STE WILLIAMS

Man posing as Hollywood superstar scams woman out of a ‘fortune’

What action-thriller car-chase fan wouldn’t be star-struck if Hollywood actor/stuntman/producer/eye candy Jason Statham were to personally reach out from a fan page to chat with them?

…and to invite her to join him to chat on WhatsApp?

…and to subsequently claim to have fallen in love with her, sending hundreds of messages, and to confide in her that he needed help with some “financial difficulties,” given that a film payment was delayed (in spite of the fact that Statham is reportedly worth an estimated $70 million)?

You and I can likely see the marquee blinking “conman” from a mile away, but a British woman who was grieving over the deaths of both her mother and fiancé says that she did not. The woman, who requested anonymity, told BBC Radio Manchester that she sent the fraudster a fortune. She wouldn’t say exactly how much, besides that it was hundreds of thousands of pounds.

It was a substantial amount, which would have made a difference to my life and my family.

Posing as Statham, the scammer first reached out to her via Messenger while she was on a Facebook fan page dedicated to the Fast & Furious star. The message showed his face. Or, rather, the message showed a photo of Statham, which of course anybody can find online and throw onto an account to make them look like whoever they want.

At any rate, the woman didn’t suspect that a crook was contacting her. Rather, she thought that the star had a nice, personal touch:

I thought ‘Oh, that’s nice of him, talking to his fans’. I might have been star-struck then, I don’t know.

After months of exchanging messages, the fraudster hit her up for money. Some of the messages he sent over the course of the swindle, as reconstructed by the BBC:

Send me a selfie of you

I would love to get a very decent smiles from your face right now

Will you love me and be the special woman beside me for the rest of your life honey

Western Union

You will get the official website then you can set up an account darling

Just send £20k this night and tomorrow you do the same then by Friday it’s already done

Baby

Where are you I miss you

Talk to me baby

Baby where are you

So little money, such a wealth of endearments!

As her own money dwindled, she eventually contacted Greater Manchester Police, where the Economic Crime Unit investigated the crime. The BBC quoted detective constable Craig Moylon, who worked on the investigation:

This lady has been subject to somebody who just tricked her at a very vulnerable time in her life.

When you see the relentless messaging that this lady got from this person and you see the grooming and the exploitation… the impact is extraordinary.

He said that this case was just the “tip of the iceberg”, given that such a small number of victims – about 5-10% – wind up reporting this kind of fraud. According to the Crime Survey for England and Wales, there was an estimated 12% increase in fraud in 2018. Just over 3 million people – 6.6% of adults – were victims of some form of fraud.

We don’t know exactly how the woman in the Statham fraudster case sent her money, but the survey notes that victims who send authorized push payments (APPs) – sending funds directly from their own account to a fraudster-controlled account – have no legal recourse (at least in the UK and the US), given that they authorize the payments themselves.

What to do if you suspect a scam

If you, or somebody you know, have been bilked by an online fraudster or any other criminal, please do try to fight off the shame (why should YOU be embarrassed? You’re not a crook stealing people’s money!) and report it to the authorities. US citizens should contact the FTC and if you’re in the UK, report it to Action Fraud.

They need victims to let them know who’s being targeted, and how, so they can figure out how to fight these romance-scam slimeballs.

Read more about Advance Fee Fraud, and how you can spot the signs of a romance scammer.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Aq-6IVzUzCc/

Facebook under investigation for harvesting 1.5m users’ contact lists

The New York Attorney General’s office announced last week that it’s launched an investigation into Facebook’s harvesting of 1.5 million users’ email address books without their consent.

Earlier this month, a security researcher had noticed that Facebook was asking some new users for their email passwords when they signed up: what he called “a HORRIBLE idea from an #infosec point of view”…

…particularly from a company that’s mishandled the passwords we use in two-factor authentication (2FA) and which saved hundreds of millions of users’ passwords to disk in raw, unencrypted form.

But Facebook wasn’t just asking for some new users’ email passwords, the company would go on to admit: it was also sucking up their contacts, popping up a message saying the platform was “importing” their contacts without asking for permission first, nor offering any way for users to cancel the process.

Facebook admitted it had “unintentionally uploaded” 1.5 million contact databases of new Facebook users since May 2016. But as noted in a press release issued on Thursday by the office of New York Attorney General Letitia James, the number of emails drawn into this filter feeder’s baleen is bound to be orders of magnitude higher, as in, hundreds of millions, given that the affected people could have hundreds, if not thousands, of contacts in their contact databases.

While Facebook claims that 1.5 million contact databases were directly harvested by its email password verification process for new users, the total number of people whose information was improperly obtained may be hundreds of millions.

Well, isn’t it just typical, AG James said. It’s just the latest demonstration of how Facebook “does not take seriously its role in protecting our personal information,” she was quoted as saying. She added…

It is time Facebook is held accountable for how it handles consumers’ personal information.

Put it on top of the “legal repercussions” pile

She’s not alone in that belief: Facebook’s anticipating that an upcoming settlement with the Federal Trade Commission (FTC) over user data privacy handling could be up to $5 billion. Canadian regulators last week said that they too believe that Facebook has broken the law and plan to take the company to court to force it to change its practices.

The Irish Data Protection Commission also said last week that it’s investigating Facebook over the issue of user passwords stored on its internal servers in plain text format.

“Unintentional” (perhaps illegal) but great for ad targeting!

Getting its hands on this vast trove of emails is great for Facebook’s core business of ad targeting, as well as to expand its already vast web of social connections. But it could have broken a number of privacy laws, some say.

Experts told Business Insider that the harvesting of the 1.5 million users’ email contact lists could possibly violate a 2011 consent decree between Facebook and the Federal Trade Commission (FTC), the EU General Data Protection Regulation (GDPR), and potentially even the Computer Fraud and Abuse Act (CFAA).

A Facebook spokesperson declined to comment on the legality of the company’s actions when Business Insider asked.

The investigation

Two people briefed on the NY AG’s investigation told the New York Times that it will “focus on how the contact list-importing practice came about, and whether or not it spread to hundreds of millions more people across the social network.”

After a furious backlash, shortly after the press got wind of the practice, Facebook said it stopped asking for new users’ email passwords and stopped importing their contact lists. Last week, it told news outlets that it was in touch with NY AG James’s office and was responding to questions about the matter.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xV4oVisYJNQ/

Docker breach of 190,000 users exposes lack of two-factor authentication

Containerisation platform Docker has asked 190,000 developer users to change their account passwords after hackers gained access to a database containing personal data.

According to an advisory on the company’s website, the incident happened on 25 April when for a “brief period” attackers accessed a single Docker Hub repository used to store the accounts.

Exposed data included usernames, an unknown number of hashed passwords and, inconveniently, API tokens used by developers with GitHub and Bitbucket (which, when embedded in scripts, perform the same function as passwords for Docker autobuilds).

When Docker discovered the breach it acted quickly, adding:

No Official Images have been compromised. We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image.

Data breaches are always bad news but the possible compromise of 190,000 accounts (about 5% of the service’s user base) on a development system used by businesses heaps additional worries on top of the usual workload.

What to do?

Docker said it has sent password reset links to all affected users, so if you’re on that list you should follow the company’s advice. In addition:

Users who have autobuilds who have had their GitHub or Bitbucket repositories unlinked will need to relink those repositories.

In a separate notification email, Docker said that anyone it thinks is in this category will have had their tokens and access keys revoked and will have to reconnect manually after checking security logs to identify whether “any unexpected actions have taken place.”

This can be done by following the log-checking advice on GitHub and on Bitbucket. Because this relates to development software, affected users should treat these checks as their top priority.

Should all Docker users change their account password?

If we take the company’s explanation at face value, that doesn’t appear to be necessary although Docker does suggest that users consider changing their password if they haven’t done so in a while. In the meantime Docker is:

enhancing our overall security processes and reviewing our policies. Additional monitoring tools are now in place.

The comment about enhancing security might be a reference to multi-factor authentication (MFA or 2FA) which users have complained on social media and in forums that Docker doesn’t yet offer.

On the basis of a test account we set up, that does appear to be the case. It’s an unfortunate omission – multi-factor authentication is precisely the sort of security that reduces the likelihood of account compromise in the sort of incident where usernames and hashed passwords have been breached.

Separately, it was revealed in March that a root access vulnerability (CVE-2019-5736) in Docker was being exploited by cybercriminals to mine the Monero (XMR) cryptocurrency on hundreds of servers.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nAysajZOu8U/

Chinese dev jailed and fined for posting DJI’s private keys on Github

A Chinese software developer who previously expressed suicidal thoughts has been jailed after putting one of drone company DJI’s AES private keys onto Github in plain text.

That key, as we revealed at the time in January 2018, allowed world+dog to decrypt DJI’s encrypted flight control firmware, paving the way for the curious and the malicious alike to bypass geofencing and other performance restrictions on their DJI drones.

Also disclosed in plain text was a wildcard SSL key for *.dji.com, giving anyone with the right skills the ability to spoof DJI’s website and decrypt encrypted comms between DJI drones and the company’s own servers in China.

Local Chinese-language reports indicated that the Shenzhen Municipal People’s Procuratorate – the local version of the Crown Prosecution Service – successfully prosecuted the developer in early April, before the Shenzhen District Court. One summary said: “The employee was sentenced to six months in prison for infringement of trade secrets. The penalty is 200,000 yuan” (just under £23,000).

Damage caused to DJI was reportedly put at 1.164m yuan, or around £134,000.

“I am the stupid guy who unintentionally shared the DJI SSL keys and firmware AES keys on the github. I in total shared 4 repositories named ‘spray-system’, ‘Management-platform’, ‘real_time_serve_v1’ and ‘real_time_serve’,” read an email from the jailed dev, Li Zhanbin, forwarded to The Register by infosec researcher Kevin Finisterre.

Finisterre was the one who originally spotted the carelessly shared key on Github. Zhanbin, the Chinese dev, had asked for help in dealing with the Chinese police.

In a later email, Zhanbin said he had been dismissed from DJI on 26 January 2018, adding: “I was born in a very poor village; I stud[ied] hard all the time, I finally got into …university. It is a very happy thing to me and my parents. BUT now all the things are done. I am done. I will go to jail, and I have to take this stain … in my life. My girlfriend begin to break up with me, woooo, my family are broken. Fuck!!! What are terrible things! Maybe the only thing I can do now is to die; it is so hard. I need to be free.”

Local reports, apparently quoting the Chinese state prosecutors, quoted the dev as having written on Twitter: “There is no intention to disclose the secrets of Dajiang” and “I regret that I have no legal awareness, and I am willing to bear the corresponding legal responsibilities.”

A DJI spokesman told The Register: “DJI does not comment on legal matters involving current or former employees. Our company policy is that we do not discuss specific employment issues in the media.” ®

Sponsored:
Becoming a Pragmatic Security Leader

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/30/dji_dev_jailed_fined_leaking_aes_ssl_keys_github/

From Docker Hub hack to Facebook’s burglar-friendly API to phone fingerprint bypasses…

Roundup Here’s your quick-fire summary of recent computer security news.

Docker: Someone broke into a database holding Docker Hub account information, and managed to siphon off non-financial records on 190,000 users before the exfiltration was, presumably, detected and stopped.

The intrusion happened on Thursday, April 25, though Docker emailed people late on Friday alerting them to the security breach. Less than five per cent of Hub users were affected, according to the biz.

The swiped information included “usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds,” we’re told. Hub account passwords should be changed, and snatched tokens have been revoked. Crucially, no hosted Dockerfiles were touched, we’re assured.

This cyber-break-in is not great news for Docker and its Hub users, but it could have been a lot worse. Docker Hub lets people share container configurations with the world; if miscreants had been able to maliciously tamper with hosted Docker containers, and these were fetched and installed by others on their machines, the damage could have been catastrophic.

Facebook: Online yard sale Facebook Marketplace was caught leaking the precise location data of advertisers, allowing burglars to know exactly what to nick from where. The info was included in JSON data from a Facebook API.

After some prodding, we’re told, the antisocial network finally tweaked its interface to remove these exact GPS coordinates.

Shadowhammer: More details have emerged about the espionage effort to infect targets via Asus system updates. It turns out other software downloads were tampered with: downloads from a videogame company, a conglomerate holding company, and a pharmaceutical biz, all based in South Korea.

Nokia: Nokia 9 PureView phones can be unlocked by sticks of gum or previously unseen fingers, when pressed against their fingerprint scanners, following a firmware update this month. The software was supposed to improve the tech, but in fact made it worse. Until Nokia fixes this, try using some other form of authentication.

SIM swapper: Joel Ortiz, 21, was sent down for 10 years after siphoning Bitcoin from wallets hijacked using SIM swapping – that’s where you transfer the ownership of a cellphone number from a victim’s SIM to your own, and then use that to reset passwords, via SMS-based two-factor authentication, until you’re able to access the mark’s crypto-currency.

DDoS: Users of the Electrum Bitcoin wallet are being slammed by a botnet of 152,000 infected devices.


Qualcomm: Malware with root access on Qualcomm-powered Android devices can steal hardware-protected private keys that not even privileged software should be allowed to touch. This requires exploiting a vulnerability that was patched earlier this month, though obviously not every device gets these fixes in a timely fashion.

Alexa: Amazon staff debugging people’s queries to its voice-controlled Alexa personal assistant have access to location data, allowing them to trace some folks down to their home addresses.

Passwords: If you’ve ever wondered how miscreants steal user passwords from one website to log into accounts in other websites where passwords are reused – so-called credential stuffing attacks – then look no further than this.

Cryptocurrency: People are using easily guessable private keys to secure their Ethereum wallets, and a crook dubbed the Blockchain Bandit is exploiting this to drain them of crypto-cash.

Backdoors and frameworks: The source code to the Carbanak backdoor leaked onto VirusTotal, and FireEye has been poring over the blueprints and analyzing how the thing works. Meanwhile, Kaspersky Lab has detailed an interesting hacking framework dubbed Project TajMahal.

Russiagate: After the Mueller Report landed, some 5,000 Twitter bots that previously organized to back Saudi Arabia were spotted pushing the message that allegations President Trump colluded with Russia were a hoax.

Islamic State: A woman used hacked Facebook accounts to share instructions for producing explosives and poison, according to prosecutors. Now she and one other person have pleaded guilty to crimes related to providing support for the Islamic State.

Ransomware: Manufacturing giant Aebi Schmidt was hit by file-scrambling ransomware that disrupted its operations.

LinkedIn: Databases containing 60 million profiles scraped from LinkedIn, including email addresses, were found facing the public internet.

Port scans: Mass port scans of internet-facing IP addresses using spoofed source addresses – mainly of banks and other financial institutions – have been detected. It’s thought these were launched by miscreants trying to cause trouble by tricking outfits like Spamhaus, which have put spoofed source IP addresses on block lists, into blacklisting legit organizations.

Chrome: Stand by for a Chrome for iOS security update after bad ads were spotted bypassing its pop-up blocker on iThings.

Filtering: Some in the UK ISP industry are upset [PDF] that web browsers using DNS-over-HTTPS will be able to bypass filters that block bad stuff on the internet.

Fitness: Bodybuilding.com detected an intruder on its network who may have swiped people’s personal information. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/30/security_roundup/

Black Hat USA Offers an Inside Look at Intel’s Security Engine

Come to the August event and learn how Intel’s Converged Security and Manageability Engine has been fine-tuned to guard against low-level firmware attacks.

Low-level firmware attacks are a pernicious problem in cybersecurity, and this August the team at Intel will be at Black Hat USA to share an inside look at how their Converged Security and Manageability Engine (CSME) is built to thwart them.

This is a great opportunity to see, firsthand, how improvements have been made to the CSME firmware to make it more difficult to exploit common memory corruption issues and reduce security vulnerabilities caused by firmware complexity.

You’ll also learn how firmware environments can achieve the same results by applying the same technology, and get a behind-the-scenes look at how Intel applies feedback fuzzing and queue-management in a generic form, so it could be applied on any given existing fuzzer.

For more details on this promising Briefing and many others, head over to the Black Hat USA Briefings page, which is regularly updated with new content as we get closer to the event.

Black Hat USA will return to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-usa-offers-an-inside-look-at-intels-security-engine/d/d-id/1334561?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

America’s anti-hacking laws are so loose, even Donald Trump Jr broke them. So, what do we do about it?

Comment The President’s son Donald Trump Jr broke the Computer Fraud and Abuse Act, a US federal law.

That’s not an opinion, incidentally, it’s a fact, at least according to the Mueller Report, finally published earlier this month. However, that dossier makes it plain that federal prosecutors ultimately decided not to press charges against Don Junior, and that decision has become the subject of debate by law professors this week.

Before you get ready to rage-tweet or fury-comment, though, you may find the debate is disappointingly reasonable since it is built around how badly written tech law has ended up giving prosecutors too much leeway in deciding when to bring cases and when to let them drop: a situation that everyone should be able to agree is not a great thing.

But before the reasonableness, let’s get some digs in. The president’s son is such a weapons-grade idiot that this isn’t the only time that Mueller decided not to prosecute him for breaking the law because he was too thick to realize that what he was doing was illegal.

The other time is, of course, when he agreed to a meeting in Trump Tower with Russians offering “dirt” on Hillary Clinton. Accepting help from a foreign power during an election is a federal crime but Mueller ultimately decided not to prosecute because for Don Junior to be found guilty it would have to be proved that he knew he was breaking the law.

And, without explicitly saying it, Mueller decided that Trump Jr’s inevitable “I don’t really know what’s going on at any given point in my life” defense was going to be all too believable.

[Image caption: New info demonstrating Don Jr.’s intelligence]

But back to this particular piece of idiocy: he was sent a direct message from Wikileaks during the election campaign about a new site that was about to go live at putintrump.org that purported to have evidence of misdoing between the Trump Campaign and Russian government. Wikileaks had correctly guessed the (terrible) admin password of putintrump.org – it was “putintrump” – and sent the password to Don Junior as a heads-up.

Same law, wildly different end result

Now, logging into someone else’s website using a hacked password in order to access information is, for obvious reasons, not legal. In fact it is a federal crime under 18 U.S.C. § 1030(a)(2) of the Computer Fraud and Abuse Act.

But the prosecution of this crime can vary from nothing more than a misdemeanor to as serious as a felony, depending on the circumstances. Guessing the password to some random WordPress blog is obviously not going to be the same as hacking into the servers of a financial institution.

But because the law is currently so poorly structured and defined, this ability to either lock someone up for years or give them a slap on the wrist for the exact same crime means that such decisions come down almost entirely to prosecutorial discretion.

What we didn’t know until this month is whether Don Junior actually used the password Wikileaks had sent him to access the site and dig around. But now we do [PDF, p33]. He did.

Guys I got a weird Twitter DM from wikileaks. See below. I tried the password and it works and the about section they reference contains the next pic in terms of who is behind it. Not sure if this is anything but it seems like it’s really wikileaks asking me as I follow them and it is a DM. Do you know the people mentioned and what the conspiracy they are looking for could be? These are just screen shots but it’s a bully built out page claiming to be a PAC let me know your thoughts and if we want to look into it.

Which is an absolutely clear-cut case of breaking the law. But Don Junior is such a moron that he didn’t even think twice about maybe not doing what someone suggested.

Mueller decided not to prosecute him for it though. Why? Well, we don’t know. Because the relevant part has been redacted by Attorney General Barr using the most unjustifiable version of his many redactions – that of “personal privacy.” Which, as they say these days, is “not a thing.”

[Image caption: Redacted so you don’t know it’s Donald Trump Jr]

Not important

Fortunately, no one is really arguing that Don Junior should be prosecuted for being dumb enough to actually log into someone else’s server using a password sent by an anonymous stranger. Given the unimportant nature of the website, it definitely fits into the misdemeanor side of the sentencing equation.


But by redacting the reasoning in the Mueller Report to avoid embarrassing the president and his son, law professors are arguing that we are losing a critical piece of guidance for future prosecution.

It is fair to assume that Mueller and his team carefully considered whether to prosecute what is an obvious breaking of the law and, due to the spotlight that was going to be put on any such decision, were very careful in explaining how they reached that decision.

In the absence of properly worded and defined law covering the unauthorized entry into other people’s computers and servers, having that kind of expert opinion would be extremely useful.

But as with everything around Trump and the Russia investigation, it seems the world is determined not to learn anything useful from it but instead use it as a weapon against whoever you happen to dislike today.

And for Trump supporters, you can also get annoyed about this decision because ill-defined prosecutorial discretion was also behind the decision by former head of the FBI James Comey not to prosecute Hillary Clinton over her use of a personal server to carry out official government business. Not so much “lock her up!” as “better define the statutes to provide greater clarity in future decisions!”

When/if the Mueller report does finally get unredacted, this part of the report may provide some useful guidance and hence case law to better define computer fraud. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/29/donald_trump_jr_cfaa/

Unknown, Unprotected Database Exposes Info on 80 Million US Households

A database with no login required has been found to contain names, addresses, age, and more for over 80 million U.S. households.

An unprotected database with information that could affect up to 65% of US households has been found by researchers Noam Rotem and Ran Locar, and this time the exposed data is focused on the physical, rather than the cyber, world.

The database, which the researchers believe belongs to a service of some sort, contains open information on full address, name, age, and date of birth. Coded information on topics like gender and income is also included. The one common factor in all the records? Everyone included in the database appears to be over the age of 40.

Researchers found the database during an internet-mapping project. Concern about the data’s availability includes the risk of more accurate spear-phishing campaigns and physical crimes, including theft, physical assault, and intimidation. As of this article, the database is still online because the researchers have not been able to identify the owner for notification.

For more, read here.


Article source: https://www.darkreading.com/vulnerabilities---threats/unknown-unprotected-database-exposes-info-on-80-million-us-households/d/d-id/1334559?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Types of Experiences Every Security Pro Should Have

As the saying goes, experience is the best teacher. It’ll also make you a better and more well-rounded security pro.

Image Source: Adobe Stock: lassedesignen


Whether it’s a military network, an e-commerce site, or a nonprofit group, organizations are constantly under attack — and they’re looking to their security teams to protect them.

So what types of skills and experiences do security pros need to develop to succeed? Being good at technology is a given — that’s why they went into the field in the first place. In talking to seven security pros, what came up time and again was that they need to be good listeners and develop communication and business skills.  

It’s time for security pros to ask themselves what’s really important to them and their organizations, says Paul Kurtz, co-founder and CEO of TruStar.

“It’s not always about adding new tools,” he says. “In fact, we went through a period after the Target and Anthem hacks and all the other major hacks where security pros were just overlaying tools on top of one another. A lot of those tools became shelfware.”

Of course, that doesn’t mean security pros should stop learning and building new skills. Yet another way to learn is through experiencing different situations on the job. Following are seven types of experiences that will make you a better and more well-rounded security pro, whether you’re a one-person operation or work in a large SOC.

[Hear Paul Kurtz, co-founder and CEO of TruStar, present Cybersecurity Crash Course, Day 2 at Interop 2019 next month]

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/7-types-of-experiences-every-security-pro-should-have/d/d-id/1334554?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Credit Card Compromise Up 212% as Hackers Eye Financial Sector

Financial services firms saw upticks in credential leaks and credit card compromise as cybercriminals go where the money is.

More than one-quarter of all malware attacks target the financial services sector, which has seen dramatic spikes in credential theft, compromised credit cards, and malicious mobile apps as cybercriminals seek new ways to generate illicit profits.

It’s hardly surprising to learn attackers want money; what researchers highlight in IntSights’ “Banking Financial Services Cyber Threat Landscape Report” is what they look for and how they obtain it. The first quarter of 2019 saw a 212% year-over-year spike in compromised credit cards, a 129% surge in credential leaks, and 102% growth in malicious financial mobile apps.

Banks and other financial services organizations were targeted in 25.7% of all malware attacks last year – more than any of the other 27 industries tracked. Researchers point to two key events that largely shaped the modern financial services threat landscape: the shutdown of cybercriminal forum Altenen and “Collections #1-5,” a major global data leak earlier this year.

In January 2019, roughly 2.2 billion usernames and passwords were leaked on the Dark Web in an incident dubbed “Collections #1-5,” named for the relatively bland file names of the archives containing the data. Researchers saw a major increase in leaked credentials during this time frame: credential leaks in the first quarter of 2019 were nearly double those of any of the previous four quarters.

There was also the shutdown of Altenen, a major hub for buying and selling credit card data that was taken down in May 2018 when Israeli authorities arrested its manager. Researchers estimate Altenen facilitated fraud for more than 20,000 credit cards and $31 million in money laundering. Since it was taken down, new sites – including Altenen.nz – emerged in its place, but experts say it’s unlikely any of the substitutes will grow to reach the scale of the original.

“That was a huge setback,” says Hadar Rosenberg, white hat hacker and IntSights threat intelligence research analyst, of the Altenen shutdown. “That was the biggest black market that was selling credit cards. It was the most well-known, and everybody was using it.” When asked whether Altenen.nz has the potential to replace Altenen, she says it “doesn’t seem so right now.”

Credential theft is a pervasive and dangerous threat in financial services, Accenture researchers note in a new report on industry threats. In 2018, more than 43,000 breaches across industries involved the use of customer credentials stolen from botnet-infected clients. Credential theft is a rapidly growing threat to enterprise networks, especially if cybercriminals gain access to the username and password of a privileged employee. With this level of access, they don’t need malware to achieve their goals.
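One defensive check the Collections #1-5 leak and the credential-theft figures above point to, added here as an example rather than anything from the IntSights or Accenture reports: test a user's chosen password against a breach corpus with a k-anonymity range query (the scheme the Have I Been Pwned Pwned Passwords API uses), so the password itself never leaves the host. Only the first five hex characters of the password's SHA-1 are sent; the server returns every hash suffix in that range with an occurrence count, and the match is made locally. The range response embedded below is constructed for the example (the count shown for "password" is made up, as are the filler suffixes), and fake_fetch_range stands in for the HTTPS call.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breach-corpus range APIs key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query_parts(password: str) -> Tuple[str, str]:
    """Split the digest into the 5-char prefix that is sent and the suffix kept local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan a 'SUFFIX:COUNT' per line range response for our suffix; 0 if absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix.upper():
            try:
                return int(count.strip())
            except ValueError:
                return 0
    return 0


# Constructed stand-in for the range endpoint: prefix -> response body (not real data).
# The suffix of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 is present
# with a made-up count; the other two suffixes are filler.
FAKE_RANGE_STORE: Dict[str, str] = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of SHA-1("password")
        "0D1BB07A0E0A6AFD5A6D3F4C1A1DE0F1D45:2",
        "2A8F34C1E0B8A9B2C3D4E5F60718293A4B5:17",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://<range-api>/range/<prefix>; empty body for unknown prefixes."""
    return FAKE_RANGE_STORE.get(prefix.upper(), "")


def password_exposure_count(password: str,
                            fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """How many times the password appears in the corpus; the full hash is never sent."""
    prefix, suffix = range_query_parts(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def acceptable_password(password: str,
                        fetch_range: Callable[[str], str] = fake_fetch_range) -> bool:
    """Policy at password set/reset time: reject anything present in the breach corpus."""
    return password_exposure_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {password_exposure_count(pw)} times,"
              f" acceptable={acceptable_password(pw)}")
```

Swapping fake_fetch_range for a real HTTPS client is the only change needed in production; the prefix-only query is what makes the check safe to run against a third-party service, and rejecting any non-zero count at enrollment is the cheapest mitigation against credential stuffing with leaked passwords.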

In addition to credential compromise, IntSights researchers saw 9,708 instances of exposed credit card data in the first quarter, marking a 212% increase year-over-year. The number of leaked credit cards continued to rise throughout 2018 and spiked in the first quarter of 2019, which Rosenberg says came as a surprise.

“You do expect that the industry would do more to mitigate this problem, but you still see where hackers are going,” she says. “It’s the easiest money for them.”

Cybercriminals primarily use compromised credit card numbers to make small purchases, a tactic that evades detection while generating nearly 10 times more “free money” than the card is worth on the Dark Web. Card issuers usually reimburse people affected by card fraud; as a result, cybercriminals see potentially big gains and little risk.
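The small-purchase pattern described above is also what makes the activity detectable on the merchant or issuer side. The following added example (not from the IntSights report; the log format, field names and thresholds are assumptions made for the example) runs a velocity rule over constructed authorization records: one source IP attempting low-value authorizations against many distinct card tokens inside a short window, approved or declined alike, is the signature of card testing, where stolen numbers are tried in bulk before being spent.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Constructed authorization log for the example (not real data); one attempt per line.
SAMPLE_AUTH_LOG = """\
2019-04-03T10:00:01Z ip=203.0.113.7 card=tok_4f1a amount=1.00 result=approved
2019-04-03T10:00:19Z ip=203.0.113.7 card=tok_9c2b amount=1.00 result=declined
2019-04-03T10:00:41Z ip=203.0.113.7 card=tok_77d0 amount=2.00 result=approved
2019-04-03T10:01:05Z ip=198.51.100.5 card=tok_b3e4 amount=89.99 result=approved
2019-04-03T10:01:30Z ip=203.0.113.7 card=tok_e5a9 amount=1.50 result=approved
2019-04-03T10:02:02Z ip=203.0.113.7 card=tok_0d8c amount=1.00 result=declined
2019-04-03T10:02:45Z ip=192.0.2.9 card=tok_5566 amount=3.00 result=approved
2019-04-03T10:03:10Z ip=203.0.113.7 card=tok_31fe amount=1.00 result=approved
2019-04-03T10:09:55Z ip=192.0.2.9 card=tok_5566 amount=2.50 result=approved
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    card: str      # tokenized card reference, never the PAN
    amount: float
    result: str    # "approved" or "declined"


def parse_auth_line(line: str) -> AuthEvent:
    """Parse one 'TIMESTAMP key=value ...' record into an AuthEvent."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        ip=kv["ip"],
        card=kv["card"],
        amount=float(kv["amount"]),
        result=kv["result"],
    )


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Parse all non-empty lines and order them by time, as a stream processor would see them."""
    events = [parse_auth_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e.ts)


def find_card_testing(events: Iterable[AuthEvent],
                      window: timedelta = timedelta(minutes=10),
                      min_distinct_cards: int = 5,
                      max_amount: float = 5.00) -> Dict[str, dict]:
    """Flag source IPs that try >= min_distinct_cards distinct cards at <= max_amount
    inside a sliding window. Declines count too: a fraudster probing a stolen batch
    produces them, a legitimate shopper rarely cycles through five cards."""
    recent: Dict[str, Deque[AuthEvent]] = defaultdict(deque)
    flagged: Dict[str, dict] = {}
    for ev in events:
        if ev.amount > max_amount:
            continue                      # only the low-value probes are of interest here
        q = recent[ev.ip]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:
            q.popleft()                   # expire attempts older than the window
        cards = {e.card for e in q}
        if len(cards) >= min_distinct_cards:
            summary = {
                "distinct_cards": len(cards),
                "attempts": len(q),
                "declines": sum(1 for e in q if e.result == "declined"),
                "last_seen": ev.ts,
            }
            prev = flagged.get(ev.ip)
            if prev is None or summary["distinct_cards"] > prev["distinct_cards"]:
                flagged[ev.ip] = summary
    return flagged


if __name__ == "__main__":
    for ip, summary in find_card_testing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"card testing suspected from {ip}: {summary}")
```

The thresholds are deliberately conservative; in a real deployment the same rule would key on device fingerprint or session as well as IP, since card testers rotate proxies, and a hit would feed a block on the source rather than a decline on individual cards, which is exactly what the tester wants to learn.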

IntSights also saw 102% growth in the frequency of malicious mobile applications since early 2018. According to the researchers, more than one in three consumers have been tricked by fake mobile apps, including fraudulent banking apps that mimic those of major institutions. Researchers anticipate the risk from these apps will grow as consumers become more comfortable with mobile banking.

Malicious apps aside, cybercriminals are targeting financial firms with a range of tactics, the most common of which are malware (banking Trojans Adload, Atrpas, and Emotet), ransomware, ATM malware and card skimmers, and vulnerabilities in SS7, the telephony signalling protocol, which attackers exploit to intercept the SMS one-time codes banks send to authorize transfers. The first publicly reported SS7 attack against a UK bank hit Metro Bank in February 2019 (interception of SMS codes sent to German bank customers had been reported in 2017). While rare now, Rosenberg anticipates we may see more SS7 exploitation as attackers become more familiar with it.



Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/credit-card-compromise-up-212--as-hackers-eye-financial-sector/d/d-id/1334562?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple