Cyber security aggregate rss news

 News

This week on the Kaspersky Transatlantic Cable podcast, Ahmed, Dave, and I start out in the Far East with a look at South Korea’s investigation of the fees Google and Apple charge vendors for in-app purchases. The article spurs some debate; we three have pretty distinct opinions about the platform-versus-developer situation. From there, we head to California, where a man has been arrested for hacking into iCloud accounts for profit. Our third story takes us to the United Kingdom, where David’s people are looking to remove themselves from the GDPR. Is that a good thing? A pair of stories with a similar theme — adult entertainment — closes out the podcast. The first story examines TikTok users battling a Texas “whistleblowing” website where people can anonymously report abortion patients and anyone who helps them. Users who object to the site have been flooding the submission system with videos, including some, ahem, questionable Shrek content. The second considers OnlyFans’ course corrections on allowable content. If you liked what you heard, please consider subscribing and sharing with your friends.

For more information on the stories we covered, see the links below:

South Korea set to curb Google, Apple commission dominance
California man hacked iCloud accounts to steal nude photos
UK overhauls privacy rules and moves away from Europe’s GDPR
TikTok is using Shrek porn to fight an anti-abortion website
OnlyFans says it will suspend porn ban

 A Little Sunshine

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period. Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 working inbox credentials.

In about half the cases the credentials are being checked via “IMAP,” which is an email standard used by email software clients like Mozilla’s Thunderbird and Microsoft Outlook. With his visibility into the proxy network, Bill can see whether or not an authentication attempt succeeds based on the network response from the email provider (e.g. the mail server responds “OK” = successful access).

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold. And they seem particularly focused on stealing gift card data.

“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”

(Image: A sample of some of the most frequent search queries made in a single day by the gift card gang against more than 50,000 hacked inboxes.)

According to Bill, the fraudsters aren’t downloading all of their victims’ emails: that would quickly add up to a monstrous amount of data. Rather, they’re using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment.

Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

“These guys want that hard digital asset — the cash that is sitting there in your inbox,” Bill said. “You literally just pull cash out of peoples’ inboxes, and then you have all these secondary markets where you can sell this stuff.”

Bill’s data also shows that this gang is so aggressively going after gift card data that it will routinely seek new gift card benefits on behalf of victims, when that option is available. For example, many companies now offer employees a “wellness benefit” if they can demonstrate they’re keeping up with some kind of healthy new habit, such as daily gym visits, yoga, or quitting smoking. Bill said these crooks have figured out a way to tap into those benefits as well.

“A number of health insurance companies have wellness programs to encourage employees to exercise more, where if you sign up and pledge to 30 push-ups a day for the next few months or something you’ll get five wellness points towards a $10 Starbucks gift card, which requires 1000 wellness points,” Bill explained. “They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.”

The Gift Card Gang’s Footprint

How do the compromised email credentials break down in terms of ISPs and email providers? There are victims on nearly all major email networks, but Bill said several large Internet service providers (ISPs) in Germany and France are heavily represented in the compromised email account data.

“With some of these international email providers we’re seeing something like 25,000 to 50,000 email accounts a day get hacked,” Bill said. “I don’t know why they’re getting popped so heavily.”

That may sound like a lot of hacked inboxes, but Bill said some of the bigger ISPs represented in his data have tens or hundreds of millions of customers.

Measuring which ISPs and email providers have the biggest numbers of compromised customers is not so simple in many cases, nor is identifying companies with employees whose email accounts have been hacked. This kind of mapping is often more difficult than it used to be because so many organizations have now outsourced their email to cloud services like Gmail and Microsoft Office365 — where users can access their email, files and chat records all in one place.

“It’s a little complicated with Office 365 because it’s one thing to say okay how many Hotmail connections are you seeing per day in all this credential-stuffing activity, and you can see the testing against Hotmail’s site,” Bill said. “But with the IMAP traffic we’re looking at, the usernames being logged into are any of the million or so domains hosted on Office365, many of which will tell you very little about the victim organization itself.”

On top of that, it’s also difficult to know how much activity you’re not seeing. Looking at the small set of Internet address blocks he knows are associated with Microsoft 365 email infrastructure, Bill examined the IMAP traffic flowing from this group to those blocks. Bill said that in the first week of April 2021, he identified 15,000 compromised Office365 accounts being accessed by this group, spread over 6,500 different organizations that use Office365.

“So I’m seeing this traffic to just like 10 net blocks tied to Microsoft, which means I’m only looking at maybe 25 percent of Microsoft’s infrastructure,” Bill explained. “And with our puny visibility into probably less than one percent of overall password stuffing traffic aimed at Microsoft, we’re seeing 600 Office accounts being breached a day. So if I’m only seeing one percent, that means we’re likely talking about tens of thousands of Office365 accounts compromised daily worldwide.”

In a December 2020 blog post about how Microsoft is moving away from passwords to more robust authentication approaches, the software giant said an average of one in every 250 corporate accounts is compromised each month. As of last year, Microsoft had nearly 240 million active users, according to this analysis.

“To me, this is an important story because for years people have been like, yeah we know email isn’t very secure, but this generic statement doesn’t have any teeth to it,” Bill said. “I don’t feel like anyone has been able to call attention to the numbers that show why email is so insecure.”

Bill says that in general companies have a great many more tools available for securing and analyzing employee email traffic when that access is funneled through a Web page or VPN, versus when that access happens via IMAP.

“It’s just more difficult to get through the Web interface because on a website you have a plethora of advanced authentication controls at your fingertips, including things like device fingerprinting, scanning for http header anomalies, and so on,” Bill said. “But what are the detection signatures you have available for detecting malicious logins via IMAP?”

Microsoft declined to comment specifically on Bill’s research, but said customers can block the overwhelming majority of account takeover efforts by enabling multi-factor authentication.

“For context, our research indicates that multi-factor authentication prevents more than 99.9% of account compromises,” reads a statement from Microsoft. “Moreover, for enterprise customers, innovations like Security Defaults, which disables basic authentication and requires users to enroll a second factor, have already significantly decreased the proportion of compromised accounts. In addition, for consumer accounts, adding a second authentication factor is required on all accounts.”

A Mess That’s Likely to Stay That Way

Bill said he’s frustrated by having such visibility into this credential testing botnet while being unable to do much about it. He’s shared his data with some of the bigger ISPs in Europe, but says months later he’s still seeing those same inboxes being accessed by the gift card gang.

The problem, Bill says, is that many large ISPs lack any sort of baseline knowledge of or useful data about customers who access their email via IMAP. That is, they lack any sort of instrumentation to be able to tell the difference between legitimate and suspicious logins for their customers who read their messages using an email client.

“My guess is in a lot of cases the IMAP servers by default aren’t logging every search request, so [the ISP] can’t go back and see this happening,” Bill said.

Confounding the challenge, there isn’t much of an upside for ISPs interested in voluntarily monitoring their IMAP traffic for hacked accounts.

“Let’s say you’re an ISP that does have the instrumentation to find this activity and you’ve just identified 10,000 of your customers who are hacked. But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset, because there’s no mechanism in the email client to effect a password change.”

Which means those 10,000 customers are then going to start receiving error messages whenever they try to access their email.

“Those customers are likely going to get super pissed off and call up the ISP mad as hell,” Bill said. “And that customer service person is then going to have to spend a bunch of time explaining how to use the webmail service. As a result, very few ISPs are going to do anything about this.”

Indicators of Compromise (IoCs)

It’s not often KrebsOnSecurity has occasion to publish so-called “indicators of compromise” (IoCs), but hopefully some ISPs may find the information here useful. This group automates the searching of inboxes for specific domains and trademarks associated with gift card activity and other accounts with stored electronic value, such as rewards points and mileage programs.

This file includes the top inbox search terms used in a single 24 hour period by the gift card gang. The numbers on the left in the spreadsheet represent the number of times during that 24 hour period where the gift card gang ran a search for that term in a compromised inbox. Some of the search terms are focused on specific brands — such as Amazon gift cards or Hilton Honors points; others are for major gift card networks like CashStar, which issues cards that are white-labeled by dozens of brands like Target and Nordstrom. Inboxes hacked by this gang will likely be searched on many of these terms over the span of just a few days.

 botnet

In this Spotlight podcast we’re joined by Benjamin Fabre of DataDome to discuss the evolving risks to organizations as e-commerce shifts from web pages to mobile applications and APIs. The post Spotlight: E-Commerce’s Bot and Mouse Game appeared first on The Security Ledger with Paul F. Roberts.

Related Stories:
Episode 223: CISA Looks To Erase The Security Poverty Line
Spotlight: Securing the Great Resignation with Code 42
Encore Podcast: Is Autonomous Driving Heading for a Crash?

 Identity Theft, Fraud, Scams

According to Sucuri researchers, this phishing toolkit is actually a surprisingly feature-rich product sold to other black hat attackers that specifically targets banking login details.

 Laws, Policy, Regulations

The House began debate Wednesday on legislation that would require companies that own or operate parts of the nation's critical infrastructure to report a cyberattack or breach within 72 hours.

 Computer, Internet Security

Under the hood, the feature functioned by adding an isogeny-based key agreement to Google Chrome’s TLS negotiation component in order to harden an encrypted HTTPS connection.

 Malware and Vulnerabilities

More details about a now-patched vulnerability in Comcast’s XR11 voice remotes have emerged, which would have made it easy for a threat actor to intercept radio frequency (RF) communications.

 Malware and Vulnerabilities

QakBot continues to grow in terms of functionality, with even more capabilities and new techniques such as logging keystrokes, a backdoor functionality, and techniques to evade detection.

 Trends, Reports, Analysis

With RaaS evolving into a corporate structure, gangs are looking for negotiators. The role of negotiators is to extort victims into paying the ransom.

 Trends, Reports, Analysis

Apart from brute-forcing leaked credentials, attackers are impersonating both renowned brands and internal automated systems to trick targets into giving up their credentials or sending money.

 Feed

This Metasploit module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder and exploits multiple authenticated arbitrary command execution vulnerabilities within the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions 1.12.0.27 and below as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.

 Feed

CyberArk Credential Providers can be configured to retain passwords, password metadata, and other application properties in a local, encrypted cache file. Under certain conditions, the effective key space used to encrypt the cache is significantly reduced. For an attacker who understands the key derivation scheme and encryption mechanics, full access to the information used to derive the encryption key is sufficient to reduce the effective key space to one. Even in cases where the information is not known, the encrypted cache files will likely be unable to withstand a brute force attack. However, the severity of this issue is partially mitigated by the privilege level required (root) for access. Versions prior to 12.1 are affected.

 Feed

Ubuntu Security Notice 5051-4 - USN-5051-2 introduced a regression in OpenSSL that affected only Ubuntu 14.04 ESM. This update fixes the regression. Ingo Schwarze discovered that OpenSSL incorrectly handled certain ASN.1 strings. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly obtain sensitive information. Various other issues were also addressed.

 Feed

CyberArk's Credential Provider loopback communications on TCP port 18923 are encrypted with key material that has extremely low entropy. In all currently-known use cases, the effective key space is less than 2^16. For an attacker who understands the key derivation scheme and encryption mechanics, knowledge of the source port and access to the payloads of a given client-server exchange are sufficient to reduce the effective key space to one. In cases where the source port is not known, the encrypted payloads will be unable to withstand a brute force attack. Additionally, the user identification mechanism used by CyberArk's Credential Provider is vulnerable to a race condition where an unauthorized/unprivileged user can submit one or more encrypted query requests. If the race is won, the attacker will be able to retrieve sensitive information including passwords and password metadata. Versions prior to 12.1 are affected.

 Feed

Red Hat Security Advisory 2021-3262-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.28.

 Feed

CyberArk Credential Providers and possibly other Vault components use credential files to store usernames and encrypted passwords. Under certain conditions, the effective key space used to encrypt the passwords is significantly reduced. For an attacker who understands the key derivation scheme and encryption mechanics, full access to the information used to derive the encryption key is sufficient to reduce the effective key space to one. With partial access, the effective key space can vary depending on the information available, and a number of those variations are unlikely to withstand brute force attacks. Versions prior to 12.1 are affected.

 Feed

The U.S. Federal Trade Commission on Wednesday banned a stalkerware app company called SpyFone from the surveillance business over concerns that it stealthily harvested and shared data on people's physical movements, phone use, and online activities that were then used by stalkers and domestic abusers to monitor potential targets. "SpyFone is a brazen brand name for a surveillance business that

 Feed

Network Detection & Response (NDR) is an emerging technology developed to close the blind security spots left by conventional security solutions, which hackers exploited to gain a foothold in target networks. Nowadays, enterprises are using a plethora of security solutions to protect their network from cyber threats. The most prominent ones are Firewalls, IPS/IDS, SIEM, EDR, and XDR (which

 Feed

The operators of the Mozi IoT botnet have been taken into custody by Chinese law enforcement authorities, nearly two years after the malware emerged on the threat landscape in September 2019. News of the arrest, which originally happened in June, was disclosed by researchers from Netlab, the network research division of Chinese internet security company Qihoo 360, earlier this Monday, detailing

 Feed

A set of new security vulnerabilities has been disclosed in commercial Bluetooth stacks that could enable an adversary to execute arbitrary code and, worse, crash the devices via denial-of-service (DoS) attacks. Collectively dubbed "BrakTooth" (referring to the Norwegian word "Brak" which translates to "crash"), the 16 security weaknesses span across 13 Bluetooth chipsets from 11 vendors such

 Feed

A now-patched high-severity security vulnerability in WhatsApp's image filter feature could have been abused to send a malicious image over the messaging app to read sensitive information from the app's memory. Tracked as CVE-2020-1910 (CVSS score: 7.8), the flaw concerns an out-of-bounds read/write and stems from applying specific image filters to a rogue image and sending the altered image to

 Feed

Microsoft's Active Directory is said to be used by 95% of Fortune 500. As a result, it is a prime target for attackers as they look to gain access to credentials in the organization, as compromised credentials provide one of the easiest ways for hackers to access your data. A key authentication technology that underpins Microsoft Active Directory is Kerberos. Unfortunately, hackers use many

 Data loss

How to find your match on the Bumble dating app, convicted criminals make money out of cryptocurrency, and there are concerns about data in Afghanistan. All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by … Continue reading "Smashing Security podcast #241: Flipping dating apps, and crypto rewards for criminals"

 Guest blog

Hundreds of millions of people around the world use dating apps in their attempt to find that special someone, but they would be shocked to hear just how easy one security researcher found it to pinpoint a user's precise location with Bumble. Read more in my article on the Hot for Security blog.

 Feed only

Graham Cluley Security News is sponsored this week by the team at 1Password. Thanks to the great folks there for their support! The shift to remote and hybrid work has created an ecosystem of new vulnerabilities, putting your critical data at risk. With less oversight into security protocols and employee behaviors, it’s more important than … Continue reading "Build a culture of security and productivity in your business with 1Password"

Aggregator history: Thursday, September 02, 2021