Discord was originally created for gamers, but thanks to its handy system of “servers” (communities), channels, and private messages, it’s brought in all kinds of people, from study groups to common-interest clubs — including fans of cryptocurrency. On their servers, traders discuss the latest on altcoins, investors share predictions, and scammers ponder how to cash in on both. We unpack the latest scheme and explain how not to fall for it.

Beware of exchanges bearing gifts

The scammers seek out victims on Discord cryptocurrency servers and send out private messages that appear to come from an up-and-coming trading platform giving away cryptocurrency. The reasons for such alleged generosity vary from message to message, but whether the exchange is supporting traders in difficult times or trying to attract new users, the thrust is always the same: The lucky addressee has been randomly chosen to receive an impressive payout in Bitcoin or Ethereum.

The scam message promising free Ethereum looks something like this

The message, replete with emoji, contains detailed instructions (and a code) for accepting the gift, as well as a link for registering on the cryptocurrency exchange. The link opens a site that looks like a cryptocurrency exchange, with an adaptive layout, savvy design, and the exchange rate info, charts, order books, and trading history that cryptocurrency traders would expect to see on a trading platform. Visitors will also find technical support and several language options. Someone clearly went to a lot of trouble to make the site look legit.

The homepage of a fake cryptocurrency exchange where Discord users have been promised Bitcoin and Ethereum

The attention to detail even extends to offering victims two-factor authentication to secure their accounts, plus antiphishing protection. Here, of course, the purpose is purely to add plausibility; the site’s true purpose is to transfer money from victim to criminal.

The fake website prompts the victim to enable two-factor authentication and phishing protection

To finish registration, the victim has to either make a small cryptocurrency deposit (now or later) or go through a Know Your Customer (KYC) identity check. The procedure is just like one you might find on a legitimate exchange, requiring contact details, a photo of an identity document, and a selfie taken with both a piece of ID and a sheet of paper with the address of the exchange, registration date, and signature. The scammers appear to be collecting a database to sell; many legitimate services, including financial ones, use such personal data sets to confirm users’ identities, so they fetch a nice price on the dark web. Also supporting our conjecture is the scammers’ insistence that photo IDs must not be marked in any way.

The identity verification page asks for personal information, a photo ID, and a confirmation selfie

After registration, it’s time to activate that prize key from the message in Discord and receive the payout. For victims who are still playing along, the system accepts the code, and the promised Bitcoin or Ethereum coins appear in their account. When the victim tries to move the coins from the exchange to their own wallet, however, they find only roadblocks. The scammers claim to need a top-up — in our case, 0.02 BTC or an equivalent amount in Ethereum or US dollars. (Any money sent to the scammers is gone for good, of course, and the prize was never real.)

The fake exchange asks for a balance top-up in exchange for access to the prize

The Internet is home to several such fake cryptocurrency exchanges, and forums and review sites already list warnings about them.

How to guard against scammers

Here are some simple rules:
Never trust strangers, especially ones offering free money;
Never share personal information with websites that you don’t trust 100%;
Take particular care with official documents, and never send photos of them to anyone;
Configure Discord’s privacy settings to avoid such offers;
Use a reliable security solution. For example, Kaspersky Internet Security not only warns users about scam and phishing sites, but also protects their computers from malware.
Facebook, Instagram, TikTok, and Twitter this week all took steps to crack down on users involved in trafficking hijacked user accounts across their platforms. The coordinated action seized hundreds of accounts the companies say have played a major role in facilitating the trade and often lucrative resale of compromised, highly sought-after usernames.

At the center of the account ban wave are some of the most active members of OGUsers, a forum that caters to thousands of people selling access to hijacked social media and other online accounts. Particularly prized by this community are short usernames, which can often be resold for thousands of dollars to those looking to claim a choice vanity name.

Facebook told KrebsOnSecurity it seized hundreds of accounts — mainly on Instagram — that have been stolen from legitimate users through a variety of intimidation and harassment tactics, including hacking, coercion, extortion, sextortion, SIM swapping, and swatting.

THE MIDDLEMEN

Facebook said it targeted a number of accounts tied to key sellers on OGUsers, as well as those who advertise the ability to broker stolen account sales. Like most cybercrime forums, OGUsers is overrun with shady characters who are there mainly to rip off other members. As a result, some of the most popular denizens of the community are those who’ve earned a reputation as trusted “middlemen.”

These core members offer escrow services that — in exchange for a cut of the total transaction cost (usually five percent) — will hold the buyer’s funds until he is satisfied that the seller has delivered the credentials and any email account access needed to control the hijacked social media account.

For example, one of the most active accounts targeted in this week’s social network crackdown is the Instagram profile “Trusted,” self-described as “top-tier professional middleman/escrow since 2014.” Trusted’s profile included several screenshots of his OGUsers persona, “Beam,” who warns members about an uptick in the number of new OGUsers profiles impersonating him and other middlemen on the forum. Beam currently has more reputation points or “vouches” than almost anyone on the forum, save for perhaps the current and former site administrators.

The now-banned Instagram account for the middleman @trusted/beam.

Helpfully, OGUsers has been hacked multiple times over the years, and its database of user details and private messages posted on competing crime forums. Those databases show Beam was just the 12th user account created on OGUsers back in 2014. In his posts, Beam says he has brokered well north of 10,000 transactions.

Indeed, the leaked OGUsers databases — which include private messages on the forum prior to June 2020 — offer a small window into the overall value of the hijacked social media account industry. In each of Beam’s direct messages to other members who hired him as a middleman he would include the address of the bitcoin wallet to which the buyer was to send the funds. Just two of the bitcoin wallets Beam used for middlemanning over the past couple of years recorded in excess of 6,700 transactions totaling more than 243 bitcoins — or roughly $8.5 million by today’s valuation (~$35,000 per coin). Beam would have earned roughly $425,000 in commissions on those sales.

Beam, a Canadian whose real name is Noah Hawkins, declined to be interviewed when contacted earlier this week. But his “Trusted” account on Instagram was taken down by Facebook today, as was “@Killer,” a personal Instagram account he used under the nickname “noah/beam.” Beam’s Twitter account — @NH — has been deactivated by Twitter; it was hacked and stolen from its original owner back in 2014.

Reached for comment, Twitter confirmed that it worked in tandem with Facebook to seize accounts tied to top members of OGUsers, citing its platform manipulation and spam policy. Twitter said its investigation into the people behind these accounts is ongoing.

TikTok confirmed it also took action to target accounts tied to top OGUsers members, although it declined to say how many accounts were reclaimed. “As part of our ongoing work to find and stop inauthentic behavior, we recently reclaimed a number of TikTok usernames that were being used for account squatting,” TikTok said in a written statement. “We will continue to focus on staying ahead of the ever-evolving tactics of bad actors, including cooperating with third parties and others in the industry.”

‘SOCIAL MEDIA SPECIALISTS’

Other key middlemen who’ve brokered thousands more social media account transactions via OGUsers that were part of this week’s ban wave included Farzad (OGUser #81), who used the Instagram accounts @middleman and @frzd; and @rl, a.k.a. “Amp,” a major middleman and account seller on OGUsers.

Naturally, the top middlemen in the OGUsers community get much of their business from sellers of compromised social media and online gaming accounts, and these two groups tend to cross-promote one another. Among the top seller accounts targeted in the ban wave was the Instagram account belonging to Ryan Zanelli (@zanelli), a 22-year-old self-described “social media marketing specialist” from Melbourne, Australia.

The leaked OGUsers databases suggest Zanelli is better known to the OGUsers community as “Verdict,” the fifth profile created on the forum and a longtime administrator of the site. Reached via Telegram, Zanelli acknowledged he was an administrator of OGUsers, but denied being involved in anything illegal.

“I’m an early adaptor to the forum yes just like other countless members, and no social media property I sell is hacked or has been obtained through illegitimate means,” he said. “If you want the truth, I don’t even own any of the stock, I just resell off of people who do.”

This is not the first time Instagram has come for his accounts: As documented in this story in The Atlantic, some of his accounts totaling more than 1 million followers were axed in late 2018 when the platform took down 500 usernames that were stolen, resold, and used for posting memes.

“This is my full-time income, so it’s very detrimental to my livelihood,” Zanelli told The Atlantic, which identified him only by his first name. “I was trying to eat dinner and socialize with my family, but knowing behind the scenes everything I’ve built, my entire net worth, was just gone before my eyes.”

Another top seller account targeted in the ban wave was the Instagram account @h4ck, whose Telegram sales channel also advertises various services to get certain accounts banned and unbanned from different platforms, including Snapchat and Instagram.

Snippets from the Telegram sales channel for @h4ck, one of the Instagram handles seized by Facebook today.

Facebook said while this is hardly the first time it has reclaimed accounts associated with hijackers, it is the first time it has done so publicly. The company says it has no illusions that this latest enforcement action is going to put a stop to the rampant problem of account hijacking for resale, but views the effort as part of an ongoing strategy to drive up costs for account traffickers, and to educate potential account buyers about the damage inflicted on people whose accounts are hijacked.

In recognition of the scale of the problem, Instagram today rolled out a new feature called “Recently Deleted,” which seeks to help victims undo the damage wrought by an account takeover. “We know hackers sometimes delete content when they gain access to an account, and until now people had no way of easily getting their photos and videos back,” Instagram explained in a blog post. “Starting today, we will ask people to first verify that they are the rightful account holders when permanently deleting or restoring content from Recently Deleted.”

Facebook wasn’t exaggerating about the hijacking community’s use of extortion and other serious threats to gain control over highly prized usernames. I wish I could get back the many hours spent reading private messages from the OGUsers community, but it is certainly not uncommon for targets to be threatened with swatting attacks, or to have their deeply personal and/or financial information posted publicly online unless they relinquish control over a desired account.

WHAT YOU CAN DO

Any accounts that you value should be secured with a unique and strong password, as well as the most robust form of multi-factor authentication available. Usually, this is a mobile app that generates a one-time code, but some sites like Twitter and Facebook now support even more robust options — such as physical security keys.

Whenever possible, avoid opting to receive the second factor via text message or automated phone calls, as these methods are prone to compromise via SIM swapping — a crime that is prevalent among people engaged in stealing social media accounts. SIM swapping involves convincing mobile phone company employees to transfer ownership of the target’s phone number to a device the attackers control.

These precautions are even more important for any email accounts you may have. Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts merely by requesting a password reset email.

Unfortunately, many email providers still let users reset their account passwords by having a link sent via text to the phone number on file for the account. Most online services require users to supply a mobile phone number when setting up the account, but do not require the number to remain associated with the account after it is established. I advise readers to remove their phone numbers from accounts wherever possible, and to take advantage of a mobile app to generate any one-time codes for multifactor authentication.
The web shell provides attackers with tools to work with files and databases on the targeted server, collect sensitive information, infect files, and conduct brute force attacks.
An advisory by the NSA and the FBI shares information on how Drovorub works, how it can be detected, and how organizations can protect their systems against attacks involving the malware.
Vermont Labor Department officials remain on damage control a day after revealing a massive data breach involving tens of thousands of 1099-G unemployment tax forms sent to the wrong people.
The leaked database contains information of over 472,695 members, including their display name, email address, MD5 hashed passwords, optional Skype account names, optional birthday, and IP address.
Cloud security company Digital Defense will join HelpSystems’ growing cybersecurity portfolio to enable customers to access a more comprehensive security assessment toolkit.
Oxfam Australia told BleepingComputer they are investigating the breach and reported it to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).
Kaspersky has released a decryptor for the Fonix Ransomware (also known as Xinof and Fonixcrypter), which launched in June 2020, that allows victims to recover their encrypted files for free.
All the backdoored browser add-ons have been taken down by Google and Microsoft as of December 18, 2020, to prevent more users from downloading them from the official stores.
SonicWall issued a patch for two vulnerabilities in its Secure Mobile Access 100 series products featuring 10.x firmware, which malicious actors exploited in an attack against the firm last month.
Zero-day flaws are a problem because they may be exploited for long periods of time before they're detected and dealt with. There were 24 of them in 2020, four more than in 2019.
The TeamTNT gang has ramped up its attacks on the cloud over the past few months, this time launching a new malware campaign targeting Kubernetes clusters that culminated in a cryptojacking operation.
Microsoft announced that Defender for Endpoint will now also help admins discover OS and software vulnerabilities affecting macOS devices on their organization's network.
Cisco has addressed multiple pre-auth RCE vulnerabilities affecting several small business VPN routers and allowing attackers to execute arbitrary code as root on successfully exploited devices.
Stormshield is a major provider of network security products to the French government, some used on sensitive networks, so it is being treated as a major security breach inside the French government.
Fraudsters had an early start anticipating the buzz surrounding tax filing season, with phishing campaigns impersonating the government agency as early as November 25, 2020, according to Bitdefender.
Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications.
Account takeover incidents as a share of fraudulent activity in the financial services industry rose by 19 percentage points in 2020 compared with 2019, according to new figures from Kaspersky.
Hackers involved in the recent breach of IT group SolarWinds, one of the largest cyber incidents in U.S. history, likely had access to the company’s email system for almost a year.
Alejandro Mayorkas, the new DHS secretary, says his priorities include reviewing all available intelligence on the SolarWinds supply chain hack and scrutinizing government's cybersecurity programs.
Researchers identified two security bugs. One was a rate-limiting bypass under a non-default configuration, which defeats the purpose of the plugin, and the other was an unauthenticated reflected XSS.
The DoD’s Cyber Crime Center will soon be accepting applications for a limited number of companies within the defense industrial base to benefit from security researchers already working for it.
The losses stemmed "primarily because of the Company's need to temporarily suspend its electronic data interfaces with its customers," Forward Air said in SEC documents filed today.
A nascent malware campaign has been spotted co-opting Android devices into a botnet with the primary purpose of carrying out distributed denial-of-service (DDoS) attacks.
A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
The US Defense Advanced Research Projects Agency (DARPA) has reported back on its first ever security bug bounty program, saying the scheme has highlighted strengths as well as weaknesses.
As security practitioners, we need to consider a wider variety of possibilities for misuse of data and systems in our care, not just those that affect the majority of people.
The ENISA released its report on pseudonymisation for personal data protection, providing a technical analysis of cybersecurity measures in personal data protection and privacy.
Exploitable integer overflow and heap-based buffer overflow vulnerabilities exist in the PlanMaker document-parsing functionality of SoftMaker Office 2021's PlanMaker application.
According to a study by email security firm Avanan, email threats reported by users or other mechanisms take two to three hours of a SOC team’s time per day, or 22.9% of a SOC team’s daily routine.
In a rapidly changing business environment, the role of the CISO has hugely expanded in its scope and responsibilities, a BT Security survey of over 7000 professionals from across the world reveals.
The security of open source software has rightfully garnered the industry’s attention, but solutions require consensus about the challenges and cooperation in the execution.
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).
Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command-line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software.
Red Hat Security Advisory 2021-0417-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.8.1 serves as a replacement for Red Hat AMQ Broker 7.8.0, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include an information leakage vulnerability.
Ubuntu Security Notice 4721-1 - Simon McVittie discovered that the flatpak-portal service allowed sandboxed applications to execute arbitrary code on the host system. A malicious user could create a Flatpak application that set environment variables, trusted by the Flatpak "run" command, and use it to execute arbitrary code outside the sandbox.
Ubuntu Security Notice 4722-1 - It was discovered that ReadyMedia allowed subscription requests with a delivery URL on a different network segment than the fully qualified event-subscription URL. An attacker could use this to hijack smart devices and cause denial of service attacks. It was discovered that ReadyMedia allowed remote code execution. A remote attacker could send a malicious UPnP HTTP request to the service using HTTP chunked encoding and cause a denial of service.
Red Hat Security Advisory 2021-0421-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, denial of service, and use-after-free vulnerabilities.
Red Hat Security Advisory 2021-0420-01 - Quay 3.4.0 release. Issues addressed include HTTP request smuggling, buffer overflow, information leakage, integer overflow, out of bounds read, and out of bounds write vulnerabilities.
A nascent malware campaign has been spotted co-opting Android devices into a botnet with the primary purpose of carrying out distributed denial-of-service (DDoS) attacks. Called "Matryosh" by Qihoo 360's Netlab researchers, the latest threat has been found reusing the Mirai botnet framework and propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android devices and ensnare
Phishing and Malware Among the major cyber threats, the malware remains a significant danger. The 2017 WannaCry outbreak that cost businesses worldwide up to $4 billion is still in recent memory, and other new strains of malware are discovered on a daily basis. Phishing has also seen a resurgence in the last few years, with many new scams being invented to take advantage of unsuspecting
Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications. The six flaws were reported by researchers from Israeli IoT security firm Vdoo. The Realtek RTL8195A module is a standalone, low-power-consumption Wi-Fi hardware module targeted at embedded devices used
Today's admins certainly have plenty on their plates, and boosting ecosystem security remains a top priority. On-premises, and especially remote, accounts are gateways for accessing critical information. Password management makes this possible. After all, authentication should ensure that a user is whom they claim to be. This initial layer of security is crucial for protecting one's entire
Mensa - the social club for people with high IQs - is accused of not being so smart about security, an Indian TV journalist gets an unbelievable job offer from Harvard, and we take a look at what's been going on with GameStop short selling. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
Security researchers at Google have claimed that a quarter of all zero-day software exploits could have been avoided if more effort had been made by vendors when creating patches for vulnerabilities in their software. Read more in my article on the Tripwire State of Security blog.
Graham Cluley Security News is sponsored this week by the folks at Orca Security. Thanks to the great team there for their support! Public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform keep their platforms secure, but customers are still responsible for securing the workloads, data, and processes they … Continue reading "Orca’s “State of Public Cloud Security” report reveals how most cloud security breaches happen"