Monthly Archives: September 2016
It’s all over the press. Here is a quote from Reuters: “Yahoo Inc said on Thursday information associated with at least 500 million user accounts was stolen from its network in 2014 by what it believed was a ‘state-sponsored actor.’
The data stolen may have included names, email addresses, telephone numbers, dates of birth and hashed passwords (the vast majority with the relatively strong bcrypt algorithm) but may not have included unprotected passwords, payment card data or bank account information, the company said.”
Right, that is how it usually goes. This whole disclosure smells like a professional crisis-handling exercise. Later, after more breach investigation, they disclose that more credentials were stolen and that more data (credit cards) was exfiltrated than was known at the time of discovery. It is disappointing that Yahoo doesn’t share more details about the hack, for example when it first discovered that it had been attacked.
It’s easy to blame Russia (likely) or China (unlikely). If I had to break the bad news that my company had been hacked, I would feel much happier saying that the attackers were “state-sponsored” rather than a bunch of 15-year-old kids working in their parents’ basement.
“The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the company said. Yahoo said it was working with law enforcement on the matter. It was not clear how this disclosure might affect Yahoo’s plan to sell its email service and other core internet properties to Verizon Communications Inc.
Yahoo launched an investigation into a possible breach in early August after a Russian hacker named “Peace” offered to sell a data dump of over 200 million Yahoo accounts on the darknet for just $1,800 including usernames, easy-to-crack password hashes, dates of birth and backup email addresses.
Based on the chart below, this is the largest data breach ever – so far!
This is going to be a phishing paradise with significant fallout
Phishing attacks will likely be the number one fallout, with Yahoo user accounts being used for social engineering attacks. However, since many people reuse the same username and password across multiple sites, the other thing that will rear its ugly head is “credential stuffing”: an automated attack in which attackers replay the stolen Yahoo username/password pairs against the login forms of other websites until they find accounts where the same credentials work. Unlike a classic brute-force attack, it tries each stolen pair only once or twice per site, which is why it slips past per-account lockout rules.
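What credential stuffing looks like from the defender’s side is the useful part for anyone running a login endpoint, so here is an added example (my code, not Yahoo’s, Reuters’ or any product’s): a small detector that reads authentication log lines, groups them by source IP, and separates the stuffing pattern (many distinct accounts, each tried once, mostly failing) from a single-account password brute force. The log format, the IP addresses, the account names and the thresholds are all constructed assumptions for illustration.

```python
"""Credential-stuffing detector over authentication log lines.
Added example; log format, sample data and thresholds are assumptions."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> ip=<src> user=<account> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample (not real traffic): 203.0.113.7 replays leaked
# username/password pairs, 198.51.100.2 hammers one account,
# 192.0.2.10 is a normal login.
SAMPLE_LOG = """\
2016-09-23T10:00:01 ip=203.0.113.7 user=alice@example.com result=fail
2016-09-23T10:00:02 ip=203.0.113.7 user=bob@example.com result=fail
2016-09-23T10:00:02 ip=203.0.113.7 user=carol@example.com result=ok
2016-09-23T10:00:03 ip=203.0.113.7 user=dave@example.com result=fail
2016-09-23T10:00:03 ip=203.0.113.7 user=erin@example.com result=fail
2016-09-23T10:00:04 ip=203.0.113.7 user=frank@example.com result=fail
2016-09-23T10:00:10 ip=198.51.100.2 user=alice@example.com result=fail
2016-09-23T10:00:11 ip=198.51.100.2 user=alice@example.com result=fail
2016-09-23T10:00:12 ip=198.51.100.2 user=alice@example.com result=fail
2016-09-23T10:00:13 ip=198.51.100.2 user=alice@example.com result=fail
2016-09-23T10:01:00 ip=192.0.2.10 user=alice@example.com result=ok
"""


def parse(log_text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def per_source_stats(events):
    """Aggregate attempts, failures, distinct accounts and successes per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "hits": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "fail":
            s["failures"] += 1
        else:
            s["hits"].add(e["user"])
    return stats


def classify(stats, min_distinct_users=5, min_fail_ratio=0.5, min_attempts=4):
    """Label noisy sources. Stuffing: many distinct accounts, each tried at
    most twice, mostly failing. Brute force: few accounts, many attempts."""
    labels = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            continue                      # too little traffic to judge
        if s["failures"] / s["attempts"] < min_fail_ratio:
            continue                      # mostly successful: probably benign
        attempts_per_user = s["attempts"] / len(s["users"])
        if len(s["users"]) >= min_distinct_users and attempts_per_user <= 2:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "password_brute_force"
    return labels


def compromised_accounts(stats, labels):
    """Accounts that SUCCEEDED from a stuffing source: these are the
    password-reuse victims; force a reset rather than only blocking the IP."""
    return sorted(u for ip, lab in labels.items()
                  if lab == "credential_stuffing" for u in stats[ip]["hits"])


def run(log_text=SAMPLE_LOG):
    stats = per_source_stats(parse(log_text))
    labels = classify(stats)
    return labels, compromised_accounts(stats, labels)


if __name__ == "__main__":
    print(run())
```

The point of the last function is the operational one: blocking the source IP is the obvious response, but the account that logged in successfully from a stuffing source is the one whose owner reused a leaked password, and it needs a forced reset (and ideally a second factor) regardless of what happens to the attacker’s IP.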
Yahoo put a security announcement on their website and has started to send users notices that they need to change their password.
The bad guys are going to have a field day with this, so BE CAREFUL!
We can expect to be confronted with a raft of Yahoo-related scams in our inbox. As a matter of fact, as I was preparing this article I received a phishing email along with an infected attachment in RTF or Rich Text Format. See below:
Can you identify all the “markings” of a fake email from the screen capture above? Let’s hope so – it’s time for all of us to be EXTRA VIGILANT when opening emails.
Have you been the target or victim of ransomware-wielding attackers? If so, your government needs you to come forward.
So says the FBI in a new public service announcement aimed at both individuals and businesses. The FBI says the effort is designed to get “victims to report ransomware incidents to federal law enforcement to help us gain a more comprehensive view of the current threat and its impact on U.S. victims.”
The bureau says that while anecdotal reports of crypto-locking attacks abound, it needs more precise information about attackers – ranging from the ransomware variant to the attacker’s bitcoin address – to help it pursue, disrupt and potentially arrest suspects. “While ransomware infection statistics are often highlighted in the media and by computer security companies, it has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement,” the FBI’s alert says.
The bureau has previously asked victims of everything from tech support scams to CEO fraud to come forward in efforts that parallel outreach by European law enforcement and security experts.
Security experts say that even if law enforcement agencies cannot act on every criminal report they receive, having victims come forward serves several essential purposes:
• Intelligence: Reporting crime gives law enforcement agencies a more accurate picture of attackers’ techniques so that they can attempt to track and ultimately disrupt them.
• Funding: Crime reports also help law enforcement agencies gauge the scale of the problem so they can devote sufficient resources as well as secure needed funding from legislators or other policymakers.
• Arrests: Amassing intelligence on cybercrime gangs helps investigators better correlate gangs’ activities, thus potentially helping them unmask and pursue the individuals involved as their attacks generate more clues. The FBI has previously noted that “much of the infrastructure being used by cybercriminals is hosted overseas,” and that it often works with international law enforcement agencies.
FBI Seeks 9 Data Points
The FBI is asking anyone who’s been the victim of a ransomware infection to file a report with the local FBI field office or via the website of the Internet Crime Complaint Center, or IC3. That’s a joint partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance, which was set up to receive and investigate internet-related crime complaints.
Here’s the exact information being sought by the bureau:
• Date of infection;
• Ransomware variant, as identified on the ransom page or by the encrypted file extension;
• Victim company information – industry type, business size;
• How the infection occurred – link in email, browsing the internet, etc.;
• Requested ransom amount;
• Attacker’s bitcoin wallet address – often listed on the ransom page;
• Ransom amount paid, if any;
• Overall losses associated with a ransomware infection, including the ransom amount;
• Victim impact statement.
Please Don’t Pay
In its public service request, the FBI again urges anyone who’s suffered a ransomware infection to never pay ransoms because it helps criminals refine their attacks and snare even more victims.
“Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom,” the FBI says. “Paying a ransom emboldens the hacker to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain.”
The FBI also notes that business realities may, of course, influence some organizations to pay the ransom. “While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees and customers.”
Legal experts say there appears to be no way for U.S. law enforcement agencies to prosecute anyone who pays a ransom, even if the money ends up in the hands of an individual or organization on the U.S. Treasury Department’s sanctions list, provided victims employ an intermediary. I’ve been told that some organizations are setting up such plans as well as stockpiling bitcoins in the event that they do fall victim to a related attack.
Anti-Ransomware Portal Offers Help
Some victims, however, can get the equivalent of a “get out of jail free” card, thanks to ongoing efforts by security researchers to crack attackers’ weak crypto or otherwise exploit code-level flaws in the attack code.
One related effort, the public/private No More Ransom portal, says that since launching in July, it’s enabled 822 CoinVault and 941 Shade ransomware victims to decrypt their data for free.
While that’s good news, as the FBI noted earlier this year in an intelligence memo, don’t count on decryptors always being available, because they rely on attackers making coding errors. “Since the most sophisticated ransomware variants are practically impossible to defeat without obtaining the actor’s own private decryption keys, the FBI has focused on performing significant outreach to educate the public on ransomware and the importance of keeping backups and maintaining a level of operational security when using a computer,” the FBI’s memo states.
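To make concrete why researchers can sometimes hand out free decryptors, and why they usually cannot, here is an added example (my code, not code from the page, the FBI, No More Ransom or any real ransomware family): a toy file-encryption scheme whose one flaw is that its key is derived from a 16-bit seed, next to the known-plaintext brute force a decryptor would run to recover that key. The cipher (SHA-256 in counter mode), the seed size and the `%PDF-1.4` header used as known plaintext are all assumptions for illustration; a real decryptor works the same way in principle but against a specific family’s actual mistake.

```python
"""Toy 'ransomware' with a low-entropy key, and the decryptor it makes possible.
Constructed example; the scheme is hypothetical, not any real malware's."""
import hashlib
import os
import struct

KEYSPACE_BITS = 16          # assumption: the toy malware seeds its key from 16 bits
SAMPLE_FILE = b"%PDF-1.4 constructed sample document, not a real file\n"


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a simple stream cipher (toy, not for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def weak_key(seed: int) -> bytes:
    """The attacker's coding error: the whole 256-bit key is a function of
    a seed with only 2**KEYSPACE_BITS possible values."""
    return hashlib.sha256(b"toy-ransom-" + str(seed).encode()).digest()


def strong_key() -> bytes:
    """What the malware should have done: 2**256 candidates, no brute force,
    and therefore no free decryptor without the actor's own key."""
    return os.urandom(32)


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt   # XOR stream cipher: the same operation in both directions


def recover_key(ciphertext: bytes, known_prefix: bytes):
    """Decryptor: try every seed and recognise the right key by checking that
    the first bytes decrypt to a known file header (known-plaintext attack).
    Returns (seed, key) or None if the key was not derived from a small seed."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(1 << KEYSPACE_BITS):
        k = weak_key(seed)
        if decrypt(head, k) == known_prefix:
            return seed, k
    return None


def demo():
    """Encrypt the sample with the weak scheme, then recover it as a victim could."""
    ct = encrypt(SAMPLE_FILE, weak_key(4242))
    seed, key = recover_key(ct, b"%PDF-1.4")
    return seed, decrypt(ct, key) == SAMPLE_FILE


if __name__ == "__main__":
    print(demo())
```

The recovery loop runs 65,536 candidates in well under a second; with a key from `os.urandom` the identical loop simply returns None, which is the FBI’s point about the most sophisticated variants being practically impossible to defeat without the actor’s private key. It is also why backups, not decryptor hopes, are the only reliable plan.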
Thanks to KnowBe4, an online internet safety and security training company, for this new scam alert. There’s an unusual phishing email making the rounds that reveals a new scam you could soon find in your inbox.
Many online service providers like Microsoft, Google, Facebook, Twitter, and PayPal have adopted a policy to warn users via email when there is a possible security-related event like “unusual sign-in activity”.
Copies of these emails have been used for credential phishing for a few years, but the NEW problem is that these security notifications are now being used by bad guys as an attack vector for a tech support scam.
These new phishing emails point victims to a 1-800 number where either a scammer picks up, or the victim is sent to voice-mail hell for a while and their number is queued for a fraudulent follow-up call like the one below.
PS: KnowBe4 uses HubSpot to host their website and for marketing automation, so that is where this download link points. It is safe to click, entertaining and instructive:
So, I suggest you send the following alert/information to your employees, friends and family. You’re welcome to freely copy/paste the information below for sharing.
“There is a new scam you need to watch out for. In the last few years, online service providers like Google, Yahoo and Facebook have started to send emails to their users when there was a possible security risk, like a log-on to your account from an unknown computer.
Bad guys have copied these emails in the past, and tried to trick you into logging into a fake website they set up and steal your username and password. Now, however, they send these fake security emails with a 1-800 number that they claim you need to call immediately.
If you do, two things may happen:
1) You get to talk right away with a real internet criminal, usually with a foreign accent, who tries to scam you. They claim there is a problem with your computer, “fix” it, and ask for your credit card.
2) You get sent to voice mail and kept there until you hang up, but your phone number was put in a queue and the bad guys will call you back and try the same scam.
Remember, if you get any emails that either promise something too good to be true, OR look like you need to do something to prevent a negative consequence, Think Before You Click, or in this case, before you pick up the phone.
If you decide to call any vendor, go to their website and call the number listed there. Never use a phone number from any email you may have received. Here is a real example of such a call. Don’t fall for it!”