Login
Ransomware revenue plunges to $456 million in 2022 as more victims refuse to pay up. Here's what to make of the trend.
The post Ransomware payments down 40% in 2022 – Week in security with Tony Anscombe appeared first on WeLiveSecurity
Well and truly back into the swing of things in the new year, I think what I've found most satisfying this week is to sit down and pump out a decent blog post on something technical. It's an itch I just haven't had enough time to scratch properly in recent times and I really hope Pwned or Bot makes up for that. I love that it's generating discussion (both for and against) and that it's causing people to stop and think about how we establish the legitimacy of identities in an increasingly bot-centric world. I hope you enjoy this week's update and all the conversation surrounding it.
As enterprises around the world continue to move to the cloud, cybercriminals are following right behind them.…
T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.
Image: customink.com
In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a “bad actor” abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.
APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.
T-Mobile said it first learned of the incident on Jan. 5, 2023, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022. The company says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver’s license or other government ID numbers were exposed.
In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.
Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.
In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.
“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the filing reads. “We have made substantial progress to date, and protecting our customers’ data remains a top priority.”
Despite this being the second major customer data spill in as many years, T-Mobile told the SEC the company does not expect this latest breach to have a material impact on its operations.
While that may seem like a daring thing to say in a data breach disclosure affecting a significant portion of your active customer base, consider that T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone. In that context, a few hundred million dollars every couple of years to make the class action lawyers go away is a drop in the bucket.
The settlement related to the 2021 breach says T-Mobile will make $350 million available to customers who file a claim. But here’s the catch: If you were affected by that 2021 breach and you haven’t filed a claim yet, please know that you have only three more days to do that.
If you were a T-Mobile customer affected by the 2021 incident, it is likely that T-Mobile has already made several efforts to notify you of your eligibility to file a claim, which includes a payout of at least $25, with the possibility of more for those who can document direct costs associated with the breach. OpenClassActions.com says the filing deadline is Jan. 23, 2023.
“If you opt for a cash payment you will receive an estimated $25.00,” the site explains. “If you reside in California, you will receive an estimated $100.00. Out of pocket losses can be reimbursed for up to $25,000.00. The amount that you claim from T-Mobile will be determined by the class action administrator based on how many people file a legitimate and timely claim form.”
There are currently no signs that hackers are selling this latest data haul from T-Mobile, but if the past is any teacher much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.
T-Mobile customers should fully expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even send messages that include the recipient’s compromised account details to make the communications look more legitimate.
Data stolen and exposed in this breach may also be used for identity theft. Credit monitoring and ID theft protection services can help you recover from having your identity stolen, but most will do nothing to stop the ID theft from happening. If you want the maximum control over who should be able to view your credit or grant new lines of credit in your name, then a security freeze is your best option.
Regardless of which mobile provider you patronize, please consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.
Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.
T-Mobile US today said someone abused an API to download the personal information of 37 million subscribers.…
The personal information of 35,000 PayPal users was exposed in December, according to a notification letter sent to the online payment company's customers this week.…
The amount of money paid to ransomware attackers dropped significantly in 2022, and not because the number of attacks fell.…
Faculty and students at the University of Texas at Austin (UT) this week became the latest members of a public US university to lose access to Chinese video app TikTok via campus networks.…
Email marketing service Mailchimp has confirmed intruders have gained access to more than 100 customer accounts after successfully deploying a social engineering attack.…
Hello, is it me you’re looking for? Fraudsters still want to help you 'fix' a computer problem you never had in the first place.
The post Tech support scammers are still at it: Here’s what to look out for in 2023 appeared first on WeLiveSecurity
A Norwegian maritime risk management business is getting a lesson in that very area, after a ransomware attack forced its ShipManager software offline and left 1,000 ships without a connection to on-shore servers. …
It's fascinating to see how creative people can get with breached data. Of course there's all the nasty stuff (phishing, identity theft, spam), but there are also some amazingly positive uses for data illegally taken from someone else's system. When I first built Have I Been Pwned (HIBP), my mantra was to "do good things after bad things happen". And arguably, it has, largely by enabling individuals and organisations to learn of their own personal exposure in breaches. However, the use cases go well beyond that and there's one I've been meaning to write about for a while now after hearing about it firsthand. For now, let's just call this approach "Pwned or Bot", and I'll set the scene with some background on another problem: sniping.
Think about Miley Cyrus as Hannah Montana (bear with me, I'm actually going somewhere with this!) putting on shows people would buy tickets to. We're talking loads of tickets as back in the day, her popularity was off the charts with demand well in excess of supply. Which, for enterprising individuals of ill-repute, presented an opportunity:
Ticketmaster, the exclusive ticket seller for the tour, sold out numerous shows within minutes, leaving many Hannah Montana fans out in the cold. Yet, often, moments after the shows went on sale, the secondary market flourished with tickets to those shows. The tickets, whose face value ranged from $21 to $66, were resold on StubHub for an average of $258, plus StubHub’s 25% commission (10% paid by the buyer, 15% by the seller).
This is called "sniping", where an individual jumps the queue and snaps up products in limited demand for their own personal gain and consequently, to the detriment of others. Tickets to entertainment events is one example of sniping, the same thing happens when other products launch with insufficient supply to meet demand, for example Nike shoes. These can be massively popular and, par for the course of this blog, released in short demand. This creates a marketplace for snipers, some of whom share their tradecraft via videos such as this one:
"BOTTER BOY NOVA" refers to himself as a "Sneaker botter" in the video and demonstrates a tool called "Better Nike Bot" (BnB) which sells for $200 plus a renewal fee of $60 every 6 months. But don't worry, he has a discount code! Seems like hackers aren't the only ones making money out of the misfortune of others.
Have a look at the video and watch how at about the 4:20 mark he talks about using proxies "to prevent Nike from flagging your accounts". He recommends using the same number of proxies as you have accounts, inevitably to avoid Nike's (automated) suspicions picking up on the anomaly of a single IP address signing up multiple times. Proxies themselves are a commercial enterprise but don't worry, BOTTER BOY NOVA has a discount code for them too!
The video continues to demonstrate how to configure the tool to ultimately blast Nike's service with attempts to purchase shoes, but it's at the 8:40 mark that we get to the crux of where I'm going with this:
Using the tool, he's created a whole bunch of accounts in an attempt to maximise his chances of a successful purchase. These are obviously just samples in the screen cap above, but inevitably he'd usually go and register a bunch of new email addresses he could use specifically for this purpose.
Now, think of it from Nike's perspective: they've launched a new shoe and are seeing a whole heap of new registrations and purchase attempts. In amongst that lot are many genuine people... and this guy 👆 How can they weed him out such that snipers aren't snapping up the products at the expense of genuine customers? Keeping in mind tools like this are deliberately designed to avoid detection (remember the proxies?), it's a hard challenge to reliably separate the humans from the bots. But there's an indicator that's very easy to cross-check, and that's the occurrence of the email address in previous data breaches. Let me phrase it in simple terms:
We're all so comprehensively pwned that if an email address isn't pwned, there's a good chance it doesn't belong to a real human.
Hence, "Pwned or Bot" and this is precisely the methodology organisations have been using HIBP data for. With caveats:
If an email address hasn't been seen in a data breach before, it may be a newly created one especially for the purpose of gaming your system. It may also be legitimate and the owner has just been lucky to have not been pwned, or it may be that they're uniquely subaddressing their email addresses (although this is extremely rare) or even using a masked email address service such as the one 1Password provides through Fastmail. Absence of an email address in HIBP is not evidence of possible fraud, that's merely one possible explanation.
However, if an email address has been seen in a data breach before, we can say with a high degree of confidence that it did indeed exist at the time of that breach. For example, if it was in the LinkedIn breach of 2012 then you can conclude with great confidence that the address wasn't just set up for gaming your system. Breaches establish history and as unpleasant as they are to be a part of, they do actually serve a useful purpose in this capacity.
Think of breach history not as a binary proposition indicating the legitimacy of an email address, rather as one of assessing risk and considering "pwned or bot" as one of many factors. The best illustration I can give is how Stripe defines risk by assessing a multitude of fraud factors. Take this recent payment for HIBP's API key:
There's a lot going on here and I won't run through it all, the main thing to take away from this is that in a risk evaluation rating scale from 0 to 100, this particular transaction rated a 77 which puts it in the "highest risk" bracket. Why? Let's just pick a few obvious reasons:
Any one of these fraud factors may not have been enough to block the transaction, but all combined it made the whole thing look rather fishy. Just as this risk factor also makes it look fishy:
Applying "Pwned or Bot" to your own risk assessment is dead simple with the HIBP API and hopefully, this approach will help more people do precisely what HIBP is there for in the first place: to help "do good things after bad things happen".
Updated More than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug disclosed last year and patched months later, according to security researchers.…
A bill proposed by Washingston state lawmakers would make it illegal for period-tracking apps, Google or any other website to sell consumers' health data while also making it harder for them to collect and share this personal information.…
Written by James Schmidt
Editor’s Note: We often speak of online scams in our blogs, ones that cost victims hundreds if not thousands of dollars. This account puts a face on one of those scams—along with the personal, financial, and emotional pain that they can leave in their wake. This is the story of “Meredith,” whose aunt “Leslie” fell victim to an emerging form on online elder fraud. Our thanks to James for bringing it forward and to “Meredith’s” family for sharing it, all so others can prevent such scams from happening to them.
“Embarrassing. Simply embarrassing.” She shook her head. “It’s too raw. I can’t talk about it right now. I need time.”
Her aunt had been scammed. To the tune of $100,000 dollars. My colleague—we both work in the security industry—felt a peculiar sense of loss.
“I work in this industry. I thought I’d done everything right. I’ve passed on enough warnings to my family and friends to ensure they’d avoid the fate of the scammed. Simply because I’m in this industry does not imply my circle is always aware of all the threats to them, even if I do my best to teach them.”
“My mental state, recently, borders on shame; this feeling, you know? How could someone working in my industry have something like this happen to a family member?”
I told her many people working in other industries cannot control what happens to people in their families even if people in that industry had knowledge that could have helped them or otherwise avoided a problem altogether.
“I know, but this simply should never have happened! My aunt is one of the smartest, most conscientious people I know, and she fell for this. It’s crazy and I can’t wrap my head around it.”
My colleague, let’s call her Meredith (not her real name as she’s a bit ashamed to know this happened to a family member), told me the beginnings.
Let’s call her aunt Leslie.
Her story unfolds, the overall picture a pastiche of millions of people in the United States today. Her aunt is retired, bored, lonely, and isolated. She feels adrift without something to occupy her time; she was looking for companionship, connections, someone (anyone) to talk to. Her feelings intensified during the pandemic. She morphed into perfect prey for scammers of what is now known as the “Pig Butchering Scam.”
The term “Pig Butchering” has a visceral and raw feel to it, which falls right in line with how brutal this scam can be. It’s a long con game, where the scammer befriends the victim and encourages them to make small investments through the scammer, which get bigger and bigger over time. The scammer builds trust early with what appear to be small investment wins. None of it is legit. The money goes right into the scammer’s pocket, even as the scammer shows the victim phony financial statements and dashboards to show off the bogus returns. Confidence grows. The scammer wrings even larger sums out of the victim. And then disappears.
It was a targeted attack that started innocuously enough with a “fake wrong number”. An SMS arrives. A text conversation starts. The scammer then apologizes but tells Leslie someone gave them the number to initiate the text.
The scammer then uses emotional and psychological techniques to keep Leslie hooked. “How are you, are you having a nice day?” Leslie, being bored and interested, engages willingly.
The scammer asks to talk directly, not via text: and a phone conversation ensues. The scammer proceeds to describe—in very soothing detail—what they are doing, helping people, like Leslie, invest their “hard-earned money” into something that will make them more money, to help them out in retirement.
Of course, it is too good to be true.
“The craziest part of all of this is my aunt refuses—to this day—to believe she’s been scammed!”
She still thinks this scammer is a “friend” even though the entire family is up in arms over this, all of whom beg her aunt to “open her eyes.”
“My aunt still thinks she’d going to see that money again, or even make some money, which is crazy. The scammers are so good at emotional intelligence; really leveraging heartstrings and psychological makeup of the forlorn in society. My aunt finally agreed to stop sending more money to the scammers, but only after the entire family threatened to cut her off from the rest of the family. It took a lot to get her to stop trusting the scammers.”
Meredith feels this is doubly sad as the aunt in question is not someone they’d ever imagine would in this predicament. She was always the upright one, always the diligent and hardworking and the best with money. She is smart and savvy and we could never imagine her to be taken by these people and taken so easily. It boggles the mind.”
She did start to change in the last few years. And the pandemic created a weird situation. Retirement, loneliness from loss of a partner, and the added burden of the pandemic created a perfect storm for her to open herself up to someone willingly, simply for the sake of connection.
“No one deserves this. It has rocked my family to the core. It is not only about the money, but we’ve found family bonds stretched. She believes these random people, these scammers, more than she believes her own family. Have we been neglectful of our aunt? Does she no longer put her faith in people she knows, rather gives money to complete strangers?”
Being a security professional does not provide magical protection. We are more aware of scams and scammers, and how they work, and what to look for, and we try to do all we can to keep our family aware of scams out there in the big wide world, but we are human. We fall short.
Diligence is action. Awareness is action. Education is action.
We need to be better, all of us, at socializing risky things. We need to consistently educate our family and friends to protect themselves, not only via security software (which everyone should have as default) but by providing tips and tricks and warnings for things we all need to be on the lookout. This is not a one-time thing. The cliché holds true: “If you see something say something.” Repetition helps.
In today’s world, the need for protecting people’s security, identity, and privacy is critical to keeping them safe. Scammers long stopped focusing on attacking only your computer. Now focus more than ever on YOU: your identity, your privacy, your trust. If they get you there, they soon get your money.
As for contributing factors to scammers success with their victims, such as loneliness, isolation, and boredom, they all have remedies. Make connections with your loved ones, especially those easily tagged as vulnerable, those you feel might be at risk. Reach out. It may be hard sometimes due to distance and other factors but make it a point to connect. There is a reason these scammers are succeeding. They are stepping into roles of companions to people who are desperate for connection.
Most people are greatly saddened at seeing other people being “taken.” Let’s work together to help stop the scammers.
Look out for each other, and get your people protected!
Editor’s Closing Note:
If you or someone you know suspects elder fraud, the following resources can help:
For further reading on scams and scam prevention, check out the guides in our McAfee Safety Series, which provide in-depth advice on protecting your identity and privacy—and your family from scams. They’re ready to download and share.
The post A Scam in the Family—How a Close Relative Lost $100,000 to an Elder Scam appeared first on McAfee Blog.
It’s common practice to pull down the window shades at night. Homeowners invest in high fences. You may even cover the PIN pad when you type in your secret four-digit code at ATMs. Privacy is key to going about your daily life comfortably in your surroundings. Why shouldn’t privacy also extend to your digital surroundings?
This Data Privacy Day, round out your privacy protection toolbox with McAfee’s help so you can live your best online life safely.
An easy way to instantly boost the privacy of your every online move is to always connect to a virtual private network (VPN). A VPN scrambles your connected device’s internet session, meaning that it’s impossible for a cybercriminal to eavesdrop on your online comings and goings. VPNs are especially crucial for when you connect to public Wi-Fi networks or networks for which you cannot vouch for their security. Cybercriminals often lurk on public Wi-Fi networks at hotels, coffee shops, and libraries and pounce on users who connect their devices without the protection of a VPN.
Digital privacy not only implies remaining hidden from nefarious eyes, but also from the prying eyes of pesky advertisers. A VPN can assist with that too! When you have a VPN enabled, it confuses advertisers and targeted ads. The less information they have, the more privately you can surf online.
To improve your online privacy, it’s important to first know how safe you currently are. When you can identify your weakest digital privacy habits, you can make targeted improvements to them. Luckily, McAfee Protection Score can help you do just that! Protection Score is a helpful privacy tool that rates your current digital safety. Then, based on your score, the tool offers suggestions on how to boost your score.
For instance, Protection Score searches for your personally identifiable information (PII) on the dark web. If it finds a copy of your government ID or your financial records on a dubious site, your score will tank. While it may be alarming to have a low Protection Score, you can feel good that you’re making positive waves, hopefully before a cybercriminal takes advantage of your PII and uses it to steal your identity.
There are several easy ways to boost your score that require very little effort but have a huge payoff. Connecting to a VPN and running an antivirus scan on your device are just two things you can do and each only takes a few seconds. Changing your habits and turning your online safety around doesn’t have to be overwhelming! In some cases, there are services that’ll even do the work for you, like the service we’ll talk about next.
To round out your privacy protection toolbox, consider signing up for McAfee Personal Data Cleanup. This service is a great companion to Protection Score. While Protection Score identifies all the areas where you can improve your security, Personal Data Cleanup is a service that will remove your information from the web’s riskiest sites.
Did you know that, on average, a person has their PII for sale on 31 sites? Plus, 95% of people haven’t even given their permission and have their personal information for sale on data brokerage sites. Data brokerage sites are legal and anyone can buy your information. Online advertisers are the usual clients, but a cybercriminal can jump in and buy valuable PII, as well.
You should care about data privacy every day not just when the calendar reminds you on Data Privacy Day. Take the steps and invest in the right solutions to shore up your online defenses. McAfee+ Ultimate is an all-in-one service that includes unlimited VPN, Protection Score, a full-service Personal Data Cleanup, and 13 other high-quality identity, privacy, and device security tools.
Live your online life more confidently with McAfee, knowing that cybercriminals are less likely to slip by and damage your credit, identity, or online reputation.
The post 3 Tools to Round Out Your Privacy Protection Toolbox appeared first on McAfee Blog.
When the Internet Engineering Task Force (IETF) announced the TLS 1.3 standard in RFC 8446 in August 2018, plenty of tools and utilities were already supporting it (even as early as the year prior, some web browsers had implemented it as their default standard, only having to roll it back due to compatibility issues. Needless to say, the rollout was not perfect).
Toward the end of 2018, EMA conducted a survey of customers regarding their TLS 1.3 implementation and migration plans. In the January 2019 report, EMA concluded:
Some participants’ organizations may find they have to go back to the drawing board and come up with a Plan B to enable TLS 1.3 without losing visibility, introducing unacceptable performance bottlenecks and greatly increasing operational overhead. Whether they feel they have no choice but to enable TLS 1.3 because major web server and browser vendors have already pushed ahead with it or because they need to keep pace with the industry as it embraces the new standard is unclear. What is clear is that security practitioners see the new standard as offering greater privacy and end-to-end data security for their organizations, and that the long wait for its advancement is over.
When EMA asked many of the same questions in an updated survey of 204 technology and business leaders toward the end of 2022, they found that nearly all the conclusions in the 2018/2019 report still hold true today. Here are the three biggest takeaways from this most recent survey:
While regulatory frameworks and vendor controls continue to push the adoption of the TLS 1.3 standard, adoption still comes with a significant price tag – one that many organizations are just not yet ready or able to consume. Technology improvements will increase rates of adoption over time, such as Cisco Secure Firewall’s ability to decrypt and inspect encrypted traffic. More recent and unique technologies, like Cisco’s encrypted visibility engine, allow the firewall to recognize attack patterns in encrypted traffic without decryption. This latter functionality preserves performance and privacy of the encrypted flows without sacrificing the visibility and monitoring that 94% of respondents were concerned about.
Readers wishing to read the full EMA report can do so here and readers wishing to learn more about Cisco Secure Firewall’s encyrpted visibility engine can do so here.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS 