One in five organizations have teetered on the brink of insolvency after a cyberattack. Can your company keep hackers at bay?
The post Cyberattacks: A very real existential threat to organizations appeared first on WeLiveSecurity
As scammers continue to ask people to take fake surveys, can you recognize some common telltale signs you're dealing with a scam?
The post Watch out for survey scams – Week in security with Tony Anscombe appeared first on WeLiveSecurity
The lead-up to the Canada Day festivities has brought a tax scam with it
The post Phishing scam poses as Canadian tax agency before Canada Day appeared first on WeLiveSecurity
Today, we released the latest issue of The Domain Name Industry Brief, which shows that the first quarter of 2022 closed with 350.5 million domain name registrations across all top-level domains, an increase of 8.8 million domain name registrations, or 2.6%, compared to the fourth quarter of 2021.1,2 Domain name registrations have increased by 13.2 million, or 3.9%, year over year.1,2
Check out the latest issue of The Domain Name Industry Brief to see domain name stats from the first quarter of 2022, including:
• Top 10 Largest TLDs by Number of Reported Domain Names
• Top 10 Largest ccTLDs by Number of Reported Domain Names
• ngTLDs as Percentage of Total TLDs
• Geographical ngTLDs as Percentage of Total Corresponding Geographical TLDs
To see past issues of The Domain Name Industry Brief, please visit verisign.com/dnibarchives.
The post Verisign Q1 2022 Domain Name Industry Brief: 350.5 Million Domain Name Registrations in the First Quarter of 2022 appeared first on Verisign Blog.
It's Social Media Day! How are you celebrating? Reposting your very first profile picture from a decade ago? Sharing your most-loved status update or the photo you're most proud of? This year, consider commemorating the day by learning more about how to keep your information safe. Enjoy your favorite platform, but be on the lookout for scams, such as social engineering.
Social engineering is a cybercrime common to social media sites. It is a tactic where a cybercriminal lurks on people's social media pages, gleaning personal information that they then use to impersonate them elsewhere.
With more than half of the global population on social media, you may think that a cybercriminal will never single you out from such a huge pool; however, it is possible.1 Luckily, you only have to make a few easy changes to your online habits to keep your valuable private information just that: private. Check out these tips to make smart decisions and be more confident about your and your family's online security.
Think of the types of posts you share with your dozens (or even hundreds or thousands!) of followers: updates about your life, where you live, work, or favorite travel destinations, your hobbies, pets, family members, etc. All of these details, which only you and those closest to you should know, are a valuable commodity to cybercriminals. Plus, now that social media shopping is growing in popularity, the credit card information linked to accounts is sweetening the deal for cybercriminals.
Here are a few social engineering scams that are common to social media.
People commonly create passwords based on things, places, and people that are important to them. Have you ever published a 20-questions-style get-to-know-me post? Those contain a lot of valuable personally identifiable information (PII). With just a few of those details about your personal life, cybercriminals can make educated guesses at your passwords (a targeted password-guessing attack). If they're able to crack one of your accounts, they'll then try that password and variations of it on several other sites, especially online banking portals, to see if they can gain entry to those too; reusing a known-good password across sites this way is called credential stuffing.
You've won! Send us your banking information and address, and you'll receive a package in the mail or a direct deposit to your bank account!
But did you enter a drawing for a prize? Very rarely does anyone win something just by being a follower of a certain page. If you receive a message similar to the above, it's likely a phisher trying to draw more PII and sensitive banking information out of you. Or, the message may have links within it that redirect to an untrustworthy site. If you regularly enter social media contests, keep a list and only respond to legitimate ones. Also, never give your banking information out over social media, private messages, or email.
There are plenty of valid fundraisers and petitions circulating around social media; however, there are just as many social engineering scams that dupe social media users because they inspire a strong emotion in them. For example, there have been several scams around Ukrainian donation sites. Cybercriminals often use fear, anger, or sadness to inspire people to open their wallets and share confidential banking information.
Luckily, all it takes is a few smart habits to stop social engineers in their tracks. Consider the following tips and make these small changes to your social media usage:
At this point, you've probably had several of your social media accounts active for over a decade. That means it's time to do some cleaning out of your friends and followers lists. It's best to only accept requests from people you personally know and would actually like to keep in the loop about your life. A friend or follower request from a stranger could be a cybercriminal in disguise. Also, consider setting your account to private so that your posts are invisible to strangers.
Social engineering hacks often bank on people acting rashly and quickly because of strong emotion, whether excitement, fear, sadness, or anger. If you see a post on your newsfeed or receive a direct message that gives you a tight window to respond and asks for PII, slow down and think before acting. Double-check the destination of every link in the message by hovering over it with your cursor and checking the link preview at the bottom of your browser screen; the text of a link and the address it actually points to can differ, and it is the address that matters. Be careful, because some destinations are slight misspellings or lookalikes of legitimate websites. As a great rule of thumb, be automatically skeptical of direct messages from people you do not personally know. And if a DM from a friend seems out of the ordinary, shoot them a text to confirm they actually sent it. It could be that their social media account was hacked and a criminal is spamming their followers.
A password manager will go a long way toward ensuring you have unique, strong passwords and passphrases for every account. Not reusing passwords blunts credential stuffing: a password stolen or guessed on one site unlocks nothing else. McAfee True Key stores all your logins and passwords and guards them with one of the strongest encryption algorithms available. All you need to do is remember your master password. It's a great practice to also enable multifactor authentication whenever a website offers it. This makes it incredibly difficult for a cybercriminal to break into your online accounts with their educated guesses at your password.
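The link-checking tip above can be turned into a small script. The following is an added example written for this page, not code from the McAfee post; the trusted-site list, the homoglyph table, and the sample message are constructed for illustration, and the "last two labels" rule for the registrable domain is a simplification (a real tool would use the Public Suffix List).

```python
"""Flag links in a message whose host only resembles a site you trust.

Added example for the link-preview tip above. TRUSTED_HOSTS, HOMOGLYPHS
and SAMPLE_MESSAGE are constructed for illustration (assumptions).
"""
import re
from urllib.parse import urlparse

# Assumption: sites the reader actually uses and would click through to.
TRUSTED_HOSTS = ("facebook.com", "instagram.com", "paypal.com", "mcafee.com")

# Character swaps that look alike in many fonts (constructed, not exhaustive).
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(label):
    """Fold common lookalike characters so 'paypa1' compares equal to 'paypal'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Simplification: treat the last two labels as the owned domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_link(url):
    """Return 'trusted', 'unknown', or a 'suspicious: ...' reason."""
    host = (urlparse(url).hostname or "").lower()
    # Internationalized hosts are punycoded (xn--) or carry non-ASCII letters;
    # both are classic vehicles for lookalike domains.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        return "suspicious: internationalized/punycode host"
    domain = registrable_domain(host)
    if domain in TRUSTED_HOSTS:
        return "trusted"
    # A trusted name used as a subdomain or prefix of an unrelated domain,
    # e.g. facebook.com.account-check.example or paypal.com-verify.net.
    for trusted in TRUSTED_HOSTS:
        if trusted in host:
            return f"suspicious: embeds {trusted} but is really {domain}"
    # Small edit distance after homoglyph folding: paypa1.com, faceb00k.com ...
    name = normalize(domain.rsplit(".", 1)[0])
    best = min(TRUSTED_HOSTS, key=lambda t: edit_distance(name, t.rsplit(".", 1)[0]))
    if edit_distance(name, best.rsplit(".", 1)[0]) <= 2:
        return f"suspicious: looks like {best}"
    return "unknown"


def check_message(text):
    """Every URL in a message paired with its verdict, in order of appearance."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample DM, not a real message.
SAMPLE_MESSAGE = (
    "Congrats! Claim at http://paypa1.com/verify or sign in at "
    "https://www.paypal.com/signin. Also see "
    "https://facebook.com.account-check.example/login and "
    "https://news.example.org/story"
)

if __name__ == "__main__":
    for url, verdict in check_message(SAMPLE_MESSAGE):
        print(f"{verdict:55} {url}")
```

The ordering matters: a host that merely contains a trusted name is caught before the fuzzy comparison, so "facebook.com.account-check.example" is reported for the embedded brand rather than slipping through as an "unknown" domain.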
Now that you know what to look for and the best tricks to be safe, you can feel more confident that you're doing everything you can to protect your online accounts and private information. McAfee Protection Score can also help you take control of your online safety. This service allows you to monitor your current online safety and encourages you to take specific steps to improve it. Now you can enjoy digitally keeping in touch with your friends with peace of mind!
1 Smart Insights, "Global social media statistics research summary 2022"
The post It's Social Media Day! Here's How to Protect Yourself From Social Engineering Online appeared first on McAfee Blog.
If the promise of a cash prize in return for answering a few questions sounds like a deal that is too good to be true, that's because it is
The post Costco 40th anniversary scam targets WhatsApp users appeared first on WeLiveSecurity
War in Europe, a reminder for shared service centers and shoring operations to re-examine IT security posture
The post Do back offices mean backdoors? appeared first on WeLiveSecurity
On December 7, 2021, Google announced it was suing two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy, a 14-year-old anonymity service that rents hacked PCs to cybercriminals, suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy's founder is one of the men being sued by Google.
AWMproxy, the storefront for renting access to infected PCs, circa 2011.
Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at Kaspersky Lab showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by TDSS (a.k.a. TDL-4 and Alureon), a stealthy "rootkit" that installs deep within infected PCs and loads even before the underlying Windows operating system boots up.
In March 2011, security researchers at ESET found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim's network, such as Internet routers and media storage servers, for use in relaying spam or other malicious traffic.
A report from the Polish computer emergency response team (CERT Orange Polska) found Glupteba was by far the biggest malware threat in 2021.
Like its predecessor TDSS, Glupteba is primarily distributed through "pay-per-install" or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.
In a typical PPI network, clients will submit their malware (a spambot or password-stealing Trojan, for example) to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network's installer with pirated software titles that are widely available for download via the web or from file-sharing networks.
An example of a cracked software download site distributing Glupteba. Image: Google.com.
Over the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.
There is also ample evidence to suggest that Glupteba may have spawned Meris, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.
But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy's online storefront disappeared that same day.
AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy's domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.
Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the "RSOCKS" botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world's largest forum catering to spammers.
The employees who kept things running for RSOCKS, circa 2016.
Shortly after last week's story on the RSOCKS founder, I heard from Riley Kilmer, co-founder of Spur.us, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google's combined legal sneak attack and technical takedown targeting Glupteba.
"The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7," Kilmer said. "It's not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware."
Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each Internet address being sold by RSOCKS was also present in AWM Proxyβs network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.
"One hundred percent of the IPs we got back from RSOCKS we'd already identified in AWM," Kilmer said. "And the IP port combinations they give you when you access an individual IP were the same as from AWM."
In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer's revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.
Supporting Kilmer's theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in AD1[.]ru, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.
Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it's more than a little ironic that the critical piece of evidence linking all of these operations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in 2008 (UA-3816536).
That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar Domenadom[.]ru, and the website web-site[.]ru, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.
Two other domains connected to that Google Analytics code, Russian plastics manufacturers techplast[.]ru and tekhplast.ru, also shared a different Google Analytics code (UA-1838317) with web-site[.]ru and with the domain "starovikov[.]ru."
The name on the WHOIS registration records for the plastics domains is an "Alexander I. Ukraincki," whose personal information also is included in the domains tpos[.]ru and alphadisplay[.]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.
Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses start with some variation of "uai@" followed by a domain from one of the many Russian email providers (e.g., yandex.ru, mail.ru). [Full disclosure: Constella is currently an advertiser on this website].
But Constella also shows those different email addresses all relied on a handful of passwords, most commonly "2222den" and "2222DEN." Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username "dennstr."
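The pivot described in the two paragraphs above (find every site that embeds the same analytics account ID, then repeat from each of those) is mechanical enough to script. The following is an added example for this page, not code from KrebsOnSecurity; the HTML snippets are constructed stand-ins for the real pages (which were not fetched here), the `-1`/`-3` property suffixes are made up to show why they must be stripped, and the `awmproxy` key is just a label for the 2008 storefront. Only the account IDs and domain names come from the article.

```python
"""Pivot across web sites by shared Google Analytics account IDs.

Added example of the attribution technique described above; not code from
the article. SAMPLE_PAGES is constructed: the HTML is invented, the
property suffixes are invented, the IDs and domain names are the article's.
"""
import re
from collections import defaultdict

# Legacy Universal Analytics IDs look like UA-3816536-1; the trailing
# property number is often omitted in write-ups, so it is optional here.
# Newer GA4 measurement IDs look like G-XXXXXXXXXX.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}(?:-\d+)?|G-[A-Z0-9]{6,12})\b")


def extract_ga_ids(html):
    """Account IDs found in a page. The UA property suffix is dropped so that
    UA-3816536-1 and UA-3816536-2 (same account, different properties)
    collapse to one key."""
    ids = set()
    for match in GA_ID_RE.finditer(html):
        tid = match.group(1)
        if tid.startswith("UA-"):
            tid = "-".join(tid.split("-")[:2])
        ids.add(tid)
    return ids


def build_index(pages):
    """pages maps domain -> HTML. Returns (domain -> ids, id -> domains)."""
    by_domain, by_id = {}, defaultdict(set)
    for domain, html in pages.items():
        ids = extract_ga_ids(html)
        by_domain[domain] = ids
        for tid in ids:
            by_id[tid].add(domain)
    return by_domain, by_id


def linked_domains(start, by_domain, by_id):
    """Breadth-first walk from `start` over shared IDs. Returns a dict
    domain -> (domain it was reached from, shared ID), i.e. the evidence
    chain for each hop, so a two-code chain like the article's is visible."""
    seen, frontier, evidence = {start}, [start], {}
    while frontier:
        nxt = []
        for domain in frontier:
            for tid in sorted(by_domain.get(domain, ())):
                for other in sorted(by_id[tid]):
                    if other not in seen:
                        seen.add(other)
                        evidence[other] = (domain, tid)
                        nxt.append(other)
        frontier = nxt
    return evidence


# Constructed stand-ins for the pages; tags and suffixes are invented.
SAMPLE_PAGES = {
    "awmproxy": "<script>_gaq.push(['_setAccount', 'UA-3816536-1']);</script>",
    "domenadom[.]ru": "<script>_gaq.push(['_setAccount', 'UA-3816536-3']);</script>",
    "web-site[.]ru": "<script>ga('create', 'UA-3816536', 'auto');</script>"
                     "<script>ga('create', 'UA-1838317-1', 'auto');</script>",
    "techplast[.]ru": "<script>ga('create', 'UA-1838317-1', 'auto');</script>",
    "tekhplast.ru": "<script>ga('create', 'UA-1838317', 'auto');</script>",
    "starovikov[.]ru": "<script>ga('create', 'UA-1838317-3', 'auto');</script>",
    # Unrelated control site that must not be linked.
    "example.com": "<script>gtag('config', 'G-ABCDEF1234');</script>",
}

if __name__ == "__main__":
    by_domain, by_id = build_index(SAMPLE_PAGES)
    for domain, (via, tid) in linked_domains("awmproxy", by_domain, by_id).items():
        print(f"{domain:20} reached from {via:20} via {tid}")
```

Two cautions a practitioner would add: a shared ID is a lead, not proof (agencies reuse accounts across unrelated clients, and copied templates carry IDs with them), and the walk should be run over archived snapshots as well as live pages, since the article's key hit came from 2008-era HTML.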
The dennstr identity leads to several variations on the same name β Denis Strelinikov, or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And maybe that was the point.
Things began looking brighter after I ran a search in DomainTools for web-site[.]ru's original WHOIS records, which shows it was assigned in 2005 to a "private person" who used the email address lycefer@gmail.com. A search in Constella on that email address says it was used to register nearly two dozen domains, including starovikov.ru and starovikov[.]com.
A cached copy of the contact page for Starovikov[.]com shows that in 2008 it displayed the personal information for a Dmitry Starovikov, who listed his Skype username as "lycefer."
Finally, Russian incorporation documents show the company LLC Website (web-site[.]ru) was registered in 2005 to two men, one of whom was named Dmitry Sergeevich Starovikov.
Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:
The cover page for Google's lawsuit against the alleged Glupteba botnet operators.
Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google's complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.
Despite all of the disruption caused by Google's legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for "VIP access," AWM Proxy says its malware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly 65,000 of these systems are currently online.
Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.
Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.
While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the real force multipliers of cybercrime.