Monthly Archives: October 2017

Pizza Hut Notifies Customers of Data Breach

American restaurant chain Pizza Hut has notified customers of a data breach that might have exposed some of their personal and financial information.

On October 14, the Italian-American cuisine franchise wrote to a portion of its customer base about an “unauthorized third party intrusion” involving its website. Pizza Hut thinks that the incident might have affected individuals who placed an order using the company’s website or mobile application during the 28-hour period stretching from the morning of October 1st to around midday on October 2nd.

If that’s the case, it’s possible the event exposed customers’ personal and financial information including their names, street addresses, email addresses, and payment card details.

The food chain goes on to say in its letter that it’s since terminated the instance of unauthorized access:

“Pizza Hut identified the security intrusion quickly and took immediate action to halt it. The security intrusion at issue impacted a small percentage of our customers and we estimate that less than one percent of the visits to our website over the course of the relevant week were affected. That said, we regret to say that we believe your information is among that impacted group.”

A portion of Pizza Hut’s letter sent to affected customers. (Source: Bleeping Computer)


A Pizza Hut call center operator confirmed that the intrusion is believed to have affected 60,000 customers, reports The Sacramento Bee.

Upon learning of the incident, more than a few of these consumers took to social media. Many vented their frustration about having learned of the data breach two weeks after it occurred.


Such a delay isn’t necessarily a bad thing, however. Pizza Hut could have waited to notify customers to prevent other hackers from learning of the data breach. It could also have decided to forestall disclosure until it knew exactly how many customers were involved and what kinds of information the incident might have compromised.

Anyone who has received a notice from Pizza Hut should watch their bank accounts and credit statements for suspicious activity. If any unauthorized transactions pop up, they should notify their card issuer immediately.

News of this incident follows several months after Arby’s Restaurant Group, Inc. confirmed a breach of its payment systems at its corporate restaurant locations.


via: tripwire



Cryptocurrency mining affects over 500 million people. And they have no idea it is happening.

This autumn the news spread that some websites had been making money by mining cryptocurrencies in their users’ browsers. AdGuard has been among the first to add protection from this hidden activity. AdGuard users now receive warnings if a website has been trying to mine, and the users are given the option to let it continue or to block the mining script from running.

AdGuard decided to research the issue further to understand its scale and impact. On the Alexa list of the top one hundred thousand websites, they looked for the code of CoinHive and JSEcoin, the most popular browser mining solutions in use now.

We found 220 sites that launch mining when a user opens their main page, with an aggregated audience of 500 million people. These people live all over the world; there are sites with users from the USA, China, South American and European countries, Russia, India, Iran… and the list goes on.
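The research above was a signature search over the main page of each site for the two miner families named. As an added illustration (not AdGuard's code), the following scanner checks fetched HTML for the CoinHive loader script and constructor and for a JSEcoin domain reference, then reports which sites in a constructed corpus would be counted as mining and what share of the corpus that is. The JSEcoin pattern and the sample corpus are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Signatures for the two miner families the research looked for. The CoinHive
# library URL and CoinHive.Anonymous/User constructors are the documented
# loader of that service; the JSEcoin entry is an assumed domain match.
MINER_SIGNATURES: Dict[str, List[Pattern]] = {
    "CoinHive": [
        re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I),
        re.compile(r"new\s+CoinHive\.(?:Anonymous|User)\s*\(", re.I),
    ],
    "JSEcoin": [
        re.compile(r"jsecoin\.com", re.I),
    ],
}


@dataclass(frozen=True)
class Finding:
    family: str
    evidence: str  # matched text, kept so an analyst can review the hit


def scan_html(html: str) -> List[Finding]:
    """Return one Finding per distinct signature hit in a page's markup."""
    findings: List[Finding] = []
    seen = set()
    for family, patterns in MINER_SIGNATURES.items():
        for pat in patterns:
            for m in pat.finditer(html):
                key = (family, m.group(0).lower())
                if key not in seen:
                    seen.add(key)
                    findings.append(Finding(family, m.group(0)))
    return findings


def mining_sites(corpus: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each site whose main page loads a miner to the families found."""
    result: Dict[str, List[str]] = {}
    for site, html in corpus.items():
        families = sorted({f.family for f in scan_html(html)})
        if families:
            result[site] = families
    return result


def prevalence_percent(corpus: Dict[str, str], hits: Dict[str, List[str]]) -> float:
    """Share of the corpus that launches mining, as the research reported it."""
    return round(100.0 * len(hits) / len(corpus), 2)


# Constructed sample corpus standing in for fetched main pages.
SAMPLE_CORPUS = {
    "clean.example": "<html><head><script src='/static/app.js'></script></head></html>",
    "stream.example": (
        "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
        "<script>var miner = new CoinHive.Anonymous('SITEKEY'); miner.start();</script>"
    ),
    "tracker.example": "<script src='https://load.jsecoin.com/load/0/0/0/0/'></script>",
    "news.example": "<html><body>no miner here</body></html>",
}

if __name__ == "__main__":
    hits = mining_sites(SAMPLE_CORPUS)
    for site, families in hits.items():
        print(f"{site}: {', '.join(families)}")
    print(f"{len(hits)} of {len(SAMPLE_CORPUS)} sites mine "
          f"({prevalence_percent(SAMPLE_CORPUS, hits)}%)")
```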

220 sites may not seem like a lot. But CoinHive was launched less than one month ago, on the 14th of September.

How much money have these websites made? We estimate their joint profit at over US $43,000. Again, right now it’s not millions, but this money has been made in three weeks at almost zero cost.

Examining the website list more closely, we discovered that many of them are from the “gray zone”, mostly pirate TV and video sites, Torrent trackers and porn websites. Judging from these characteristics, we begin to wonder if browser mining is a bad thing and if it should be banned from the Internet.

There may be a further explanation for the fact that browser mining is found mostly on websites with a shady reputation. These sites traditionally have trouble making money through advertising, so they are open to experiments and innovation. Porn sites have always been early adopters; a lot of new tech solutions were actually invented by porn site developers and later copied by other webmasters.

In fact, it was the largest torrent search engine, The Pirate Bay, that made CoinHive famous by being caught using it. But among the “early adopters” of CoinHive were the Web properties of CBS’s Showtime network, and CoinHive disappeared from the CBS sites shortly after media coverage of this activity began to break out. The assumption was made that the mining had been a private initiative of some adventurous Webmaster within the Showtime network.

The company’s video streaming platforms are the exact type of websites that are good for mining: They boast a huge audience that keeps their site open in their browsers for a long time.

The problem with in-browser mining is not that it’s a bad thing by itself. There are no good and bad tools and technologies, but there are good and bad ways to use them.

The ethical way for a website to earn money by mining on its audience’s computers is to ask the audience for permission first, and to allow them the possibility to opt out. Actually, such a practice could make mining even more ethical than ads. After all, nobody asks us if we would like to see ads on a website. Mining parasitizes the user’s CPU, whereas ads parasitize the user’s attention, emotions, bandwidth, and often their laptop or smartphone battery, and support an industry of personal data harvesting that is a big headache in and of itself.

The CoinHive team has issued a statement calling on website operators to inform their users about the mining operations and to ask for user permission to do this. However, we believe that it is very hard for them to force this recommendation into action; for example, they cannot forbid stealth mining.

But there are other ways to get miners to behave themselves. A popular CDN service called Cloudflare recently started to suspend accounts and deny service to sites that mine without user permission. A number of ad blockers and antivirus programs also added features that block browser mining.

AdGuard has also updated its apps to restrict mining. But they do not accomplish this by simply blocking it silently. Instead, they offer their users the choice to let a site mine, or to forbid it from launching mining in their browsers. With this approach, they achieve two goals at the same time: preventing hidden mining and exposing websites’ attempts to abuse the technology.

Cryptocurrency mining on websites honestly does promise great possibilities. But these could be lost if abusive practices continue.

Why exactly is it so promising? Experts presently say that only sites with really huge audiences can make even somewhat substantial money on mining. Is this then just a game for a few, who actually don’t need any new monetization tools, since a big audience pays off perfectly with ads?

We see several reasons to believe in a big future for mining on sites:

  1. Cryptocurrencies are growing rapidly; existing currencies grow in value and new ones appear. Mining will eventually become more profitable.
  2. Mining may not promise huge profits, but neither do ads. An audience of a website might be big, but not “expensive” from the marketing point of view.
  3. Any alternative to advertising is a good thing. Ads annoy, so more and more people use ad blockers and simply do not see ads. Ads, after all, abuse users’ device resources — the same thing mining is criticized for. But what do we have besides ads, if we want a non-ecommerce website to feed us or at least to feed itself? We know that ideas like paid subscriptions and donations are truly at the end of the list. Of course, there are vehicles like crowdfunding, investments, and IPOs, but to put it mildly, these sources of capital are not accessible for everyone.

This is why we propose not to relegate cryptocurrency mining to the dark side by blocking it. We should harness this young and vigorous beast for our own common good.

  • UPDATE 1: Initially, the article contained a mistake – 220 of 100k is 0.22%, not 2.2%.
  • UPDATE 2: CTO of the largest website detected, (60M monthly visitors) said that they had removed the CoinHive code.
  • Full infographics image is here.
  • Raw research data.
  • We used SimilarWeb to analyze web traffic for each site.


Check out How to block cryptocurrency mining in web browser with chrome extensions and other free ways.


via: adguard

Commit a crime? Your Fitbit, key fob or pacemaker could snitch on you.

Law enforcement entities are turning to Fitbits and similar internet-connected devices for information regarding criminal investigations.

The firefighter found Richard Dabate on the floor of his kitchen, where he had made a desperate 911 call minutes earlier, court records show. Bleeding and lashed to a chair with zip ties, the man moaned a chilling warning: “They’re still in the house.”

Smoke hung in the air, and a trail of blood led to a darkened basement, as Connecticut State Police swarmed the large home in the Hartford suburbs two days before Christmas in 2015.

Richard, 41, told authorities a masked intruder with a “Vin Diesel” voice killed his wife, Connie, in front of him and tortured him. Police combed the home and town of Ellington but found no suspect.

With no witnesses other than Richard Dabate, detectives turned to the vast array of data and sensors that increasingly surround us. An important bit of evidence came from an unlikely source: the Fitbit tracking Connie’s movements.

Others from the home’s smart alarm systems, Facebook, cellphones, email and a key fob allowed police to re-create a nearly minute-by-minute account of the morning that they said revealed Richard’s story was an elaborately staged fiction.

Undone by his data, Richard was charged with his wife’s murder. He has pleaded not guilty.

The case, which is in pretrial motions, is perhaps the best example to date of how Internet-connected, data-collecting smart devices such as fitness trackers, digital home assistants, thermostats, TVs and even pill bottles are beginning to transform criminal justice.

The ubiquitous devices can serve as a legion of witnesses, capturing our every move, biometrics and what we have ingested. They sometimes listen in or watch us in the privacy of our homes. And police are increasingly looking to the devices for clues.

The prospect has alarmed privacy advocates, who say too many consumers are unaware of the revealing information these devices are harvesting. They also point out there are few laws specifically crafted to guide how law enforcement officials collect smart-device data.

Andrew Ferguson, a University of the District of Columbia law professor, says we are entering an era of “sensorveillance” when we can expect one device or another to be monitoring us much of the time. The title of a law paper on the topic put the prospect this way: “Technology is Killing Our Opportunity to Lie.”

The business research company Gartner estimates 8.4 billion devices were connected to the internet in 2017, a 31 percent increase over the previous year. By 2020, the company estimates there will be roughly three smart devices for every person on the planet.

“Americans are just waking up to the fact that their smart devices are going to snitch on them,” Ferguson said. “And that they are going to reveal intimate details about their lives they did not intend law enforcement to have.”

– – –

The Dabates’ yellow Colonial was festively decorated with wreaths on the windows the morning of Dec. 23, 2015. Richard, Connie and their two boys, ages 6 and 9, bustled around getting ready for the day.

To many of their acquaintances, the family appeared to be an ordinary one in a quiet bedroom community. Richard was a network administrator, and Connie worked as a pharmaceutical sales representative.

Joann Knapp, a former neighbor of the Dabates, fondly recalls Connie popping over to her house to ask her out for walks while Knapp was having a difficult pregnancy. Knapp said Connie and Richard appeared to have a happy – even passionate – marriage.

“They couldn’t keep their eyes off each other,” Knapp said. “It was a look that you would want.”

But behind that public face, Connie’s killing would reveal a darkly tangled relationship and a major secret.

Richard and his attorney did not respond to requests for comment. Richard gave a detailed — but shifting — account of Connie’s killing to detectives over six hours on the day of the slaying. It is contained in his arrest warrant.

On the drive to work that morning, Richard said, he got an alert on his phone that the home’s alarm had been triggered. He said he shot an email to his boss and returned home, arriving there between 8:45 a.m. and 9 a.m.

Richard told police he heard a noise on the second floor and found a hulking intruder wearing camouflage and a mask inside the walk-in closet of the master bedroom. The intruder demanded his wallet at knifepoint.

Soon after, Connie returned home from an exercise class; Richard told investigators he yelled at her to run. Connie fled into the basement, and the intruder followed.

When Richard arrived on the lower level, he made his way through darkness, finding the man pointing a gun at Connie’s head. Richard said that the gun was his own and that Connie must have removed it from a safe to defend herself.

Richard said he charged but heard a deafening blast and fell. When he got up, Connie was slumped on the ground. Police would later determine the gunshot hit her in the back of her head.

The intruder disabled Richard and then zip-tied one of Richard’s arms and one of his legs to a folding chair, according to the account.

The intruder jabbed Richard with a box cutter. The man also started a fire in a cardboard box using a blow torch, which he then turned on Richard’s ankle.

Richard told investigators he saw an opening: He jammed the blow torch in the man’s face and singed it. The intruder ran out.

Richard said he crawled upstairs with the chair still attached, activated the panic alarm, called 911 and collapsed. The firefighter found him soon after.

– – –

The chaotic scene inside the Dabate home had all the hallmarks of a home invasion, but a few details would prompt investigators to take a closer look.

Dogs brought in to track the suspect could find no scent trails leaving the property and circled back to Richard, according to arrest records. Richard also aroused suspicion when detectives asked whether their probe would reveal any problems between him and Connie.

He took a deep breath and offered: “Yes and no.”

Richard told a bizarre story. He said that he had gotten a high school friend pregnant and that it was Connie’s idea. He said the three planned to co-parent the child, since his wife wanted another baby but could not have one for health reasons.

Later, Richard changed his story, saying that the pregnancy was unplanned and that he had a romantic relationship with the friend. Detectives found no evidence Connie knew of the pregnancy.

“This situation popped up like a frickin’ soap opera,” Richard told detectives.

The admission pointed toward a possible motive for Connie’s killing, but it would be the data detectives uncovered that would give them evidence to conclude his story was a lie.

Detectives had noticed Connie was wearing a Fitbit when they found her body.

They requested the device’s data, which showed she had walked 1,217 feet after returning home from the exercise class, far more than the 125 feet it would take her to go from the car in the garage to the basement in Richard’s telling of what happened.

The Fitbit also registered Connie moving roughly an hour after Richard said she was killed before 9:10 a.m. Facebook records also cast doubt on Richard’s timeline, showing Connie had posted as late as 9:46 a.m.

Detectives would also come to doubt that Richard left home that morning, after examining data from his home alarm system and his email account.

Records indicate he used a key fob to activate his home alarm from his basement at 8:50 a.m. and then disabled it at 8:59 a.m. from the same location.

Richard also told investigators he emailed his boss from the road after getting the alert about the alarm. But records from his Microsoft Outlook account showed he sent the email from the IP address associated with his home.

Combined, the data punched major holes in Richard’s story. Police obtained an arrest warrant for him in April.

The high school friend of Richard’s told authorities he had said he planned to serve divorce papers on Connie the week she was killed. Richard had texted her the night before Connie’s death: “I’ll see you tomorrow my little love nugget.”

– – –

The Dabate case is just one of a handful in which law enforcement officials have resorted to smart-device sleuthing.

In September 2016, an Ohio man told authorities he awoke to find his home ablaze, but police quickly suspected he set the fire himself. They filed a search warrant to get data from his pacemaker.

Authorities said his heart rate and cardiac rhythms indicated the man was awake at the time he claimed he was sleeping. He was charged with arson and insurance fraud.

Prosecutors in a 2015 Arkansas murder case sought recordings from the suspect’s Amazon Echo when a 47-year-old man was found floating in the suspect’s hot tub after a night of partying. Authorities thought the voice-activated assistant may have recorded valuable evidence of the crime. Amazon challenged the search warrant in court, saying that the request was overly broad and that government seizure of such data would chill customers’ First Amendment rights to free speech. But the challenge was eventually dropped because the suspect agreed to allow Amazon to turn over the information.

(Amazon chief executive Jeffrey Bezos is the owner of The Washington Post.)

Virginia State Police Special Agent Robert Brown III of the High Technology Division said the current trickle of such smart-device cases will probably soon become a flood.

“It will definitely be something in five or 10 years, in every case, we will look to see if this information is available,” Brown said.

Amazon and Fitbit said in statements that they won’t release customers’ data to authorities without a valid legal demand, but they declined to say how many such requests they have received from law enforcement.

“Respect for the privacy of our users drives our approach,” Fitbit said in its statement.

Ferguson, the law professor, said a case before the Supreme Court could be key in determining how exposed smart-device data is to searches by law enforcement.

In 2011, investigators in Detroit obtained months of cellphone location data on a suspect in a robbery investigation without a search warrant. Timothy Carpenter was later convicted, in part on this information gleaned from cellphone companies.

Carpenter is arguing in his appeal that such cellphone location data is so powerful it should be covered by the protections of the Fourth Amendment and that police should be required to get a search warrant to obtain it.

Courts have long held that people who voluntarily disclose information to a bank, cellphone company or other third party have no reasonable expectation of privacy. Ferguson said that since many smart devices transfer data to company servers, this third-party doctrine could apply to them, as well.

Ferguson said a ruling against Carpenter might clear the way for authorities to seek smart-device data stored on those servers without a warrant.

“In a world of truly ubiquitous connectivity where we are recording our heartbeat, our steps, our location if all of that data is now available to law enforcement without a warrant, that is a big change,” he said. “And that’s a big invasion of what most of us think our privacy should include.”


via: chicagotribune

Hyatt Hotels discovers card data breach at 41 properties

Hyatt Hotels Corp (H.N) said on Thursday it had discovered unauthorized access to payment card information at certain Hyatt-managed locations worldwide between March 18, 2017 and July 2, 2017.

Hyatt said the incident affected payment card information, such as cardholder name, card number, expiration date and internal verification code, from cards manually entered or swiped at the front desk of certain Hyatt-managed locations.

The owner of Andaz, Park Hyatt and Grand Hyatt chain of hotels said a total of 41 properties were affected in 11 countries, with China accounting for 18 properties, the most among impacted countries.

Seven Hyatt properties were affected at U.S. locations, including three in Hawaii, three in Puerto Rico and one in Guam.

The Chicago, Illinois-based company said its cyber security team discovered signs of the unauthorized access in July and launched an internal investigation, completed on Thursday, that resolved the issue and took steps to prevent this from happening in the future.

This is not the first time Hyatt has faced a data breach at its hotels.

In late 2015 Hyatt said its payment processing system had been infected with credit-card-stealing malware that affected 250 hotels in about 50 countries.


via: reuters

Microsoft’s mystery update arouses anger, suspicion among Windows 10 users

Microsoft’s update servers are pushing out a new Photos Add-on app, with no explanation of what it does. Windows 10 users aren’t taking it well.

Microsoft’s update servers began pushing out a mysterious new app recently, and the new arrival is stirring up suspicion and anger among some Windows 10 users.

The new app is called Photos Add-on, and its entry in the Windows Store offers few clues about what it is or does.


This mystery app has drawn caustic reviews from suspicious Windows 10 users.

On my test systems, the new app appeared as part of Windows updates delivered on October 10. Based on ratings and reviews in the Store, other Windows 10 users saw the update as early as October 1.

More than 70 percent of the early reviews have given the mystery add-on a 1 star rating, with reviewers adding comments like these:

  • Installed without permission
    I didn’t ask for this, I didn’t approve this, I didn’t even know you were planning on installing this. When will you get it that people don’t want YOU to decide what gets installed on MY computer. Stop it already.
  • Forced install
    Not cool, MS.
  • Don’t install without asking
    I have no idea what this even does. Why do I have it and why didn’t I have a choice?

So, what is the mystery app? The answer turns out to be relatively innocuous.

It is indeed an update for the built-in Photos app, included with every copy of Windows 10. Its official name is Photos.DLC.Main (DLC apparently stands for “downloadable content”), and it’s listed in Settings > Apps > Apps & Features. Find the Photos app, click Advanced Options, and look under the App Add-ons & Downloadable Content heading:


The Photos add-on can be uninstalled, although there’s no reason to do so.

As far as I can tell, this is the first public release of a feature that was announced 18 months ago, as part of a Windows 10 preview build delivered in April 2016:

You will also be able to manage app add-ons and downloadable content [in Settings] if the app supports this capability as discussed at Build 2016. While there are currently no apps that support add-ons or downloadable content in the Store, please stay tuned for availability of apps that do once they are released.

The add-on model is documented in this reference page for the Universal Windows Platform API. A source with knowledge of this add-on told me that it’s part of an architectural change that will allow Microsoft to deliver new functionality and content updates to the Photos app, including 3D effects, filters, and text.

It’s also yet another example of an unforced error on Microsoft’s part. Even a tiny amount of documentation in the listing for this add-on would have tamped down the suspicion. Instead, it’s fresh fuel for conspiracy theorists.


via: zdnet

Equifax website borked again, this time to redirect to fake Flash update

In May credit reporting service Equifax’s website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors’ computers with adware that was detected by only three of 65 antivirus providers.

Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp// that looked like this:


He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the influence of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.

Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit. He also provided the video below. It shows an Equifax page redirecting the browser to at least four domains before finally opening the Flash download at the same page.



The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Security shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes flagged the site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains,



It’s not yet clear precisely how the Flash download page got displayed. The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that’s responsible for the redirects. In that case, the breach, technically speaking, isn’t on the Equifax website. But even if that’s true, the net result is that the site is arguably compromised in some way, since administrators can’t control the pages visitors see when they’re trying to use key functions, some which require visitors to enter Social Security numbers.

Several hours after this post went live, an Ars reader e-mailed to say he recently encountered a sketchy ad when putting a temporary fraud alert on his Equifax file. The reader wrote:

When I clicked it (from Gmail on Android) I was redirected to a spam page shortly after seeing the Equifax credit file form. I thought maybe it was an anomaly because it didn’t happen again. But after reading your article about how sometimes hacks will redirect randomly I tried the link again just now and sure enough I got a spam page again (saying I won an iPhone X). This is Chrome-in-a-tab from Gmail so I don’t believe there’s any extensions or other malware on my device that could have caused this redirect.



In the hour this post was being reported and written, Abrams was unable to reproduce the redirects leading to the malicious download, but he said they returned early Thursday morning. Shortly after that, a section of the site was taken down. In an e-mail sent mid Thursday morning, an Equifax representative wrote:

We are aware of the situation identified on the website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.

Post updated at several times on the morning of 10/12/2017 Pacific time to discuss ad networks and add details of ad served on reader. The word “hacked” was removed from the headline to reflect the possibility the redirects are the result of a third-party malvertising campaign.


via: arstechnica

How Cybercriminals Change Tactics During Their Cyber Attacks

Here’s how online criminals use the surprise factor to spread malware.

Cyber attacks continue to rise and impact both organizations and home users worldwide. Despite all the efforts and prevention measures taken by everyone, these attacks keep wreaking havoc, with no signs of slowing down.

Why are these online threats still spreading? How do cyber criminals manage to change tactics during their attacks?

With these questions in mind, we will look into the threat landscape to see how malware authors have switched to more sophisticated attack vectors. They are now using more advanced and complex technology to find their next targets, infect various devices, and get access to users’ sensitive data.

Have you noticed that cyber criminals became ingenious during attacks and use a surprise factor?

This year, WannaCry was the largest global ransomware attack in Internet history.

Why was this cyber attack a success for cyber criminals? What was different from the rest of the attacks? It had a low detection rate. Attackers exploited a vulnerability in Windows that allowed the malware to move laterally within networks and infect hundreds of computers. They used a leaked NSA exploit called EternalBlue to spread the malware quickly and infect a large number of computers.

This is just one of the examples that we’ll discuss in this article, so you can understand how online criminals are changing their ways.

How cyber attacks have evolved in 2017

So far, 2017 has proved to be a productive year for cybercriminals, as we witnessed a large number of new cyber attacks hitting the malware market. From the massive WannaCry ransomware of “unprecedented level” to the (non)Petya outbreak, from the historic Equifax data breach to the recent CCleaner incident, they come in all shapes and sizes, are difficult to anticipate and cause a lot of damage.

It seems that this year cyber attacks are happening at a higher frequency than previous years, and still have a high impact rate. Everyone has been (and is) suffering from these large-scale attacks, whether they lose their valuable data or businesses are being disrupted. Everyone is vulnerable, but we can always learn to become more resilient to such attacks and take cyber security more seriously.

For example, the mid-year CheckPoint Research for 2017 found that most global regions have been hit by ransomware, already a mainstream and a widespread security threat.

Ransomware has grown significantly this year, with a big impact, causing data leakage and serious financial loss for both organizations and home users. It continues to dominate the threat landscape and affects important sectors such as hospitals, banks, universities, government, law firms and mobile users.

The financial consequences of cyber attacks are not improving either, as the global average cost of cybercrime continues to increase. A recent “Cost of CyberCrime” study conducted by the Ponemon Institute and jointly developed with Accenture has shown that the cost of cybercrime is now 23 percent higher than last year, costing organizations on average US$11.7 million.

Source: Accenture

Inside the mind of cybercriminals

You might wonder: what’s inside the mind of a cyber criminal? What motivates these bad guys to take malicious actions and steal other people’s sensitive information? Is it just money or are they looking to show off?


Often, technology is being used against us, not to our benefit as expected. This is done by skilled people who are tech-savvy and know how to operate efficiently. These days they can reach further than before, into our private lives, our homes or our offices. And most of the time, we can’t do anything about it.

Here’s how hackers approach an attack:

Source: MIT Sloan Management Review

Putting yourself in the shoes of cybercriminals gives you more insight into their behaviour and the way they think. They tend to be intelligent and creative individuals who enjoy taking risks, have a keen interest in computer science and are often labeled as geeks. Good social and communication skills are also required, as they might use them to manipulate victims or to better perform various critical actions. Sometimes they operate alone, sometimes they are organized in a group.

Cybercriminals now change tactics during attacks

As we live in an interconnected world, cyber attacks seem to have become a cliché in today’s society. Without any doubt, we are more and more addicted to our smart devices and the apps and software programs that are supposed to make our lives easier. While they are designed to help us communicate and interact better, they are vulnerable to online threats.

The vulnerability of our devices is linked to the fact that software isn’t 100% secure or perfect. It might have small flaws and fail at some point. Despite engineers’ efforts to cover all the technical aspects and to make software better, computers become easy targets for the bad guys. What matters is to build quality software.

“Having a world with less software is not an option. The software is actually doing stuff that is helping us. So this should not be an excuse for deploying vulnerable software, but an incentive to make software better,” said Walter Belgers in an interview for DefCamp.

As expected, in many cases, cyber criminals take advantage of the vulnerable software, exploit flaws and start spreading malware. But they aim to do this in ways that are difficult to anticipate and, consequently, challenging to stop.

Cyber attacks have been happening for years, as malicious hackers focus on stealing money, financial data or intellectual property, or simply on disrupting a company’s operations. What has changed is the modus operandi of cyber criminals. They’ve become more skilled and use new workarounds to help them avoid the usual security tactics employed by organizations worldwide. They seem to know which tactics (will) work.

The following examples are proof of the cyber criminals’ level of ingenuity.

1. Leveraging vulnerabilities that affect widely used types of software

During the massive WannaCry ransomware outbreak, cyber criminals used the EternalBlue method to spread the malware quickly and infect a large number of computers. The reason this particular malicious campaign became so extensive is that it exploited a vulnerability in Windows that allowed it to move laterally within networks and infect other computers.

It’s the same type of ransomware that hasn’t changed, but cybercriminals decided to use a different tactic: exploiting an unpatched vulnerability found in a piece of software used on a global scale. This ransomware outbreak was different because of its self-replicating abilities that enabled it to spread fast and affect many companies and public institutions worldwide.

2. Changing the type of malware delivered during the same cyber attack

Petya (Petya.A, Petya.D, or PetrWrap) was another ransomware outbreak similar to WannaCry that spread fast, but it changed the type of malware from ransomware to wiper. Unlike WannaCry, it used multiple attack vectors and dropped a malware cocktail meant to encrypt and then collect and exfiltrate as much confidential data as possible. The purpose of a wiper is to destroy and damage, while ransomware is mainly focused on making money.

Using a different type of malware during cyber attacks is another surprise factor from cyber criminals. Malware cocktails proved to have a high rate of success with the Cerber ransomware campaign where they injected malicious scripts to drive infection rates.

In other malicious campaigns, attackers used the GootKit and Godzilla info stealers to collect and steal victims’ financial information. These types of banking Trojans are part of a more complex malware cocktail that can include rootkits, worms or other malware that enslaves a computer to a botnet. Cyber criminals used these info stealers to compromise users of various online banking solutions.

This type of malware with a low detection rate was also used during the (non)Petya ransomware outbreak. Attackers decided to change the type of malware from ransomware to wiper, and they also dropped a malware cocktail to encrypt users’ files.

3. Changing ransomware extensions to delay strain detection

Not only are spam campaigns more frequent, but they’re also larger in scale and use new infection vectors. Locky ransomware made its appearance again and the most recent campaign used a new extension called .lukitus to encrypt files.

Locky stands out from the pack because of its frequent attacks, but other ransomware strains have applied the same tactic in past years as well.

Each time a new extension pops up, victims wonder how they can retrieve their data and it usually takes a few days, depending on the strain’s complexity, to figure out what the type of malware really is.

4. Using auto-updating elements to automate new payload delivery

Attackers also turned to auto-updating links in malicious emails, which is a fairly new tactic. This approach was different because “the file exploits a Microsoft Word feature that can make files automatically update links included in them as soon as they are opened”.

The same attack can thus be used to deliver multiple types of malware, depending on the attacker’s objectives.

We recommend keeping an eye on these malicious spam emails!

Source: Helpnet Security

5. The matrioshka social engineering attack

For the malware threat discovered via Facebook Messenger, cyber criminals used a slightly different form of social engineering.

The unusual factor comes from the various angles used in the same attack. Online criminals employed a malicious browser extension for Chrome and Firefox and a binary package that installed adware on users’ computers.

They tried to trick people into believing they were accessing a legitimate link from one of their Facebook friends, so that they would click on the malicious link. The message included a bit.ly link pointing to a video with the person’s name.

Although this approach to luring victims with malicious links in social media messages is not new, it still works to the dismay of many home users.

6. Spoofing gets more difficult to identify

Spoofing attacks have changed and become more difficult to spot. During an email spoofing attack, malicious hackers send a fake email that looks similar to the original. Cyber criminals aim to make victims believe they are receiving a genuine email from the real sender, and it is quite difficult for the untrained user to spot the suspicious elements.

During a new Locky spam campaign, cyber attackers used these tactics to spoof Dropbox; here’s what a misleading email looks like compared to the legitimate one:

As you can see, attackers are getting better and better at impersonating legitimate entities. With so many online accounts, it’s becoming increasingly difficult to identify spoofing or phishing, which leads to more users getting compromised.

Filtering these kinds of threats and educating users to identify them proactively is an uphill battle that will certainly continue in the coming years.

7. Proof of concept attacks targeting widespread vulnerabilities get scarier

Last month, researchers warned about a new attack vector, known as “BlueBorne”, that can potentially enable cyber attackers to spread malware through thin air and infect any device that includes Bluetooth wireless technology. This method of operation was different from two points of view: zero human interaction and no Internet connection. The result? More than 5.3 billion devices across Android, Windows, iOS and Linux were found vulnerable to BlueBorne!

These are proof-of-concept attacks, similar to the car hacking that happened a few years ago. We can anticipate that such attacks might become a reality, showing us how easily attackers can take advantage of vulnerabilities in software or hardware to compromise our devices.

Source: Google Play

8. Everyone’s data is (now) leaked

Data breaches have reached catastrophic proportions. The recent Equifax data breach has potentially impacted 145.5 million US consumers who might have had their sensitive personal information exposed. During this attack, cyber criminals took advantage of a security hole in the Apache Struts web application framework (CVE-2017-5638), the framework supporting the Equifax online dispute portal web application. Failing to install security updates can lead to massive business disruption and many other negative effects.

This only gives cyber criminals a massive amount of confidential information about potential victims that they won’t shy away from using in the next months.

9. Spambots on steroids

Emails are still an easy target for cyber criminals, and the recent (and biggest yet) data dump confirms it. Over 700 million email addresses (and passwords) were exposed online by a spambot operation, which sent out emails en masse to people in the hope they would be tricked into clicking on them.

This massive spam operation showed us how vulnerable our inboxes are, and why attackers can easily plan a spam campaign to spread malicious code and infect as many users as possible.


10. Sophisticated supply-chain attacks with deeper geopolitical implications

Supply-chain attacks that involve exploiting vulnerabilities in the supply network used by a specific organization are not new. But the way cyber criminals used the backdoor tactic and managed to infiltrate malware into two versions of CCleaner, the popular PC cleaner software application, is. Not only did they potentially impact millions of devices and their users, but they also affected IT infrastructure and led to severe business disruption.

But the story doesn’t end here: investigations are still under way, and the geopolitical implications of this attack seem to be widening.

At the recent Virus Bulletin 2017 conference, Jakub Kroustek and Jiri Bracek shared technical details on the attack and said there are more than three stages of this attack.

“This suggests it was very targeted and used only against a specific group of users,” Bracek said.

Protection guide against malware threats

In the context of the sophisticated nature of modern cybercriminals, both organizations and home users should acknowledge this threat and understand the importance of software patching. This is why we need to prioritize things by proactively changing our behaviors in a way that will enhance our security online.

Knowing that the online landscape isn’t safe anymore, securing our valuable data should be on top of everyone’s list of priorities.

Here are some useful ways to maximize your protection against these attacks:

  • Keep all your software up to date and install the latest updates as soon as possible. Having the system up to date and protected with multiple layers of security decreases the chances of being infected with malware.
  • Use unique and strong passwords with the help of a password manager program. It’s worth remembering not to use the same password for all your email and social accounts, as it then becomes easier to get hacked and every account will be vulnerable.
  • Secure your data and keep at least two backups of it: one on an external hard drive and another in a cloud system. Also, check that your backups are intact and can be restored if needed.
  • When cyber criminals launch a new attack, they use various tactics, and businesses with outdated infrastructure or software are the most vulnerable to such online threats. This is why it is essential for businesses to keep their infrastructure up to date and actively defend it by closing potential holes in their cyber security.
  • To enhance protection, it is recommended to use an antivirus program and a proactive cyber security software solution (together).
  • Users need to change their “it can’t happen to me” mindset and focus on educating themselves to stay safe online. Cyber security education is essential so that everyone has a minimum of cyber security knowledge, can easily discern the good from the bad, and is safer in the online landscape.

What can we learn from cyber criminals’ malicious actions so we can have the best defense against their criminal tactics? We have to keep on investigating what makes them tick and always have a proactive behavior and react to attacks in a timely manner.


via:  heimdalsecurity

Accenture left a huge trove of highly sensitive data on exposed servers

The four exposed servers had no password, but contained the “keys to the kingdom.”

Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

The servers, hosted on Amazon’s S3 storage service, contained hundreds of gigabytes of data for the company’s enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.

The data could be downloaded without a password by anyone who knew the servers’ web addresses.

Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.

According to Vickery, the four servers contained data that amounted to the “keys to the kingdom,” he told ZDNet on a call last week.

Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords — some of which were stored in plaintext.

Vickery said he also found Accenture’s master keys for its Amazon Web Service’s Key Management System (KMS), which if stolen could allow an attacker full control over the company’s encrypted data stored on Amazon’s servers.

Kenneth White, a security expert, said the exposure of master keys is as “bad as it gets for a cloud service provider.”

“Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised,” said White.

One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture’s access to Google’s Cloud Platform and Microsoft’s Azure, which could give an attacker further access to the company’s cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture’s internal corporate network.

According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database — the vast majority were stored in plaintext.

When ZDNet first reached out to Accenture, the company downplayed the exposure, saying the data was less than half a percent of its cloud service, and that “none of our client’s information was involved and there was no risk to any of our clients,” citing the company’s “multi-layered security model.”

When we challenged that assertion based on the information Vickery had seen, a spokesperson later said that an investigation was ongoing.

“We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system,” the spokesperson said.

Accenture isn’t the first company to be stung by this kind of data exposure. In recent months, a spate of high-profile companies, including phone companies and voter records analytics firms, have exposed sensitive data because they allowed their Amazon cloud servers to sit open and unsecured.

Vickery said that Accenture was likely using the Amazon servers to migrate data from development to production. While some of the data he found included test accounts, he said many of the credentials “would have led me to plenty of client data if I had been willing to take advantage of it.”

There was no way to know for sure as doing so would fall foul of US computer hacking laws, he said.

“But if I have credentials for their production environments, it’s pretty safe to say anyone using Accenture’s Cloud Platform was at great risk,” Vickery told ZDNet.

UpGuard’s Dan O’Sullivan, who blogged about the data discovery, said hackers could have done an “untold amount of financial damage” to Accenture and any of its cloud-using customers.

When we asked if anyone else had accessed the servers, the spokesperson said its logs showed access “by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about two weeks ago,” referring to Vickery.

We reached out to several companies whose credentials appeared in the data.

None of the companies would speak on the record prior to publication. But one company said when they contacted Accenture, the company told them it was “not aware” of any breach or exposure.

When asked, a spokesperson would not say if any Accenture customers had been informed of the data exposure.


via:  zdnet

Breached! 4th Major Business Entity Breached Within a Span of 30 Days

Forrester, one of the world’s leading market research companies, has confirmed a data breach of the infrastructure hosting its website.

Forrester helps customers make decisions on launching new products or services based on the existing and potential impact of technology.

After Equifax, Deloitte and Disqus, Forrester is the 4th business entity reported as breached within a span of 30 days.

The company said on Friday that the breach occurred last week and that it is still unknown who is behind it.

The hacker accessed the accounts using stolen valid user credentials. Using that access, the hackers stole research reports that were made available to customers.

Steven Peltzman, Forrester’s Chief Business Technology Officer, said that: “There is no evidence that confidential client data, financial information, or confidential employee data was accessed or exposed as part of the incident.”

The company said that no sensitive information was stolen, but the market research data of its customers could be very useful to economic-espionage hacker groups.

Based on the stolen data, hackers can find out which technologies its clients use and which products are ready to launch. Hackers can also sell this information in dark web marketplaces.

“We recognize that hackers will attack attractive targets — in this case, our research IP. We also understand there is a tradeoff between making it easy for our clients to access our research and security measures. We feel that we have taken a common-sense approach to those two priorities; however, we will continuously look at that balance to respond to changing cybersecurity risk,” said George F. Colony, Chairman and Chief Executive Officer of Forrester.

Forrester said that the investigation is still ongoing and that it has informed law enforcement authorities so they can take the necessary actions.


via:  securereading

VPN logs helped unmask alleged ‘net stalker, say feds

PureVPN assisted investigation of suspect.

Virtual private network provider PureVPN helped the FBI track down an Internet stalker, by combing its logs to reveal his IP address.

The Department of Justice announced on Friday the arrest of Ryan Lin, a 24-year-old from Newtown, Massachusetts, on charges that he cyber-stalked a former room-mate.

According to the complaint [PDF] against Lin in the Massachusetts District Court, his alleged campaign against Jennifer Smith included doxxing (including posting passwords to her online accounts), posting intimate photos with the suggestion they were of Smith (though without her face), rifling her personal journal and emailing private information to her contacts, posting fake profiles of her to sites “dedicated to prostitution, sexual fetishes, and other sexual encounters”, bomb threats, tricking a friend of Smith’s into calling the police to her house, death and rape threats, and sending “images that likely constitute child pornography” to her family and friends.

The Feds allege Lin used various privacy services: logging in via Tor, to conceal his IP address; VPN services; anonymized international texting services; and offshore private email providers.

However, the complaint revealed, he made a fundamental error by using a work computer for some of his campaign, and even though he’d been terminated and the OS reinstalled on the machine, there were footprints left behind for investigators to associate Lin with the 16-month campaign against Smith.

Key details turned up by investigators included:

  • Lin’s most-visited Website was the TextNow anonymous texting service;
  • Lin had a Proton Mail account;
  • There were “artefacts” indicating he used PureVPN; and
  • Similar artefacts suggesting he’d accessed his Gmail account from the machine.

“Further, records from PureVPN show that the same email accounts – Lin’s Gmail account and the teleprtfx Gmail account – were accessed from the same WANSecurity IP address,” the document stated.

And that’s where the surprise came in – at least for those who believed a VPN is a complete protection: “Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses,” claim the Feds (allegedly, those IP addresses were at Lin’s work and home addresses).

The investigators claim that tweets from Lin showed he was aware there was some risk of logging from VPN providers. As recently as June, he posted a tweet critical of provider IPVanish about its logging claims:

“There is no such thing as a VPN that doesn’t keep logs. If they can limit your connections or track bandwidth usage, they keep logs.”

If found guilty, Lin faces up to five years in prison and up to three years of supervised release.

PureVPN’s privacy policy states: “We will only share information with authorities having valid subpoenas, warrants [and] other legal documents…provided we have the record of any such activity.”


via:  theregister