Cyber News Rundown: Hackers Expose US Colleges

Vulnerability Exposes Dozens of U.S. Colleges

At least 62 U.S. colleges have been compromised after an authentication vulnerability was discovered by hackers, allowing them to easily access user accounts. At several of the compromised colleges, officials were tipped off after hundreds of fraudulent user accounts were created within a 24-hour period. The vulnerability that was exploited stemmed from a Banner software program that is very widely used by educational institutions; however, many colleges had already patched the flawed software versions and so were unaffected.

Data Breach Affects Lancaster University Applicants

Officials recently announced that a data breach compromised the personal records of all 2019 and 2020 applicants of Lancaster University. Additionally, some applicants have been receiving fraudulent tuition invoices, which the University recommends recipients delete immediately. The breach occurred sometime on Friday, and University officials quickly began contacting the affected parties and securing their IT systems.

Facebook to Pay $5 Billion in FTC Fines

Nearly a year after the Cambridge Analytica discovery, the FTC has issued a record fine of $5 billion to be paid by Facebook in recompense for their deceitful use of the private information of hundreds of millions of their users. The staggering sum Facebook must pay sets a strong incentive for all industries to handle their customers’ sensitive data with the appropriate security and care, and also to address follow-up actions in the wake of a breach more adequately than Facebook did.

Remote Android Trojan Targets Specific Victims

A new remote-access Trojan, dubbed Monokle, has been spotted working through the Android™ community with a laundry list of dangerous capabilities, most of which are designed to steal information from the infected devices. To make Monokle even more dangerous, it can also install trusted certificates that grant it root level access and near total control over the device.

Fake Browser Update Distributes TrickBot

As TrickBot continues its multi-year streak of mayhem for computer systems and sensitive information, criminals created a new set of fake updates for the Google™ Chrome and Mozilla™ Firefox browsers that would push a TrickBot download. The updates appear to have originated at a phony Office365 site that does give users a legitimate link to a browser download, though it quickly prompts the user to install an update which installs the TrickBot executable.

Out from the Shadows: The Dark Web

You’ve likely heard of the dark web. This ominous sounding shadow internet rose in prominence alongside cryptocurrencies in the early 2010s, eventually becoming such an ingrained part of our cultural zeitgeist that it even received its own feature on an episode of Law & Order: SVU. But as prominent as the dark web may be, few average internet users can properly explain what it is and the cyber threats it provides a haven for. Let’s step back from the pop culture mythos and dive into what makes the dark web so dark.

Open Web, Deep Web, and Dark Web: Know the Difference

The open web, or surface web, is the internet we use every day. This includes all the web content that can be found through search engines and is accessed by traditional web browsers. You might find it surprising, though, that the open web accounts for just 5% of the internet. The rest is made up of the deep web.

The deep web is the section of the internet that is not indexed by search engines and cannot be found through traditional search methods. This means that the only way to access deep web content is through a direct URL. While rumors about the deep web make it seem as if it is exclusively used for nefarious purposes, content on the deep web is often banal. It is largely comprised of school and university intranet systems, email and banking portals, internal sites for businesses and trade organizations, and even things like your Netflix or Hulu queues. Nothing to be afraid of there.

While the dark web is technically a part of the deep web, it takes anonymity a step further by using overlay networks to restrict access, often attracting users engaged in illicit activity. These networks use special anonymized software to grant users access, the largest and most famous of which is Tor. Tor stands for “The Onion Router,” which references its “onion routing” technique of using encapsulated layers of encryption to ensure privacy. Tor websites are most easily recognized by their “.onion” domains, and by the fact that they cannot be accessed through traditional web browsers. You may have heard stories about the NSA trying to shut Tor down, but don’t expect the service to go away soon. It has funding from high places, with a recent FOI request revealing that one of Tor’s largest financial contributors has long been the U.S. State Department—likely to offer encrypted communication options for State Department agents working in the field.

Is the Dark Web Illegal?

The dark web isn’t inherently illegal—the illegality comes from how it can be used. Darknet markets, such as the infamous and now defunct original Silk Road, showcase how thin the line is between legal and illegal dark market activities. As long as what you are purchasing is legal, using a darknet market is as lawful as making a purchase from any other online retailer. But buying illicit drugs or human organs? Yeah, that’s definitely illegal. 

Although not as remarkable as some of the more grotesque items available, one of the most commonly found items for sale on the dark web is data. With a reported 281 data breaches in just the first quarter of 2019, we have already seen 4.53 billion records exposed this year alone. That’s potentially more than 4 billion chances for hackers to profit off the victimization of strangers, and a majority of them will use the dark web to do so. We have seen several high-profile data breaches resurface on the dark web—Equifax, Canva, Under Armour, and Evite all recently had their user data available for sale on darknet markets.

The Dark Web and Malware-as-a-Service

Beyond selling your data, the dark web can be used to harvest it as well. Webroot Security Analyst, Tyler Moffitt, explains this growing threat:

“Anyone can create malware in today’s landscape where the dark web is very accessible,” says Moffitt. “There are ransomware services on .onion links that will allow you to input just a few bits of information, like a bitcoin address, desired ransom, late fees, etc., and unique binaries are generated to distribute however they like. The only ‘catch’ is that the portal creator usually takes a cut (around 30%) for any ransom payments made.”

These malware-as-a-service attacks mean that an attacker doesn’t even need to know how to execute one; they just need to know how to navigate to the portal. Therein lies the largest dark web danger for many consumers—anonymized cyberattacks available at the click of a mouse.

Keeping Your Data Off the Dark Web

Like a hydra with its multiple heads, black markets will likely never be wiped out. When you shut one down, two more will pop up. Darknet markets are just their newest evolution. While you can’t expect to see this threat disappear anytime soon, you can take steps to keep your data secure and off the dark web.

Using an up-to-date antivirus solution will help stop malware from scraping your data on the dark web. You can also lock your credit (called freezing) to help prevent new credit lines being opened without additional information. Another recommendation is avoiding public WiFi without a VPN, as it leaves you susceptible to a man-in-the-middle (MITM) attack. Even with these precautions, a breach may still occur. Keeping your sensitive accounts secured with a trusted password manager can also help prevent cyber attacks from spreading beyond their breach point.

Cyber News Rundown: Evite Data Breach

Over 100 Million Accounts Exposed in Evite Breach

More than 100 million users of Evite were exposed after the company’s servers were compromised earlier this year. While the company doesn’t store financial information, plenty of other personally identifiable information was found in the leaked database dump. The initial figures for the breach were thought to be much lower, as another database dump of 10 million Evite users was found on an underground marketplace around the time they discovered the unauthorized access, though that site was shut down soon after.

American Express Suffers Phishing Attack

Many American Express customers recently fell victim to an email phishing attack that used the uncommon tactic of hiding the URL domain when hovering over the hyperlink. The attack itself, which requests the victim open a hyperlink to verify their personal information before re-routing them to a malicious site, was reliably full of spelling and grammar mistakes. The phishing landing page, though, looks nearly identical to the real American Express site and even has a drop-down list to catch multiple types of user accounts.

NHS Worries Over XP Machines

Over five years after Microsoft officially ceased support for Windows XP, the UK government has revealed that there are over 2,000 XP machines still being used by its National Health Service (NHS). Even after becoming one of the largest targets of the 2017 WannaCry attacks, the NHS has been incredibly slow to roll out both patches and full operating system upgrades. While the number of affected systems, the NHS has over 1.4 million computers under their control and is working to get all upgraded to Windows 10.

Google Defends Monitoring of Voice Commands

Following a media leak of over 1,000 voice recordings, Google is being forced to defend their policy of having employees monitor all “OK Google” queries. After receiving the leaked recordings, a news organization in Belgium was able to positively identify several individuals, many of whom were having conversations that shouldn’t have been saved by the Google device in the first place. The company argues that they need language experts to review the queries and correct any accent or language nuances that may be missing from the automated response.

Monroe College Struck with Ransomware

All campuses of Monroe College were affected by a ransomware attack late last week that took down many of their computer systems. The attackers then demanded a ransom of $2 million, though it doesn’t appear that the college will cave to such exorbitant demands. Currently, the college’s systems are still down, but officials have been working to contact affected students and connect them with the proper assistance with finishing any coursework disrupted by the attack.

Cyber News Rundown: Major Spike in Magecart Attacks

Magecart Attacks See Spike in Automation

The latest attack in the long string of Magecart breaches has apparently affected over 900 e-commerce sites in under 24 hours. This increase over the previous attack, which affected 700 sites, suggests that its authors are working on improving the automation of these information-stealing attacks. The results of these types of attacks can be seen in the latest major fines being issued under GDPR, including one to Marriott for $123 million and another to British Airways for a whopping $230.5 million.

Agent Smith Android Malvertiser Spotted

Researchers have been tracking the resurgence of an Android-based malware campaign that disguises itself as any number of legitimate applications to deliver spam advertisements. After being installed from a third-party app store, the malware checks both a hardcoded list and the command-and-control server for available apps to swap out for malicious copies, without alerting the device owner. The majority of targeted devices have been located in southwestern Asia, with other attacks showing up in both Europe and North America.

Third Florida City Faces Ransomware Attack

Almost exactly one month after the ransomware attack on Lake City, Florida, a third Florida city is facing a hefty Bitcoin ransom to restore their systems after discovering a variant of the Ryuk ransomware. Similar to the prior two attacks, this one began with an employee opening a malicious link from an email, allowing the malware to spread through connected systems. It is still unclear if the city will follow the others and pay the ransom.

British Airways Receives Record GDPR Fine

Following a data breach last year that affected over 500,000 customers, British Airways has been hit with a total fine amount of $230.5 million. The amount is being seen as a warning to other companies regarding the severity of not keeping customer data safe, though it’s still much less than the maximum fine amount of up to 4% of the company’s annual turnover.

Georgia Court System Narrowly Avoids Ransomware Attack

Thanks to the quick work of the IT team from Georgia’s Administrative Office of the Courts (AOC), a ransomware attack that hit their systems was swiftly isolated, leading to minimal damage. Even more fortunate for the AOC, the only server that was affected was an applications server used by some courts but which shouldn’t disrupt normal court proceedings. Just days after the initial attack, the IT teams (aided by multiple law enforcement agencies) were already in the process of returning to normal operations without paying a ransom.

Cyber News Rundown: Second Florida Ransomware Attack

Second Florida City Pays Ransom

Following the news that Riviera Beach, FL would pay the ransom demanded by cyberattackers, the mayor of Lake City, FL has announced that the city will be paying the demanded ransom of $460,000 to restore access to their email and internal system servers. While law enforcement agencies strongly recommend against paying the ransom and suggest that victims instead attempt to recover encrypted files through backups or other offline methods, many companies who fall prey to ransomware attacks do not keep complete backups of their systems, so they may have no choice but to pay.

Group Arrested in Domain Spoofing Scam

Several individuals were recently arrested for creating a spoof domain for Blockchain.com, a site that allows users to access their cryptocurrency wallets. The individuals in question successfully stole over $27 million worth of various currencies from roughly 4,000 victims by using their spoofed site to steal wallet credentials. The group was captured in two separate countries after more than a year of investigation.

Database for Insurance Marketing Site Exposed

A database belonging to MedicareSupplement.com, an insurance marketing site, was found to be publicly accessible, exposing the records of over 5 million customers. While it is unclear how long the database had been improperly secured, the researcher who discovered it in mid-May promptly reported it to the database owner. Amongst data exposed were nearly a quarter million records that indicated specific insurance categories.

Report Reveals Countries Most Targeted by Ransomware

A new report has run the numbers to uncover the top five countries most targeted by ransomware. So far in 2019, the list includes the USA, Brazil, India, Vietnam, and Turkey. During the first quarter of this year alone, the USA took 11% of the attacks, with Brazil coming in right behind with 10% of the total number of attacks. Even more concerning: the average ransom demand has nearly doubled since this time last year, jumping from around $6,700 to ca. $12,700.

IoT Malware Bricks Devices

Researchers have just found a new type of malware, dubbed Silex, that focuses on IoT devices running with default credentials. The malware then bricks—i.e., breaks in an irreparable or unrecoverable fashion—the entire device. The Silex authors claim to have distributed it with the specific intention of rendering devices unusable to prevent lower level scripters from adding the devices to their botnets. Fortunately, the authors did shut down the malware’s command servers, though the already-distributed samples will continue their operations until they have been removed by security.

Webroot DNS Protection: Now Leveraging the Google Cloud Platform

We are excited to announce Webroot® DNS Protection now runs on Google Cloud Platform (GCP). Leveraging GCP in this way will provide Webroot customers with security, performance, and reliability.

Security

Preventing denial of service (DoS) attacks is a core benefit of Webroot DNS Protection. Now, the solution benefits from Google Cloud load balancers with built-in DoS protection and mitigation, enabling the prevention of attack traffic before it ever hits the agent core. 

“The big thing about Google Cloud is that it dynamically manages denial of service (DoS) attacks,” said Webroot Sales Engineer Jonathan Barnett. “That happens automatically, and we know Google has that figured out.”

Performance

With this release, Webroot DNS Protection now runs on the Google Cloud’s high-redundancy, low-latency networks in 16 regions worldwide. That means there’s no need for a Webroot customer in Australia to have a DNS request resolved in Los Angeles, when more convenient infrastructure exists close by.  

“Google Cloud provides the ability to scale by adding new regions or new servers whenever necessary as load or need determines, nationally or internationally,” said Barnett. “This allows us to provide geolocation-appropriate answers for our customers, maximizing performance.”

Reliability

Because of GCP’s global infrastructure footprint, Webroot can quickly and easily provision more of Google’s servers in any region to ensure latency times remain low. 

And because those regional deployments can be programmed to auto-scale with spikes in traffic, even drastically increasing loads won’t increase wait times for requests.

According to Barnett, “Even if Webroot were to take on a large number of customers in a short time period, say with the closing of a deal to offer DNS solutions to an enterprise-level client with a number of subsidiaries, our environments would automatically scale with the additional load.”

One more note on the release 

Another key feature of the April DNS agent update is the switch of communications from port 53, which is typically associated with DNS requests, to port 443, which is more commonly associated with SSL certificates.

The reason for this change is that, given port 443’s relevance to routine requests like banking sites and those accepting payment information, it is rarely constrained, modified, or controlled. This will reduce the need to configure firewalls or make other admin adjustments in order for Webroot DNS Protection to function as intended. 

It’s good to be in good company

Webroot DNS Protection, now leveraging GCP, will power your network-level protection with fewer outages, less latency, and fewer bottlenecks. Ready to experience Webroot DNS Protection for yourself? Try it free for 30 days.

Streaming Safer Means Streaming Legally

It’s been more than a decade since Netflix launched its on-demand online streaming service, drastically changing the way we consume media. In 2019, streaming accounts for an astonishing 58 percent of all internet traffic, with Netflix alone claiming a 15 percent share of that use. But as streaming has become more common, so has the exploitation of streaming technologies. Some consumers stream illegally to cut costs, perceiving it to be a victimless crime. But as the saying goes: there’s no such thing as a free lunch. Streaming is no exception.

Jailbreak!

By downloading illegal streaming apps from third-party sources (i.e. outside of the Apple® App Store or Google™ Play), users may think they’re capitalizing on a clever loophole to access free services. However, according to a startling study conducted by Digital Citizens, 44 percent of households using pirated streaming services experienced a cybersecurity breach of one or more of their devices. That means if you use any type of illegal streaming device or app, you are six times more likely to fall victim to a cybersecurity attack than households using legal streaming services. Since a reported 12 million homes (in North America alone) are actively using pirated streams, that means illegal streaming may have led to up to 5 million potentially undetected breaches.

Why are illegal streams so attractive to cybercriminals? Because you’re probably streaming using devices and applications that are connected to your home network. Unfortunately, the firewall on the average home router does not provide adequate security against attacks. Any malware introduced by the streaming software is likely able to get through successfully. If you’re using a Windows® computer or device, that means the malware can infiltrate not only the device you’re actively using, but also any other Windows devices using the same internet connection. By spreading itself across multiple devices, malware makes its own removal that much more difficult. Pair these details with the fact that illegal streaming users are less likely to report a malicious app, and illegal streams provide a haven for cybercriminals in which they can easily attack users, infect their machines, steal their data, and hold their files for ransom.

Cybersecurity breaches caused by illegal streaming can manifest in many ways. For example, a popular illegal movie and live sports streaming app was observed scraping the connected WiFi name and password, as well as other sensitive information, according to ThreatPost.

How You Can Stream Safer

Ultimately, nobody can guarantee the security of an illegal stream. The truth is that legal streaming is the only safer streaming. That doesn’t mean you have to go through the giants, like Netflix or Hulu. Users can now access many low-cost, legal streaming options—including a few that are ad-supported and are actually free. So why put yourself and your family at risk for the sake of an illegal stream?

If you’re worried that someone with access to your WiFi network may be streaming illegally, thereby putting you and your devices in danger, make sure all of your devices are using up-to-date antivirus software to help stop cyberattacks and prevent malware infections. More importantly, talk with your family and friends about the real cost of “free” streaming. They’ll be more cautious once they fully understand the risks.



Cyber News Rundown: GPS Vulnerabilities in Tesla Vehicles

Multiple Tesla Models Vulnerable to GPS Attacks

Though it’s not the only manufacturer to offer GPS navigation in their vehicles, Tesla has once again suffered an attack on their GPS autopilot features. These attacks were able to trick the car into thinking it had arrived at an off-ramp more than two miles early, causing it to start to merge and eventually turn off the road entirely, even with a driver attempting to stop the action. Using off-the-shelf products, the test conductors were able to gain control of Tesla’s GPS in less than a minute.

Oregon DHS Successfully Phished

The personally identifiable information for at least 645,000 Oregon Department of Human Services (DHS) patients was illicitly accessed after a successful phishing attack on nine DHS employees. The attack allowed the hackers to obtain 2 million emails from the accounts, which contained everything from names and birthdates to social security numbers and confidential health information. Fortunately, the DHS issued a password reset shortly after the initial breach that stopped the attackers from getting any further and began contacting potential victims of the attack.

IP and Computer Blacklisting in New Ryuk Variant

The latest variant of the Ryuk ransomware includes an IP blacklist and a computer name check prior to beginning encryption. The IPs and computer name strings were likely implemented to stop any encryption of Russian computer systems. After these checks, the ransomware continues as normal using .RYK as the appended file extension and a ransom note that points victims to make payments to one of two proton mail accounts.

EatStreet Ordering Services Breached

A data breach is affecting the food ordering service EatStreet and possibly all of its 15,000 partnered restaurants. Payment card information for millions of customers using the app, along with some banking information for the 15,000 business partners, is believed to have been compromised in the breach. Though EatStreet quickly began improving their security and implementing multi-factor authentication following the breach, the damage was already done.

Fake System Cleaners on the Rise

While phony system cleaner apps have been common for many years, a recent study shows that user numbers for these apps have doubled from the same time last year to nearly 1.5 million. These apps often appear innocent and helpful at the outset, while others have begun taking an outright malicious approach. To make matters worse, these apps are commonly installed to fix the very issues they later create by slowing the computer down and causing annoying popups.

Cyber News Rundown: Radiohead Hit by Ransomware Hack

Radiohead Refuses Ransom, Releases Stolen Tracks

The band Radiohead recently fell victim to a hack in which 18 hours of previously unreleased sessions were ransomed for $150,000. Rather than pay the ludicrous fee, the band instead opted to release the tracks through Bandcamp for a donation to charity. The unreleased sessions were stored as archived mini discs the band created during the years surrounding their third album, “OK Computer.”

US Border Protection Breached by Contractor

A subcontractor for the US Customs and Border Protection (CBP) agency is under scrutiny after it was revealed that they had illicitly transferred thousands of images of both license plates and travelers that had crossed the US/Mexico border in the last month. In doing so, the subcontractor broke several mandatory security policies written into a legal contract. While there is no sign of the images leaking onto the dark web, there is very little redress for the exposed travelers without proving actual harm.

Billions of Spam Emails Sent Every Day

The latest industry report on spam emails revealed that around 3.4 billion fake/spam emails are distributed across the globe each day. More worrisome is that the majority of these emails originate in the US and regularly target US-based industries. While many industries have improved security measures, larger enterprises have struggled to implement strong protection for their entire staff.

Ransomware Hits Washington Food Bank

The Auburn Food Bank in the State of Washington recently fell victim to a ransomware attack that encrypted all but one of their computers, which was isolated from the internal network. Instead of paying the ransom, the nonprofit chose to wipe all computers, including their email server, and begin rebuilding from scratch. The ransomware variant has been claimed to be GlobeImposter 2.0, which requires the victim to contact the attacker to determine the ransom demanded.

Retro Game Site Breached

The account information was leaked for over 1 million users of EmuParadise, a retro gaming site that hosts all things gaming related. The breach, which took place in April of 2018, affected 1.1 million IP and email addresses, many of which were found in previous data breaches. It is still unclear how the breach actually took place, though given the use of salted MD5 hashes for storing user data it’s clear EmuParadise could have done more to properly secure their users’ information.

Cyber News Rundown: Medical Testing Service Data Breach

Quest Diagnostics Customers Affected by Third-Party Breach

The medical testing organization Quest Diagnostics has fallen victim to a third-party data breach that could affect nearly 12 million of their patients. AMCA, a collections agency that works with Quest Diagnostics, noticed unauthorized access to their systems over an eight-month period from August of last year through March 2019. The majority of data targeted were Social Security Numbers and other financial documents, rather than patients’ health records. The market offers a premium for such data.

Adware Installed by Millions of Android Users

Until recently, there were over 230 apps on the Google Play store that had been compromised by a malicious plugin that forced out-of-app advertisements on unsuspecting victims. Globally, over 440 million individuals have installed at least one of these compromised applications and have been affected by overly-aggressive advertisements. While this SDK has been used legitimately for nearly a year, sometime during 2018 the plugin began performing increasingly malicious behaviors, until other developers caught on and began updating their own applications to remove the plugin. 

Chinese Database Exposes Millions of Records

A database belonging to FMC Consulting, a headhunting firm based in China, was recently found by researchers to be publicly available. Among the records are resumes and personally identifiable information for millions of individuals, as well as company data with thousands of recorded messages and emails. Unfortunately for anyone whose information is contained within this database, in the two weeks since being notified of the breach FMC has yet to acknowledge the breach or take steps to secure it.

Restaurant Payment Systems Infected

Customers who’ve patronized either Checkers or Rally’s restaurants in recent months are being urged to monitor their credit cards after the chain announced that they discovered card-stealing malware on their internal systems. While not all restaurant locations were affected, the company is still working to determine the extent of the compromised payment card systems and has offered credit monitoring services to customers.

University of Chicago Medicine Server Found Online

Researchers have found a server belonging to University of Chicago Medicine with personal information belonging to more than 1.6 million current and past donors. The data includes names, addresses, and even marital and financial information for each donor. Fortunately, the researcher was quick to inform the university of the unsecured ElasticSearch server and it was taken down within 48 hours.