STE WILLIAMS

Only half of American consumers claim they can determine the safety and legitimacy of online shopping sites, discovered a new survey conducted by the Global Cyber Alliance (GCA) ahead of Cyber Monday.

More than one-third (35%) of the 1,019 respondents say they have stopped online purchases due to security concerns. Fear of being scammed causes 27% of consumers to excessively worry and 12% to lose sleep. Sixty percent have had their machine infected with malware.

The season of giving is also a season of scamming for cybercriminals, who launch more fake websites during the holiday shopping period than any other time of year. Nearly 119,000 unique phishing sites were detected in November 2016, targeting more than 300 brands. The most “spoof-able” sites are Amazon (82%), Walmart (36%), and Target (20%).

Scammers commonly trick victims by designing websites that look like legitimate brand sites but have a different IP address. GCA found nearly 77% of consumers have mistyped a Web address into their browser or clicked a suspicious link, both of which could lead to fake sites.

Read more details here.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/endpoint/half-of-americans-unsure-of-online-shopping-safety/d/d-id/1330471?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The US Department of Justice today unsealed an indictment charging an Iranian national with a cyberattack earlier this year against HBO and using the stolen content for $6 million worth of Bitcoin in an extortion scheme.

Iranian resident Behzad Mesri, 29, aka “Skote Vahshat,” has not been arrested by US authorities. According to the indictment says Mesri – who had previously performed hacking for the Iranian military – stole scripts, plot summaries, and other proprietary program information from HBO and leaked some of stolen HBO content online, including information on upcoming episodes of “Game of Thrones” and other programs. He also stole emails from at least one HBO employee, financial files, and online credentials for HBO social media accounts.

“Mesri now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice.  American ingenuity and creativity is to be cultivated and celebrated — not hacked, stolen, and held for ransom.  For hackers who test our resolve in protecting our intellectual property — even those hiding behind keyboards in countries far away — eventually, winter will come,” said Acting Manhatten US Attorney Joon H. Kim.

Among the charges Mesri faces are wire fraud, hacking, aggravated identity theft, and extortion-related activity. Read more on the indictment here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/iranian-nation-state-hacker-indicted-for-hbo-hack-extortion/d/d-id/1330474?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Alternative payment systems, or “virtual currencies” as the Financial Action Task Force (FATF) has dubbed them, have fueled the exchange of illegal goods and services on the Dark Web. Under the shield of anonymity these currencies have let criminals engage in a growing breadth of illicit activities.

The use of cyberspace for financial activity has expanded opportunities for attackers, writes Tom Kellerman in a new report, “Follow the Money: Civilizing the Darkweb Economy,” an initiative for The Wilson Center’s Digital Futures Project, where he is a global fellow.

The World Economic Forum estimates cybercrime costs the global economy about $445 billion per year, the report states, citing a stat from the McKinsey Global Institute. It’s time for payment systems to be held accountable, according to the report. Many implement Anti-Money Laundering (AML) and Know Your Customer (KYC) protocols, but criminals continue to find workarounds.

“We, as an industry, continue to talk about the symptoms of cybercrime without appreciating the fact that hacking tools and services are all commodities that are facilitated by an economy of scale,” Kellerman explains. “The Dark Web has become a full economy of scale by definition.”

Indeed, the Dark Web has enabled the sale not only of hacking tools, but all types of personally identifiable information and content promotion services to spread disinformation online. While hacking tools can be expensive, data is not: Identity “packages” can cost as little as 25 cents. Criminal markets include weapon and drug sales, child pornography, and hackers for hire.

Bitcoin is among the most well-known virtual currencies but far from the only one; in fact, most cybercrime proceeds are not laundered through Bitcoin, says Kellerman. Internet-based virtual currencies also include the more anonymous Monero, Dash, and Zcash, as well as China’s AliPay, Russia’s WebMoney, and Kenya’s M-Pesa. While these are commonly used for legitimate purposes, they are also “ripe for abuse,” the report says.

“The more anonymous they are, the more likely they are to be used on the Dark Web,” says Scott Dueweke, president at the Identity and Payments Association, who provided insight for the report. Anonymity fuels cybercrime and the movement of currencies across systems.

Kellerman says financial institutions, including alternate payment providers, should be able to prove who their customers are and freeze funds used for crime and conspiracies if needed by law enforcement. “The best way to destabilize the capability of cybercriminals to flourish is to put pressure on their capacity to deliver goods and services,” he explains.

Since 50% of all crimes now have a cyber component, the report states, it’s time to “follow the money” and create an e-forfeiture fund to benefit public and private organizations around the world. The idea is financial institutions can track funds used for illegal purposes, seize it, and reinvest the money in protecting the infrastructure of the global financial system.

As cybercrime is a global problem, it demands an international solution among public and private organizations, says Dueweke. A public-private partnership could build a de facto or industry-led standard for converting money into alternate payment systems.

“This could create a baseline of respectability and standard of trust that doesn’t exist now,” Dueweke explains. There is no standard for companies to prove which customers are using virtual currencies for legitimate purposes, and which are using them for crime.

The global initiative would involve the Bank for International Settlements, which is owned by 60 member central banks around the world, the report explains. Because global cybercrime is enabled by cryptocurrencies, all nations should join to regulate and supervise them.

“The fund would represent a global public/private partnership to combat money laundering using these alternative payment systems,” the report states. Virtual currencies which refuse to identify their customers or freeze accounts could potentially be linked to criminal activity.

“The only way to get a global standard like that is to have a public/private partnership,” Dueweke says.

Related Content:

• 6 Real Black Friday Phishing Lures
• North Korea’s Lazarus Group Evolves Tactics, Goes Mobile
• New Guide for Political Campaign Cybersecurity Debuts
• Crooks Turn to Delivering Ransomware via RDP

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/a-call-for-greater-regulation-of-digital-currencies/d/d-id/1330478?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The fallout from the Equifax breach will most likely continue well into 2018 as the criminals use the stolen data to break into other organizations. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen or weak passwords. We should assume that after big breaches like those experienced by Equifax and Yahoo, hackers already have enough information to put millions of people at risk of being compromised.

It’s time that organizations shift their focus from keeping attackers out to detecting them once they are in.

The credit card industry has gotten very good at this process. To give a personal example, I recently received a call from my credit card company asking if I bought gas in Guatemala. I replied “no,” and the company froze my account. The process was so seamless and efficient, I faced very little impact. On the other side, while visiting my family in Iowa, I received a text from my credit card company asking if I bought gas. I responded “yes,” and faced no impact. I bought gas and made other purchases during that trip uninterrupted.

I am just one of millions of credit cardholders who have received these kinds of texts and calls. In fact, the credit card industry has become so good at detecting fraud that we expect to hear from them whenever we purchase something that’s outside our norm.

The cybersecurity industry can learn a lot from the credit card industry, especially when it comes to monitoring and analyzing behaviors. If someone were to steal my credentials, log in to my corporate email account, and act in a way that’s inconsistent with what I normally do, I would expect my company to flag the behavior and stop it with the same promptness as my credit card company when confirming I did not buy gas in Guatemala.

However, many organizations do not yet have that level of security sophistication. For some, it’s a philosophical belief that monitoring and analyzing users’ behaviors is an invasion of privacy.

Privacy and security are not at odds with each other. They are on the same side of the table. We need security to protect privacy. Today’s criminals know more about us than ever before. They know our commonly used passwords, Social Security numbers, secret questions and answers, relationships, and more. Our private information has been compromised. Yet, if companies more efficiently spotted a bad actor walking in a legitimate employee’s shoes and took immediate action, the risk of this private information being used against us would decrease.

The credit card industry also learned a valuable lesson. Instead of blocking everything that looks suspicious, the card company first proactively and quickly communicates with the cardholder, and then adjusts on the fly. Using the Iowa example, when I confirmed that I was in Iowa and bought gas, I did not hear from my card company again during that trip. If the cybersecurity industry were to adopt that same strategy, it would avoid inhibiting employees from doing their jobs and reduce wasted time chasing down false positives.

For example, an alert comes in that an employee is accessing a database that he, his peers, and the overall team would not normally log in to. The alert is sent to the application owner who manages the database, asking if the attempted access was justified by business or unusual. The owner affirms the employee was granted access to the database for a legitimate business reason. That alert is then whitelisted so that the behavior is not flagged again. As a result, the employee’s behavior in relation to that database receives less scrutiny while the information on the database remains protected (security + privacy), and the employee can go about doing his job uninterrupted due to the automated verification that his behavior was business justified.

Finalizing the credit card fraud detection and mitigation process did not happen overnight. Enterprise security is at a turning point but far from its destination. Ten years from now (and earlier than that, I hope), I expect that all employees will have that same level of treatment and care when it comes to their credentials. 

Related Content:

• 7 Takeaways From The Equifax Data Breach
• Tips to Protect the DNS from Data Exfiltration
• Forget APTs: Let’s Talk about Advanced Persistent Infrastructure

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Ryan Stolte is co-founder and CTO at Bay Dynamics, an analytics company that enables organizations to quantify the impact of cyber-risk from insider and outsider attacks and prioritize mitigation. Ryan has spent more than 20 years of his career solving big data problems with … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/lets-take-a-page-from-the-credit-card-industrys-playbook/a/d-id/1330461?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Image Source: wk1003mike via Shutterstock

Black Friday is expected to attract 115 million physical shoppers, making it the busiest holiday shopping day during the Thanksgiving Day weekend, according to a National Retail Federation report. And phishers are looking to get a cut of the action on Black Friday.

Last year, for example, Black Friday alone racked up approximately 770,000 financial phishing attack attempts, according to Kaspersky Lab’s Beyond Black Friday Threat Report 2017. RiskIQ, meanwhile, discovered 19,219 URLs with the words Black Friday directing users to another page with malicious content, according to its recently released 2017 Black Friday e-Commerce Blacklist report.

Black Friday phishing scams run the gamut of unethical merchants duping users into visiting bogus high-end retailing websites to sell them knock-off items at a “discount,” to cyberthieves enticing users to visit malicious websites to steal their credit card and personally identifiable information.

“Cybercriminals use Black Friday to cover their attacks. They know that people are looking for a chance to buy expensive things at a much lower cost, so the phishers make sure they offer the best price, disguising themselves as well known and trusted brands,” says Nadezhda Demidova, lead Web-content analyst at Kaspersky Lab.

Here are examples of six real phishing campaigns from past Black Fridays, and how to avoid falling for these types of attacks.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s … View Full Bio

Article source: https://www.darkreading.com/mobile/6-real-black-friday-phishing-lures/d/d-id/1330468?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple