A Look Into the Pricing of Stolen Identities For Sale on Dark Web

source:  securitymagazine.com

 

After a data breach, much of that stolen personal and sometimes highly personally identifiable information (PII) is sold on markets residing within the dark web. But, how much does the sale of stolen information work, exactly, and how much money are criminals making from stolen data?

Comparitech researchers analyzedlistings across 40+ dark web marketplaces gathering data on how much stolen identities, credit cards and hacked PayPal accounts are worth to cybercriminals. 

Here are some key findings:

  1. Americans have the cheapest “fullz” (full credentials e.g. SSN, name, DOB etc), averaging $8 per record. Japan and the UAE have the most expensive identities at an average of $25. Not all fullz are the same. While SSN, name, and DOB are all fairly standard in fullz, other information can be included or excluded and thereby change the price. Fullz that come with a driver’s license number, bank account statement, or utility bill will be worth more than those without, for example. Some fullz even include photos or scans of identification cards, such as a passport or driver’s license.
  2. Prices for stolen credit cards range widely from $0.11 to $986. Hacked PayPal accounts range from $5 to $1,767.
  3. The median credit limit on a stolen credit card is 24 times the price of the card.
  4. The median account balance of a hacked PayPal account is 32 times the price on the dark web.

Credit cards, Paypal accounts, and fullz are the most popular types of stolen information traded on the dark web, but they’re far from the only data worth stealing, says Comparitech. Other types of stolen information usually for sale are: passports, driver’s licenses, frequent flyer miles, streaming accounts, dating profiles, social media accounts, bank accounts, and debit cards.

This data – most often stolen through phishing, credential stuffing, data breaches, and card skimmers – is bought and sold on dark web marketplaces. Here’s a few tips for avoiding those attacks, from Comparitech researchers: 

  • There’s not much an end user can do about data breaches except to register fewer accounts and minimize your digital footprint.
  • Keep an eye out for card skimmers at points of sale, particularly unmanned ones such as those at gas stations.
  • Learn how to spot and avoid phishing emails and other messages.
  • Credential stuffing can be avoided by using strong, unique passwords on all of your accounts.

For the full blog, please visit https://www.comparitech.com/blog/vpn-privacy/dark-web-prices/

SolarWinds hack: Amid Hardened Security, Attackers Seek Softer Targets

image - hacking

source: scmagazine.com

 

Reported theories by SolarWinds hack investigators that federal agencies and private companies were too busy focusing on election security to recognize vulnerabilities tied to the software supply chain are unfair and misleading, say cybersecurity experts that used to work in government.

And yet, those same experts acknowledge that such accusations offer an important cybersecurity lesson for businesses: organizations must ensure that their entire attack surface receives attention.

“There are a range of potential adversaries working against admins – nation states, hackers, criminal competitors – all with varying degrees of skill,” said John Caruthers, business information security officer at Evotek and a former supervisory special agent at the FBI. “Without addressing all components, the bad guys will find your network’s Achilles heel.”

Criticism unfair and unfounded?

The premise that election security efforts diverted attention and funding away from other federal cyber initiatives – thereby helping the SolarWinds attack go unnoticed as thousands of corporations and government agencie were compromised – was brought up last weekend in a New York Times article that cited comments from unnamed investigators.

Continue reading “SolarWinds hack: Amid Hardened Security, Attackers Seek Softer Targets”

image - hacking

Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack

source:  nytimes.com

The broad Russian espionage attack on the U.S. government and private companies, underway since spring and detected only a few weeks ago, is among the greatest intelligence failures of modern times.

 

WASHINGTON — Over the past few years, the United States government has spent tens of billions of dollars on cyberoffensive abilities, building a giant war room at Fort Meade, Md., for United States Cyber Command, while installing defensive sensors all around the country — a system named Einstein to give it an air of genius — to deter the nation’s enemies from picking its networks clean, again.

It now is clear that the broad Russian espionage attack on the United States government and private companies, underway since spring and detected by the private sector only a few weeks ago, ranks among the greatest intelligence failures of modern times.

Einstein missed it — because the Russian hackers brilliantly designed their attack to avoid setting it off. The National Security Agency and the Department of Homeland Security were looking elsewhere, understandably focused on protecting the 2020 election.

The new American strategy of “defend forward” — essentially, putting American “beacons” into the networks of its adversaries that would warn of oncoming attacks and provide a platform for counterstrikes — provided little to no deterrence for the Russians, who have upped their game significantly since the 1990s, when they launched an attack on the Defense Department called Moonlight Maze.

Something else has not changed, either: an allergy inside the United States government to coming clean on what happened.

Continue reading “Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack”

Quickbooks Logo

Quickbooks Logo

Quickbooks Logo

 

At quick glance, ‘expertly framed’ Quickbooks phishing email looks legit

source: scmagazine.com

Attackers impersonating Quickbooks on the Microsoft 365 platform create a sense of urgency to compel their victims to “promptly” pay fake invoices allegedly from a legitimate vendor, thereby opening them up to a future malicious act.

Such phishing attacks are growing increasingly common, according to blog post from researchers at Abnormal Security who have observed 900 “attacks in the mailboxes of over 20 different customers,” with the expectation that the rate will continue to tick upward as users flock to Quickbooks online services.

These latest attacks use spoofing to bypass traditional mail filters and gain legitimacy, sending emails that seem to originate from quickbooks@notification.intuit.com. The bad actors then prompt recipients to click on “Review and Pay,” which redirects them to http://parkburgerkuwait.com/loss[dot]php.

The attack is effective in part because the email is received on the same day the invoice is due, prompting the recipient to possibly act in haste without close scrutiny of the details. Among the red flags that may go overlooked: The suspicious landing page link or the headers that “reveal that the true sender domain is ‘airtelbroadband.in,’ which fails authentication,” said Abnormal researchers.

The bad actors have put considerable effort into creating a convincing email that Abnormal said, “is expertly framed,” using Inuit Quickbooks logos and links.

“Additionally, the email states at the bottom to check with the business owner before paying to avoid fraud, giving the recipient a false sense of security as it seems counterintuitive for an attacker to warn their target about their potentially malicious email,” the researchers said.

Though it’s unknown who the hackers were, early signs point to a group with the possible backing of a nation state.

source:  fastcompany.com

As if the world needed another challenge in 2020, hackers have been found to be targeting the cold supply chain for the COVID-19 vaccine, reports The Financial Times. The cold supply chain is critical in the deployment of the vaccine, which takes highly specialized equipment to keep vaccine doses at chillingly low temperatures so they can still be effective when administered to an individual.

The Pfizer vaccine needs to be store at at least -94ºF (-70ºC) and the Moderna vaccine needs to remain at -4ºF (-20ºC) to stay viable. If the systems that operate that supply chain—including the ones responsible for keeping the freezers online—are disrupted, the doses of the vaccine could become ineffective before they are administered.

The hacking attempts on the cold storage supply chain were first uncovered by IBM’s threat intelligence task force and targeted a cold chain platform operated by the Gavi vaccine alliance. The attack involved a phishing attempt to obtain login details for the cold supply chain systems. Currently, it’s unknown if the attackers were trying to steal trade secrets related to the cold supply chain—or if they were attempting to disrupt the supply chain itself.

Though it’s unknown who the hackers were, early signs point to a group with the possible backing of a nation state. Claire Zaboeva, a senior strategic cyber-threat analyst at IBM, said the attack “was an extremely well-researched and well-placed campaign. And that does potentially point to a very competent person or team.” As of now, it’s also unknown if the hackers succeeded in gaining access to the cold storage supply chain network.

 

COVID

“it’s also unknown if the hackers succeeded in gaining access”

 

 

 

 

source:  cyware.com

25 Vulnerabilities Chinese APT Groups Are Chasing Right Now

 

Cybercriminals are consistently scanning and exploiting publicly available security bugs. Recently, the National Security Agency (NSA) has published a 

report , detailing the top 25 vulnerabilities exploited by hackers, urging organizations in the U.S. public and private sectors to prioritize for action.

The top 25 vulnerabilities

According to the report, Chinese state-sponsored hackers were seen abusing these vulnerabilities to launch strategic hacking operations against a multitude of victim networks.
  • Most of these vulnerabilities belong to products related to remote access or external web services. Such products, accessible via the internet, are often exploited to gain initial access inside the victim’s network.
  • Exploits in the enterprise products including gateways (including Citrix ADC and Gateway, Symantec Messaging Gateway), VPN (Pulse Secure VPN), load balancers (F5 BIG-IP), etc. could provide direct remote access to the attackers.
  • Several vulnerabilities in the list target Windows OS and its services, such as Remote Desktop Services (Blukeep vulnerability), Netlogon (Zerologon), DNS server (SigRed), etc.
  • Additional products include business applications such as email servers (such as Microsoft Exchange, Exim mail), and application servers (such as Oracle WebLogic, Zoho ManageEngine, Adobe ColdFusion), that are being targeted by Chinese hackers.

Recent exploitation of these flaws

Not only Chinese hackers but several other low-level malware groups, ransomware gangs, and other state-sponsored hackers (including Russia, and Iran) were seen exploiting the above-mentioned vulnerabilities.
  • Threats actors such as TA505MuddyWater, and Ryuk were seen abusing the ZeroLogon vulnerability (CVE-2020-1472) to target public and private sector organizations.
  • Hackers were seen combining VPN (CVE-2019-11510) and Windows bugs to gain access to government networks, for which CISA and the FBI had issued prior warnings.
  • F5 BIG-IP (CVE-2020-5902), and Pulse Secure VPN servers (CVE-2019-11510) were also recently targeted by hackers.
  • In September, Iranian hacking group Pioneer Kitten was seen taking advantage of several unpatched vulnerabilities (CVE-2020-5902, CVE-2019-11510, and CVE-2019-19781) to target U.S. businesses and federal agencies.

The bottom line

The exploitation of such vulnerabilities could lead to the compromise of sensitive information related to a country’s policies, strategies, plans, and competitive advantage. Fortunately, all the vulnerabilities listed by researchers have patches available from their vendors. Thus, users are recommended to patch these and all other known vulnerabilities to avoid any undue risks to their infrastructure.

 

 

 

facebook logo

Facebook Details Malware Campaign Targeting Its Ad Platform

source: securityweek.com

Facebook on Thursday released a detailed technical report on a malware campaign that targeted its ad platform for years.

Referred to as SilentFade (Silently running Facebook ADs with Exploits), the malware was identified in late 2018 and the vulnerability it was exploiting to stay undetected was patched soon after. Facebook took legal action against the malware operators in December 2019.

The malware exploited a server-side flaw to persistently suppress notifications and ensure that the infected users would not be made aware of suspicious activity related to their accounts. This allowed SilentFade to abuse the compromised accounts and run malicious ads without the victims noticing anything.

Although the malware was first detected in the final week of 2018, the cyber-crime group behind it is believed to have been operating since 2016, constantly adapting to new Facebook features and likely expanding to other social platforms and web services as well.

Continue reading “Facebook Details Malware Campaign Targeting Its Ad Platform”

Report details how North Korean and Russian cybercriminals are cooperating

source:  scmagazine.com

Several companies, media outlets and the U.S. government have accused North Korean state-sponsored hackers of purchasing access to pre-hacked servers from criminal groups. But the connections to specific criminal groups have been a little more tenuous.

Now a new meta-analysis of previous reports from Intel 471 establish a likely connection to TrickBot.

TrickBot, as well as Dridex and TA505, are groupings of attacks linked to different Russian-speaking cybercriminals who sell access to victims’ machines in criminal forums. The North Korean Lazarus Group, which supplements an economy ravaged by sanctions with cybercrime, is known to use a variety of vectors to find initial access.

“I was skeptical about any North Korea / Russian criminal group links before writing this,” said Intel 471 chief executive Mark Arena, who wrote the report. “When open-source reporting is based on one or two instances of TrickBot and Lazarus in the same server, it’s possible that they were two separate attacks.”

Arena read through the various reporting on the overlap between criminal groups and Lazarus, contacted the researchers for information not contained in the reports and solicited additional information from other researchers.

What he found was a very clear chain in the reports showing TrickBot infections leading to malware only used infrequently in Lazarus-type attacks, which appears to be developed by Lazarus using the group’s fairly distinctive code.

Public reporting was less sufficient. A purported connection to Dridex appeared to be a researcher conflating different criminal groups. And when Arena contacted a BAE researcher who had given a presentation proposing a connection between TA505 and Lazarus, that researcher said the presentation was only meant to be taken as a theory. However, in speaking with practitioners who hadn’t made their work public, other people had independent suspicions of a link between the two that no longer appears to be active.

Arena told SC Media that knowing there is a connection between different actors gives defenders a chance to investigate a potential second problem when the first one is found. He added that if North Korea is likely to purchase access from one actor, it is likely to be willing to purchase from others. The choice of vendors shouldn’t be seen as set in stone.

““I was skeptical about any North Korea / Russian criminal group links before writing this…”  –Mark Arena,

source:  proofpoint.com

Twitter is a vital media and marketing platform with a massive audience base. With 330 millionmonthlyactive usersrecorded in 2019, it’s one of the biggest social media platforms and makes a significant contribution to brand visibility and growth. So, what happens when Twitter gets hacked?

On 15 July, attackers compromised several high-profile accounts, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple. The hijacked accounts, which have tens of millions of followers, sent a series of tweets proposing a classic bitcoin scam: “If you transfer cryptocurrency to a specific bitcoin wallet, they will receive double the money in return”. Approximately $180,000 was sent to those bitcoin wallets and, needless to say, no money was paid back. This scam demonstrates that having software security and crisis management plans in place is a “must-have” not a “should have”—now more than ever.  

So how did the attackers gain access? According to Twitter, they used a spear phishing attack to target Twitter employees by phone. After stealing employee credentials and getting into Twitter’s systems, attackers could target other employees who had access to account support tools.  Spear phishing is a more targeted version of phishing, an impersonation scam that uses email or other electronic communications to deceive recipients into handing over sensitive information.

This kind of attack reveals how imperative it is for organizations to implement people-centric cybersecurity framework. Attackers do not view the world in terms of a network diagram—they target human vulnerabilities across channels. The best way to combat attacks like these is to implement a complete social media security solution that scans all social networks and reports fraudulent activity. 

Continue reading “What the Latest Twitter Hack Can Teach Us About Social Media Security and Compliance”

source: bbc.com

A few days after the coronavirus lockdown began, Ciaran Martin’s phone pinged with a text message – the government was warning him he had left home three times and had to pay a fine.
As the official in charge of defending the UK against cyber-threats, he knew enough to spot a scam.
But it was also a sign he was unlikely to have a quiet end to his time as the first head of the National Cyber Security Centre (NCSC).
Speaking in his last few days in office, he says recent events have been an “unexpected vindication” of the decision to spin out part of the intelligence agency GCHQ so classified intelligence could be better shared to protect the UK.
Pandemic protection
Cyber-criminals were quick to exploit Covid-19, using it to persuade people to click on links or buy fake goods.
And that placed new demand on systems built to automate cyber-defences and spot spoof messages.
At the same time, the NCSC had to help government and public-sector organisations deal with the sudden increased dependence on technology, whether in the cabinet meeting over video link or the government sending out genuine text messages to the entire public.
But it was not just cyber-crime groups who were on the move.
Foreign spies also began to go after new targets.
And protecting universities and researchers seeking a coronavirus vaccine became an urgent new priority.
“Many of the people involved never thought they’d be in a case where they’d be talking to part of an intelligence service about resisting major nation state threats against their work,” Mr Martin says.
In July, the UK, along with the US and Canada, accused Russian intelligence of trying to steal research.
The accusation – known as an “attribution” – came because the NCSC could draw on GCHQ’s long history monitoring Russian hackers.
“We have built up significant knowledge of some of the major attack groups from the major nation states, including Russia, over more than two decades,” Mr Martin says.
“For a lot of the things that we were seeing in the high end of vaccine protection, it was detected by us because it was the more sophisticated end, where the attacker is trying harder not to get caught.”