STE WILLIAMS

Alleged SIM-swap scammer nabbed for stealing $5m in Bitcoin

On 12 July, Los Angeles police arrested a 20-year-old college student from Boston at the LA International Airport.

Bound for Europe, he was lugging a Gucci bag: only one piece of swag among many that prosecutors allege were bought with the proceeds of cryptocurrency that he ripped off in SIM swap scams.

They’re charging Joel Ortiz with hijacking phone numbers to steal the Bitcoin and other cryptocurrencies. Ortiz is now facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest and subsequently obtained by Motherboard.

Ortiz allegedly hijacked around 40 victims’ phone numbers with the help of a gang of scammers. His co-conspirators haven’t yet been named, according to court documents. All together, the crooks allegedly stole $5 million, including some from cryptocurrency investors at a blockchain conference called Consensus that’s run by CoinDesk.

Included in the court documents was a screen grab that gives a hint as to how much control these scammers can get over our lives once they’ve nabbed enough information about us to convince our phone companies that yes indeed, it’s really, truly us, calling to port our own phone number to a new SIM card:

“Hi Daddy Love you,” texted the daughter of one of the hacker’s alleged cryptocurrency investor victims.

The reply: “TELL YOUR DAD TO GIVE US BITCOIN”.

SIM card swap scams have been around for years. So too have the many flavors of cryptocurrency scams, be they exploiting Twitter to con naïve users out of their digital currencies (last month, one fraudster even managed to compromise a verified Twitter account), looting the exchanges (sometimes using real-life robbers with real-life guns), or carting off hundreds of the servers used to mine the digital currencies.

But the crime that Ortiz stands accused of is reportedly the first time an alleged SIM-swap fraudster has ripped off cryptocurrency.

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number. But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

That’s how the investor’s daughter managed to text her “I love you” message to the thief who had her dad’s phone number: she just texted the same number she’s always used.

Unfortunately, the same goes for communication with your sensitive accounts, like bank accounts: it’s all under the control of a thief when you’ve been victimized by a fraudulent SIM swapper.

Banks have traditionally sent authorization codes needed when using 2FA or 2SV – that’s two-factor authentication or two-step verification – via SMS to complete a financial transaction. (Fortunately, this is becoming less common: the United States National Institute of Standards and Technology [NIST] in 2016 published new guidelines forbidding SMS-based authentication in 2FA. Besides the security risks of mobile phone portability, problems with the security of SMS delivery have included malware that can redirect text messages and attacks against the mobile phone network such as the so-called SS7 hack.)

By stealing your phone number, the crooks have also stolen access to your 2FA codes – at least, until you manage to convince your account providers that somebody else has hijacked your account.

Crooks have made the most of that window of opportunity to:

  • Change as many profile settings on your account as they can.
  • Add new payment recipient accounts belonging to accomplices.
  • Pay money out of your account where it can be withdrawn quickly in cash, never to be seen again.

By changing settings on your account, they make it more difficult both for the bank to spot that fraud is happening and for you to convince your bank that something has gone wrong.

But back to Ortiz: he was a member of OGUSERS, an online marketplace for selling online accounts and virtual goods and a black market for valuable, stolen Instagram and Twitter accounts. SIM swap fraudsters are also known to sell stolen accounts on the site.

Motherboard spoke to one cryptocurrency investor who was attacked during Consensus and allegedly lost nearly $1.5m that he had crowdfunded in an Initial Coin Offering (ICO). It was one of at least three attacks during the conference.

The investor requested anonymity, fearing that he’d be targeted again. He told Motherboard that the first indication of the swap came when he looked at his phone and found that it was dead. He knew what that meant, given that the day before, it had happened to a friend.

We were having a meeting and all of a sudden he says ‘f*ck, my phone just stopped working.’

Later in the day, the investor said that his friend texted him:

My f*cking SIM got hacked.

Court documents allege that Ortiz took control of the entrepreneur’s phone number, reset his Gmail password, and then gained access to his cryptocurrency accounts. Visiting the AT&T store to get his number back did no good. By then, it was too late.

Erin West, the Santa Clara County deputy district attorney, told Motherboard that many people are getting scammed by these SIM swappers, but not enough are coming forward to report it… so please, if you’ve been scammed, she asked, DO REPORT IT:

This is happening in our community, and unfortunately, there are not a lot of complaints to law enforcement about it. We would welcome the opportunity to look into other complaints of this happening. We think that this is something that’s underreported and very dangerous.

Ortiz’s plea hearing is scheduled for 9 August. His bail has been set at $1m.

What to do?

Last year, we reported on the rising trend of fraudsters using SIM swaps to drain accounts. Fast-forward 14 months, and it doesn’t matter that they’re going after digital instead of nondigital currency: the precautions we can all take to avoid becoming victims stay the same.

Here they are again:

  • Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
  • Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA.
  • Use an on-access (real time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s logon page, then springs into action to record what you type while you’re logging on. A good real time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
  • Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
  • Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of logon codes.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realising it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

If in doubt, don’t give it out!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-qxGbw3zUOw/

Holy ship! UK’s Clarksons blames megahack on single point of pwnage

British shipping services firm Clarksons has revealed a high profile data breach last year stemmed from a hack on a “single and isolated user account”.


Criminal hackers stole employee information from the shipping firm before unsuccessfully attempting to blackmail it. In an update this week on its progress in dealing with the previously disclosed breach, Clarksons said it has been “able to successfully trace and recover the copy of the data that was illegally copied from its systems”.

The breach itself ran for more than five months – from 31 May 2017 until 4 November 2017 – the update (pdf) also revealed.

Clarksons is in the process of notifying potentially affected individuals, some of whom have had a complete portfolio of their personal information laid bare by the breach. Judging by the types of information exposed, employees and (perhaps) contractors are among those most exposed by the breach. Clarksons has consistently refused to clarify whether or not customer data was exposed, and we still can’t be sure on that point.

While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver’s license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors.

Affected individuals are urged to “remain vigilant against incidents of identity theft and fraud by reviewing personal account statements for suspicious activity”. The scope of the data theft opens the door to all manner of ID theft scams. Fraudsters who happen to obtain copies of the stolen data might be able to mount highly plausible social engineering or phishing scams, for one thing.

Clarksons was compromised in the UK by hackers who made off with data before demanding a ransom for its safe return. It responded by notifying the police and regulators as well as launching an investigation of its own, aided by external forensics experts. Partial results of this computer forensics effort are covered in its update.

Through the forensic investigation, Clarksons quickly learned that the unauthorized third party had gained access to its system from May 31, 2017 until November 4, 2017.

Clarksons learned that the unauthorized access was gained via a single and isolated user account. Upon discovering this access, Clarksons immediately disabled this account.

Through the investigation and legal measures, Clarksons were then able to successfully trace and recover the copy of the data that was illegally copied from its systems.

We know that Clarksons resisted this attempted blackmail, going so far as to obtain an injunction against unnamed criminals back in March. It’s unclear how many records were exposed or whether any criminal prosecution has been initiated in the case.


Clarksons has yet to respond to requests from The Register for information on these as-yet unanswered questions. We’ll update this story as and when more information comes to hand.

Single point of pwnage

Joseph Carson, chief security scientist at privileged account management tech firm Thycotic, told El Reg that it wasn’t particularly significant that a single user account was to blame for the breach at Clarksons.

“Many organisations have failed to implement privileged access security and in failing to do so, they typically allow single user accounts to access sensitive information directly with only a single password protecting the sensitive data,” Carson explained. “Many cybercriminals use techniques that first target user accounts through phishing and social engineering, then move laterally to find those privileged accounts that provide them with full access to the network and sensitive data.”

He added: “However, in this particular instance it appears they hit the jackpot account with their first try – or they have a good passive assessment so they knew which user account to target.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/01/clarksons_breach_update/

Google Researcher Unpacks Rare Android Malware Obfuscation Library

Analysis exposes the lengths malware authors will go to in order to protect their code from disassembly and reverse engineering.

A malware sample that had code in all the wrong places piqued Maddie Stone’s curiosity. So she dug into the sample and emerged many hours later with a description of a complex anti-analysis library that threat actors are using to, among other things, give new life to old threats.

“I came across this app that had a native code library, which is not that common in the Android security space where I was doing the malware analysis,” says Stone, a security engineer for Google Android security. “It was strange compared to all the other ones I’ve looked at before — nothing looked where it should have been.” 

As she dug deeper and deeper into the code, Stone became more interested because of the novelty of the defense mechanisms. “I found that this was actually a brand new anti-analysis library being used by a few large malicious campaigns in the Android ecosystem,” she says. And it wasn’t just new — it was very complex.

[See Stone’s session, Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library on Thursday, August 9 at Black Hat USA.]

“They’re using four groups of techniques for about 45 different checks. And if a single one of them fails then the application exits,” Stone says. The rigorous checking mechanism means that the threat actors are willing to miss out on an expanded attack surface if it means keeping their code out of the hands of defenders.

Stone, who will present her findings next week at Black Hat USA in Las Vegas, describes the defense architecture as a “wedding cake” because there are many layers to the defense. The first is aimed at thwarting human analysts, the second at humans using automated systems, and the third autonomous systems running alone.

“They’re really trying to hedge their bets and ensure that there’s no way, shape, or form that they could be run in an emulator or debugger, and that if I reverse engineer and am going to take the time to disassemble them, it’s really going to take a lot of work,” she says.

What malware is so valuable that it warrants delivering with such an advanced mechanism? Stone says that one of the primary campaigns she’s seen uses this library to re-launch Chamois, a Trojan that Google engineers were able to shut down in 2017. The attackers haven’t tried to get back into Play, but are depending on users willing to side-load software to gain entry to a particular Android phone, she says.

As with side-loading itself, the individual mechanisms used in this malware family aren’t novel or unique; the novelty comes from the sheer volume and combination of techniques used to protect the payload.

“We’re seeing a lot more of both native and Java obfuscation and trying to cloak themselves and prevent any sort of dynamic analysis of the application,” Stone says. “As there’s no longer this low, low hanging fruit for security, the malware authors have to continue developing more robust schemes.” 

The priorities shown in the mechanisms are a reflection, Stone says, of the value of the investment malware represents. Malware development and reverse engineering are each forms of asymmetric warfare, each side trying to force the other to invest more and more to counter their own efforts.

“As the Android platform security mechanisms have continued to grow in how our detection pipeline will be able to catch more things, they’re trying to do anything they can to get around the automated detection, because that’s what so many different malware detectors are using now,” she says.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/google-researcher-unpacks-rare-android-malware-obfuscation-library-/d/d-id/1332444?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Steps to Fight Unauthorized Cryptomining

This compromise feels like a mere annoyance, but it can open the door to real trouble.

As a CISO or cybersecurity pro, you could notice one day that “something is different” because your users’ computers are slowing down. Or — with a little sleuthing — you may discover that your organization’s power bill has suddenly soared by hundreds or even thousands of dollars.

At this point, it’s possible that cryptominers have compromised your enterprise network and/or web environment. But there is no immediate need to panic. Cryptominers typically aren’t looking to steal sensitive data or intentionally disrupt operations. They want to take your computing resources and use them to surreptitiously mine for cryptocurrency.

On the surface, this might seem like a “no harm/no foul” crime. However, the potential for risk is equivalent to that of any botnet, malware, ransomware, or other malicious threat. When cryptominers successfully compromise your network or cloud environment, they are hijacking the resources your organization pays for, while possibly setting the stage for expanded exploitation or, at minimum, providing evidence that there is a security gap that others could exploit.

Bitcoin’s valuation — which peaked at $20,000 in December 2017 — soared, and interest in cryptomining followed suit. Even if the valuations of cryptocurrencies have declined since then, the overall market is projected to reach $1 trillion this year, up from about $417 billion in February.

Hackers keep “borrowing” computing power because it takes plenty of processing power to solve the complex mathematical equations required to create the digital coins. Bitcoin’s network alone currently consumes at least 2.55 gigawatts of electricity, and probably will reach 7.67 gigawatts sometime this year, according to research published by Alex de Vries, blockchain specialist for PwC. (To put this in context, the nation of Austria uses 8.2 gigawatts.)

The insatiable need for power drives hackers to infect cloud environments and enterprise networks purely to exploit computing resources. Over the past year, cryptomining hackers have compromised the Amazon Web Services (AWS) and Microsoft Azure environments of organizations such as Aviva, a British multinational insurance company; Gemalto, the world’s largest manufacturer of smart cards; and Tesla, the electric vehicle and solar energy manufacturer, according to researchers from RedLock, a cloud monitoring and defense firm.

To gain further enterprise-level access to the power, attackers embed miner scripts in websites so they can tap the computing resources of many computers without installing malware on each of them, according to Kaspersky Lab. They’re also embedding the scripts in YouTube ads to spread them via multiple pages and videos without the attackers having to do anything.

The activity is pervasive: Nearly 49,000 websites host some kind of cryptocurrency mining malware, according to research from the Bad Packets Report. More than four out of five of the sites use Coinhive, which mines for the Monero cryptocurrency. Hackers favor Monero because its transactions are essentially untraceable, and it is still feasible to mine Monero on commodity hardware, unlike Bitcoin, which requires specialized equipment.

What’s more, not all of the hacking is benign: In May, 360 Total Security announced that it had discovered malware that it named WinstarNssmMiner, a new form of Monero miner that crashes systems when antivirus products attempt to remove it. 360 Total Security reported during the announcement that it had intercepted WinstarNssmMiner attacks more than 500,000 times over a three-day period.

Any vulnerable application will be targeted, and any weakly secured interface will be exploited. Fortunately, preventing most of these attacks simply requires good cyber hygiene, which should include the following steps:

1. Update antivirus signatures and patches. Despite the relatively “new” and “hot” status of cryptomining, these attacks are straightforward. They work just as traditional malware works using slightly modified commodity mining software, and use standard protocols to communicate with mining servers. If your antivirus signatures are current, there is a good chance you will detect infections. The safest course of action is to keep your hosts patched up. Prioritize externally facing hosts and vulnerabilities that have publicly disclosed exploits.

2. Use the latest versions for software and apps. Similarly, if you’re deploying the latest version of these products from vendors, you improve the chances of defending your organization from cryptominers seeking to exploit via vulnerabilities in older products.

3. Avoid unauthenticated platforms and application programming interfaces (APIs). By default, they are unsecured, and hackers can manage them remotely. At Alert Logic, for instance, we found attackers targeting exposed unauthenticated Docker Daemon APIs, with the attacker’s “haul” totaling 175 Monero, which, at the time, equaled about $35,000. Enabling authentication and not exposing these services directly to the Internet should be your only acceptable deployment strategy.

4. Keep your cloud credentials out of the public side of GitHub. Attackers are aware that a rich source of AWS keys comes from monitoring GitHub. It takes minutes for an attacker to spin up hundreds of instances on your account after an errant commit that includes credentials. Ensure your developers are not using public GitHub repositories for production or test code in general, and especially not for credentials to your cloud infrastructure.

5. Monitor Windows Task Manager. Task Manager will reveal whether your CPUs are going into overdrive. “Normal” utilization for the cloud is up to 80% of CPU capacity during working hours. But cryptominers will go full-throttle, seeking 100% utilization 24/7/365. When you see such spikes across your environment, you can safely assume that you have a malware situation.
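The rule of thumb in step 5 (up to 80% during working hours is normal, a miner pegs the CPU around the clock) can be turned into a check that runs over hourly CPU samples from many hosts. The Python below is an added example, not code from the article or from Alert Logic; the hostnames, sample values, working-hours window and every threshold other than the 80% ceiling are constructed assumptions.

```python
"""Flag hosts whose CPU history looks like unauthorized cryptomining.

Added example: applies the article's rule of thumb (up to ~80% CPU in
working hours is normal; a miner runs at full throttle 24/7) to hourly
utilization samples. All hosts, values and thresholds other than the 80%
ceiling are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

WORK_START, WORK_END = 9, 18       # local working hours, Mon-Fri (assumption)
NORMAL_WORK_HOURS_MAX = 80.0       # article: up to 80% CPU in working hours is normal
MINER_FLOOR = 95.0                 # "full throttle" load level (assumption)
MIN_SUSTAINED_SAMPLES = 6          # consecutive hourly samples at MINER_FLOOR (assumption)
OFF_HOURS_FRACTION = 0.5           # share of off-hours samples above the ceiling (assumption)


@dataclass
class Sample:
    host: str
    ts: datetime
    cpu_pct: float


def is_working_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and WORK_START <= ts.hour < WORK_END


def longest_peg(samples, interval=timedelta(hours=1)) -> int:
    """Longest run of consecutive samples at or above MINER_FLOOR.

    A gap larger than 1.5 sampling intervals breaks the run, so missing
    telemetry is not mistaken for continuous load.
    """
    run = best = 0
    prev = None
    for s in samples:
        if s.cpu_pct >= MINER_FLOOR:
            contiguous = prev is not None and (s.ts - prev.ts) <= interval * 1.5
            run = run + 1 if contiguous else 1
            best = max(best, run)
        else:
            run = 0
        prev = s
    return best


def suspicious_hosts(samples) -> dict:
    """Return {host: reason} for hosts whose CPU pattern looks like a miner.

    Two signals, either of which flags a host: heavy load across most of the
    off-hours window, or a long unbroken run at MINER_FLOOR. A short nightly
    batch job (a few heavy off-hours samples below the floor) trips neither.
    """
    by_host = {}
    for s in samples:
        by_host.setdefault(s.host, []).append(s)

    findings = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda s: s.ts)
        reasons = []
        off = [s for s in hs if not is_working_hours(s.ts)]
        heavy_off = [s for s in off if s.cpu_pct > NORMAL_WORK_HOURS_MAX]
        if off and len(heavy_off) / len(off) >= OFF_HOURS_FRACTION:
            reasons.append(f"off_hours_load({len(heavy_off)}/{len(off)} samples)")
        peg = longest_peg(hs)
        if peg >= MIN_SUSTAINED_SAMPLES:
            reasons.append(f"sustained_peg({peg}h)")
        if reasons:
            findings[host] = ", ".join(reasons)
    return findings


def make_constructed_samples():
    """48 hourly samples per host from Monday 2018-07-30 00:00 (constructed data)."""
    start = datetime(2018, 7, 30)
    out = []
    for h in range(48):
        ts = start + timedelta(hours=h)
        work = is_working_hours(ts)
        out.append(Sample("build-01", ts, 70.0 if work else 10.0))                   # ordinary workload
        out.append(Sample("batch-02", ts, 90.0 if ts.hour in (1, 2, 3) else 40.0))  # legitimate nightly batch
        out.append(Sample("web-03", ts, 99.0))                                       # pegged 24/7, miner-like
    return out


if __name__ == "__main__":
    for host, why in suspicious_hosts(make_constructed_samples()).items():
        print(f"{host}: {why}")
```

Only web-03 is reported; batch-02's three heavy hours a night stay below both the off-hours fraction and the sustained-peg floor, which is the distinction a real alert needs to avoid paging on scheduled jobs.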

As shown, this isn’t the kind of compromise that should keep you up at night. So far, the impact of cryptomining amounts to more of an annoyance and additional cost burden than anything else. But an infection is an infection, and an exposure that opens the door to these attackers speaks to the overall defense of your entire cyber ecosystem. By addressing the “basics” illustrated in the steps here, you’re sending a clear message to cryptominers: There’s no money to be made here, so move along.


Matt Downing is a Principal Threat Researcher at Alert Logic. In this role, he investigates the tactics and techniques hackers employ to attack Alert Logic’s wide customer base. He has previously held various technical and security roles in the financial sector and Department …

Article source: https://www.darkreading.com/endpoint/5-steps-to-fight-unauthorized-cryptomining/a/d-id/1332391?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

48% of Customers Avoid Services Post-Data Breach

Nearly all organizations hit with a security incident report a long-term negative impact on both revenue and consumer trust.

Today’s customers have higher standards for where they store their data – and their trust in businesses is falling, as evidenced by a new report investigating online trust in the digital age.

Nearly 80% of consumers report it’s “very important” or “crucial” their personally identifiable information (PII) is protected online, and 86% say a high level of data protection is a priority in choosing online services, according to “The Global State of Online Digital Trust,” from CA Technologies and Frost & Sullivan.

About half (48%) of organizations report involvement in a publicly disclosed data breach. Of those, nearly all say they have experienced a long-term negative impact related to client trust and/or revenue. Half of the respondents whose businesses had been breached report strong long-term negative effects on both consumer trust (50%) and business results (47%).

Consumer trust in businesses is in a precarious state following breaches at major organizations, including Equifax, Deloitte, Uber, CEX, and Ticketmaster. Most business leaders (84%) think trust is growing, but consumer responses indicate the opposite. Only 38% of users say their trust has increased – a sign that organizations aren’t in touch with client needs and perceptions. Only half of consumers polled say they are willing to exchange personal data for online services.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/48--of-customers-avoid-services-post-data-breach/d/d-id/1332452?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

UK cyber security boffins dispense Ubuntu 18.04 wisdom

The UK’s National Cyber Security Centre (NCSC) has dispensed advice aimed at securing Ubuntu installs and followed it up with help for Dixons customers.

The NCSC, part of the UK’s Government Communications Headquarters (GCHQ), exists to make the UK a safer place to do business online and, in an unusual step for a Government agency, does a pretty good job of dispensing sensible security advice.

Dixons Carphone customers got the treatment yesterday, following the admission that, er, maybe a bit more than 1.2 million users had actually had their privates exposed in a data breach. More like 10 million records. It suggested Dixons users shouldn’t fill in their log-in info via that link on that unsolicited email, hmm?

Last week, however, it was Ubuntu 18.04 LTS onto which the agency turned its gimlet gaze. The security wonks first state the obvious – route data over a secure VPN to avoid prying eyes, stop users installing whatever they want and for goodness sake, cut down on the admin rights.

Once over the summary, the agency dives into detail. It has a number of security principles, and soberly explains the risks associated with Ubuntu along with mitigating steps. The list should be required reading for anyone about to leap into the wonderful world of Linux, thinking all their Windows woes or Mac migraines will vanish overnight.

Of course, this isn’t to say a default installation of Ubuntu 18.04 LTS isn’t already pretty secure. As well as making recommendations, the agency highlights areas where the OS does just fine, with minimal tinkering needed (such as stopping the execution of malicious code, unless you’ve sprayed the system with root level rights like a naughty child with a water pistol.)

The agency has also provided guides for the likes of Office 365, Windows 10 (but only to 1709) and macOS (to 10.13). Ubuntu 16.04 LTS is also present, but other Linux distributions are conspicuous by their absence.

Dell recently shovelled Ubuntu 18.04 LTS onto the Developer Edition of its XPS 13 laptop and users, mindful of the operating system’s presence in the vulnerability charts (number 10 in the all time list, but down to 32 in 2017) could do considerably worse than look to the NCSC for tips on keeping things secure. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/01/ncsc_ubuntu/

Oooooh! Fashion! Yes, breach did contain 1 million+ records

A breach at an e-commerce provider exposed the details of more than a million unique accounts on British clothing and accessories websites.

Sub-optimal security at Fashion Nexus meant that a white-hat hacker, Taylor Ralston, was able to access databases containing personal details of customers of various online clothing stores.

The data included names, email addresses, IP addresses, physical addresses, phone numbers, password hashes (MD5 and SHA-1, both salted) and dates of birth. Product orders also featured in the mix, mapped to customers and including addresses. There’s no evidence that payment card information was exposed.

El Reg learned of the breach via infosec veteran Graham Cluley’s post and confirmed details of what had been exposed with Troy Hunt, the security researcher behind the haveibeenpwned.com breach notification website.

The Register approached White Room Solutions, the sister firm of Fashion Nexus, for comment. The firm disputed the size of the breach and initially would not confirm which brands were affected before relenting and publishing a breach notice on Tuesday.

We can confirm that, on or around the 9th July 2018, a White Hat Hacker obtained access to one of our servers leading to the breach of several thousand customer records belonging to our clients. We will present a quantitative breakdown of those records in due course, however no payment information of any kind is recorded by Fashion Nexus Ltd or our clients, and therefore not compromised.

We would suggest that people change their passwords if they’ve been a customer of AX Paris (axparis.com), Granted London (grantedldn.com), Jaded London (jadedldn.com), ElleBelle Attire (ellebelleattire.com), or Traffic People (trafficpeople.co.uk).

Whilst DLSB (dlsb.co.uk) is named online, customer data was not taken from our server.

The breach was quickly identified and the vulnerability removed. The ICO has been informed.

Fashion Nexus take our clients’ and their customers’ data security extremely seriously and we apologise that we have come up short in this instance.

The “several thousand” figure cited in the Fashion Nexus statement rather understates matters. Troy Hunt has the data, passed to him by the white hat, and has confirmed there are almost 1.3 million unique records in total. Of these, 280,000 may be test accounts of some sort, but that still leaves close to a million unique email addresses/records in the breach.

“This breach was reported to our clients and the ICO as soon as we found out and we are working with them to establish [the] fact[s] and, if required (and once we know the full facts), for our clients (as Data Controller) to contact those affected,” a representative of White Room Solutions told El Reg.

Bootnote

In the case of DLSB (Dirty Little Style Bitch) – another Fashion Nexus customer mentioned in Graham Cluley’s blog – we understand its database was not compromised but customer info did nonetheless leak due to SMTP config information left there by White Room.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/01/fashion_nexus_breach/

Porn-warning security scam hooks you up to “Apple Care”

Fake support scams aren’t new – they’ve been plaguing our phones, our ears and our wallets for years.

They generally follow one of two main patterns: active or reactive.

Active support scams rely on unlawfully acquired lists of phone numbers – the scammers call you, in blind disregard of any Do Not Call list in your country, and pressurise you into accepting technical support you don’t need for a problem you don’t have.

The crooks then {cajole, pester, badger, trick, frighten, threaten, extort} you into giving them remote access to your computer and charge you a stiff fee for pretending to fix your non-existent problems.

Reactive scams hit you up by email, or through poisoned websites, and harass you with scary warnings and popups that urge you to call a local toll free “support” number to get your “problem” looked at.

Given that you initiate the call, and it’s free, a reactive scam seems on the surface like a low-risk proposition.

It won’t cost you anything but time; you can withhold your number so you won’t get called back unless you want to be; and, as the maker of the call, you probably feel in control because you can hang up any time you like.

But the risk of talking to cybercrooks about your own security arrangements, no matter how briefly, is obvious: if you lie down with dogs, you get up with fleas.

Every little bit you give away by mistake, even if you’ve already figured out it’s a scam and are being careful, is data that you’ll later wish you’d kept to yourself.

If you’ve ever had the misfortune to be browbeaten over the phone in this sort of scam, you’ll know that the script is usually about Windows.

But some of these scammers do use Apple-flavoured playbooks, hoping to tap into the huge market of Apple hardware owners out there.

Indeed, security spelunker Sean Gallagher at Ars Technica just wrote about an intriguing support scam that selectively steers users of Apple devices towards a fake “Apple Care” call centre.

The emails that start this scam look something like this:

That’s a well-known formula we’ve seen over many months, with email subject lines typically looking like one of these:

      Critical alert for your account
      Critical alert for your account ID nnnn
      Yourname, Critical alert for your account #nnnn
      Yourname, Critical alert for your account ID nnnnn

Handily, Gallagher, who goes by the amusing nickname of packetrat on GitHub, has kept copies of the various web redirects and malicious JavaScript in this “Apple Care” attack.

When we tried to reproduce the attack today, we were either at the wrong geolocation, in the wrong timezone, or simply not cool enough to be identified as Mac users.

The crooks redirected us repeatedly between servers before falling back on an old favourite of the spam world, cheap meds:

But that’s not where Gallagher ended up.

He was pushed through a series of website redirections before running into JavaScript that included this very simple test against his UserAgent string:

      // read the browser's User-Agent header value and lower-case it
      var userAgent = window.navigator.userAgent.toLowerCase(),
          // true if the string mentions any of the three Apple device names
          ios = /iphone|ipod|ipad/.test(userAgent);

Don’t worry if you aren’t fluent in JavaScript – this code extracts the UserAgent string, set by your browser when it makes a web request, gets rid of any capital letters, and checks whether you’re announcing yourself as an iphone, ipod or ipad.

Your browser’s UserAgent string is transmitted in each web request as an HTTP header called User-Agent, and is typically quite detailed. For example, Firefox on a Mac identifies itself along these lines: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13) Gecko/20100101 Firefox/61.0. Edge on Windows 10 gives out an extensive and all-embracing string of: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134.

If you’d arrived at the scam page from a list of 11 different porn sites stored in the malicious JavaScript, you’d see a warning like this:

      Your |%model%| has been locked due to detected 
      illegal activity on |%ref%|! Immediately call 
      Apple Support to unlock it!

The placeholder text |%model%| is automatically replaced with iPhone, iPad or iPod, depending on how your UserAgent string denoted your hardware.

The text |%ref%| is replaced by one of the porn domains from the JavaScript list.

If you arrive at the scam page by inadvertently clicking the CHECK ACTIVITY button in a spam sample like the one shown above, you’ll see a similar warning, but with no site name in it.

By using a tel: web link in the scam page, rather than a more usual http:// or https:// link, the crooks then urge you to dial their bogus tech support centre:
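The User-Agent test, the placeholder substitution and the tel: link described above are easy to check for once you have a captured copy of a scam page. The following is an added example written for this article, not code from Naked Security or from Gallagher’s captured files: it reproduces the scam’s device test on a User-Agent string passed in (so it runs outside a browser) and flags the three tell-tales in a page. The sample page, the phone number and the iPhone User-Agent string are constructed for the example; the Firefox and Edge strings are the ones quoted above.

```python
"""Offline triage of a captured support-scam page (added example, constructed data)."""
import re
from typing import Dict, List, Optional

# Same pattern the scam's JavaScript uses against the lower-cased User-Agent.
IOS_RE = re.compile(r"iphone|ipod|ipad")


def is_apple_mobile(user_agent: str) -> bool:
    """Mirror the scam's test: lower-case the UA and look for iphone/ipod/ipad."""
    return bool(IOS_RE.search(user_agent.lower()))


def model_from_user_agent(user_agent: str) -> Optional[str]:
    """The word the scam would substitute for |%model%|, or None for other devices."""
    m = IOS_RE.search(user_agent.lower())
    return {"iphone": "iPhone", "ipad": "iPad", "ipod": "iPod"}[m.group(0)] if m else None


def analyze_page(html: str) -> Dict[str, object]:
    """Flag the indicators the article describes and give a rough verdict."""
    # tel: links push a mobile visitor straight into a phone call
    tel_links: List[str] = re.findall(r"""href\s*=\s*["']tel:([^"']+)["']""", html, re.IGNORECASE)
    # |%model%| / |%ref%| style placeholders that the script fills in client-side
    placeholders = sorted(set(re.findall(r"\|%[a-z]+%\|", html, re.IGNORECASE)))
    # User-Agent sniffing for Apple devices
    ua_sniffing = bool(re.search(r"userAgent", html) and re.search(r"iphone\|ipod\|ipad", html, re.IGNORECASE))
    # the "locked ... call Apple Support" scare text
    scare_text = bool(re.search(r"has been locked", html, re.IGNORECASE)
                      and re.search(r"call\s+apple\s+support", html, re.IGNORECASE))
    hits = sum([ua_sniffing, bool(placeholders), bool(tel_links), scare_text])
    return {
        "ua_sniffing": ua_sniffing,
        "placeholders": placeholders,
        "tel_links": tel_links,
        "scare_text": scare_text,
        "hits": hits,
        "verdict": "likely support scam" if hits >= 3 else "inconclusive",
    }


# User-Agent strings: the first two are quoted in the article, the third is constructed.
FIREFOX_MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13) Gecko/20100101 Firefox/61.0"
EDGE_WIN10_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
                 "Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134")
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1")  # constructed

# Constructed page modelled on the behaviour described in the article; not the real scam code.
SAMPLE_PAGE = """<html><body>
<script>
var userAgent = window.navigator.userAgent.toLowerCase(),
    ios = /iphone|ipod|ipad/.test(userAgent);
</script>
<p>Your |%model%| has been locked due to detected illegal activity on |%ref%|!
Immediately call Apple Support to unlock it!</p>
<a href="tel:+1-555-0100">Call Apple Support</a>
</body></html>"""


if __name__ == "__main__":
    for ua in (FIREFOX_MAC_UA, EDGE_WIN10_UA, IPHONE_UA):
        print(is_apple_mobile(ua), model_from_user_agent(ua), ua[:40])
    print(analyze_page(SAMPLE_PAGE))
```

Because the device test runs entirely on the client-supplied User-Agent, an analyst can see the Apple-specific branch simply by replaying the captured page with an iPhone string, which is also why the authors’ own attempt fell through to a different landing page.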

Gallagher reports that his scammer identified himself as “Lance Roger from Apple Care”, but hung up when he realised Gallagher was himself fishing for information about the innards of the scam.

What to do?

  • Don’t click on security warning links in messages. If there’s a genuine security alert on your webmail account, and you need to log in to investigate, then follow your usual procedure for logging in. Why trust a follow-up link that could have come from anywhere, and probably did?
  • Don’t click through to phone numbers you don’t know. At the very best, you’ll give nothing away about yourself, assuming you remember to suppress your own number and don’t say a word. Why take the risk of letting anything slip?
  • Don’t stay on the line if you ever end up talking to a call centre you don’t trust. Some people pride themselves on winding up spammers as a joke, or deliberately trying to waste the time of scammers by talking nonsense. The best you can do if you indulge in so-called “spambaiting” is to reveal nothing about yourself, but a single incautious remark might let slip something you later regret.

If in doubt, don’t give it out…


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/K353aPmJV50/

Unified Security Data: A Simple Idea to Combat Persistent, Complex Cyberattacks

Do you know what happens to your data when it’s not in use? If the answer is no, you need to fix that.

When cyberattacks take place in enterprises, the resulting data lives in various siloes: security information and event management (SIEM) systems, emails, ticketing systems, intel feeds, security devices, and more. Data flows in and out of these systems, and security teams react to the data as best they can in order to address threats as they arise. But what happens to the data once it’s not in use? Where does this data live long term, and how can it be applied to future threats? Unifying data across an entire security architecture provides the intelligence and context necessary to activate data on demand and use it to identify and resolve persistent threats.

For example, a phishing email is the most common and pervasive attack vector that leaves a trail of data throughout the security architecture. The 2017 Verizon Data Breach Report found that 90% of data breaches are the result of phishing or social engineering. A 2015 Intel report reveals that 97% of people around the world are unable to identify a sophisticated phishing email; while Symantec reports that an astounding one in 131 emails contains malware.

A typical phishing email is detected by an email security gateway and/or reported directly to the security team by a recipient. Data identified by the device is directly reported and searchable in the SIEM but lacks much of the critical information contained in the email itself. The raw email provides critical contextual information and lives in a system outside of those processing security alerts, making it not searchable in a SIEM. This makes the data very difficult to correlate and creates a process that relies on point-in-time analysis requiring advanced knowledge of what data to look for before it can be found. This leaves the analyst piecing together an incident without any way of knowing what he or she might be missing.

Source: Uplevel Security

After a security analyst is done cobbling together the attack elements, the following questions remain:

  • Has there been related, unusual traffic?
  • Was the company compromised?
  • Did the attacker send other phishing emails in the past?
  • Is the attack an evolution of a previous attack?

Unifying security data helps answer all of these questions within a specific environment. To achieve unification, a dynamic data hub should be established that captures all data that flows throughout an architecture. Once a hub is established, information such as historical data not only has a place to reside but can also be activated as new data is ingested. Security teams then have the ability to identify the secondary characteristics that distinguish the malicious instance versus the false positive. For example, similar emails from the same sender were both flagged as malicious based on the existing alerting rules, but only one was actually malicious.

Source: Uplevel Security

Alerting rules are refined based upon the new indicators, making the resulting future alerts more useful. This reduces the amount of investigation needed, surfaces details that might otherwise go undetected and allows security teams to focus on what matters — effectively and efficiently resolving the threat.

Despite the significant benefits of unifying data, many organizations struggle with achieving it in practice or think they have achieved it using standard technologies. Some rely too heavily on SIEMs and, in turn, adjust data ingestion and analysis based on a SIEM’s capabilities. This results in reliance on static rules, vendor-specific correlation, and the elimination of data streams due to cost. Others try to piece together SIEMs, point solutions, and response platforms, but instead of creating a unified data architecture, this usually results in the scenario outlined above in which data related to the same threat ends up dispersed throughout multiple systems and must be manually pieced together.

If questions are continuously left unanswered at the end of a mitigation process, then it’s time to take a serious look at how security data is being captured and applied to safeguard enterprises.


Liz Maida is instrumental in building and leading the company and its technology, which is founded on core elements of her graduate school research examining the application of graph theory to network interconnection. She was formerly a senior director at Akamai Technologies, …

Article source: https://www.darkreading.com/attacks-breaches/unified-security-data-a-simple-idea-to-combat-persistent-complex-cyberattacks-/a/d-id/1332379?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Hundreds of Registry Keys Exposed to Microsoft COM Hijacking

Experts believe there could be thousands more in the wild.

Microsoft Component Object Model (COM) hijacking is an old type of cyberattack getting a new spin as attackers find stealthy ways to maintain persistence and evade detection.

The Microsoft COM is a system integrated into Windows to facilitate interaction between software components through the operating system. COM is managed in the Windows registry, which contains keys that reference Phantom COM objects. These objects could refer to files that no longer exist on the hard drive and include old applications or obsolete programs.

Even if files are gone, registry keys will continue to refer to them. If an attacker hijacks a phantom COM object ID of a trusted application and instead uses it for a malicious file, he can load and execute the file onto the OS. So long as the COM object ID (CLSID) has been registered as a legitimate object, the malicious file will appear legitimate and bypass security tools.

Security tools often miss COM hijacking because hundreds of CLSIDs are available and are all connected to common Windows processes, such as explorer.exe, chrome.exe, svchost, and iexplore. New ones appear each day, making it tough for systems to keep up.

COM hijacking is now gaining popularity as attackers seek new ways to maintain persistence without autorun entries, which are easy to map, explains Cyberbit research director Meir Brown, in a new report on the attack vector. Researchers found hundreds of registry keys are vulnerable to COM hijacking, far more than was first believed.

“We knew COM hijacking was used for persistence and have seen some of this used for injection, but didn’t know the scale of this phenomenon – how many entries there are in the registry which are vulnerable to COM hijacking,” Meir explains. The tactic is commonly referred to as a persistence mechanism, but it’s also one of the most effective ways to achieve stealth.

Hunting Registry Keys Online
Researchers ran a proof-of-concept experiment in which they put themselves in the attackers’ shoes and sought out Phantom COM objects to take over. They mapped registry keys that failed to find and load a file, and tried to use those keys to load a fake dynamic link library (DLL).

The trial was a “troubling” success, says Brown, as researchers were able to load and run their DLL within the context of valid applications. The Windows machine loaded all of their objects without any side effects.

As they hunted for keys online, researchers found multiple samples using these keys in the wild. Hundreds of keys are vulnerable to COM hijacking and Phantom COM objects loading, they concluded. The process is easy for attackers to implement and doesn’t require them to leverage code injection, a technique more frequently picked up by detection platforms.
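The two conditions the researchers hunted for, a CLSID whose InprocServer32 path no longer exists on disk and a per-user registration that shadows a machine-wide one, can be checked offline from a registry export (`reg export`). The following is an added example written for this article, not the Cyberbit tooling or anything from the report: it parses the subset of .reg syntax needed, expands `%VAR%` references, and reports both kinds of entry. The GUIDs, paths and file list are constructed for the example; on a real host you would pass `existing_files=None` so the check uses `os.path.exists`.

```python
"""Audit a registry export for phantom and shadowed COM servers (added example, constructed data)."""
import os
import re
from typing import Dict, List, Optional, Set

KEY_RE = re.compile(r"^\[(.+)\]$")
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"="value" / @="value" lines; other types are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # .reg doubles backslashes and escapes quotes inside string values
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references the way REG_EXPAND_SZ values are expanded at load time."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def audit_clsids(keys: Dict[str, Dict[str, str]], env: Dict[str, str],
                 existing_files: Optional[Set[str]]) -> List[dict]:
    """Return one finding per InprocServer32 entry that is a phantom or shadows HKLM."""
    def exists(p: str) -> bool:
        return os.path.exists(p) if existing_files is None else p.lower() in existing_files

    hklm: Set[str] = set()  # CLSIDs registered machine-wide
    for k in keys:
        m = INPROC_RE.search(k)
        if m and k.upper().startswith("HKEY_LOCAL_MACHINE"):
            hklm.add(m.group(1).upper())

    findings: List[dict] = []
    for key, values in keys.items():
        m = INPROC_RE.search(key)
        if not m:
            continue
        clsid = m.group(1).upper()
        hive = key.split("\\", 1)[0].upper()
        dll = expand(values.get("@", ""), env).strip('"')
        phantom = not exists(dll)                      # file gone, key still points at it
        shadows = hive == "HKEY_CURRENT_USER" and clsid in hklm  # per-user entry wins over HKLM
        if phantom or shadows:
            findings.append({"clsid": clsid, "hive": hive, "dll": dll,
                             "phantom": phantom, "shadows_hklm": shadows})
    return findings


# Constructed export: one healthy entry, one phantom, one HKCU entry shadowing the healthy CLSID.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="%SystemRoot%\\System32\\goodcomponent.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\OldApp\\uninstalled.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\shim.dll"
"ThreadingModel"="Apartment"
"""
ENV = {"SYSTEMROOT": "C:\\Windows"}  # constructed environment for expansion
EXISTING_FILES = {  # constructed stand-in for the file system, lower-cased
    r"c:\windows\system32\goodcomponent.dll",
    r"c:\users\alice\appdata\roaming\shim.dll",
}


def run_audit() -> List[dict]:
    return audit_clsids(parse_reg_export(SAMPLE_REG), ENV, EXISTING_FILES)


if __name__ == "__main__":
    for f in run_audit():
        print(f)
```

A phantom entry is only a risk until someone writes a DLL to that path, so the useful follow-up is to watch those paths for file creation; an HKCU entry that shadows an HKLM CLSID is worth investigating immediately, since nothing legitimate needs to redirect a system component on a per-user basis.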

COM hijacking is considered dangerous because it runs using legitimate user privileges, doesn’t require a reboot, and doesn’t reveal suspicious activity to the target, Meir says. It’s gaining popularity; organizations should be aware and monitor the registry.

Researchers believe the scope of this issue goes far beyond the hundreds of potential vulnerabilities they found and could potentially reach into the thousands. Further, while COM hijacking is used in the wild, it remains less common than registry run key and injection tactics.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/hundreds-of-registry-keys-exposed-to-microsoft-com-hijacking/d/d-id/1332441?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple