STE WILLIAMS

Russian mastermind of $500m bank-raiding Citadel coughs to crimes

The Russian programmer who built the bank-account-raiding Citadel Trojan has admitted his crimes.

Mark Vartanyan, who operated under the handle “Kolypto”, was arrested in Norway last year, and extradited to America in December. The 29-year-old was charged with one count of computer fraud. On Monday, he pleaded guilty [PDF] to a district court in Atlanta, US. He faces up to 10 years in the clink and a $250,000 fine – that’s slashed from a maximum of 25 years due to his guilty plea. He will be sentenced in June.

“We must continue to impose real costs on criminals who believe they are protected by geographic boundaries and can prey on the American people and institutions with impunity,” said David LeValley, special agent in charge from the FBI Atlanta Office.

“It further demonstrates the FBI’s long-term commitment to identifying and pursuing cyber criminals world-wide, and serves as a strong deterrent to others targeting America’s financial institutions and citizens through the use of malicious software.”

Citadel surfaced in 2011, infected Windows PCs, and silently slurped victims’ online banking credentials so their money could be siphoned into crooks’ pockets. It could also snoop on computer screens and hold files to ransom. It was a remarkable success. US prosecutors estimate that, at its height, the malware infected 11 million computers and was responsible for the theft of more than $500m from bank accounts.

Citadel is a variant of the ZeuS banking trojan – the source code of which was leaked – and was sold on invite-only Russian dark web forums to criminals to unleash on the public. The code was later adapted to go after password managers and airport networks. Versions of the malware are still in circulation today. As the US attorney’s office in the northern district of Georgia put it:

According to industry estimates, Citadel infected approximately 11 million computers worldwide and is responsible for over $500 million in losses.

Between on or about August 21, 2012 and January 9, 2013, while residing in Ukraine, and again between on or about April 9, 2014 and June 2, 2014, while residing in Norway, Vartanyan allegedly engaged in the development, improvement, maintenance and distribution of Citadel. During these periods, Vartanyan allegedly uploaded numerous electronic files that consisted of Citadel malware, components, updates and patches, as well as customer information, all with the intent of improving Citadel’s illicit functionality.

Citadel was one of the first examples of malware-as-a-service, whereby the creators and developers offered full support and paid-for add-ons, just like the commercial software industry.

While living in Ukraine and Norway, Vartanyan developed and supported Citadel as part of a team. His co-conspirator Dimitry Belorossov has been jailed for his part in the crime operation, and the US Department of Justice says investigations are continuing into snaring others involved with Citadel. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/22/russian_citadel_malware_pleads_guilty/

It’s happening! It’s happening! W3C erects DRM as web standard

The World Wide Web Consortium has formally put forward highly controversial digital rights management as a new web standard.

Dubbed Encrypted Media Extensions (EME), this anti-piracy mechanism was crafted by engineers from Google, Microsoft, and Netflix, and has been in development for some time. The DRM is supposed to thwart copyright infringement by stopping people from ripping video and other content from encrypted high-quality streams.

The latest draft was published last week and formally put forward as a proposed standard soon after. Under W3C rules, a decision over whether to officially adopt EME will depend on a poll of its members.

That survey was sent out yesterday and member organizations, who pay an annual fee that varies from $2,250 for the smallest non-profits to $77,000 for larger corporations, will have until April 19 to register their opinions. If EME gets the consortium’s rubber stamp of approval, it will lock down the standard for web browsers and video streamers to implement and roll out.

The proposed standard is expected to succeed, especially after web founder and W3C director Sir Tim Berners-Lee personally endorsed the measure, arguing that the standard simply reflects modern realities and would allow for greater interoperability and improve online privacy.

But EME still faces considerable opposition. One of its most persistent vocal opponents, Cory Doctorow of the Electronic Frontier Foundation, argues that EME “would give corporations the new right to sue people who engaged in legal activity.” He is referring to the most recent controversy where the W3C has tried to strike a balance between legitimate security researchers investigating vulnerabilities in digital rights management software, and hackers trying to circumvent content protection.

The W3C has also received three formal objections:

  • It does not provide adequate protection for users
  • It will be hard to include in free software
  • It doesn’t legally protect security researchers

The W3C notes that the EME specification includes sections on security and privacy, but concedes “the lack of consensus to protect security researchers remains an issue.” Its proposed solution remains “establishing best practices for responsible vulnerability disclosure.”

It also notes that issues of accessibility were ruled to be outside the scope of the EME, although there is an entire webpage dedicated to those issues and finding solutions to them.

It has been a long and winding road getting to the point where the W3C has formally proposed a standard that allows controls to be placed on content – something that many internet engineers remain philosophically opposed to. But despite the lengthy efforts to address a plethora of concerns, the formal notice still goes out of its way to note that “publication as a Proposed Recommendation does not imply endorsement by the W3C membership.”

There is little opportunity for those bitterly opposed to the measure to stir up a grassroots campaign against the spec, due to the entry barriers for W3C membership and the fact that only members can vote on approval.

It is that barrier – created to make the W3C financially sustainable – that some feel is pushing the organization down a path too closely aligned with corporate interests rather than the will of internet engineers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/22/w3c_drm_web_standard/

Windows ‘DoubleAgent’ Attack Turns AV Tools into Malware

Zero-day attack exploits a legitimate process in Windows, according to Cybellum; AV vendors downplay threat.

Several antivirus vendors today downplayed a dramatic report warning of a zero-day exploit for compromising AV tools and turning them against the very systems they are designed to protect.

The attack, dubbed DoubleAgent, takes advantage of a legitimate Windows tool called Microsoft Application Verifier and works against AV products from numerous vendors including Symantec, Trend Micro, Kaspersky Lab, ESET, and others, security vendor Cybellum said in an alert this week.

The exploit gives attackers a way to turn an antivirus product from any of these vendors into malware for snooping on users, stealing data from their systems, and for moving laterally across the network and sabotaging the system, Cybellum said. Most importantly, since the malware would masquerade as an AV product, it would also give attackers a way to maintain persistence on a compromised system for as long as they wanted.

“DoubleAgent gives the attacker the ability to control the AV without being detected, while keeping the illusion that the AV is working normally,” says Slava Bronfman, cofounder and CEO of Cybellum.

Bronfman says researchers from the company discovered the issue a few months ago and immediately reported it to Microsoft and the affected AV vendors.

“We have reported all the vendors more than 90 days ago, and gave them plenty of time to patch it,” Bronfman says. “The responsible thing to do now is to publish it, since attackers are examining other vendor patches and might use this attack.”

DoubleAgent takes advantage of an undocumented feature in Microsoft Application Verifier that has been around since at least Windows XP. Application Verifier is a Windows feature that lets developers do runtime verifications of their applications for finding and fixing security issues.

The undocumented feature that Cybellum researchers discovered gives attackers a way to replace the legitimate verifier with a rogue verifier so they can gain complete control of the application.

The technique can be used to hijack any application, not just AV tools, Bronfman says. Attackers do not even need to alter the proof-of-concept code that Cybellum released this week to attack an application. “You just execute it with the requested application name and it would automatically attack it, no matter if it’s an antivirus or a different application,” he says. “Every script kiddie can just compile it, include his malicious code, and use it right away.”

Because the attack exploits a legitimate Windows tool, there’s little Microsoft can do to patch against it, adds Bronfman. “The only thing that can be done to mitigate the problem is per-application mitigation,” he says.


AV vendors would need to figure out if the Microsoft verifier tool can be used against their software and then figure out a way to block it, according to Bronfman. “DoubleAgent works against any application that doesn’t specifically protect itself against DoubleAgent,” he says.

But several security vendors say the threat posed by the DoubleAgent attack is less dramatic than it might first appear.

“This requires an attacker to be able to write to the Windows registry, which is something normally restricted to those with Administrator access,” says Dustin Childs, director of communication for Trend Micro’s Zero Day Initiative. In order to pull off the attack, a threat actor would already need to be in control of a system, he says.

“One area where this issue could be impactful is maintaining access to a compromised system by increasing their chance of persistence,” Childs says.
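Childs’s point gives defenders something concrete to audit: the registry configuration that tells Windows to load a verifier DLL into a process. The PowerShell script below is an added example, not Cybellum’s proof-of-concept and not any AV vendor’s code; it assumes the documented Application Verifier interface (per-image entries under Image File Execution Options with a GlobalFlag value and a VerifierDlls value) and reports every image that has a verifier registered, along with whether the named DLL is present in System32 and who signed it.

```powershell
# Added audit script (not Cybellum's PoC and not any AV vendor's code).
# Run from an elevated PowerShell prompt. Assumptions: Application Verifier is
# configured per image under Image File Execution Options via a GlobalFlag
# value (bit 0x100 enables the verifier) and a VerifierDlls value listing the
# verifier provider DLLs, which are loaded by name from the system directory.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FLG_APPLICATION_VERIFIER = 0x100

function Get-VerifierDllStatus {
    param([string]$DllName)
    # Verifier providers are resolved from System32; a file that is missing,
    # unsigned or signed by an unexpected publisher is the thing to investigate.
    $path = Join-Path $env:SystemRoot ('System32\' + $DllName)
    if (-not (Test-Path -LiteralPath $path)) { return 'missing from System32' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'no certificate' }
    return ('{0}; signer: {1}' -f $sig.Status, $signer)
}

function Get-VerifierHooks {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            # GlobalFlag is often stored as a REG_SZ such as "0x100"; [int] handles both forms.
            $flags = 0
            if ($null -ne $props.GlobalFlag) { $flags = [int]$props.GlobalFlag }
            $dlls = [string]$props.VerifierDlls
            $verifierEnabled = ($flags -band $FLG_APPLICATION_VERIFIER) -ne 0
            if (-not $verifierEnabled -and [string]::IsNullOrWhiteSpace($dlls)) { continue }
            $dllList = $dlls -split '\s+' | Where-Object { $_ }
            [pscustomobject]@{
                Image           = $key.PSChildName
                VerifierEnabled = $verifierEnabled
                VerifierDlls    = ($dllList -join ' ')
                DllStatus       = (($dllList | ForEach-Object { "$_ => $(Get-VerifierDllStatus $_)" }) -join '; ')
                Hive            = $root
            }
        }
    }
}

# On a production host this should return nothing. Any row needs an owner,
# and a row naming a security product's executable deserves immediate follow-up.
$hooks = @(Get-VerifierHooks)
if ($hooks.Count -eq 0) {
    Write-Output 'No Application Verifier hooks registered under IFEO.'
} else {
    $hooks | Format-List
}
```

Because the entries live under HKLM, the write Childs describes needs administrator rights, so a monitoring rule on changes to these keys is the natural complement to running the audit on a schedule.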

Jon Clay, director of global threat communications for Trend Micro, adds that the company’s Trend Micro Consumer endpoint product is vulnerable to DoubleAgent, but a patch for it is already available.

A spokeswoman from ESET confirmed that the company’s AV product for Windows is vulnerable to the DoubleAgent attack. But she added that the severity of the threat is considered very low since attackers would first need to have all necessary admin rights on the victim machine. ESET researchers are currently working on a fix for the issue and will release a customer advisory when it becomes available, she says.

In an emailed statement, a Symantec spokesperson maintained that an attacker would need admin rights plus physical access to a machine—something that Bronfman refutes—in order to pull off an attack. “We confirmed that this PoC does not exploit a product vulnerability within Norton Security,” the spokesperson said. “We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted.”

Microsoft declined a request for comment on DoubleAgent.

Meanwhile, Microsoft already provides a mechanism called Protected Processes that is designed to protect AV products against code-injection attacks such as DoubleAgent.

The Protected Processes infrastructure ensures that only trusted and digitally signed code can run inside a protected process, so any attempt to inject a rogue verifier into an AV product would not work. But Microsoft’s own Windows Defender currently is the only tool to implement Protected Processes, although it has been available to third parties for more than three years.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: http://www.darkreading.com/threat-intelligence/windows-doubleagent-attack-turns-av-tools-into-malware-/d/d-id/1328462?_mc=RSS_DR_EDT

USB pen-testing stick: what happens if it falls into malicious hands?

Back in September, many tech publications highlighted a killer stick: a USB stick marketed to pen testers and law enforcement that could be used to test the surge protection circuitry of electronics.

Test, or, as the case may be for devices lacking surge protection, zap to death.

The so-called USB Killer – which comes from a Hong Kong company – looks like a standard USB drive, but it’s actually filled with capacitors.

Once you plug it in, the USB Killer rapidly charges all those capacitors from the USB power supply. Then, once it’s full, it turns around and electro-vomits all that power back into the drive. It works in a fraction of a second, frying circuits in laptops, PC monitors, photo booths, kiosks, or even cars.

The charge/discharge cycle is repeated many times per second, until the USB Killer is removed, leaving about 95% of all devices partially or permanently damaged. According to Bleeping Computer, the only products that could withstand USB Killer 2.0 were recent MacBook models, since they optically isolate the data lines on USB ports.

Here’s one of many YouTube videos of the near-instant death throes of a sitting duck non-MacBook:

But wait, there’s more. It gets worse. Or better, depending on whether you’re a fryer or a fryee.

The company has released USB Killer Version 3 (PDF), and it’s deadlier than ever. The new kill stick has a higher voltage and amp output, and its pulse rate, which can ramp up to 12 times a second, is 3x higher than the previous version.

Plus, there’s this: Apple devices are now reportedly sitting ducks too. USBKiller.com is now shipping an adapter kit that allows users to zap devices via microUSB, USB-C, and (the proprietary Apple) Lightning ports on the iPhone 5/6/7. Beyond those iPhones, the adapter kit will also enable the murder of iPads, other phones, tablets, and digital cameras.

All of this mayhem, for so little cash: you can still pick up the latest version of USB Kill for €49.95, or about $54. The adapter kit goes for €14.99, or about $16.

If you’re not aware of these USB devices yet, now’s the time to learn. The story highlights how vulnerable our publicly available USB ports are.

But it’s also another reminder that we should never plug in mysterious USB drives we find kicking around… Or that pop up in our letterboxes, as was the case recently when cybercrooks in Australia tried to trick people into plugging them in and thereby downloading malware.

What makes the scenario even scarier is that USB Kill now comes in two flavors: its regular version, with the logo of a skull and crossbones, or an anonymous, discreet, unlabelled version.

All the better for pen testers who don’t want to call attention to their activities, according to the marketing – although it’s worth pointing out that the manufacturer makes it very clear that it “strongly condemns malicious use of its products”.

Or to crooks who want to destroy our expensive gear without calling attention to the devices that do it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NskbQzWbE2k/

Soundwaves used to produce fake data from accelerometers

How many tiny accelerometers do you depend on? There’s the one in your smartphone, telling it which way’s up, so it can adjust the screen horizontally or vertically (or track your footsteps or how fast you’re running, or for that matter, transform your iPhone into a seismometer).

For similar reasons, there’s one in your FitBit-type contraption too. Then there are devices like Microsoft’s Kinect and Nintendo’s Wii which use them to help track motion. And that’s not all. You can find them in toy remote control cars (and real cars, which use them to detect rapid deceleration and trigger your airbag) and even medical devices – where they might soon help control when and how much medicine you get.

The answer is probably more than you think. Oh… and they’re hackable. A team of computer scientists and engineers from the University of Michigan and University of South Carolina have done it using nothing but carefully tweaked audio.

Similar “resonant acoustic injection attacks” have already been used to disable related nano-devices, such as gyroscopes. Now, these scientists have gone a step further, spoofing MEMS accelerometers with “intentional acoustic interference” that takes “fine-grained control” of the device, and generates specific spurious values.

Since most current systems blindly trust accelerometer data as gospel truth to be acted upon accordingly, that’s not good.

As reported by Michigan Engineering, Professor Kevin Fu’s team:

…used precisely tuned acoustic tones to deceive 15 different models of accelerometers into registering movement that never occurred.

This works because the heart of a MEMS accelerometer is analog: “a mass suspended on springs” that moves when the object it’s embedded in changes speed or direction. Such movements, however, can also be created by sound waves, even if the bigger object hasn’t budged. And that opens “a backdoor into the devices – enabling the researchers to control other aspects of the system”.

75% of the accelerometers Fu’s team tested were vulnerable to the first type of attack they conjured up; 65% proved vulnerable to the second. In these cases, as Fu put it:

The fundamental physics of the hardware allowed us to trick sensors into delivering a false reality to the microprocessor.

Having fooled the accelerometer, they next showed how their exploit could change real systems’ physical behavior. For instance, they coaxed a Fitbit into generating 3,000 steps per hour that its owner never walked.

You laugh, but that exploit could have been used to cash in on rewards programs designed to incentivize exercise to promote better health. And what if we told you they also coaxed a Samsung Galaxy S5 accelerometer into generating the word “WALNUT” in a graph of its readings?

Still laughing? Yeah, OK, us too, a bit. Here’s one that’s a bit spookier: they tricked a smartphone into playing a music file that in turn hijacked its own accelerometer’s output, and used the fake output to control and drive a toy car via an app running on the same smartphone.

As is so often the case, the principles matter more than the proofs-of-concept, however goofy or spooky they may be: analog devices are vulnerable and require cybersecurity attention. Cyber-physical systems bring unique security challenges. And, just perhaps, more systems should take precautions before instantly acting on their sensory inputs.

Principles like these helped earn this research an official Alert (ICS-ALERT-17-073-01) from the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.

Meanwhile, those tiny accelerometers are out there by the billions. You couldn’t exactly recall or replace them all. Fortunately, the paper’s authors have proposed two “low-cost software defenses” that could be implemented in firmware, for systems that can be found and flashed.

They’ve also made suggestions for tightening up hardware design going forward – and, of course, notified the affected accelerometer manufacturers.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MtXV4q-IdMw/

New York’s ‘unconstitutional’ right to be forgotten bill sparks concern

New York state politicians have introduced a right-to-be-forgotten bill that would require the removal of some online statements about others. To be exact, statements that are judged “inaccurate”, “irrelevant”, “inadequate” or “excessive.”

New York Assembly Bill 5323 was introduced by David Weprin and as Senate Bill 4561 by state senator Tony Avella.

Eugene Volokh, who teaches free speech law at the University of California-Los Angeles School of Law, analyzed the bill in an article published by the Washington Post on Wednesday.

Here’s what the bill would do:

  • Within 30 days of a ”request from an individual,”
  • “all search engines and online speakers shall remove… content about such individual, and links or indexes to any of the same, that is ‘inaccurate’, ‘irrelevant’, ‘inadequate’ or ‘excessive,’ ”
  • “and without replacing such removed… content with any disclaimer [or] takedown notice.”
  • “‘[I]naccurate’, ‘irrelevant’, ‘inadequate’, or ‘excessive’ shall mean content”
  • “which after a significant lapse in time from its first publication”
  • “is no longer material to current public debate or discourse”,
  • “especially when considered in light of the financial, reputational and/or demonstrable other harm that the information… is causing to the requester’s professional, financial, reputational or other interest”,
  • “with the exception of content related to convicted felonies, legal matters relating to violence, or a matter that is of significant current public interest, and as to which the requester’s role with regard to the matter is central and substantial.”

The bill would cover the following wide range of online publishers, running the gamut from search giants like Google all the way down to ordinary individuals like you and me:

…search engines, indexers, publishers and any other persons or entities which make available, on or through the internet or other widely used computer-based network, program or service, information about an individual…

Failure to comply would carry fines of at least $250/day, plus attorney fees.

The bill contains no exception for materials of genuine historical interest, as Volokh pointed out. Nor would it exempt autobiographic material, whether it’s found “in a book, on a blog or anywhere else,” he said. Ditto for information on political figures or celebrities.

From Volokh’s analysis:

So, under this bill, newspapers, scholarly works, copies of books on Google Books and Amazon, online encyclopedias (Wikipedia and others) – all would have to be censored whenever a judge and jury found (or the author expected them to find) that the speech was “no longer material to current public debate or discourse” (except when it was “related to convicted felonies” or “legal matters relating to violence” in which the subject played a “central and substantial” role).

The bill aims for censorship with a “broad, vague test based on what the government thinks the public should or shouldn’t be discussing,” Volokh says.

It is clearly unconstitutional under current First Amendment law, and I hope First Amendment law will stay that way (no matter what rules other countries might have adopted).

Remember: There is no “right to be forgotten” in the abstract; no law can ensure that, and no law can be limited to that. Instead, the “right” this aims to protect is the power to suppress speech – the power to force people (on pain of financial ruin) to stop talking about other people, when some government body decides that they should stop.

Europe and other countries have for years been successfully forcing Google to enforce right to be forgotten laws across as many of its domains as possible. Google’s been kicking and screaming the whole way.

Things are different in the US, where the First Amendment and the public’s right to know are deeply embedded in the culture. In 2014, for example, a San Francisco Superior Court judge upheld the then-already widespread legal opinion that search results constitute free speech.

But then again, Americans also value the right to privacy. Hence, in 2015, California adopted the Online Eraser Law, which gave California minors a narrow but significant right to be forgotten. Meant to save minors from having social media posts dog them throughout their adult lives, it was the first state law of its kind.

How does the NY bill compare to Europe’s right to be forgotten? For one thing, the European Commission has made it clear that the courts meant for journalistic work to be protected when they passed the right to be forgotten judgment.

Debate over the judgment, and the competing values of privacy vs the public’s right to know, has been passionate. The EU Court of Justice has gone so far as to publish a list of myths about the right to be forgotten.

Two of the myths, it says: that the judgment contradicts freedom of expression, and that it allows for censorship.

Wikipedia co-founder Jimmy Wales has heartily disagreed with the notion that those are myths, warning that the right to be forgotten will lead to a form of cyber-mad cow disease, or what he termed “an internet riddled with memory holes”.

In comparison, the NY bill is toddling into this contentious debate practically stripped of any exceptions at all for freedom of speech and with no signs that it’s been crafted to protect against censorship.

However, it’s in the proposal stage at this point and could well be amended.

I’ve reached out to the bill’s authors for their reaction to charges that their bill is unconstitutional and will be used as a tool of censorship. I’ll update the article if they get back to me.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Vt19RYlAI3Y/

Gemalto profits hit by crummy US card sales, dials back expectations by, oh, €100m

Gemalto warned on Wednesday that its first-quarter revenues will be between 7 and 9 per cent lower compared to the same period of 2016.

The firm blamed weak sales in its US payment business for the revenue shortfall. Payment card revenue for the full year 2017 is estimated to be around €100 million lower than its initial expectation.

Looking ahead, and taking into account the first-quarter trend, Gemalto now expects its 2017 profit from operations to be at a similar level to 2016.

Gemalto is currently reviewing its action plan to minimise the impact of much lower than expected EMV card and associated service sales. The firm is due to report first-quarter revenue on 28 April, at which point it has promised to update the market on its revised business plan.

Shares in Gemalto fell more than 18 per cent to €51.45 on the profit warning.

Gemalto is the world’s biggest supplier of SIM cards. It also offers smart cards and tokens, and managed services. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/22/gemalto_profits_warning/

Coppers ‘persistently’ breach data protection laws with police tech

Coppers in England and Wales are “persistently” committing data breaches, according to the Police Federation’s head of misconduct.

Technologies from the Police National Computer (PNC) systems through to the Automatic Number Plate Recognition (ANPR) databases are “increasingly being used by officers for non-work related reasons” according to the Police Federation, the statutory staff association for officers – all of whom are barred from joining an ordinary trade union under the Police Act 1996.

“Computer misuse is a serious issue and if officers commit data protection breaches – outside of lawful policing purposes – they are likely to face very significant penalties,” warned Andy Ward, the federation’s deputy general secretary and head of crime and misconduct claims.

Criminal misuse of the PNC has been an issue for years, although misuse for a lawful purpose is something of a grey area. Last year, the biometrics commissioner warned that police employees were effectively hacking the PNC to unlawfully retain suspects’ biometric data.

“We’re seeing about two cases a week involving data protection breaches,” Ward said. “In the majority of cases, the officer thinks that they are doing it for the right reasons – they’re either looking into family members, friends, neighbours or others they know, often because they are concerned about those individuals or people close to them.

“If officers have concerns about people they know, or if they are approached to access the PNC for a friend, then there are ways of dealing with these issues without breaking the law.

“Officers need to distance themselves, and raise the concerns in the first instance to their supervisor who will decide on the best course of action and, if they are for lawful policing purposes, may be able to conduct intelligence searches on their behalf, or pass it on to someone who can.

“What they should not do, for example, is take the law into their own hands and look up their ex-wife’s new boyfriend themselves – even if it is because they are worried about the safety of their children – or find out who owns the car parked across the street. Those types of actions are only likely to lead them into serious trouble.”

In an average year the federation spends around £17m on legal advice and representation for police in civil and criminal cases, and deals with more than 6,000 applications for legal assistance, including employment tribunal cases.

It also receives about 2,500 criminal and misconduct allegations at the joint claims office, although there are many more outside the national office, and says it carries approximately 1,000 ongoing live cases at any one time – some of which will last for several years.

Ward added: “From a representative perspective, we cannot guarantee that legal representation will be provided by the federation in every case as each must be considered on its merits; we will look not only at whether the matter occurred on duty but also the extent to which it could be said to be in the performance of police duty.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/22/coppers_persistently_breaching_data_protecton_laws_with_pnc_and_anpr/

Gift cards or the iPhone gets it: Hackers threaten Apple with millions of remote wipes

Hackers who claim to have gained access to over 300 million iCloud and Apple email accounts are threatening to wipe user data unless Apple pays a ransom.

The self-styled “Turkish Crime Family” is threatening to remotely wipe data from those millions of Apple devices unless Apple pays it $75,000 in crypto-currency or $100,000 worth of iTunes gift cards before a 7 April deadline.

Evidence of the supposed breach is far from conclusive (the hackers provided screenshots of alleged emails between the group and members of Apple’s security team to Motherboard) leaving security watchers sceptical about the alleged breach. Several researchers are speculating that the whole thing might be an elaborate bluff.

Lee Munson, security researcher at Comparitech.com, commented: “Whether the group has the means to do as it claims is debatable – supposed correspondence with Apple and a YouTube video showing the takeover of an account may well have been faked – but what is not up for debate is Apple’s resolve to not pay a ransom to make the group back down.

“While Apple’s stance that it will ‘not reward cyber criminals for breaking the law’ is the right one to take, I cannot help but wonder if the option to pay $100,000 in iTunes gift cards, rather than $75,000 in untraceable crypto-currency, could have been explored in association with law enforcement,” he added.

Any one of several possible causes might hypothetically have given rise to the supposed mega-breach. Password re-use by consumers whose credentials were exposed by problems at third-party sites would be the most likely possibility. Other (less likely) scenarios include vulnerabilities in Apple’s infrastructure or a breach of a third-party tool or organisation.

David Kennerley, director of threat research at Webroot, commented: “The big question for Apple is what procedures are in place to prevent the destructive action threatened by the hackers? Without a full understanding of what the hackers really have, the true quantity and how they came by it, everything thereafter can only be a best-guess scenario.”

Chris Doman, security researcher at SIEM vendor AlienVault, added: “The attackers do seem desperate for publicity. Yesterday a Twitter account (turkcrimefamily) and Website (turkishcrimefamily[.]org) were created in their name, and today they claimed ‘The number of Apple credentials have increased from 519m to 627m, we are convinced it will keep growing until 7 April 2017’.

“Apple has some of the best security people in the business, and it seems hard to believe they would have lost control of hundreds of millions of accounts. The attackers may have taken control of a small number of accounts, through everyday iCloud phishing attacks, and used that as ‘evidence’ to justify their more outlandish claims.

“Apple users should be suspicious of any unexpected messages from Apple asking them to enter their credentials,” he added.®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/22/supposed_apple_breach_ransom_threat/

Bloke, 48, accused of whaling two US tech leviathans out of $100m

Evaldas Rimasauskas, a 48-year-old Lithuanian man, has been charged with defrauding two major US-based internet companies for more than $100m through whaling attacks.

Rimasauskas, from Vilnius, was arrested late last week by Lithuanian authorities on the basis of a provisional arrest warrant, according to the US Department of Justice.

He is accused of whaling (like phishing, but bigger) his way to more than $100m. Whaling is a form of business email compromise (BEC): social engineering fraud in which criminals impersonate a trusted party, such as a senior executive or a regular supplier, and trick financial controllers at large corporations into paying money into bank accounts the attacker controls. Such attacks succeed far more often than you’d think.

Acting US Attorney Joon Kim said: “From half a world away, Evaldas Rimasauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control. This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cybercriminals.”

FBI assistant director William F Sweeney Jr. said: “As alleged, Evaldas Rimasauskas carried out a business email compromise scheme creatively targeting two very specific victim companies. He was initially successful, acquiring over $100 million in proceeds that he wired to various bank accounts worldwide. But his footprint would eventually lead investigators to the truth, and today we expose his lies.”

According to allegations in the indictment against Rimasauskas, which was unsealed this week, he had orchestrated his scheme between 2013 and 2015, targeting “a multinational technology company and a multinational online social media company” and tricking them into wiring funds to bank accounts under his control.

The bank accounts in question belonged to companies that Rimasauskas had himself set up and incorporated under the same name as an unspecified “Asian-based computer hardware manufacturer” with which the victim companies did legitimate business.

Rimasauskas’s phishing emails purported to come from the real hardware manufacturer, and requested that money the victim companies owed to that manufacturer for legitimate goods and services be paid into the accounts of the company he’d set up himself.

Once he’d snared the funds, the would-be mastermind attempted to wire the stolen money into different bank accounts in various jurisdictions throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

He also had forged invoices, contracts and letters submitted to banks in support of the large volume of funds that were fraudulently sent by wire transfer. These documents falsely appeared to have been executed and signed by executives and agents of the victim companies, and bore fake corporate stamps embossed with the victim companies’ names.
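The scheme described above relies on three things an accounts-payable mailbox can screen for: a sender that merely resembles a real supplier, replies being diverted elsewhere, and a request to pay into bank details that differ from the ones on file. The following is an added example of such a screen, not code from the article or from either victim company. The article does not say what addresses or domains the emails used; the look-alike-domain check here is the email analogue of the look-alike company name, and the vendor domains, IBANs and messages are constructed.

```python
"""Added example, not from the article: screen supplier-payment emails for
business email compromise (BEC) indicators. Vendor data, domains, account
numbers and sample messages are constructed assumptions."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed vendor master data (hypothetical): sender domain -> IBAN on file.
KNOWN_VENDORS = {
    "examplehardware.example": "GB00EXAM00000000000001",
}

BANK_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}?\b(bank|account|iban|wire|remittance)\b",
    re.I | re.S)
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         errors="replace"))
    return "\n".join(chunks)


def assess(raw_email):
    """Return {'vendor': matched vendor domain or None, 'findings': [...]}.
    An empty findings list means no indicator fired, not that the mail is safe."""
    msg = message_from_string(raw_email)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    body = body_text(msg)
    findings = []
    vendor = sender if sender in KNOWN_VENDORS else None
    if vendor is None:
        # A domain within two edits of a known vendor is a look-alike, not a stranger.
        for known in KNOWN_VENDORS:
            if 0 < edit_distance(sender, known) <= 2:
                vendor = known
                findings.append(f"lookalike-domain:{sender}~{known}")
                break
        else:
            findings.append("unknown-sender-domain")
    if reply_to and reply_to != sender:
        findings.append(f"reply-to-mismatch:{reply_to}")
    if BANK_CHANGE.search(body):
        findings.append("bank-detail-change-request")
    for iban in sorted(set(IBAN.findall(body))):
        if vendor and iban != KNOWN_VENDORS[vendor]:
            findings.append(f"iban-differs-from-file:{iban}")
    return {"vendor": vendor, "findings": findings}


# Constructed sample messages.
LEGIT = """From: Accounts <ar@examplehardware.example>
To: ap@victim.example
Subject: Invoice 4471

Please settle invoice 4471 to our usual account GB00EXAM00000000000001.
"""

SUSPECT = """From: Accounts <ar@examp1ehardware.example>
Reply-To: accounts.payable@mail-relay.example
To: ap@victim.example
Subject: Invoice 4471 - updated bank details

Please note our updated bank account for all future payments:
IBAN LV00FAKE00000000000002.
"""

if __name__ == "__main__":
    print(assess(LEGIT))
    print(assess(SUSPECT))
```

Any message that raises `bank-detail-change-request` or `iban-differs-from-file` should be held until the change is confirmed with the supplier out of band, by a phone number already on file rather than one in the email; the other indicators are there to explain why the mail looked wrong, not to block it on their own.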

Rimasauskas is charged with one count of wire fraud and three counts of money laundering, each of which carries a maximum sentence of 20 years in prison, and one count of aggravated identity theft, which carries a mandatory minimum sentence of two years in prison. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/22/man_charged_for_stealing_100m_from_unnamed_usbased_multinational_internet_companies/