Industry Intel

It’ll cost you a buck. Just like everyone else’s. The use of a Social Security Number (SSN) as unique identifiers has long been a contentious subject. SSNs were never intended to be used for identification, and their ubiquitous abuse for identification and authentication has lead me to call them “Social Insecurity Numbers,” or SINs.

There was a time when my response to a breach that leaked SSNs was “the horror, the horror.” Now my cynical reaction is “big deal, they stole my public information… again.” Yes, I know it’s improper for a security expert to feel this way, but an improper response is sometimes still the correct response. 

Let me walk you through both sides of the issue: the horror and the dispassion.

The Horror

When aliens visit our lifeless planet in 2525, they will run DNA tests on our remains and they will catalog or index us by our SINs. That’s one of the things that makes the theft of SSNs worrisome. SSNs do not expire. A person may expire, their SSN does not. Social security numbers are not reused. They just stop being used. Funds may be paid to surviving spouses and children, but after that the SSNs are a permanent entry in a database.

Let’s put this into perspective. Of all of the credit cards issued between 1946 and 2012, virtually none are valid. Of all of the compromised credit cards issued between 2012 and 2018, very few remain valid. Sometimes the cards are replaced before they’re fraudulently used, and other times fraudulent use results in the cancellation of the cards. In either case, the cards are simply replaced with new account numbers. 

Compare this to SSNs. Of all of the SSNs issued since 1934, well… Have you ever see an expiration date on a Social Security card? You can change your credit card number. You can change bank. You can change your career, your doctor, your vet, your clothes, or your mind. But unless you enter the United States Federal Witness Protection Program, your SSN isn’t changing. (Actually, that’s a bit overstated. Under certain circumstances you can get a new SSN, but your SSN simply being compromised does not qualify you to change SSNs.)

According to a study published by Javelin, more social security numbers were involved in breaches in 2017 than credit cards. Think about that for a moment. Do you know anyone who has had a fraudulent purchase made on their credit card? Here’s where the problem becomes insidious. Credit card fraud is loud. You can hear it coming. I have alerts set up on my bank accounts so that I know each time a charge is made. I am alerted through text and email. One fraudulent charge and I know. I can act. 

But SSNs are quiet. Multiple applications for credit cards can be made simultaneously, but you’re not likely to find out very quickly. Pair this with a compromised email account, and you could be in big trouble. For me, it’s of serious concern.

The Dispassion

Why don’t I worry about my SSN being leaked? Because it’s already been leaked multiple times in multiple breaches. 

How do I know that? 

I don’t, I just assume it has been. Why? Because my SSN has been vulnerable to theft for decades, and there are so many compromised SSNs stocking the dark web that they’re a cheap commodity. You might even expect to encounter a “buy five credit card numbers get two SSNs free” deal, or to see them sold by the dozen, like Kleenex at Costo.  

According to Brian Stack, the Vice President of Dark Web Intelligence at Experian, Social Security numbers sell for only $1 on the dark web. In the massive Marriot breach, it wasn’t my SSN I was worried about, it was my loyalty program information. My loyalty program information is worth 20 times more than my SSN on the dark web. Loyalty program points can be used to buy travel or merchandise in airline shopping malls.

For several years, “assume the breach” has been the mindset of many security professionals, meaning that we should assume a company will be breached, or already has been breached, and we should be clear-eyed about it. It is a call to action. Put mitigations and remediation processes in place. Have an action plan. 

For the public, and I cannot emphasize this enough, this means you should assume it was your data that was compromised in the breach, and put a remediation plan in place. If the businesses holding your data assumes your data is toast, then you should too.

What You Can Do

So, if we’re adopting the fatalist position on SSN theft, but still want to protect ourselves, what’s a person to do?

• Credit freezes and fraud alerts. Both are good proactive defenses. The Federal Trade Commission (FTC) is a good place to start if you don’t know how. For information about credit freezes, check here. For information about fraud alerts and extended fraud alerts, take a look here and here.
• Use two-factor authentication. Gmail, Facebook, Twitter, and other sites offer two-factor authentication. Typically, this means you’ll need to respond to a text or email in order to log into your account. This makes it harder for the bad guys to hijack it. Not impossible, but significantly more difficult.
• Take advantage of alerts offered by financial institutions. If someone tries to log into my bank account or make a charge on my credit or debit card, I will know it immediately. 
• Be Prepared for Identity Theft. Once again, the FTC consumer information page on identity theft is a great resource for consumers, security evangelists, and businesses alike on how to build a strong defensive posture.

Identity theft is real, it can be devastating, and you need to be prepared for it. But reports of breaches that include SSNs tell me what I already know; my SSN is in the hands of cybercriminals. It has been for years.

So no, I’m not going to tell you my SSN. You’ll have to pay your dollar for it, just like everyone else.

This is the first of a three-part report on the state of three malware categories: miners, ransomware and information stealers.

In Webroot’s 2018 mid-term threat report, we outlined how cryptomining, and particularly cryptojacking, had become popular criminal tactics over the first six months of last year. This relatively novel method of cybercrime gained favour for being less resource-intensive and overtly criminal when compared to tactics involving ransomware. But mining cases and instances of mining malware seem to have dropped off significantly in the six months since this report, both anecdotally and in terms of calls to our support queue. 

The crytpo world has gone through significant turmoil in this time, so it’s possible the reduced use of malicious cryptojacking scripts is the result of tanking cryptocurrency values. It’s also possible users are benefitting from heightened awareness of the threat and taking measures to prevent their use, such as browser extensions purpose-built to stop these scripts from running. 

Setting aside the question of why for a moment, let’s take a look at some stats illustrating that decline during that time period.

Cryptojacking URLs seen by Webroot over six months beginning 1 July through 31 December, 2018, Webroot SecureAnywhere client data. 

New miner malware seen by Webroot 

Data from six months beginning 12 July through 9 Jan, 2019, Webroot data, units logarithmic.

Monero mining profitability ($)

Data covering six months from 12 July – 9 Jan, 2019, Bit Info Charts, units logarithmic

Monero price ($)

Data covering six months from 12 July through 9 Jan, 2019, World Coin Index

Interpreting the data

None of the graphs are identical, but without too much statistical comparison, I think a broad trend can be seen: malicious mining is on the decline alongside a general decline in coin value and coin mining profitability. 

Profitability affecting criminal tactics is of course not surprising. The flexibility of exploit kits and modern malware campaigns like Emotet mean that cybercriminals can change tactics and payloads quickly when they feel their malware isn’t netting as much as it should.

Thanks to the dark web, criminal code has never been easier to buy or rent than in recent years, and cryptocurrencies themselves make it easy to swap infection tactics while keeping the cash flowing. Buying or renting malicious code and malware delivery services online is easy, so the next time the threat landscape changes, expect criminals to quickly change with it. 

Should I still care about miners?

Yes, absolutely. 

Cryptocurrency, cryptomining, and malicious cryptomining aren’t disappearing. Even with this dip, 2018 was definitely a year of overall cryptocrime growth. Our advanced malware removals teams often spot miner malware on machines infected by other malware, and it can be an indication of security holes in need of patching. And any illegal mining is still capable of constantly driving up power bills and frustrating users.

Where are cybercriminals focused now?

Information theftis the current criminal undertaking of choice, a scary development with potentially long-lasting consequences for its victims that are sometimes unpredictable even to thieves. The theft, trade, and use for extortion of personal data will be the focus of our next report.

What can I do?

Cryptojacking may only be on the decline because defences against them have improved. To up your chances of turning aside this particular threat, consider doing the following:

• Update everything. Even routers can be affected by cryptojacking, so patch/update everything you can.
• Is your browser using up lots of processor? Even after a reset/reinstall? This could be a sign of cryptojacking.
• Are you seeing weird spikes in your processor? You may want to scan for miner infections.
• Don’t ignore repeated miner detections. Get onto your antivirus’ support team for assistance. This could be only the tip of the iceberg.
• Secure your RDP.

What can Webroot do?

Webroot SecureAnywhere®antivirus products detect and remove miner infections, and the web threat shield blocks malicious cryptojacking sites from springing their code on home office users. For businesses, however, the single best way to stop cryptojacking, is with DNS-level protection. DNS is particularly good at blocking cryptojacking services, no matter how many sites they try to hide behind.

Persistent mining detections might point to other security issues, such as out-of-date software or advanced persistence methods, that will need extra work to fix. Webroot’s support is quick and easy to reach.

In the end, cryptomining and cryptojacking aren’t making the same stir in the cybersecurity community they were some months ago. But they’ve far from disappeared. More users than ever are aware of the threat they pose, and developers are reacting. Fluctuations in cryptocurrency value have perhaps aided the decline, but as long as these currencies have any value cryprojackers will be worth the limited effort they require from criminals.

Watch for the use of cryptominers to be closely related to the value of various cryptocurrencies and remain on the lookout for suspicious or inexplicable CPU usage, as these may be signs that you’re being targeted by these threats. 

And of course, stay tuned to the Webroot blog for information on the latest threat trends.

Amazon User Receives Thousands of Alexa-Recorded Messages

Upon requesting all his user data from Amazon, one user promptly received over 1,700 recorded messages from an Alexa device. Unfortunately, the individual didn’t own such a device. The messages were from a device belonging to complete stranger, and some of them could have easily been used to find the identity of the recorded person. While Amazon did offer the victim a free Prime membership, it’s cold comfort, as these devices are constantly recording and uploading everyday details about millions of users. 

San Diego School District Hacked

In a recent phishing scheme, hackers successfully gained the trust of a San Diego Unified School Districtemployee and obtained credentials to a system that contained student, parent, and staff data from the past decade. The database mostly consisted of personal data for over half a million individuals, but also included student course schedules and even payroll information for the District’s staff. 

Data Breach Affects Hundreds of Coffee Shops

Attackers were able to access payment data for 265 Caribou Coffee shopsacross the United States. The breach could affect any customers who made purchases between the end of August 2018 and the first week of December. The company recommends that any customers who may have visited any of their locations across 11 states engage a credit monitoring service to help avoid possible fraud.

FBI Shuts Down DDoS-for-Hire Sites

At least 15 DDoS-for-Hire siteshave been taken down in a recent sweep by the U.S. Justice Department, and three site operators are currently awaiting charges. Some of the sites had been operating for more than 4 years and were responsible for over 200,000 DDoS attacks across the globe. This is the second in a series of government-led cyberattack shutdowns over the last year. 

Email Scam Offers Brand New BMW for Personal Info

A new email scam is informing victims that they’ve just won a 2018 BMW M240iand over $1 million dollars, which they can easily claim if they provide their name and contact information. Victims who provide their contact details are then contacted directly and asked to give additional information, such as their social security number and credit or bank card details. If you receive this email or one like it, we recommend you delete it immediately, without opening it. 

Facebook API Bug Reveals Photos from 6.8 Million Users

Facebook announced this week that an API bug had been found that allowed third-party apps to access all user photos, rather than only those posted to their timeline. The vulnerability was only available for 12 days in mid-September, but could still impact up to 6.8 million users who had granted apps access to their photos in that time.

Children’s Charity Falls Victim to Email Scam

Over $1 million was recently diverted from a children’s charity organization after hackers were able to gain access to an internal email account and begin creating false documents and invoices. Due to a lack of additional authentication measures, the funds were promptly transferred to a Japanese bank account, though insurance was able to compensate for most of the loss after the scam was finally discovered.

Email Extortion Scams Now Include Hitmen

The latest in a series of email extortion campaigns promises its victims will be executed by a hitman if a Bitcoin ransom of $4,000 isn’t paid within 38 hours. Given such poorly executed scare tactics, it comes as no surprise that the payment account has still not received any funds after several days. Hopefully, as the threats of violence leads to victims contacting law enforcement rather than paying the scammers, these types of scams will become more rare.

Hackers Force Printers to Spam PewDiePie Message

Nearly 50,000 printers around the world have been spamming out a message suggesting subscribing to PewDiePie on YouTube and recommending the recipient improve their printer security. The group behind the spam has stated they want to raise awareness of the real threat of unsecured devices connected to the internet and how they can be used maliciously. In addition to sending print-outs, attackers could also steal data being printed or modify documents while they are being printed.

Cybersecurity Audit Shows Major Vulnerabilities in U.S. Missile Systems

A recent report showed that U.S. ballistic missile defense systems have consistently failed security audits for the past five years. Some of the major flaws included a lack of encryption for data stored on removable devices, patches reported in previous years that remained untouched, and the regular use of single-factor authentication for entire facilities. Physical security issues that could leave highly-sensitive data exposed to anyone willing to simply try to access it were also detailed in the report.

Touch ID Used to Scam Apple Users

Two apps were recently removed from the Apple App Store after several users reported being charged large sums of money after installing the app and scanning their fingerprint. Both apps were fitness-related and had users scan their fingerprint immediately so they could monitor calories or track fitness progress. But the apps launched a payment confirmation pop-up with the user’s finger still on the device to charge any card on file for the account. Luckily, the apps were only available for a brief period before being removed and refunds issued.

Signet Jewelers Expose Customer Order Data

Signet Jewelers, the parent company for Kay and Jared jewelers, was informed last month by an independent researcher of a critical flaw in their online sites. By simply altering the hyperlink for an order confirmation email, the researcher was able to view another individual’s order, including personal payment and shipping information. While Signet resolved the issue for future orders, it took additional weeks to remedy the flaw for past orders.

WeChat Ransomware Hits over 100k Chinese Computers

In the five days since December began, a new ransomware variant dubbed WeChat Ransom has been spreading quickly across China. With over 100,000 computers currently infected and thousands more succumbing each day, WeChat has made a significant mark. Though it demands a ransom of only roughly $16 USD, the variant quickly begins encrypting the local environment and attempts to steal login credentials for several China-based online services. Fortunately, Tencent banned the QR code being used to send ransom payments and disabled the account tied to it.

Nearly 100 Million Users Compromised in Quora Breach

Servers containing sensitive information for nearly 100 million Quora.comusers were recently compromised by unknown hackers. In addition to personal information about users, any posts or messages sent over the service were also breached. While informing affected users of the leak, Quora stated that all password data they store was fully encrypted using bcrypt, which makes it considerably more expensive and time-consuming for the hackers to break the algorithms and obtain the data. 

Marriott Hotels Breach Leaves Half a Billion Users Vulnerable

In one of the largest data breaches to date, Marriott International is under fire for exposing the personal data of nearly 500 million individuals. A class-action lawsuit has been filed against the hotel chain. For many victims, their names, home addresses, and even passport information was available on an unsecured server for nearly four years after the company merged with Starwood, whose reservation systems were already compromised.

Infowars Online Site Compromised by MageCart Attack

Earlier this week, a security researcher found payment card-stealing scripts running on the Infowars online site. The scripts managed to stay active for nearly 24 hours. At least 1,600 users of the site may have been affected during this period, though many were returning customers who wouldn’t have had to re-enter their payment information into the compromised forms. As of writing, the malicious scripts being used by Magecart are active on nearly 100 other online stores, with almost 20% getting re-infected within a two-week period.

Scammers Syphon €19 Million From French Film Company

A lawsuit recently revealed that savvy scammers successfully took nearly €19 million through a series of unauthorized transfers from a spoofed personal email address of the company’s CEO. After requesting additional information from the scammers, who continued to provide highly-detailed documents suggesting their legitimacy, several payments were transferred from the company’s main cash pool with promises of a quick payback from the scammers.

Chinese Headmaster Caught Cryptomining on School’s Systems

The headmaster of a Chinese school was fired after staff discovered an excessively high power bill previously written off as a faulty HVAC system was actually caused by several cryptomining rigs running off the school’s electricity. The headmaster brought the mining machines into the school in mid-2017 and evaded blame for the excess power consumption until the physical proof was discovered. While it appears no other harm was done, cryptomining software can be dangerous, as you can never be sure nothing else is bundled with it.

New Botnet Exploits Unpatched Bug in Over 100,000 Devices

Researchers have been monitoring a relatively new botnet that is currently controlling over 100,000 devices, including 116 device types from multiple manufacturers. By taking advantage of well-known bugs within Universal Plug n Play, hackers can quickly take control of the device and begin monitoring traffic from outside of the network.

Cathay Pacific Airlines Cyberattack Occurred Over Several Months

After originally claiming a data breach had taken place last month, affecting 9.4 million customers, new findings have shown the attacks have been happening regularly since March. Even though local laws didn’t require the company to notify authorities regarding a data breach, it is still surprising that it has taken almost nine months to determine what data had been exposed and what hadn’t.