payments to the Topeka Utilities Department between October 31 and December 7. Officials are still working to determine the cause of the breach. The city’s utility department is in the process of contacting all 10,000 potential victims.

Google+ Reaches End of Life Sooner than Expected 

While the consumer version of Google+was destined to be shut down in mid-2019, a new bug will hasten its end to April. This final vulnerability had the potential to expose entire user profiles to any applications searching for data, even if the account was set to private. This vulnerability left over 52 million accounts accessible to any number of app developers during the six days it was left exposed.  

Android-based Trojan Steals Credentials

A new Trojan has been spotted on the Android OS that uses screen overlays for popular applications to trick users into entering credentials for apps like PayPal, Google Play, and even several banking apps. By displaying the overlay in the lock foreground screen, users are unable to close the pop-ups with normal methods, and can only do so by completing a form requesting login information. Additionally, the malware can identify if a legitimate app is currently installed and prompt the user to open it and log in, thereby removing a step in gaining access to the victim’s funds.

Cyber News Rundown: WeChat Ransomware

Reading Time: ~ 2 min.

Touch ID Used to Scam Apple Users

Two apps were recently removed from the Apple App Store after several users reported being charged large sums of money after installing the app and scanning their fingerprint. Both apps were fitness-related and had users scan their fingerprint immediately so they could monitor calories or track fitness progress. But the apps launched a payment confirmation pop-up with the user’s finger still on the device to charge any card on file for the account. Luckily, the apps were only available for a brief period before being removed and refunds issued.

Signet Jewelers Expose Customer Order Data

Signet Jewelers, the parent company for Kay and Jared jewelers, was informed last month by an independent researcher of a critical flaw in their online sites. By simply altering the hyperlink for an order confirmation email, the researcher was able to view another individual’s order, including personal payment and shipping information. While Signet resolved the issue for future orders, it took additional weeks to remedy the flaw for past orders.

WeChat Ransomware Hits over 100k Chinese Computers

In the five days since December began, a new ransomware variant dubbed WeChat Ransom has been spreading quickly across China. With over 100,000 computers currently infected and thousands more succumbing each day, WeChat has made a significant mark. Though it demands a ransom of only roughly $16 USD, the variant quickly begins encrypting the local environment and attempts to steal login credentials for several China-based online services. Fortunately, Tencent banned the QR code being used to send ransom payments and disabled the account tied to it.

Nearly 100 Million Users Compromised in Quora Breach

Servers containing sensitive information for nearly 100 million Quora.comusers were recently compromised by unknown hackers. In addition to personal information about users, any posts or messages sent over the service were also breached. While informing affected users of the leak, Quora stated that all password data they store was fully encrypted using bcrypt, which makes it considerably more expensive and time-consuming for the hackers to break the algorithms and obtain the data. 

Marriott Hotels Breach Leaves Half a Billion Users Vulnerable

In one of the largest data breaches to date, Marriott International is under fire for exposing the personal data of nearly 500 million individuals. A class-action lawsuit has been filed against the hotel chain. For many victims, their names, home addresses, and even passport information was available on an unsecured server for nearly four years after the company merged with Starwood, whose reservation systems were already compromised.