STE WILLIAMS

Chrome 71 stomps on abusive advertising

Google shipped version 71 of its Chrome browser earlier this week, alongside fixes for 43 security issues. The latest Chrome version also introduces several new security measures.

Perhaps the biggest new security feature in Chrome is its anti-abuse technology, which focuses on ads that deliberately mislead users. These sites use a range of techniques such as presenting buttons that purport to do one thing like playing video or closing a window, but which actually do another like opening advertising windows.

Such sites are also known to use fake chat messages, transparent areas that are clickable without the user’s knowledge, auto-redirects without user interaction, and ads that use fake moving mouse cursors to try and make users click on a certain area. Scammers and phishers sometimes use these techniques to steal personal information, the company said.

Google is stepping up the anti-abuse measures that it launched last year by identifying sites that persist in using these abusive techniques to serve ads, and blocking advertising from them altogether. Site owners will get a 30-day warning.

Another anti-abuse measure focuses on mobile subscription sites. These are websites that invite users to enter their phone number in return for some service. The fee then shows up as a subscription on their mobile phone bill. In many cases, these payment forms represent a legitimate way to pay. Some sites abuse the feature, though, by misleading users about how much they can expect to pay, or whether they will be charged at all.

Chrome 71 identifies these sites and then warns users with a full-page interstitial before they visit them.

Generally, sites can avoid getting this warning by following Google’s best practices for mobile billing. If their sites get hit with a warning screen, Google will do its best to let them know about it, using its Search Console service if the site is registered there. The owner can then make the necessary changes and appeal to have the warning removed.

Chrome 71 will also no longer allow websites to speak to users unless the user interacts with the loaded site first. This will stop sites abusing the speech API by trying to persuade unwitting users to do things. Google had already implemented restrictions on autoplaying for all its other Chrome APIs, but the capability remained as a bug, first reported in February. Chrome 71 will follow similar rules as part of its autoplay policy for web audio, mirroring those already introduced for other content in Chrome 66.

With version 71, Google is also removing the inline installation feature which allowed users to install browser extensions on sites other than the official Chrome web store. This makes it more difficult for bad actors to cajole users into installing malicious extensions.

Google had already begun restricting inline installation in Chrome, making it unavailable for all newly-published extensions from June onward and disabling it for existing extensions in September. This latest release strips out the code within Chrome that allowed inline installations altogether.

These security improvements are the latest of many introduced by Google this year which has also seen the company roll out new rules for extension developers and a native password generator.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CTVnwwU2MyQ/

Google’s private browsing doesn’t keep your searches anonymous

New research has found that it doesn’t matter what you do to burst out of Google’s search filter bubble: you can log out of Google, then enter private browsing mode, but those precautions won’t render your search anonymous. Google’s search engine will still tailor results to the personal information the company has on you, including search, browsing and purchase history.

Granted, the research comes from search competitor DuckDuckGo, which draws search results from third-party sites such as Bing, Yahoo and Yandex without tracking you. The research is still eye-opening, though, in spite of DuckDuckGo being a competitor.

In order to test whether a search engine is really profiling you or not, it helps to keep in mind that a search engine that doesn’t profile users should show all users who search at the same time the same search results for a given search term, without tweaking the results based on things like an individual’s previous search history.

Google has claimed to have taken steps to reduce the filter bubble problem – a problem that’s been implicated in influencing US presidential election outcomes both in 2016 and in the 2012 Romney-Obama bout. The thinking is that profiling search users and feeding them tailored search results essentially surrounds them with a walled garden of information they already agree with, thereby silencing new information or differing opinions.

But in spite of Google’s steps to pop the bubble, it’s still showing users nonidentical search results even when they’re in private browsing mode, signed out of Google services.

DuckDuckGo studied a group of individuals who entered identical search terms at the same time. What it found:

  1. Most participants saw results unique to them. These discrepancies could not be explained by changes in location, time, by being logged in to Google, or by Google testing algorithm changes to a small subset of users.
  2. On the first page of search results, Google included links for some participants that it did not include for others, even when logged out and in private browsing mode.
  3. Results within the news and videos infoboxes also varied significantly. Even though people searched at the same time, people were shown different sources, even after accounting for location.
  4. Private browsing mode and being logged out of Google offered very little filter bubble protection. These tactics simply do not provide the anonymity most people expect.

The methodology: DuckDuckGo asked volunteers in the US to search for the terms “gun control”, “immigration”, and “vaccinations” (in that order) at the same time on 24 June. First, they searched in private browsing mode, while logged out of Google. Then, they repeated the searches in normal, non-private mode. Then, DuckDuckGo restricted results analysis to top-level domains. For example, http://www.cdc.gov/features/vaccines-travel and http://www.cdc.gov/vaccines/adults would both be treated as just cdc.gov.

The results: some volunteers saw domains that nobody else did. The domains weren’t ordered consistently, either: in fact, the 19 domains returned for the “gun control” search were ordered in 31 different ways. Order of results is a significant factor, given the rapid fall-off of click-throughs corresponding to the order of links: link #1 gets ~40% of clicks, link #2 ~20%, link #3 ~10%, etc.
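The methodology and results above describe a small data-analysis pipeline: collapse each result URL to its site domain, then compare which domains each participant saw and in what order. The block below is an added example, not DuckDuckGo's published analysis code, and the participant result lists in it are constructed. It assumes that "top-level domain" normalisation means stripping a leading `www.` from the hostname, and it extends the article's click-through figures (40%, 20%, 10% for positions 1 to 3) with an assumed 2% for every later position so that a position-weighted exposure score can be computed per domain.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Click-through share by result position, from the figures quoted in the article
# (link #1 ~40%, #2 ~20%, #3 ~10%). Positions 4 and beyond get an ASSUMED 2% each.
CLICK_SHARE = {1: 0.40, 2: 0.20, 3: 0.10}
CLICK_SHARE_DEFAULT = 0.02

# Constructed sample: first-page results for one search term, per participant.
# These are made-up URLs, not DuckDuckGo's released data.
SAMPLE_RESULTS = {
    "participant-1": [
        "https://www.cdc.gov/features/vaccines-travel",
        "https://www.cdc.gov/vaccines/adults",          # same domain, collapses into one
        "https://www.who.int/health-topics/vaccines",
        "https://www.nih.gov/news/vaccine-research",
        "https://www.healthline.com/health/vaccinations",
    ],
    "participant-2": [
        "https://www.who.int/health-topics/vaccines",
        "https://www.cdc.gov/vaccines/adults",
        "https://www.nih.gov/news/vaccine-research",
        "https://www.healthline.com/health/vaccinations",
    ],
    "participant-3": [
        "https://www.cdc.gov/vaccines/adults",
        "https://www.who.int/health-topics/vaccines",
        "https://www.nih.gov/news/vaccine-research",
        "https://www.healthline.com/health/vaccinations",
    ],
    "participant-4": [
        "https://www.cdc.gov/vaccines/adults",
        "https://www.who.int/health-topics/vaccines",
        "https://www.nih.gov/news/vaccine-research",
        "http://www.example-blog.org/vaccines-opinion",  # seen by nobody else
    ],
}


def to_domain(url: str) -> str:
    """Reduce a result URL to its site domain (assumption: strip a leading 'www.')."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def normalize(urls):
    """Map a result list to an ordered list of distinct domains; the first hit keeps its rank."""
    seen, ordered = set(), []
    for url in urls:
        domain = to_domain(url)
        if domain and domain not in seen:
            seen.add(domain)
            ordered.append(domain)
    return ordered


def normalize_all(results_by_participant):
    return {p: normalize(urls) for p, urls in results_by_participant.items()}


def domains_seen(normalized):
    """Every domain any participant saw, sorted."""
    return sorted({d for lst in normalized.values() for d in lst})


def domains_unique_to_one(normalized):
    """Domains that appeared for exactly one participant."""
    counts = Counter(d for lst in normalized.values() for d in set(lst))
    return sorted(d for d, n in counts.items() if n == 1)


def distinct_orderings(normalized):
    """How many different orderings the participants received in total."""
    return len({tuple(lst) for lst in normalized.values()})


def exposure(normalized):
    """Position-weighted exposure per domain, summed over participants."""
    score = defaultdict(float)
    for lst in normalized.values():
        for rank, domain in enumerate(lst, start=1):
            score[domain] += CLICK_SHARE.get(rank, CLICK_SHARE_DEFAULT)
    return dict(score)


if __name__ == "__main__":
    norm = normalize_all(SAMPLE_RESULTS)
    print("domains:", domains_seen(norm))
    print("seen by one participant only:", domains_unique_to_one(norm))
    print("distinct orderings:", distinct_orderings(norm))
    for domain, s in sorted(exposure(norm).items(), key=lambda kv: -kv[1]):
        print(f"{domain:20s} exposure={s:.2f}")
```

Running it on the constructed sample reports one domain seen by a single participant and three distinct orderings among four people, which is the shape of the finding the article reports (19 domains in 31 orderings); the exposure score makes the ordering point concrete, since a domain shown first to most participants accumulates far more expected clicks than the same domain shown fourth.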

Given that the volunteers all searched at the same time, the variations aren’t attributable to people searching at different times and seeing different, time-shifting news results. Nor should the volunteers’ locations matter, given that DuckDuckGo changed all local links to be the same.

It didn’t matter whether volunteers were logged out of Google and in private browsing mode: the variations were about the same as in normal search mode.

It is, in fact, a misconception that “going incognito” provides anonymity, DuckDuckGo notes, given that websites use IP addresses and browser fingerprinting to identify people regardless of those steps. And as we’ve noted before, browsers temporarily store data from main memory in processor caches, in swap files tucked away in corners of the hard drive, and in OS-managed DNS caches. That is a lot to keep track of, and it means forensics tools can often find wisps of data if they know where to look.

If you want to dig down into the data further, DuckDuckGo has made it available in two parts: Basic non-identifiable participant data, and raw data from the search results.

The code that DuckDuckGo wrote to analyze the data is open source and available on its GitHub repository.

If you want to read up on more options for bursting the filter bubble, you might want to take a look at this write-up we did last year about a self-hosted search option called Searx: an engine that submits searches without cookies or identifying information, meaning that the engines – including Google – don’t know anything about who’s searching.

As Naked Security’s Danny Bradbury notes in that article, there are multiple alternatives to Google: besides DuckDuckGo or Searx, there’s also Startpage, which also serves as something of a proxy for Google, in addition to Disconnect, which offers private search as part of its broader privacy protection and tracker blocking service.

Readers, what are you searching with, and how do you like it? Let us know in the comments below.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vb5UMpE_FeE/

Patch now (if you can!): Latest Android update fixes clutch of RCE flaws

Android’s December security bulletin arrived this week with another sizable crop of vulnerabilities to add to the patching list for devices running version 7.0 Nougat to version 9.0 Pie, including Google Pixel users.

Overall, December sees a total of 53 separate flaws and 21 assigned CVE numbers. (Qualcomm components add another 32 CVEs in mainly closed-source components.)

If there’s a theme this month, it’s probably remote code execution (RCE), which accounts for five of the 11 critical flaws listed, plus one flaw marked high.

Four of these were discovered in the Media Framework with another two in the core system, which could, in Google’s words:

Enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

This means that an attacker exploiting the flaws could remotely take over a vulnerable Android device – for example by sending you a booby-trapped image or talking you into clicking on a this-is-not-the-video-you-wanted-to-watch link.

Fortunately, according to Google, none of the listed flaws is being exploited in the wild.

Vendor-specific updates

Some third-party vendors also issue additional patches through their own updating systems.

Samsung’s maintenance release, for example, bundles 40 Samsung Vulnerabilities and Exposures (SVE) patches, including some that overlap with Google’s system updates.

Meanwhile, the latest LG Vulnerabilities and Exposures (LVE) patches include three vulnerabilities rated high.

If you own a device from Nokia or Motorola, keep your eye on those companies’ websites for patch information as and when it becomes available.

When will devices get the updates?

If you own one of Google’s Pixel or Pixel XL smartphones, updates should be offered within days, with any specific fixes mentioned on the dedicated update page for those devices.

Beyond that, assuming you’re running a supported version of Android (effectively version 7.0 or later), it will depend on the device maker, model and possibly the network.

As we explained last month, Android updates are now denoted by one of two patch levels.

The latest update will appear as either ‘1 December 2018’ or ‘5 December 2018’ in Settings → About phone → Android security patch level.

If you see the first of the month, that means you have the Android updates up to that month but the vendor updates only up to the previous month (i.e. November).

However, if you’re lucky enough to see the fifth day of the month, that means you have updates from both Google and the device maker.

The chances are, unless you’re a Pixel owner, the date you’ll see for Android Patch Level here will be for August, September or October. December’s update may not be offered on your device until January or February 2019.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n1PO7zhz8Og/

Brits’ DNA data sent to military base after ‘foreign’ hack attacks – report

An ambitious project to map the DNA of a million Brits has experienced such sustained hack attacks that officials have had to shift the data to a Ministry of Defence (MoD) facility in Wiltshire.

Genomics England was probably hoping for a day of cheery PR after telling the world it had completed the “100,000 Genomes Project” started in 2013.

The project, a partnership with the UK’s National Health Service, included the genomes of 85,000 individuals, with tumour DNA from cancer patients bringing the total number of mapped genomes to 100,000.


It was not to be, with The Telegraph quoting officials from the project saying they have had to fight off “multiple” foreign attacks on machines holding the data.

Hence, instead of holding the data itself, Genomics England said it was storing patients’ genetic data on servers at a Ministry of Defence facility in Corsham, Wiltshire, that is “home to the Joint Forces Command’s Information Systems and Services unit”.

As well as shifting the genomic data away from its own data centres, it’s worth noting that Genomics England claims the data it offers researchers is anonymous: “Our research data is de-identified for each and every participant. Their name, date of birth and all other personal details are stripped away.”

However, the data collected and retained internally is extensive: as well as health data relating to participants’ medical conditions, “we also collect as much other general medical data as possible from a participant’s medical records, over the whole of their life”, because genomics is relatively young and “we don’t yet know what is important”.

Genomics England chair Sir John Chisholm told the paper the organisation regularly tests its systems to ensure that attacks don’t succeed. The group’s chief scientist added that it pays an outside company – which it did not identify – to conduct pentests, and so far that company hasn’t managed to get into its systems. “None of the well-known viral attacks have succeeded in causing any dysfunction in Genomics England,” said Chisholm. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/06/foreign_hackers_trying_to_steal_brits_dna/

More data joy: Email scammers are buying marks’ info from legit biz intelligence firms

Black Hat – A Nigerian email scammer gang has evolved to the point where it has corporate-style specialist departments and uses commercial business intelligence data brokers to help plan its attacks.

According to infosec research biz Agari, a group of business email compromise (BEC) scammers it nicknamed “London Blue” has become so well organised that it has an entire division devoted to merging illicitly acquired information with data bought from legitimate business intelligence companies.

Agari’s senior director of threat research, Crane Hassold, told a session at today’s Black Hat conference in London: “There’s a group of individuals whose job is to organise leads. There’s a group of individuals whose job it is to send out the BEC campaigns. And there’s a group whose job it is to receive the money, the malicious transactions, and pass this back up to the primary actors.”

The gang – so nicknamed because one of its principals was said to live in London, having given his identity away by tagging himself at various locations in Instagram – makes active use of “actual business intelligence”, according to Hassold.

“What we’re able to find is that this group is using legitimate sales leads services to identify potential targets in their campaigns. They’re using services that businesses all round the world use from a legit sales perspective to ID companies they might wanna offer their services to,” said Hassold.

The gang has five distinct departments in its structure that the infosec bods identified: lead generation; open source recon; testing (whether their phishing emails would send or not); BEC attack; and mule bank accounts.

“One of the things that they use … [is] a master database of nearly 50,000 targets that they’ve collected,” he continued. “It consists of financial executives and the like as a way to identify potential targets down the line.”

Many of those potential marks, he said, were people such as CFOs, financial controllers, directors, senior managers and company accountants from businesses spanning the US, the UK, Spain and more.

Once London Blue’s business intelligence wing has secured enough data, the active end of the gang starts sending carefully targeted phishing emails appearing to come from their marks’ superiors; perhaps the “CEO” sends an email to a financial controller with instructions to transfer money to a particular account and mark the transfer as coming from the expenses budget.

Even the people receiving the money are part of their own distinct division, said Hassold, who told the audience that “some could be unwitting” players in the gang’s scheme, their bank account credentials having been bought or rented from other criminals. However, Agari identified at least three with “historical criminal records”, raising the possibility that these ex-cons had turned back to a life of crime after failing to go straight.

Hassold said the researchers had also “identified emails being sent to potential mules”, which were worded to “make it seem like something legitimate is going on” and offering them inducements (“$500 to $1,000 a month, which for some people is a great sum of money”) to allow their bank accounts to be used by the gang. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/06/email_scammers_use_business_intelligence_services/

It’s December 2018, and a rogue application can still tell your Apple Mac: I’m your El Capitan now

Apple has released a fresh set of security updates for its Mac and iOS software.

The December patches also address flaws in tvOS, Safari, and the Windows versions of iTunes and iCloud. They should all be installed as soon as possible, via the usual Software Update mechanism.

Baker’s dozen fixes for Mac owners, plus nine in Safari

For Macs, the updates will be delivered as Mojave 10.14.2, High Sierra security update 2018-003, or Sierra security update 2018-006, depending on the version of macOS installed.

Each addresses a total of 13 CVE-listed flaws, including seven that would allow a dodgy application, rogue user, or malware on your system to escalate their privileges and gain control over the Mac. Those holes include two flaws in WindowServer (CVE-2018-4449, CVE-2018-4450), three in Kernel (CVE-2018-4444, CVE-2018-4461, CVE-2018-4435), one in Carbon Core (CVE-2018-4463), one in Disk Images (CVE-2018-4465), and one in IOHIDFamily (CVE-2018-4427).

The update also patches kernel memory disclosure by the Intel Graphics Driver (CVE-2018-4434), and Kernel (CVE-2018-4431), as well as another privilege elevation bug, this time in Airport (CVE-2018-4303), a memory disclosure flaw in the AMD driver (CVE-2018-4462), and a denial-of-service bug in Kernel (CVE-2018-4460).

Mac users will also want to get the Safari 12.0.2 patch to shore up nine vulnerabilities in the browser and its WebKit engine. All six of the WebKit bugs (CVE-2018-4437, CVE-2018-4464, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4438) can allow arbitrary remote code execution via a malicious web page, while the Safari flaws allow interface (CVE-2018-4439) or address bar (CVE-2018-4440) spoofing and sites not clearing from web history (CVE-2018-4445).

FaceTime, File Provider leaks plugged in iOS, tvOS tuned up

For iPhone and iPad owners, the December fixes will arrive as the iOS 12.1.1 release. The bundle includes all of the above-mentioned Safari and WebKit patches, as well as the Airport, Disk Images, and Kernel fixes.

Flaws unique to iOS are a FaceTime bug (CVE-2018-4430) that leaks contact details, a File Provider bug (CVE-2018-4446) that can show application details, an interface spoofing flaw (CVE-2018-4429) in LinkPresentation, and a Profiles bug (CVE-2018-4436) that shows untrusted configuration profiles as being verified.

For AppleTV, the tvOS 12.1.1 release is being served up. It includes the Airport, Disk Images, Kernel, Profiles, and WebKit bug fixes. Basically, all of the bugs in components tvOS borrows from macOS and iOS.

Windows users, think of this as a warm up for next week

Those running Apple software on their Windows PCs will want to get the iTunes 12.9.2 and iCloud for Windows 7.9 updates. Because those apps rely on components of WebKit and Safari, the patches for Apple’s browser will need to be installed on the Windows apps as well. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/06/apple_macos_ios_security_updates/

Pencil manufacturers rejoice: Oz government doesn’t like e-voting

An Australian parliamentary committee has nixed the idea of internet voting for federal elections Down Under, for now.

The Joint Standing Committee on Electoral Matters has delivered its report into the 2013 federal election, and in it, the body decided that there are plenty of ways technology can help elections – but ditching the country’s pencil-and-paper ballots isn’t one of them.

The committee said technology “is not sufficiently mature for an election to be conducted through a full scale electronic voting process.”

“Despite public enthusiasm for electronic voting, there are a number of serious problems with regard to electronic voting – particularly in relation to cost, security and verification of results”, the committee reported.

The committee noted that technology is getting more sophisticated – but at the same time, attackers’ ability to interfere with the technology is also advancing. That, the committee stated, puts at risk the integrity of both the electoral process, and the outcomes of elections.

More mundane technologies were strongly endorsed in the report.

In spite of the shambolic introduction of automated counting in the Australian Senate, the committee endorsed ballot scanning for that house. However, it should be delayed for House of Representatives elections: “It would be beneficial if the Senate scanning system was further developed before adopting the system for the House”, the report noted.

The committee supports a pilot of scanned counts for the House of Representatives for the 2019 election (due before May).

The other technology the committee endorsed is moving from paper voter lists to electronic versions.

This, the report said, would help with “absentee votes” (also known as declaration votes). If a voter is away from home on ballot day, they can still vote at any polling place, but the process is manual, cumbersome, and error prone.

The committee says electronic certified lists should be funded and rolled out before the 2019 election.

Russia doesn’t love us

The report also looked in detail at the possibility that like the Brexit campaign in the UK and the election of Donald Trump to the White House, Australia’s elections may have been targeted by disinformation campaigns.


Bots are singled out for some attention, with the report expressing the optimistic view that they can be regulated: “It appears that laws need to evolve to bring transparency and regulation to their use.”

However, unlike overseas, the committee reckoned Russian trolls aren’t much interested in Australia: “Domestic and commercial communications” are more important, adding: “Further consideration of spam laws, privacy laws, advertising laws, and regulatory guidelines is warranted.”

A recommendation by the government majority on the committee that Australia implement voter ID laws was rejected in dissenting reports by the Labor opposition and the Greens.

Labor committee members noted that the recommendation appears in a report that didn’t contain any irregularities identified in the 2016 election. The Greens added that voter ID laws would disenfranchise groups such as the homeless, indigenous voters, and those escaping domestic violence. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/06/evoting_off_australias_agenda/

Filling the Cybersecurity Jobs Gap – Now and in the Future

Employers must start broadening their search for experienced security professionals to include people with the right traits rather than the right skills.

At the beginning of the year, the World Economic Forum (WEF) released its annual Global Risks Report, in which the organization outlined the greatest risks to businesses around the world in 2018. Unsurprisingly, cyberattacks and data breaches both ranked in the top five.

The report is simultaneously doubtful that its findings will have any effect on the current cybersecurity skills gap, which is estimated to result in 3.5 million unfulfilled cybersecurity jobs by 2021. The bottom line is that cyberattacks continue to increase in scope and frequency, and we simply don’t have the manpower to address them.

This is a critical moment, and now is the time for us to act. Enlisting the next generation of skilled cyber professionals, as well as training existing employees, will help us build stronger defenses and restore confidence among Americans worried about their — and our nation’s — cyber safety.

The Issue at Hand
If demand for cybersecurity talent continues to increase, then we must strengthen our commitment to educating and training society in this domain as early as possible.

Luckily, today’s young adults are increasingly aware of and interested in cybersecurity jobs. At the same time, there’s been an increase in the number of cybersecurity-related courses and degrees offered at universities. In fact, some universities are collaborating with the private sector to build a new curriculum that more directly meets workforce need.

The bad news is that on-the-job training is scarce, mostly as a result of limited budgets and unclear roles and responsibilities. If organizations continue to fail at providing both non-cyber and cyber employees more formal training, businesses as well as policy and technology leaders agree that there will be serious implications for the world’s security, safety, and economic stability.

How We Move Forward
Many employers falsely believe that those interested in a career in cybersecurity must first have a penchant for technology. The truth is, as Marc van Zadelhoff, general manager of IBM Security, pointed out in the Harvard Business Review, “unbridled curiosity, passion for problem solving, strong ethics, and an understanding of risks” are all qualities that would make anyone well suited for a career in cybersecurity. Employers must start broadening their search to include people with the right traits, rather than the right skills, in order to start closing the workforce gap.

This is particularly important for attracting midcareer professionals looking to make a career change. Many of these people exist but don’t have the time or money to return to school for another degree. While their previous career path or degree may at first seem irrelevant, they are likely to bring new experiences and perspectives that would make them an ideal candidate.

Filling 3.5 million jobs by 2021, however, will require more than hiring midcareer professionals. Everyone today, regardless of the industry or position they work in, has a digital presence and must have an understanding of how to protect themselves, as well as their employers, online. To successfully grow cyber talent across industries, we must not focus solely on those who have specific cybersecurity skills. Rather, it should be the goal of every organization to arm those working in finance, communications, product, or even HR with cybersecurity knowledge. Cybersecurity is simply too complex for there to be only one individual appointed as the expert.

Enhancing cybersecurity awareness in the workplace starts with education, beginning in elementary school and continuing all the way through college. Both parents and teachers need to encourage young children to take part in cyber challenges or enroll in programs like GenCyber, which aims to help kids understand safe online behavior, and Think Like a Programmer, Girl Scouts of the USA’s new computer science curriculum.

The consequences of the cybersecurity talent gap have never been more serious; we must have a strong, informed, and ready pool of young adults capable of taking the lead for decades to come. To get there, we must encourage even more awareness and interest, enrichment activities, and career exploration incentive programs. If we do so, the improvement in closing the skills gap we’re already seeing will increase tenfold.


John DeSimone, VP, Cybersecurity Special Missions, Raytheon
John DeSimone is vice president of cybersecurity and special missions for Raytheon Intelligence, Information and Services (IIS). He is an experienced cybersecurity and technology executive working within corporate …

Article source: https://www.darkreading.com/careers-and-people/filling-the-cybersecurity-jobs-gap---now-and-in-the-future/a/d-id/1333368?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘London Blue’ BEC Cybercrime Gang Unmasked

Security firm turned the tables on attackers targeting its chief financial officer in an email-borne financial scam.

BLACK HAT EUROPE 2018 – London – Call it karma or just poor OpSec, but a prolific global cybercrime organization recently blew its cover after inadvertently targeting executives at a security firm.

The infamous Nigerian/UK group behind a rash of business email compromise (BEC) scams found itself on the other side of its own social-engineering scam when it posed as Agari CEO Ravi Khatod in an Aug. 7 email sent to Raymond Lim, chief financial officer at Agari, an email security company.

Agari today disclosed details of both its unmasking of the group – which it has dubbed “London Blue” – as well as its inner workings. Security researchers at Agari flipped the equation on the attackers in an email exchange by posing as Lim’s assistant and drawing out enough details to drill down into the particulars of the group as well as the physical location of its operators in London.

“Our email filter caught [the BEC email],” says Crane Hassold, senior director of threat research at Agari and a former FBI investigator. Hassold’s team was ultimately able to extract the information, coupled with its own intel-gathering, to identify the two top execs of the gang, who live in and operate out of London.

The most striking finding, Hassold says, was that the operation used at least two legitimate lead-generation services that gave them more filtered intel for targeting C-level execs around the world, rather than having to cast a wide-net phishing campaign.

The lead-generation tools let them filter possible victims by role, location, and company size, for example, he says. The group purchased subscriptions to the tools, he says, which saved them time and labor. Among one list of 306 target victims that London Blue acquired in November 2017 was Agari CFO Lim, as well as California-based CFOs from a top private university, an enterprise data storage vendor, a well-known guitar manufacturer, casinos, hotels, and some small and midsize businesses.

Overall, the group has targeted some 50,000 CFOs worldwide across 82 countries, but mostly in the US, Agari found.

Like many of today’s BEC emails, the attackers didn’t bother to spoof the real email domain of the target; instead, they merely displayed the name “Ravi Khatod” in the email header. And there’s no malware required with BEC: It’s mainly a social engineering exploit.
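Because the lure relied on a familiar display name rather than a spoofed domain, the signal a mail filter can act on is the mismatch between the name in the From header and the address behind it. The block below is an added example of that check, not Agari's filter or its configuration: it parses a raw message, compares the display name against a constructed directory of protected executives, flags a Reply-To that points somewhere other than the sender's domain, and looks for the payment-urgency wording seen in the quoted lure. The organisation domain, the executive mailboxes, and both sample messages are constructed for the example.

```python
import unicodedata
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed settings for the defended organisation (not Agari's configuration).
ORG_DOMAIN = "example.com"
# Executives whose display names are worth protecting, keyed to their real mailbox (constructed).
PROTECTED_EXECS = {
    "Ravi Khatod": "ravi.khatod@example.com",
    "Raymond Lim": "raymond.lim@example.com",
}
# Wording typical of a first-contact BEC lure, drawn from the message quoted in the article.
URGENCY_PHRASES = ("transfer today", "process now", "wire", "urgent", "before cut-off")

# Constructed sample messages: one modelled on the lure quoted in the article, one benign.
BEC_SAMPLE = """From: Ravi Khatod <ceo.office@webmail.example.net>
To: Raymond Lim <raymond.lim@example.com>
Subject: Transfer
Content-Type: text/plain; charset=utf-8

Ray, we need to make a transfer today. Let me know if you can process now and I will send info. Thanks Ravi Khatod.
"""

LEGIT_SAMPLE = """From: Ravi Khatod <ravi.khatod@example.com>
To: Raymond Lim <raymond.lim@example.com>
Subject: Board deck
Content-Type: text/plain; charset=utf-8

Ray, the updated board deck is in the shared folder. Thanks, Ravi
"""


def normalize_name(name: str) -> str:
    """Case-fold, strip accents and collapse whitespace so look-alike spellings still match."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(plain.casefold().split())


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw: str) -> dict:
    """Return a verdict and the reasons behind it for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    reasons = []

    # Display-name impersonation: a protected name on a mailbox that is not the executive's.
    protected = {normalize_name(n): a.lower() for n, a in PROTECTED_EXECS.items()}
    key = normalize_name(display)
    if key in protected:
        if sender_domain != ORG_DOMAIN:
            reasons.append(
                f"display name '{display}' matches a protected executive but sender domain is '{sender_domain}'"
            )
        elif sender.lower() != protected[key]:
            reasons.append(f"display name '{display}' used by unexpected internal mailbox '{sender}'")

    # Replies being steered to a different domain than the one the mail claims to come from.
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To domain '{domain_of(reply_to)}' differs from sender domain '{sender_domain}'")

    # Payment-urgency wording in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("payment-urgency wording: " + ", ".join(hits))

    return {"verdict": "suspicious" if reasons else "clean", "reasons": reasons}


if __name__ == "__main__":
    for label, sample in (("BEC lure", BEC_SAMPLE), ("benign", LEGIT_SAMPLE)):
        result = assess_message(sample)
        print(f"{label}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

The name check is deliberately the first and strongest signal: the constructed lure trips it because the external mailbox carries an executive's name, and the urgency phrases only add weight. In practice the directory would be fed from the HR system or the mail platform's address book rather than a hard-coded dictionary, and a flagged message would be quarantined or tagged for the recipient rather than silently dropped.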

Their initial email read:

Ray, we need to make a transfer today. Let me know if you can process now and I will send info. Thanks Ravi Khatod.

That’s when the cat-and-mouse operation began. Agari researchers, posing as Lim’s assistant Alicia, responded:

Ravi, Raymond is out this week and I will help you with the transfer. Would you please provide me with the transfer details? Also just a reminder, as you may know, all payments go out on Wednesday, which is tomorrow. So if you need to make another transfer or payment, please inform me so that I could take care of them together before tomorrow’s cut-off passes. Best Regards, Alicia

The email exchange went from there, with Agari gathering more money-mule account information.
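As an added illustration, not part of the Dark Reading article or of Agari’s own filtering, the following Python script shows the two header checks a mail filter would apply to the display-name impersonation described above: a From display name that matches an executive while the address sits outside the organization’s domains, and a Reply-To that leaves the organization while From looks internal. The executive roster, the corp.example domain and the three sample messages are constructed for this demo.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical roster: the people a BEC actor would impersonate, spelled as the
# corporate directory spells them, and the domains the organization really sends
# from. The names come from the article; corp.example is made up for this demo.
EXECUTIVES = {"Ravi Khatod", "Raymond Lim"}
ORG_DOMAINS = {"corp.example"}


def name_key(display_name: str) -> frozenset:
    """Normalize a display name so 'Khatod, Ravi', 'RAVI KHATOD' and 'Ravi Khatod' compare equal."""
    return frozenset(re.findall(r"[a-z]+", display_name.lower()))


EXEC_BY_KEY = {name_key(n): n for n in EXECUTIVES}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # Display-name impersonation: the friendly name is an executive, but the actual
    # address is not on an organization domain. No domain spoofing is involved, so
    # SPF/DKIM/DMARC on the organization's own domain do not catch this.
    impersonated = EXEC_BY_KEY.get(name_key(display))
    if impersonated and from_domain not in ORG_DOMAINS:
        findings.append(f"display-name impersonation of {impersonated}: sender is {addr}")

    # Off-domain Reply-To on an internal-looking From: replies (and wire details)
    # are routed to an address the organization does not control.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and from_domain in ORG_DOMAINS and domain_of(reply_addr) not in ORG_DOMAINS:
            findings.append(f"Reply-To {reply_addr} is off-domain while From is {addr}")
    return findings


# Constructed sample messages (headers are invented; the first body is the lure quoted in the article).
SAMPLE_BEC = """From: "Ravi Khatod" <ravi.khatod@mail-outlook.example>
To: ray.lim@corp.example
Subject: transfer

Ray, we need to make a transfer today. Let me know if you can process now and I will send info. Thanks Ravi Khatod.
"""

SAMPLE_LEGIT = """From: Ravi Khatod <ravi.khatod@corp.example>
To: ray.lim@corp.example
Subject: Board deck

Ray, attached is the deck for Thursday.
"""

SAMPLE_REPLY_TO = """From: Raymond Lim <ray.lim@corp.example>
Reply-To: raymond.lim.cfo@webmail-accounts.example
To: ap@corp.example
Subject: urgent wire

Please process the attached wire before the Wednesday cut-off.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT), ("reply-to", SAMPLE_REPLY_TO)):
        print(label, check_message(sample) or "clean")
```

Because the check keys on the normalized display name rather than on the address, it also fires on lookalike mailbox providers and on freshly registered domains that authenticate perfectly; in production the roster would come from the directory and the findings would feed a quarantine or banner policy rather than a hard block.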

Hassold says the group’s makeup of 20 to 25 individuals includes some 17 money mules spread around the US and Western Europe, and likely some members in Nigeria. At least three of the money mules have criminal records (including two sex offenders).

One transaction spotted by Agari was a $20,000 cashier’s check obtained by a money mule from a large US bank. While the transaction initially triggered a potential fraud alert at a local branch, the money mule social-engineered the bank’s fraud prevention group into approving it.

BEC as a Business
London Blue’s operation includes the lead generation, lead assignments/sales, the BEC emails and social engineering, and then the movement of the pilfered funds. “This is organized like a business,” Hassold says. “These cybercrime gangs are not just loosely affiliated low-level scammers.”

BEC is becoming one of the most common, and most lucrative, forms of cybercrime. According to the FBI’s Internet Crime Complaint Center, reported BEC losses total some $12 billion. Agari says a BEC campaign typically nets four victims out of every 100 emails sent, and the average payment requested is $35,000.

Agari has been working with law enforcement in the UK and US to identify the actors in London Blue, including the two top execs, who have not yet been apprehended. “If they get arrested, that will take this group down,” Hassold says.

London Blue is an “average”-sized BEC group, he says, among the 10 or more different Nigerian BEC groups Agari is tracking.

How did Agari convince the attackers they were falling for the scam? “They may have had a red flag during our interactions, but their financial motivation was so strong that it overrides [their hesitation],” he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/privacy/london-blue-bec-cybercrime-gang-unmasked/d/d-id/1333391?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Adobe Flash zero-day exploit… leveraging ActiveX… embedded in Office Doc… BINGO!

Stop us if you’ve heard this one before: An Adobe Flash zero-day vulnerability is being actively targeted in the wild to hijack victims’ Windows PCs.

Researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 uncovered a phishing campaign that exploits CVE-2018-15982, prompting Adobe to today release an out-of-band emergency update to patch up the flaw.

In its current form, the attack bundles exploit code for the Flash zero-day (a use-after-free bug) with an ActiveX object embedded in an Office document. The attacker delivers the document via a spear-phishing email. ATR noted that some of the samples appear to mimic documents from a Russian medical clinic, though others were not specifically targeted at any one company or group.

When the target opens the poisoned document, the embedded ActiveX object loads Flash Player, which runs the attack code. That code exploits CVE-2018-15982 and then tries to download the real payload: a remote-control tool that collects system information and relays it to a command-and-control server.
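As an added triage example, not code from the article, Gigamon ATR or Adobe, the following Python script checks an OOXML container (.docx, .xlsx, .pptx) for embedded ActiveX control parts and, specifically, for the CLSID of Adobe’s Flash Player ActiveX control, which is the hook the attack chain above relies on. It assumes the document is OOXML; a legacy binary .doc (OLE2 compound file) would need an OLE parser such as oletools instead. The sample package it builds is constructed for the demo and carries no exploit.

```python
import io
import re
import zipfile

# CLSID registered by Adobe Flash Player's ActiveX control (ShockwaveFlash.ShockwaveFlash).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

# Word, Excel and PowerPoint store ActiveX control definitions in parts such as
# word/activeX/activeX1.xml; the <ax:ocx> root carries the control's classid.
ACTIVEX_PART = re.compile(r"^(word|xl|ppt)/activeX/activeX\d+\.xml$", re.IGNORECASE)
CLSID_ATTR = re.compile(r'classid="\{([0-9A-Fa-f-]{36})\}"')


def scan_ooxml(data: bytes) -> dict:
    """Inspect an OOXML package for embedded ActiveX controls.

    Returns {'activex_parts': [...], 'clsids': {...}, 'flash': bool}; 'flash' is True
    when the Flash Player control CLSID appears anywhere in the package.
    """
    report = {"activex_parts": [], "clsids": set(), "flash": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if ACTIVEX_PART.match(name):
                report["activex_parts"].append(name)
                for m in CLSID_ATTR.finditer(blob.decode("utf-8", errors="replace")):
                    report["clsids"].add(m.group(1).upper())
            # The CLSID can also sit in an activeX*.bin persistence blob or in a
            # relationships part, so sweep every entry byte-wise, case-insensitively.
            if FLASH_CLSID.encode() in blob.upper():
                report["flash"] = True
    return report


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed, minimal .docx-like package for the demo; it contains no exploit code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                f'ax:classid="{{{FLASH_CLSID}}}" ax:persistence="persistStreamInit"/>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for flagged in (False, True):
        print("with_flash=%s ->" % flagged, scan_ooxml(build_sample_docx(flagged)))
```

Any ActiveX part in a document arriving by email deserves a second look regardless of CLSID, since few legitimate business documents carry one; the Flash CLSID match simply turns “unusual” into “block and investigate.”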


ATR noted that the attack pattern bears a striking resemblance to exploits built by Hacking Team, the notorious Italian mercenary crew that sells its surveillance tools to government agencies.

The researchers are hesitant, however, to declare this the definite work of Hacking Team, as opposed to a lookalike operation that mimics its techniques.

“While attribution is going to be difficult in this scenario given the evidence we had within the timeframe of analysis, it is really not needed for detection purposes,” ATR said.

“At best, it could aid the victim’s organization in determining intent and guiding response actions, but in reality, whether it is Hacking Team, an impersonator, or completely unrelated, the fact remains a valid zero-day might have been used to perform targeted exploitation against a victim.”

In the meantime, Adobe has issued a patch to address both CVE-2018-15982 and CVE-2018-15983, a separate DLL hijacking privilege escalation flaw reported by Souhardya Sardar of Central Model School Barrackpore.

Users and admins are advised to test and install the patches as soon as possible – or just dump the damn thing already. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/12/05/flash_zeroday_adobe/