STE WILLIAMS

DoJ Indicts 9 Iranians for Hacking into Hundreds of Universities, FERC, Dept. of Labor, Others

Suspects were operating on behalf of Iranian government and the Iranian Revolutionary Guard, US officials said.

The US Department of Justice today announced indictments of nine Iranian nationals for stealing more than 31 terabytes of data from over 140 universities, 30 companies, and five government agencies in the US as well as from victims in 21 other countries in one of the largest nation-state sponsored cyberattack campaigns ever prosecuted by the agency.

The alleged hackers worked on behalf of the Iranian government’s Islamic Revolutionary Guard, under the guise of an Iranian company called the Mabna Institute, where they were leaders, contractors, associates or hired hackers for Mabna, which first launched the attacks in 2013. In addition to the 176 universities worldwide hit by the attackers, other victims included the US Department of Labor, the Federal Energy Regulatory Commission (FERC), the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund. 

Some 8,000 professors’ accounts were hacked, and their stolen credentials and email passed to the IRGC as well as later sold in Iran via Megapaper.ir and Gigapaper.ir, websites where customers could access the online library systems of the hacked universities. 

The alleged hackers named in the indictment are Gholamreza Rafatnejad, Ehsan Mohammadi, Abdollah Karima aka Vahid Karima, Mostafa Sadeghi, Seyed Ali Mirkarimi, Mohammed Reza Sabahi, Roozbeh Sabahi, Abuzar Gohari Moqadam, and Sajjad Tahmasebi. They were each charged with multiple counts of conspiracy and unauthorized access to a computer, as well as aggravated identity theft. But prosecution depends on actual arrest or extradition to the US. The US does not have an extradition agreement with Iran.

“The numbers alone in this case are staggering, over 300 universities and 47 private sector companies both here in the United States and abroad were targeted to gain unauthorized access to online accounts and steal data. An estimated 30 terabytes was removed from universities’ accounts since this attack began, which is roughly the equivalent of 8 billion double-sided pages of text,” said FBI Assistant Director William F. Sweeney Jr. “It is hard to quantify the value on the research and information that was taken from victims but it is estimated to be in the billions of dollars. The nine Iranians indicted today now find themselves wanted by the FBI and our partner law enforcement agencies around the globe – and like other cyber criminals they will soon learn their ability to freely move was just limited to the virtual world only.”

According to the indictment, the Mabna Institute was under contract with the Iranian government as well as private entities for the operation, which began with a spear phishing campaign against more than 100,000 professors worldwide. They were able to infiltrate email accounts of some 8,000 of them, mostly in the US, but also in Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the UK.

The hackers stole intellectual property from the universities, including academic journals, theses, dissertations, and electronic books.

Other US victims included three academic publishers, two media and entertainment companies, one law firm, 11 technology companies, five consulting firms, four marketing firms, two banking and/or investment firms, two online car sales companies, a healthcare company, an employee benefits company, an industrial machinery company, a biotechnology company, a food and beverage company, and a stock images company.

Those private sector victims were targeted via “password-spraying” methods that the hackers used to pilfer their credentials.  
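The article names password spraying without showing what it looks like in telemetry. The following detection sketch is an added example, not part of the indictment or the Dark Reading article; the log format, source addresses, account names and the thresholds (five distinct accounts within ten minutes) are all constructed for illustration. The point it makes is that a spray is counted per distinct username from one source, which is the opposite shape from a brute-force against a single account.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the article or the DoJ indictment. The log format,
thresholds and account names below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<iso-time> <source-ip> <username> <result>"
SAMPLE_LOG = """\
2018-03-23T09:00:01 203.0.113.7 alice FAIL
2018-03-23T09:00:02 203.0.113.7 bob FAIL
2018-03-23T09:00:03 203.0.113.7 carol FAIL
2018-03-23T09:00:04 203.0.113.7 dave FAIL
2018-03-23T09:00:05 203.0.113.7 erin FAIL
2018-03-23T09:00:06 203.0.113.7 frank SUCCESS
2018-03-23T09:05:00 198.51.100.9 alice FAIL
2018-03-23T09:05:30 198.51.100.9 alice FAIL
2018-03-23T09:06:00 198.51.100.9 alice SUCCESS
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted distinct usernames} for every source that
    failed against at least `min_users` distinct accounts inside `window`.

    A brute force against one account is many failures for one user; a spray
    is few failures per user but many users from one source, so the count
    here is over distinct usernames rather than over attempts.
    """
    events = defaultdict(list)  # ip -> [(time, user)] for failed logons only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            events[ip].append((ts, user))

    hits = {}
    for ip, fails in events.items():
        fails.sort()
        start = 0
        # sliding window over the time-ordered failures from this source
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

In the constructed sample only 203.0.113.7 is flagged; the two failures from 198.51.100.9 are a single user mistyping a password. The success for `frank` immediately after the flagged run is the account a responder would check first, since a spray that finds a working password stops looking.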

DoJ Deputy Attorney General Rod Rosenstein said in a statement: “The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America’s ideas by infiltrating our computer systems and stealing intellectual property. This case is important because it will disrupt the defendants’ hacking operations and deter similar crimes.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/doj-indicts-9-iranians-for-hacking-into-hundreds-of-universities-ferc-dept-of-labor-others/d/d-id/1331358?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Winners and Losers in Password ‘Bracketology’

A recent study shows that there’s a clear winner in the ‘most used sports mascot’ password competition.

Everyone knows you shouldn’t use words like “password” as part of your secure password, but what about other words? What about sports team mascots? Keeper Security ran an analysis they’ve called “Password Madness” to check on which mascots win the most-used prize and the brackets have been filled.

Keeper Security ran their analysis on the massive database of 1.4 billion clear-text credentials 4iQ found on the dark web. What they found was a clear winner and loser.

According to a statement from Keeper Security, of all the passwords looked at, those containing “Tiger” and its variations (such as “T1ger”, “T1g3r”, etc.) appeared 187 percent more often than passwords containing variations of “Eagle,” the second-most common password set found, and nearly 850 percent more than the least common password, which was “Bluejay” and its variations.

Since many people re-use the same password on nearly every online account, patterns such as this open up hundreds of thousands of credentials to speedy hacking. Keeper Security recommends that users find other, less risky, ways of honoring their favorite sports teams.


Article source: https://www.darkreading.com/endpoint/privacy/winners-and-losers-in-password-bracketology/d/d-id/1331359?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mozilla pulls ads from Facebook after spat over privacy controls

The Mozilla Foundation has expressed its discomfort at the Cambridge Analytica revelations by pulling its ads from Facebook.

While the disappearance of Mozilla’s modest ad spend is hardly going to bring down The Social Network™, the organisation’s decision to “pause” its Facebook advertising came after Zuckerland tried to assure Mozilla that the conditions that prevailed in 2015 (when Cambridge Analytica breached its terms of service) had long been addressed.


On March 20, Mozilla made this statement on the scandal, asking Facebook to protect privacy “by default” [Good luck with that one – Ed], and saying its app permissions leave “billions of its users vulnerable without knowing it”.

Mozilla also launched a petition against apps that access data on people other than that of the individual who installed an app. Facebook apparently took exception to that. Here’s what Mozilla added on March 22:

Facebook reached out to us to discuss how we characterized their settings and to tell us that our original blog post overstated the scope of data sharing with app developers. What we described is an accurate characterization of what appears in Facebook’s settings.

What Facebook told us is that what we have written below is only true generally for third-party apps prior to 2015. Again, this isn’t clear in the user-facing tools and we think this needs to be fixed.

Mozilla remains unconvinced, and in the post that explained why it’s putting advertising on hold, the foundation’s Denelle Dixon wrote: “While we believe there is still more to learn, we found that its current default settings leave access open to a lot of data – particularly with respect to settings for third party apps.”

Mozilla says it will take a “wait and see” approach: if satisfied by what Mark Zuckerberg delivers in his promise to make privacy settings “more protective”, “specifically strengthening its default privacy settings for third party apps, we’ll consider returning”.

It’s feasible that Mozilla won’t be the last to review its ad spend. In the UK, advertiser organisation the Incorporated Society of British Advertisers (ISBA) is demanding answers on behalf of its roughly 3,000 brands.

The Society’s position statement says the data-slurp, micro-targeting, psychographics and exploitation “raise questions about the possibility that Facebook data has been, or is being used improperly elsewhere. ISBA is asking Facebook for a full account of further potential issues so that advertisers can take appropriate measures.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/23/advertisers_warn_facebook/

‘R2D2’ stops disk-wipe malware before it executes evil commands

Purdue University researchers reckon they’ve cracked how to protect data against “disk-wipe” malware.

Led by Christopher Gutierrez, the team has created a shim of software that analyses write buffers before they reach storage, and if the write is destructive, it steps in to preserve the data targeted for destruction.

Dubbed R2D2 – “Reactive Redundancy for Data Destruction Protection” – their work will be published in the May issue of the journal Computers & Security.

In this [PDF] pre-press version of the paper, the researchers explained their technique. The inspection is implemented in the virtual machine monitor (VMM) using virtual machine introspection (VMI).

“This has the benefit that it does not rely on the entire OS as a root of trust”, they wrote, and they claimed a latency penalty of between 1 and 4 per cent for batch tasks, and 9 to 20 per cent for interactive tasks.

[Figure: 'R2D2' architecture]

The system has been tested against various secure delete tools and malware like Shamoon and Stonedrill, and they claim complete success against “all the wiper malware samples in the wild that we experimented with”.

R2D2 intercepts the open file and write file system calls on a guest VM. When it detects an open file request, it checks “all open system calls” to see if the file is already open for writing.

“If the system call requests a write permission, a policy determines if the file should be protected based on a blacklist or whitelist,” they wrote.

Whitelisted files are the ones that are not protected. For blacklisted files the researchers wrote: “If the file is on the blacklist, we take a snapshot of the file system because the file is considered critical to system stability.”

If the attacker tries to open a file on neither list, “R2D2 takes a temporary checkpoint of the file system, and subsequent write system calls are analysed, according to analysis policy, to determine if the write is suspect”.

The pseudocode for the Open File VMI looks like this:

Algorithm 1 Open File VMI Pseudocode
if File is opened for writing then
    if File is in Blacklist then
        Create a Snapshot (Permanent)
        Done
    else if File is in Whitelist then
        Done
    else
        Create Checkpoint (Temporary)
    end if
end if

The “whitelist” of files that can be lost exists to improve performance, they explained. For example, re-installing an operating system is irritating, but it’s better than losing user data. ®
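To make Algorithm 1 and the write-time analysis concrete, here is an added simulation of the open/write/close policy described above. It is not the Purdue team’s code: the VMI layer is replaced by a plain Python class holding a toy in-memory filesystem, the blacklist and whitelist entries are constructed, and the “suspect write” test (an existing file being overwritten with a single repeated byte) is an assumed heuristic, since the paper’s actual analysis policy is not given in the article. What it shows is the reactive part: a temporary checkpoint exists only while an unlisted file is open for writing, and is promoted to a preserved copy only if a write looks destructive.

```python
"""Simulation of R2D2's open-file policy and reactive checkpointing.

Added example modelled on the article's description and Algorithm 1; it is
not the Purdue researchers' code. The VMI hooks are plain Python methods,
the list contents are constructed, and _is_suspect is an assumed heuristic.
"""
import copy

BLACKLIST = {"/boot/vmlinuz", "/etc/passwd"}   # constructed: critical to system stability
WHITELIST = {"/tmp/scratch.log"}                # constructed: acceptable to lose


class R2D2Monitor:
    def __init__(self, files):
        self.files = dict(files)   # path -> bytes, standing in for the guest filesystem
        self.snapshots = []        # permanent snapshots (whole filesystem copies)
        self.checkpoints = {}      # path -> temporary checkpoint, dropped on close
        self.preserved = {}        # path -> content rescued from a suspect write
        self.log = []

    # --- Algorithm 1: Open File VMI ---
    def on_open(self, path, write):
        if not write:
            return                                   # read-only opens are ignored
        if path in BLACKLIST:
            self.snapshots.append(copy.deepcopy(self.files))
            self.log.append(f"snapshot (permanent) before write to {path}")
        elif path in WHITELIST:
            self.log.append(f"whitelisted, no action for {path}")
        else:
            self.checkpoints[path] = copy.deepcopy(self.files)
            self.log.append(f"checkpoint (temporary) before write to {path}")

    # --- Write VMI: analyse the buffer before it reaches storage ---
    def on_write(self, path, data):
        old = self.files.get(path, b"")
        if path in self.checkpoints and self._is_suspect(old, data):
            self.preserved[path] = old               # keep what the write would destroy
            self.log.append(f"suspect write to {path}: original preserved")
        self.files[path] = data                      # the write itself still proceeds

    def on_close(self, path):
        self.checkpoints.pop(path, None)             # temporary checkpoint is discarded

    @staticmethod
    def _is_suspect(old, new):
        """Assumed heuristic: existing content replaced by one repeated byte."""
        return bool(old) and len(new) >= len(old) and len(set(new)) == 1


def demo():
    mon = R2D2Monitor({
        "/home/u/thesis.tex": b"\\documentclass{article}",
        "/etc/passwd": b"root:x:0:0",
        "/tmp/scratch.log": b"x",
    })
    # ordinary edit of an unlisted file: checkpoint taken, nothing preserved
    mon.on_open("/home/u/thesis.tex", write=True)
    mon.on_write("/home/u/thesis.tex", b"\\documentclass{report}")
    mon.on_close("/home/u/thesis.tex")
    # wiper-style overwrite of the same file: original content is preserved
    mon.on_open("/home/u/thesis.tex", write=True)
    mon.on_write("/home/u/thesis.tex", b"\x00" * 64)
    mon.on_close("/home/u/thesis.tex")
    # blacklisted file: permanent snapshot regardless of what is written
    mon.on_open("/etc/passwd", write=True)
    mon.on_write("/etc/passwd", b"")
    mon.on_close("/etc/passwd")
    return mon


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```

The cost model in the article follows from the structure: a full snapshot is only paid for blacklisted files, whitelisted files cost nothing, and everything else pays for a checkpoint that lives no longer than the file handle.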


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/23/reactive_redundancy_for_data_destruction_protection_stops_shamoon_and_stonedrill/

Your code is RUBBISH, says GitHub. Good thing we’re here to save you

Last year, GitHub added security scanning to its dependency graph and flicked the lid off a can absolutely crawling with bugs.

The code-sharing site kicked off vulnerability scanning late last year, focussing on known CVEs (Common Vulnerabilities and Exposures, an announcement list maintained by Carnegie-Mellon University) in Ruby and JavaScript libraries.

GitHub runs the libraries through its Dependency Graph announced last year, to match the libraries to the CVEs.

When a vulnerable library is identified, the system raises an alert to a project’s admin in their dependency graphs and repository home pages.
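The matching step is the interesting part: a dependency is only an alert if its declared version falls inside an advisory’s vulnerable range. The block below is an added illustration of that comparison, not GitHub’s code; the advisory database, package names, version ranges and advisory ids are constructed placeholders (deliberately not real CVE numbers), and the version parser handles only dotted numeric versions.

```python
"""Matching declared dependencies against vulnerable version ranges.

Added example; not GitHub's implementation. Advisory entries, package names
and versions are constructed placeholders, not real CVEs.
"""
import re


def parse_version(v):
    """'1.2.3' -> (1, 2, 3). Missing or non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def in_range(version, spec):
    """spec is a comma-separated list of constraints, e.g. '>=4.0.0, <4.17.5'.
    All constraints must hold for the version to be inside the range."""
    v = parse_version(version)
    for c in spec.split(","):
        c = c.strip()
        m = re.match(r"(>=|<=|>|<|==)\s*([\w.]+)", c)
        if not m:
            raise ValueError(f"bad constraint: {c!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {">=": v >= bound, "<=": v <= bound, ">": v > bound,
              "<": v < bound, "==": v == bound}[op]
        if not ok:
            return False
    return True


# Constructed advisory database: (ecosystem, package, vulnerable range, id).
ADVISORIES = [
    {"ecosystem": "npm", "package": "left-widget", "range": ">=1.0.0, <1.4.2", "id": "EXAMPLE-ADV-1"},
    {"ecosystem": "rubygems", "package": "rails-ish", "range": "<5.1.6", "id": "EXAMPLE-ADV-2"},
    {"ecosystem": "npm", "package": "left-widget", "range": ">=2.0.0, <2.0.1", "id": "EXAMPLE-ADV-3"},
]


def find_vulnerable(dependencies, advisories=ADVISORIES):
    """dependencies: iterable of (ecosystem, package, version).
    Returns (package, version, advisory id) for every match, in input order."""
    alerts = []
    for eco, pkg, ver in dependencies:
        for adv in advisories:
            if (adv["ecosystem"] == eco and adv["package"] == pkg
                    and in_range(ver, adv["range"])):
                alerts.append((pkg, ver, adv["id"]))
    return alerts


if __name__ == "__main__":
    deps = [("npm", "left-widget", "1.3.9"), ("npm", "left-widget", "1.4.2"),
            ("rubygems", "rails-ish", "5.0.7"), ("rubygems", "rails-ish", "5.2.0")]
    for alert in find_vulnerable(deps):
        print(alert)
```

Note that the upper bound is exclusive: the first version that carries the fix is not an alert, which is why range boundaries in an advisory feed need to be exact.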

GitHub announced the first run of the security checker turned up “over four million vulnerabilities in over 500,000 repositories”.

On that first pass, GitHub’s post said, 450,000 of the vulns were resolved by December 1, 2017. In the months since then, “our rate of vulnerabilities resolved in the first seven days of detection has been about 30 per cent. Additionally, 15 per cent of alerts are dismissed within seven days”.

More active projects get patched quicker, but that’s not quantified in the post. GitHub’s post noted that the seven-day fix metric was met “for almost all repositories with recent contributions”.

If you’re the admin of a GitHub account and want to add security alerts to your repository, the instructions explaining how to do so are here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/23/github_dependency_scanner/

Microsoft to re-enforce March patch that owns Windows over RDP

Black Hat Asia Microsoft will soon prevent Windows from authenticating un-patched RDP clients, to cap a March patch that addressed a flaw that can allow lateral movement across a network from a compromised remote desktop protocol session.

CVE-2018-0886 allows remote code execution because Microsoft’s Credential Security Support Provider protocol (CredSSP), which lets an application delegate a user’s credentials from the client to the target server for remote authentication, does so before it checks the validity of a certificate. A man-in-the-middle could therefore exploit the flaw by presenting a rogue certificate carrying a valid public key alongside legitimate credentials to gain access to one machine.

From there, lateral movement across a network becomes possible and that’s just the sort of thing bad actors love.

The flaw was discovered by security company Preempt, which explained it in the video below.

[Embedded YouTube video]

Microsoft’s documentation for the patch said “Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers.”

“We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible.”


The Microsoft advisory also mentions two planned actions to address the attack. On April 17th, 2018, an update to Microsoft’s RDP client “will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.” And on May 8th, or perhaps later, “An update to change the default setting from Vulnerable to Mitigated” will arrive [Microsoft’s emphases – Ed].

But Preempt personnel today told the Black Hat Asia conference in Singapore that the May patch will restrict use of un-patched RDP clients so that the vulnerability can’t be exploited. The firm’s people added that CVE-2018-0886 must be considered mitigated, not fixed, until the next Microsoft update, and that there’s a 60-day window for exploitation of the bug.

It therefore seems sensible to keep a close eye on May’s Patch Tuesday dump, not to assume that the March dump fixed the problem completely. It’s also worth looking for updates from vendors of third-party RDP clients, as they can also fall foul of this vulnerability. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/23/cve_2018_0886_credential_security_support_provider_protocol/

City of Atlanta’s IT gear thoroughly pwned by ransomware nasty

Updated IT systems used by the City of Atlanta, in the US state of Georgia, have succumbed to a ransomware attack, cutting off some online city services and potentially putting the personal information of employees and citizens at risk.

At a press conference held on Thursday afternoon, Atlanta Mayor Keisha Lance Bottoms said the extent of the attack remains unknown and is under active investigation. “This is a very serious situation,” she said.

She advised anyone who has given personal information to the City of Atlanta online that would have been stored in its servers to be vigilant about the potential misuse of that data and to check their online accounts for suspicious activity.

Richard Cox, Atlanta’s new COO, said Atlanta officials were made aware of the outage at 0540 on Thursday and that the incident has affected both public and internal applications used by the city.

“The City of Atlanta has experienced a ransomware cyber attack,” he said. “This attack has encrypted some of the city data. However we are still validating the extent of the compromise.”

Applications for paying city bills and accessing court information online have had outages, Cox said, while the departments responsible for public safety, water services operation and the airport are operating without incident.

Payroll systems for city employees are not affected, he said.

Cox said that the Atlanta officials are working with the FBI and the Department of Homeland Security, along with teams from Microsoft and Cisco, to investigate the attack.

Asked whether the city intends to pay the ransom, Mayor Bottoms said that hasn’t been determined. ®

Updated to add

Atlanta NBC affiliate WXIA reports that a screenshot provided by a city employee reveals the attackers want $51,000 to unlock the data. The news station says the malware involved resembles the “MSIL” or “Samas” (SAMSAM) ransomware strain that has been circulating since at least 2016.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/22/atlanta_pwned_by_ransomware_attack/

Reflection of a QR code on PoS scanner used to own mobile payments

Black Hat Asia Paying for stuff with your smartphone is downright dangerous according to Zhe Zhou, a pre-tenure associate professor at Fudan University, who yesterday explained how three different payment methods can be cracked at Black Hat Asia in Singapore.

In a talk titled “All your payment tokens are mine: Vulnerabilities of mobile payment systems”, Zhe said mobile payments have two weaknesses: tokens aren’t encrypted; and tokens aren’t tied to a single transaction, so can be re-used and/or hijacked.

Zhe explained that mobile payments see smartphones generate a one-time token that’s passed to a point of sale terminal. Once the token’s exchanged and verified by a payments server somewhere, it won’t be accepted again. The trick to using harvested tokens is therefore to stop them ever making it to the point of sale terminal, then to use that token for another transaction of higher value before it expires.

Zhe said it’s possible to do so for smartphones that can emulate magnetic stripe cards. Smartphones can pull off that trick thanks to a technology called “Magnetic Secure Transmission” (MST) that sees them emit electromagnetic energy from the coil used for wireless charging. Phones so equipped send point of sale devices the same data they expect to detect when a card is swiped. Zhe said MST is expected to have a range of seven centimetres, but commercial off-the-shelf kit costing US$25 was able to detect the waves from a distance of two metres. In so doing the researchers also stopped the signal from reaching the point of sale terminal and harvested an unused token.


Payments using sound, a technique used by Google India’s “Tez” system, can be hijacked in similar ways. Zhe said sound payments are often used in vending machines and it is not hard to record the codes, either from near the machine or with unexpected modifications. If the vending machine uses a wireless connection to verify the token, a jammer stops it from doing so. Again, the attacker ends up with a valid token.

Zhe’s most devious attack targeted the QR codes used as tokens for some payments. His tactic for such tokens was to surreptitiously turn on a smartphone’s front-facing camera to photograph the reflection of a QR code in a point of sale scanner’s protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code. The technique can also be used to craft malicious QR codes that, when used for smartphone-to-smartphone payments, see the victim machine directed to download and run malware.

The researcher said he revealed his exploits to the largest mobile payment provider in China, and that it quickly revoked versions of its apps and promised to ensure its wares seek out and destroy any process using phones’ front-facing cameras.

Zhe concluded by recommending that all token exchanges for mobile payments be encrypted and add a challenge-response mechanism. He also said mobile payment tokens should always be tied to a single transaction so that they can’t be re-used. ®
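The two recommendations above (a challenge-response step, and tokens bound to exactly one transaction) can be shown together in a few lines. The following is an added example, not Zhe Zhou’s code or any payment provider’s protocol: a shared HMAC key per phone stands in for whatever the real system uses to authenticate the device, and the merchant ids, amounts and key are constructed. The server issues a fresh nonce bound to merchant and amount, the phone answers with an HMAC over that nonce and those details, and the server accepts each nonce once. The scenario shows why an intercepted token is useless elsewhere and why a replay fails.

```python
"""Single-use, transaction-bound payment tokens with challenge-response.

Added example illustrating the talk's recommendations; not Zhe Zhou's code
or any vendor's protocol. Keys, merchants and amounts are constructed, and
a per-phone shared HMAC key is an assumption standing in for real device auth.
"""
import hashlib
import hmac
import secrets


def compute_token(key, nonce, merchant, amount_cents):
    """The phone's response: an HMAC over the server's challenge and the
    transaction it is bound to, so the token cannot be moved to another sale."""
    msg = f"{nonce}|{merchant}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PaymentServer:
    def __init__(self, phone_keys):
        self.phone_keys = phone_keys   # phone_id -> shared key (constructed)
        self.pending = {}              # nonce -> (phone_id, merchant, amount_cents)
        self.used = set()              # nonces already redeemed

    def challenge(self, phone_id, merchant, amount_cents):
        """The terminal requests a fresh nonce bound to this exact transaction."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (phone_id, merchant, amount_cents)
        return nonce

    def redeem(self, nonce, merchant, amount_cents, token):
        if nonce in self.used or nonce not in self.pending:
            return "rejected: unknown or already used"
        phone_id, bound_merchant, bound_amount = self.pending[nonce]
        if (merchant, amount_cents) != (bound_merchant, bound_amount):
            return "rejected: transaction details differ from challenge"
        expected = compute_token(self.phone_keys[phone_id], nonce, merchant, amount_cents)
        if not hmac.compare_digest(expected, token):
            return "rejected: bad response"
        self.used.add(nonce)
        del self.pending[nonce]
        return "accepted"


def scenario():
    key = b"constructed-shared-key"
    server = PaymentServer({"phone-1": key})
    nonce = server.challenge("phone-1", "shop-A", 500)
    token = compute_token(key, nonce, "shop-A", 500)
    results = {}
    # a captured token presented for a different, larger sale under the same nonce
    results["wrong_sale"] = server.redeem(nonce, "shop-B", 9900, token)
    # a captured token presented against a fresh challenge for another sale
    nonce2 = server.challenge("phone-1", "shop-B", 9900)
    results["fresh_challenge"] = server.redeem(nonce2, "shop-B", 9900, token)
    # the legitimate transaction, then the same token again
    results["first_use"] = server.redeem(nonce, "shop-A", 500, token)
    results["replay"] = server.redeem(nonce, "shop-A", 500, token)
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

The binding of amount and merchant into the challenge is what removes the “higher value” step in the interception described earlier; the used-nonce set is what removes re-use. Transport encryption, the talk’s other recommendation, is a separate layer and is not modelled here.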


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/23/mobile_payments_token_interception_talk_black_hat_asia/

New whistleblower says Facebook turned a blind eye to covert data harvesting

Another whistleblower, this time a former Facebook insider, has told British MPs that covert, “utterly horrifying” data harvesting has been routine at the platform, that we’re likely talking about hundreds of millions of Facebook users affected by apps such as the one Cambridge Analytica (CA) got data from, and that Facebook has a history of hiding its head in the sand, likely frightened of being found liable for what it’s enabled developers to do with user data.

The first whistleblower was CA founder Christopher Wylie, who worked with Cambridge University professor Aleksandr Kogan to obtain the data used to create a tool that could be used to profile voters and influence the 2016 presidential election and Brexit campaign. Kogan has been linked to previously undisclosed Russian affiliations.

The latest whistleblower is Sandy Parakilas, the platform operations manager at Facebook responsible for policing data breaches by third-party software developers between 2011 and 2012. He told The Guardian that he’s disheartened by recent disclosures about how the company Global Science Research scraped tens of millions of Facebook profiles and gave the data to CA. CA is a voter-profiling company whose “psychographic profiling” was funded and used by conservative investors.

Facebook got itself into this mess, Parakilas told British MPs on Wednesday. He tried to warn the company: in fact, he shared his concerns with Facebook execs who were “among the top five” in the company, he said while giving evidence to Parliament’s Digital, Culture, Media and Sport committee.

(The Guardian has provided a summary of salient points from his evidence, given via video link.)

CA wasn’t an anomaly, Parakilas said. Other firms have likely exploited the same terms as CA did, and they likely took advantage of the fact that Facebook was hands-off. Parakilas got the impression that Facebook seemed to fear that an investigation into all the unvetted developers who’ve been given access to Facebook servers and the user data therein could lead to liability over policies or laws being broken in data breaches, he said.

If Facebook didn’t know, if it didn’t investigate what developers were up to, it could then claim that it was just a platform and hence not liable, Parakilas said. That sounds familiar: the “we’re just a platform, not a publisher” refrain was heard repeatedly during at least the start of the furor over fake news being disseminated on Facebook.

He had warned execs that this lax approach to security and utter lack of developer oversight could lead to a major breach like the CA one that exploded over the weekend, Parakilas told The Guardian:

My concerns were that all of the data that left Facebook servers to developers could not be monitored by Facebook, so we had no idea what developers were doing with the data.

When asked about what kind of control Facebook had over data accessed by outside developers, Parakilas said “none”:

Zero. Absolutely none. Once the data left Facebook servers there was not any control, and there was no insight into what was going on.

In fact, Parakilas always assumed “there was something of a black market” for Facebook data passed to external developers. When he told other execs that the company should proactively “audit developers directly and see what’s going on with the data,” execs told him to back off: he probably wouldn’t like what he’d see if he overturned that rock.

The gist of one Facebook executive’s response, he said:

Do you really want to see what you’ll find?

Parakilas’s interpretation of the comment:

Facebook was in a stronger legal position if it didn’t know about the abuse that was happening.

They felt that it was better not to know. I found that utterly shocking and horrifying.

Parakilas’ attempts to warn Facebook included a PowerPoint presentation he gave to senior execs in 2012. It included what he said was “a map of the vulnerabilities for user data on Facebook’s platform”.

I included the protective measures that we had tried to put in place, where we were exposed, and the kinds of bad actors who might do malicious things with the data. On the list of bad actors I included foreign state actors and data brokers.

Fed up by the lack of change, he left the company in 2012. Since then, he’s kept his concerns to himself. But that changed once Facebook lawyers gave testimony to the US Congress late last year about Russia’s attempt to sway the 2016 presidential election.

They treated it like a PR exercise. They seemed to be entirely focused on limiting their liability and exposure rather than helping the country address a national security issue.

In November, he wrote a scathing opinion piece published by the New York Times. In it, he said that Facebook doesn’t give a flying FarmVille fig about protecting users from abuse.

What it cares about is collecting data it can sell to advertisers, he said in the editorial, and the company can’t be trusted to regulate itself:

What I saw from the inside was a company that prioritized data collection from its users over protecting them from abuse. As the world contemplates what to do about Facebook in the wake of its role in Russia’s election meddling, it must consider this history. Lawmakers shouldn’t allow Facebook to regulate itself. Because it won’t.

Speaking of FarmVille, all of this is of course relevant to those of us who’ve taken Facebook quizzes or played games hosted on the platform. But you needn’t have done so yourself: if your friends played games or took personality quizzes like CA’s thisisyourdigitallife personality test, your data was more than likely pulled in and used to do things without your permission, such as what CA did: it created profiles of individual US voters in order to target them with personalized political ads.

That was enabled by a previous feature called friends permission. From 2007 on up to 2014, Facebook allowed developers to access the personal data of friends of people who used apps on the platform, without their knowledge or express consent. Parakilas doesn’t know how many developers got access to friends permission data before Facebook cut the umbilical cord, but he told The Guardian that he believes it’s in the tens or maybe even hundreds of thousands of developers.

Facebook got a 30% cut of transactions made through those games and apps. Obviously, there was little financial incentive for it to cut them off.

Meanwhile, Facebook CEO Mark Zuckerberg has apologized for this “breach of trust.” That breach has gone on for years, mind you: CA’s misuse of user data was discovered in 2015, yet it took until Friday for it to suspend the firm, its parent company, and founder/whistleblower Wylie from accessing the platform.

Zuckerberg said in a Facebook post on Wednesday that he’s “working to understand exactly what happened and how to make sure this doesn’t happen again.”

Some of the steps he’s pledged include investigating all apps that had access to “large amounts of data” before the platform reduced access in 2014. He said Facebook will conduct a “full audit” of any found to be up to suspicious activity. Developers who misused personally identifiable information (PII) will be banned, and affected users will be notified – including those whose information was used by CA.

Developers’ access will also be further pulled back. For example, if you haven’t used the platform within three months, access to your data will be cut. Also, the data given to apps when you sign in will be limited to name, profile photo, and email address.

Facebook is also going to un-bury the tool to see and edit what apps have access to your data: the tool is going to the top of Newsfeed.

Fine. But it leaves many unanswered questions about Facebook’s lack of developer vetting; its failure in doing even a single audit of developers, at least during Parakilas’ tenure; and its failure to verify that CA deleted data when it claimed to.

One thing to bear in mind is that during his time at Facebook, Parakilas said, the company was gung-ho to sign up developers to its platform, and access to this valuable user data was one carrot it dangled. In fact, he says that at least at the beginning of his tenure, he was told that in order to ban any developer’s app, he had to get Zuckerberg’s personal approval.

If you don’t trust Facebook as far as you can throw it, none of its proposed steps to protect user data will likely satisfy. Check out this article for more ways to protect your data, up to and including deleting your Facebook profile entirely.

Is it time? Even Facebook admitted recently that social media can be bad for you.

We knew it was bad, but this bad?

Please do let us know if you’re going to pull the plug.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BvpS5MkanjA/

US watchdog: Scam scammers scamming scammed in scam scam

America’s trade regulator the FTC has issued a warning over reports of a new data-harvesting operation that is targeting the victims of a previous scam.

The federal watchdog says someone is emailing people, claiming to be from the FTC and soliciting claim forms from the $586m Western Union settlement payout.

In this case, the scammers are taking the particularly low road of targeting people who have already fallen victim to one or more scams.

The emails ask recipients to fill out an attached claim form with personal information and details of Western Union transfers that they believe were fraudulently carried out in their names. As it turns out, the claim forms are actually fakes, and the information victims enter when filling them out (including name and home address) is in fact being harvested (and likely resold) by scammers.

“We’ve heard that people are getting official-looking emails about the Western Union settlement,” writes FTC staff attorney Karen Dodge.

“The thing to know is that you cannot apply for a refund by email.”

The emails reference a settlement the FTC agreed with Western Union in January of last year after the money-wiring service was accused of failing to protect customers from fraudulent transfer orders and cash shifted as part of money laundering or cybercrime operations. Western Union would eventually agree to pay the $586m settlement package to wronged customers who had been defrauded by fraudsters using its payment systems.

The FTC sent out notification letters (real ones) via snail mail starting in November, and the actual refund process is being done via a claim system on its website. The commission stresses that none of the process is done through email, especially by unsolicited messages.

No matter how many times government agencies issue reminders to the public that they don’t send official notifications out via unsolicited emails, such scams have long been a reliable way for scammers to net victims. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/22/ftc_scam_scammers_scamming_scammed_in_scam_scam/