A Romanian duo has been sentenced to jail time for infecting 400,000 computers with malware that stole credentials and financial information, and scammed victims out of millions of dollars. The two Romanian hackers, Bogdan Nicolescu, 37, and Radu Miclaus, 37, were sentenced to 20 years and 18 years in prison, respectively, on Friday. The sentencing comes after the pair were each convicted in April by a federal jury in Ohio on 21 charges, including conspiracy to commit wire fraud, conspiracy to traffic in counterfeit service marks, aggravated identity theft, conspiracy to commit money laundering and 12 counts each of wire fraud. “These sentences handed down today reflect the dynamic landscape in which international criminals utilize sophisticated cyber methods to take advantage of, and defraud, unsuspecting victims anywhere in the world,” said FBI Special Agent in Charge Eric Smith in a statement on Friday. “Despite the complexity and global character of these investigations, this investigation and prosecution demonstrate the commitment by the FBI and our partners to aggressively pursue these individuals and bring justice to the victims.” Since 2007, the two allegedly operated a cybercrime ring called “Bayrob Group” out of Bucharest, Romania. The group developed malware and distributed it through malicious emails to victims, purporting to be from companies like Western Union, Norton AntiVirus and the IRS. But when recipients clicked on an attached file, malware was installed…

Source

Phishers are out in force to scam aficionados of the Elder Scrolls Online video game into giving up their account details. The crooks are posing as developers for the game under the moniker “ElderScrollDevs,” and targeting those with PlayStation consoles (and possibly others), according to a Reddit post by a scam recipient. They’re sending random private messages to users warning of a purported security issue. “We have noticed some unusual activity involving this account,” reads the “warning.” “To be sure you are the rightful owner, we require you to response [sic] to this alert with the following Account information so that you may be verified.” The victims are then told that they have 15 minutes to fill in their email address, password and date of birth on the account, or else they will be blocked from the game. The phishing message continues: “Under the current circumstances, you have 15 minutes from opening this alert to respond with the required information. Failure to do so will result in an immediate Account Ban, permanently losing online access to our servers on all platforms, along with all characters associated with the account in question. Please be sure to double check your information spelling before sending.” The Elder Scrolls Online is a high-fantasy role-playing game (complete with elves, dwarves, orcs and so on), set on the continent of Tamriel. It was developed by ZeniMax Online Studios, and features a storyline indirectly connected with the…

Source

A marketing firm exposed hashed passwords and sensitive public relations documents of thousands of customers via a leaky Amazon S3 database – including big-name brands like GE, Dunkin’ Donuts, Forever 21 and more. Researchers with UpGuard in October discovered a misconfigured Amazon S3 storage bucket, originating from iPR Software, a hosted content management software platform for online newsrooms, websites and social-media communications. The database contained data belonging to clients using iPR Software’s platform, including the details of 477,000 clients’ media contacts, business entity account information, 35,000 hashed user passwords, assorted documents and administrative system credentials. Researchers also found various system credentials including iPR’s Twitter account credentials, a password for a MongoDB hosted on mongolayer.com, and a Google API access key. “The Amazon S3 storage bucket contained a large collection of files, some of which were configured for public access, totaling over a terabyte in size,” said researchers in a Monday post. “In addition to the database files, the storage bucket contained documentation from iPR developers, documents which appear to be marketing materials for client companies, and credentials for iPR accounts on Google, Twitter and a MongoDB hosting provider.” The contents of the bucket included both iPR’s internal resources for managing their own platform and the data about the company’s user accounts and client documents…

Source

Reddit has revealed that key U.S.-U.K. trade documents posted on its site were likely placed there as part of a broader political-influence campaign that first appeared on Facebook and is tied to Russia-based operatives. The online media aggregator says it has linked documents that were leaked on its site in October by a user called Gregoratior to a “vote-manipulation” campaign discovered on Facebook earlier this year and dubbed “Secondary Infektion.” “We were recently made aware of a post on Reddit that included leaked documents from the UK,” according to a statement Reddit posted on its platform. “We investigated this account and the accounts connected to it, and today we believe this was part of a campaign that has been reported as originating from Russia.” It is likely Reddit was responding to a report released earlier this month by cyber intelligence firm Graphika outlining efforts it believes were targeting British politicians and others by Secondary Infektion. “The similarities to Secondary Infektion are not enough to provide conclusive attribution but are too close to be simply a coincidence. They could indicate a return of the actors behind Secondary Infektion or a sophisticated attempt by unknown actors to mimic it,” wrote Graphika. The documents, among other things, suggest that the United States is pressing the United Kingdom for a no-deal Brexit as part of a broader trade agreement that has the latter “practically standing on her knees” to come to a…

Source

A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack this week that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned. Multiple sources affected say their IT provider, Englewood, Colo.-based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as "Sodinokibi" or "REvil" to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service. Reached via phone Friday evening, CTS President Herb Miner declined to answer questions about the incident. When asked about reports of a ransomware attack on his company, Miner simply said it was not a good time and hung up. The attack on CTS comes little more than two months after Sodinokibi hit Wisconsin-based dental IT provider PerCSoft, an intrusion that encrypted files for approximately 400 dental practices. Thomas Terronez, CEO of Iowa-based Medix Dental, said he's heard from several affected practices that the attackers are demanding $700,000 in bitcoin from some of the larger victims to receive a key that can unlock files encrypted by the ransomware. Others reported a ransom demand in the tens of thousands of dollars. In previous ransomware attacks, the assailants appear to have priced their ransom demands based on the number of workstation and/or server endpoints within the…

Source

As the 2020 Presidential election looms closer in the United States, a key focus will be on securing election infrastructure to prevent tampering. In a recent analysis, researchers found that email remains a potential weak link, with most counties failing to implement DMARC protections. DMARC (which stands for Domain-based Message Authentication, Reporting and Conformance) is an industry standard that flags messages where the “from” field in an email header has been tampered with. It ensures emails are authenticated before they reach users’ mailboxes and confirms that they have been sent from legitimate sources. If configured correctly, potential phishing emails can be stopped at the gateway, or redirected to the junk folder. DMARC policies are designed to be incremental, from a simple reporting-only system to a strict policy where messages failing authentication are rejected without being delivered or seen by the intended recipient. According to Valimail, only 5 percent of the country’s largest counties are using DMARC correctly. The firm analyzed the 187 domains used by election officials in the three largest counties (or parishes) for every state in the U.S., to determine whether each domain is protected from impersonation attacks by a correctly configured DMARC record with a policy of enforcement (p=quarantine or p=reject). A full 124 of these domains (66 percent) have no DMARC records, while 34 percent (63 domains) do have DMARC. Of those with DMARC, 11 domains (6…
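As an added illustration (not part of the article or the Valimail analysis), the following Python sorts a domain's `_dmarc` TXT records into the same buckets the survey uses: no record, monitoring only (p=none), or enforcement (p=quarantine / p=reject), and also flags the two cases that quietly break enforcement in practice, a `pct` below 100 and duplicate DMARC records. The domain names and records are constructed; a live audit would fetch the TXT records at `_dmarc.<domain>` in their place.

```python
def parse_dmarc(txt):
    """Split a DMARC record into its tag=value pairs; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(records):
    """records: TXT strings found at _dmarc.<domain> (possibly empty).
    Returns 'none', 'monitor', 'partial', 'enforce' or 'invalid'."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "none"
    if len(dmarc) > 1:
        return "invalid"  # more than one DMARC record: receivers ignore them all
    tags = parse_dmarc(dmarc[0])
    if tags is None or "p" not in tags:
        return "invalid"  # 'p' is mandatory; a record without it is not applied
    policy = tags["p"].lower()
    if policy in ("quarantine", "reject"):
        pct = tags.get("pct", "100")
        pct = int(pct) if pct.isdigit() else 100
        # pct<100 means only that share of failing mail is quarantined/rejected
        return "enforce" if pct == 100 else "partial"
    if policy == "none":
        return "monitor"  # reporting only: spoofed mail is still delivered
    return "invalid"


def summarize(domains):
    """Count domains per bucket, as the county survey does."""
    counts = {"none": 0, "monitor": 0, "partial": 0, "enforce": 0, "invalid": 0}
    for recs in domains.values():
        counts[classify(recs)] += 1
    return counts


# Constructed sample data standing in for DNS lookups of _dmarc.<domain>.
SAMPLE = {
    "county-a.example": [],
    "county-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@county-b.example"],
    "county-c.example": ["v=DMARC1; p=quarantine; pct=100; rua=mailto:d@county-c.example;"],
    "county-d.example": ["v=DMARC1; p=reject"],
    "county-e.example": ["v=DMARC1; p=reject; pct=50"],
    "county-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "county-g.example": ["unrelated site-verification token"],
}
```

Only the `enforce` bucket meets the survey's definition of a correctly configured record; `partial` and `invalid` domains look protected at a glance but are not.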

Source

The Justice Department said this week that it is cracking down on money mules, i.e., middlemen who assist in fraud schemes by receiving money from victims and forwarding proceeds to foreign-based perpetrators. So far, feds say they have halted more than 600 domestic money mules – exceeding the 400 money mules stopped last year. Of these, more than 30 individuals were criminally charged for their roles in receiving victim payments and providing the fraud proceeds to accomplices. The Department of Justice (DoJ) said this is triple the number of criminal prosecutions brought against money mules in last year’s initiative. “The Money Mule initiative highlights the importance of partnership to stop fraud schemes, and it sends a message to all who are engaged in money mule activity that they will be caught and prosecuted,” said FBI Director Christopher Wray, in a statement this week. “I want to thank our state and local partners for all their efforts to protect the American people from these threats.” Money mules are typically involved in elder fraud schemes (such as scams where grandparents are called and told their grandchildren are being held for ransom in foreign countries); romance scams; lottery and sweepstakes scams; IRS and Social Security Administration impostor scams; veteran and social security benefit redirection scams; and technical-support scams. The Federal Bureau of Investigation (FBI) this week simultaneously warned of such scams, using an Oregon family as a…

Source

In this week’s Threatpost news wrap, editors Tara Seals and Lindsey O’Donnell break down the top infosec news, including: Authorities crack down on cybercrime group Evil Corp. with sanctions and charges against its leader, known for his lavish lifestyle. The developers behind a commodity remote-access tool (RAT) that allows full control of a victim’s computer have been taken down by Australian and global authorities. Feds are cracking down on money mules, middlemen who assist BEC schemes by receiving money from victims and forwarding proceeds to foreign-based perpetrators. Authorities say they have halted over 600 domestic money mules – exceeding the 400 money mules stopped last year.

Source

A vulnerability in most Linux distros has been uncovered that allows a network-adjacent attacker to hijack VPN connections and inject rogue data into the secure tunnels that victims are using to communicate with remote servers. According to researchers at the University of New Mexico and Breakpointing Bad, the bug (CVE-2019-14899) “allows…an attacker to determine if…a user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.” In an advisory released this week, they noted that once a proof-of-concept exploit allowed them to determine a VPN client’s virtual IP address and make inferences about active connections, they were then able to use encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of connections. These allowed them to hijack TCP sessions and inject data into the TCP stream.

Anatomy of an Attack

An attack would require convincing a user to connect to a rogue wireless access point (or other internet connection) under the adversary’s control (imagine a coffee shop scenario, for instance). The attacker can then start scanning devices connected to the access point for active VPN sessions. To do this, the access point can send SYN-ACK packets to any connected devices, canvassing across the entire virtual IP space. When a SYN-ACK is sent to the correct virtual IP on the victim device, the device responds; when the SYN-ACK is sent…

Source

Facebook has sued a Chinese company that it alleges used malware to compromise hundreds of thousands of user accounts – and then used them to run “deceptive ads” promoting counterfeit goods. The company in question is Hong Kong-based ILikeAd Media International Company Ltd., which was incorporated in 2016. On its website (ilikead.com, which appears to be down) the company said it provides advertising and marketing services to businesses interested in advertising on Facebook, according to court documents. Facebook also sued Chinese software developer Chen Xiao Cong and marketing director Huang Tao in connection with the scheme. “To protect Facebook users and disrupt these types of schemes, we will continue our work to detect malicious behavior directed towards our platform and enforce against violations of our Terms and Policies,” said Jessica Romero, director of Platform Enforcement and Litigation, and Rob Leathern, director of Product Management and Business Integrity with Facebook, in a Thursday statement. “Creating real-world consequences for those who deceive users and engage in cloaking schemes is important in maintaining the integrity of our platform.” Between 2016 and August 2019, Long and Tao allegedly created malware, tricked victims into installing it, and then compromised their Facebook accounts. The malware was promoted through various forums and websites; once installed, it would then collect Facebook login credentials from the victims’ browsers, enabling…

Source