Tag Archives: hacking

Privacy groups call for investigation into Experian hack

US consumer privacy groups have called for a Federal investigation into Experian, following a major hack at the credit database firm.

Experian claims personal data on 15 million T-Mobile US customers was stolen in the breach.

But the Public Interest Research Group (PIRG), backed by 28 other bodies, fears the hack may have extended to the rest of Experian’s credit database.

This holds personal information about some 200 million Americans, it said.

“A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster,” it added.

‘Troubling possibility’

The Experian breach occurred at Decisioning Solutions, a subsidiary of the credit agency which T-Mobile uses to process information on subscribers.

Names, birth dates and social security numbers were among data stolen, but not financial details, the firms said.

Experian has said the business was “completely separate” from its main credit bureau business, which was “not affected”.

But in a statement, PIRG’s consumer programme director, Ed Mierzwinski, urged both the Consumer Financial Protection Bureau and the Federal Trade Agency to investigate whether other Experian databases had been breached.

He said: “If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why?

“If it was subject to the same protections as the credit reporting server, doesn’t this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?”


Breached before

Prominent cybercrime journalist Brian Krebs has also raised concerns about Experian’s internal data protection policies.

In a blog, published on 8 October, he claimed to have interviewed “half a dozen security experts” who recently left Experian frustrated with its approach.

“Nearly all described Experian as a company fixated on acquiring companies in the data broker and analytics technology space, even as it has stymied efforts to improve security and accountability at the firm,” he said.

Experian data has been breached before – such as in 2012, when an attack on an Experian subsidiary exposed social security numbers of 200 million Americans.

This prompted an investigation by at least four states, including Connecticut.

Commenting on PIRG’s campaign, an Experian spokesman said: “Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident.”

He added: “Security is a top priority for the company, and Experian is committed to continuous investments in upgrading talent, processes, and technologies needed to protect our systems.”

He said the firm had invested “tens of millions of dollars” in the last three years to strengthen its security.

A number of lawsuits seeking class action status are under way against T-Mobile and Experian, on behalf of victims affected by the breach.


Webcam hacker spied on sex acts with BlackShades malware

A Leeds-based hacker used a notorious piece of malware called BlackShades to spy on people via their webcams.

Investigators from the National Crime Agency found images on the computer of Stefan Rigo, 34, including ones of people involved in sexual activity, some of whom were on Skype at the time.

Rigo was arrested in November last year during an international investigation.

He has been given a 20-week suspended sentence and placed on the sex offenders’ register for seven years.

Rigo targeted a variety of victims after gaining remote access to their computers’ webcams.

Incriminating images on his computer were discovered after a forensic examination.

Of the 14 confirmed individuals he spied on, roughly half were people he knew personally, an NCA spokesman told the BBC.

At a hearing in July, Rigo pleaded guilty to one count of voyeurism and another computer-related offence.

The court took Rigo’s guilty plea into account when handing down the 20-week sentence. As well as being placed on the sex offenders’ register, Rigo will have to complete 200 hours of unpaid work within the next 12 months.

Victims ‘unaware’

Investigators found and arrested Rigo after raiding two addresses in Leeds.

The hacker had used his ex-girlfriend’s details to purchase BlackShades, a remote access trojan (RAT) which allows for a high level of surreptitious control over a victim’s computer.

“The problem with RATs specifically is a lot of the time people don’t know they’re being affected,” the NCA spokesman said.

“In the case of Stefan Rigo that we were looking at, his victims weren’t aware.”

BlackShades has been around since 2010 and has been sold for as little as $40 (£26), explained Jens Monrad at cyber security firm FireEye.

“The application in itself is not that difficult to detect but typically the attackers will wrap some sort of exploit around the application,” said Mr Monrad.

“Even with patches the victim will still be vulnerable so long as there is a hole in the operating system.”

Mr Monrad recommended that computer users be careful of clicking on suspicious links or downloading dubious email attachments.

Cam scams

The criminal market for webcam hacking tools is highly active, according to Mr Monrad, since malicious hackers are often able to exploit their victims after taking covert images of them.

There have also been cases in which hackers sold access to specific cameras.

Connected security cameras in buildings may be at risk too, though there are sometimes difficulties in publicly discussing how secure they are.

One researcher recently cancelled a forthcoming talk on the issue following legal pressure from the manufacturers of widely-used surveillance cameras.

Gianni Gnesa was due to discuss “vulnerabilities found on major surveillance cameras and show how an attacker could use them to stay undetected” at the HITB GSEC security conference in Singapore.

The Register reports that a legal threat from one, unnamed, manufacturer resulted in Gnesa withdrawing his presentation.


Cyber-thieves hit YouTube Fifa gamers

Six of the most successful Fifa video gamers to feature on YouTube have been targeted by cyber-thieves.

The hackers stole millions of Fifa coins, the game’s virtual currency, and sold players worth thousands of pounds.

They are thought to have convinced manufacturer EA Sports to transfer their victims’ Origin accounts to email addresses the hackers controlled.

Many other well-known players who do not make videos are also believed to have been hit.

AnesonGib, W2S, Nepenthez, Nick28T, Bateson87 and matthdgamer have more than five million YouTube subscribers between them.

Matthew Craig, the man behind matthdgamer, told the BBC: “There have been about 10 or more accounts which have been hacked over the last two weeks, me included.”

In a video, Nick28T said: “Basically, someone called in pretending to be me and… got in to my account.”

An EA representative said: “We encourage all Fifa players to secure their accounts with authentication and verification steps, which we outline on our help and our product sites.

“We are consistently working through our customer experience teams to secure accounts and make sure players are educated when account compromises are made.”

Mr Craig said EA had apologised to him about the attack and had moved quickly to help him once he had reported it.

“They got my account back, added four or five more security measures, and my account has been fine since,” he said.


New Android adware spotted loaded with root exploits — but you’re safer than you think

A new piece of Android malware is reportedly making the rounds in as many as 20 different countries, and if security firm FireEye is to be believed, it’s quite a nasty bit of code. The exploit, known as Kemoge, was spotted masquerading as a number of legitimate apps, but upon installation it attempts to gain root access on the device, which could allow an attacker to gain complete control. It sounds bad, but as usual, the truth is a bit less sensational than they’d have you believe.

Kemoge is a form of malicious adware, according to FireEye. It borrows the icons from other apps to encourage a user to trust it. The first hurdle for the malware authors to clear is actually getting users to install the app, which is only possible via a third-party app store. That means the user has to download the APK, allow unknown sources in the security settings, then launch the package. Not exactly an easy process.

The way Kemoge functions when deployed on a vulnerable device is actually pretty clever. It copies device information and beams it back to a command and control server first, then it starts inserting ads into the UI, which can pop up in any app or even on the home screen. So that’s annoying, but what it does next is downright malicious. Kemoge contains as many as eight exploits, which it uses in an attempt to root the device. This could give the attacker full control over an infected phone. If the infected device is rooted, Kemoge immediately uninstalls any antivirus apps it finds. The exception would be Google Play Services, which runs Google’s antivirus scans. It’s impossible to remove Play Services from a device (even with root) if you still want anything to work.

Are you sufficiently frightened now? What’s described above is really the worst case scenario. The adware aspect of Kemoge should work on almost any device, assuming you go to the trouble of manually installing it. However, the root angle is much less certain. FireEye lists several of the root exploits contained in Kemoge, and they’re all quite old. There’s Motochopper, mempodroid, and a few general Linux kernel vulnerabilities. These are relics from the days when an APK could be used to root your phone. All modern versions of Android should be patched to protect against these flaws. Testing was done with a Nexus 7 running Android 4.3 (software from more than two years ago).

Root exploits are hard to develop on Android these days, but they aren’t always designed to be malware. Many Android users want root access for their own use, and that’s where a lot of the exploits used by Kemoge come from — the enthusiast community. Many devices currently on the market don’t even have functional root exploits for people who want to root their phones, so it’s unlikely Kemoge has a magical unreleased exploit that can root your phone.

Bottom line — the old root methods employed by Kemoge don’t work on popular phones or people would be using them to intentionally root their devices. We’ve reached out to FireEye to get clarification on which versions of Android they’ve confirmed root access on and will update when and if they reply.

Your first line of defense from adware attacks like this is to simply get your apps from the Play Store or from a trusted source like F-Droid or APK Mirror. When you flip the unknown sources switch, you’re instantly less safe.

Update: FireEye got back to us and clarified that all the exploits it detected in Kemoge are public and several years old (2013 and earlier). They should be patched on all newer phones.


Chinese Hackers Breached LoopPay, Whose Tech Is Central to Samsung Pay

Months before its technology became the centerpiece of Samsung’s new mobile payment system, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers.

As early as March, the hackers — alternatively known as the Codoso Group or Sunshock Group by those who track them — had breached the computer network of LoopPay, a start-up in Burlington, Mass., that was acquired by Samsung in February for more than $250 million, according to several people briefed on the still-unfolding investigation, as well as Samsung and LoopPay executives.

LoopPay executives said the Codoso hackers appeared to have been after the company’s technology, known as magnetic secure transmission, or MST, which is a key part of the Samsung Pay mobile payment wallet that made its public debut in the United States last week.

Like similar mobile payment systems from Apple and Google, Samsung Pay allows consumers to pay for goods using their Samsung smartphones with so-called near-field communications technology, which uses a wireless signal to send payment information from a phone to newer cash registers. But LoopPay’s MST technology has an advantage: It also works with older payment systems by emulating a commonly used magnetic stripe card.

The attackers are believed to have broken into LoopPay’s corporate network, but not the production system that helps manage payments, said Will Graylin, LoopPay’s chief executive and co-general manager of Samsung Pay. Mr. Graylin said that security experts were still looking through LoopPay’s systems, but that there had been no indication that the hackers infiltrated Samsung’s systems or that consumer data had been exposed.

LoopPay did not learn of the breach until late August, when an organization came across LoopPay’s data while tracking the Codoso Group in a separate investigation.

Both LoopPay and Samsung executives said they were confident that they had removed infected machines, and that customer payment information and personal devices were not affected. They added that there was no need to delay the introduction of Samsung Pay, which had its debut in the United States last week after executing more than $30 million worth of purchases in South Korea.

“Samsung Pay was not impacted and at no point was any personal payment information at risk,” Darlene Cedres, Samsung’s chief privacy officer, said in a statement. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.”

But two people briefed on the investigation, as well as security experts who have been tracking the Codoso hackers as they have targeted hundreds of victims around the world, said it would be premature to say what the hackers did and did not accomplish since they were discovered in August.

To start, the hackers were inside LoopPay’s network for five months before they were discovered. And the Codoso Group is known for maintaining a hidden foothold in its victims’ systems. Security experts say the group’s modus operandi is to plant hidden back doors across victims’ systems so that they continue to infiltrate their networks long after the initial breach.

In a multistage Codoso attack of Forbes in February, for example, the group infected the website of Forbes.com with malicious code that infected the site’s visitors. But that was just the start. From there, other members of the group used that foothold in visitors’ machines to search for valuable targets in the defense sector.

After a similar attack by another Chinese state-affiliated hacking group on the U.S. Chamber of Commerce in 2011, the chamber believed it had rid hackers from its network only to discover months later that an office printer and even a thermometer in one of its corporate apartments were still sending information back to computers in China.

Samsung introduced Samsung Pay in the United States just 38 days after LoopPay learned it had been breached. On average, it takes 46 days before an attack by hackers can be fully resolved, according to the Ponemon Institute, a nonprofit that tracks breaches. But the time to fix the damage is typically much longer in cases of sophisticated Chinese hackings like the one at LoopPay.

“Once Codoso compromises their targets — which range from dissidents to C-level executives in the U.S. — they tend to stay there for quite a long time, building out their access points so they can easily get back in,” said John Hultquist, the head of intelligence on cyberespionage at iSight Partners, a security firm. “They’ll come back to a previous organization of interest again and again.”

LoopPay hired two private forensics teams to investigate the breach on Aug. 21, just a month before it was set to bring Samsung Pay to the United States, according to Mr. Graylin. Both are still working the case.

But the investigation has been unusual from the start. LoopPay told the teams to look at different portions of its network. One of the firms, Sotoria, which is based in Charleston, S.C., was given a backup of LoopPay’s data and asked to leave the company’s headquarters after just three days.

Mr. Graylin said that was because the team was looking at LoopPay systems that he said fell outside the scope of the initial contract, in what Mr. Graylin described as an attempt to extract more fees. Even so, he said, LoopPay was still working with the company to resolve the breach.

Sotoria executives said they could not comment on the investigation. Mr. Graylin would not name the second computer forensics firm looking into the attack.

LoopPay has not notified law enforcement about the breach, Mr. Graylin said, because his firm believed no customer data or financial information had been stolen.

He also played down concerns that hackers might try to use the information they stole about his company’s technology in order to infiltrate Samsung Pay or create a copycat product. He said if such a thing emerged, LoopPay could file a patent lawsuit. What’s more, he said, it would be viable only if major banks, credit card companies and carriers were willing to team up with the copycat.

News of the breach at LoopPay comes at a particularly inopportune time for Samsung, which is locked in a bitter war for smartphone supremacy against Apple and its immensely popular iPhone, as well as a newer crop of less expensive devices from manufacturers like China’s Xiaomi.


Sony hack’s invasion of privacy still grates on CEO

Nearly a year after a crippling hack, the studio’s boss says he was distressed by how some people combed leaked emails for embarrassing information.

Almost a year after a massive hack crippled Sony Entertainment, it’s still a sore subject with CEO Michael Lynton.

The breach, which was revealed in November, damaged computers, leaked financial documents, and revealed the inner workings of the studio. In addition to causing so much damage that the company essentially shut down for several weeks, hackers leaked then-unreleased movies and the personal information of more than 47,000 celebrities, freelancers, and current and former Sony employees.

But what seemed to capture the bulk of the attention was the release of a trove of embarrassing e-mails between executives at the film and TV arm of Japanese tech and media conglomerate Sony. For Lynton, the fervor with which some people combed through those emails was most troubling.

“The part that was distressing was the extent to which people decided to go through it,” Lynton said Tuesday at Vanity Fair’s New Establishment Summit in San Francisco. Speaking at a panel on the Sony hack and cybersecurity, Lynton said he still hasn’t reviewed the emails of his that were leaked.

“Of course, my correspondence was public, especially after Julian Assange decided to WikiLeaks it. But I haven’t even been back through it,” he said. Others have, though, and they aren’t coy about admitting it, he said.

“People come up to me at lunch and say, ‘I just read your correspondence with so-and-so, and it was interesting,'” he said. “To me, that’s an odd way to spend an afternoon.”

Lynton saved his harshest criticism for members of the media who chose to publish details of the emails, which often represented shocking invasions of privacy and caused damage to individual reputations. The contents of some emails sent by Sony Pictures’ co-chair Amy Pascal were linked to her eventual resignation.

“There was tremendous unrest among the folks at the studio…I don’t think it’s correct to be publishing those e-mails,” Lynton said. “I don’t think they were newsworthy. It sort of built on itself.”

Lynton isn’t the only tech figure to feel that way about the hack. Evan Spiegel, CEO of messaging service Snapchat, said in December that he was “angry” and “devastated” that information about his startup’s business plan was revealed in emails with Lynton that were part of the leak.

Traced by the FBI to North Korea, the hackers were apparently trying to prevent the release of the satirical movie “The Interview,” which depicts actors Seth Rogen and James Franco as TV journalists drawn into a CIA plot to assassinate North Korean leader Kim Jong-un. In response to threats against theaters, Sony initially canceled the movie’s release but relented in the face of mounting public pressure and criticism.

Sony Entertainment also came under fire from former employees, who sued the studio claiming that the personal information stolen in the hack made them vulnerable to identity theft. The lawsuit, which sought class-action certification, claimed Sony knew before the breach that its computer systems were not secure enough to protect confidential employee information, which included Social Security numbers, home addresses and health care records.

Court records showed in September that Sony had agreed to settle the lawsuit, although financial details were not revealed.


Edward Snowden interview: ‘Smartphones can be taken over’

Smartphone users can do “very little” to stop security services getting “total control” over their devices, US whistleblower Edward Snowden has said.

The former intelligence contractor told the BBC’s Panorama that UK intelligence agency GCHQ had the power to hack into phones without their owners’ knowledge.

Mr Snowden said GCHQ could gain access to a handset by sending it an encrypted text message and use it for such things as taking pictures and listening in.

The UK government declined to comment.

Mr Snowden spoke to Panorama in Moscow, where he fled in 2013 after leaking to the media details of extensive internet and phone surveillance by his former employer, the US National Security Agency (NSA).

He did not suggest that either GCHQ or the NSA were interested in mass-monitoring of citizens’ private communications but said both agencies had invested heavily in technology allowing them to hack smartphones. “They want to own your phone instead of you,” he said.

Mr Snowden talked about GCHQ’s “Smurf Suite”, a collection of secret intercept capabilities individually named after the little blue imps of Belgian cartoon fame.

“Dreamy Smurf is the power management tool which means turning your phone on and off with you knowing,” he said.

“Nosey Smurf is the ‘hot mic’ tool. For example if it’s in your pocket, [GCHQ] can turn the microphone on and listen to everything that’s going on around you – even if your phone is switched off because they’ve got the other tools for turning it on.

“Tracker Smurf is a geo-location tool which allows [GCHQ] to follow you with a greater precision than you would get from the typical triangulation of cellphone towers.”

Peter Taylor’s film Edward Snowden: Spies and the Law also covers:

  • The contentious relationship between the British government and social media companies. The intelligence agencies and the police want the companies to co-operate in detecting terrorist content but the programme learns that not all companies are prepared to co-operate to the extent that the agencies would like.
  • Documents leaked by Mr Snowden that appear to show that the UK government acquired vast amounts of communications data from inside Pakistan by secretly hacking into routers manufactured by the US company, Cisco.

‘Necessary and proportionate’

Mr Snowden also referred to a tool known as Paranoid Smurf.

“It’s a self-protection tool that’s used to armour [GCHQ’s] manipulation of your phone. For example, if you wanted to take the phone in to get it serviced because you saw something strange going on or you suspected something was wrong, it makes it much more difficult for any technician to realise that anything’s gone amiss.”

Once GCHQ had gained access to a user’s handset, Mr Snowden said the agency would be able to see “who you call, what you’ve texted, the things you’ve browsed, the list of your contacts, the places you’ve been, the wireless networks that your phone is associated with.

“And they can do much more. They can photograph you”.

Mr Snowden also explained that the SMS message sent by the agency to gain access to the phone would pass unnoticed by the handset’s owner.

“It’s called an ‘exploit’,” he said. “That’s a specially crafted message that’s texted to your number like any other text message but when it arrives at your phone it’s hidden from you. It doesn’t display. You paid for it [the phone] but whoever controls the software owns the phone.”

Describing the relationship between GCHQ and its US counterpart, he said: “GCHQ is to all intents and purposes a subsidiary of the NSA.

“They [the NSA] provide technology, they provide tasking and direction as to what they [GCHQ] should go after.”

The NSA is understood to have a similar programme to the Smurf Suite used by GCHQ on which it is reported to have spent $1bn in response to terrorists’ increasing use of smartphones.

Mr Snowden said the agencies were targeting those suspected of involvement in terrorism or other serious crimes such as paedophilia “but to find out who those targets are they’ve got to collect mass data”.

“They say, and in many cases this is true, that they’re not going to read your email, for example, but they can and if they did you would never know,” he said.

In a statement, a spokesperson for the UK government said: “It is long-standing policy that we do not comment on intelligence matters.

“All of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position.”

The government believes Mr Snowden has caused great damage to the intelligence agencies’ ability to counter threats to national security.

Mr Snowden maintains he has acted in the public interest on the grounds that the surveillance activities revealed in the thousands of documents he leaked are carried out – in his words – “without our knowledge, without our consent and without any sort of democratic participation”.

Watch Peter Taylor’s film: Edward Snowden, Spies and the Law on Panorama on BBC One on Monday, 5 October at 20:30 BST or catch up later online.


One billion Android smartphones can be hacked with just a song

Second coming of Stagefright vulnerability discovered by researchers can infect almost every Android smartphone on the planet

A billion Android smartphones and tablets are at risk from a new bug that can infect devices when they preview audio or video files, a team of security experts have warned.

The security flaw carries many of the same features as the text message Stagefright bug that was discovered in July and was seen as the biggest hole in Android security ever reported.

Researchers at Zimperium zLabs, which reported the original bug, have dubbed it Stagefright 2.0, and warned that it can affect “almost every Android device” since version 1 in 2008.

Merely by using Android’s preview function to listen to or watch a specially-created MP3 or MP4 file, hackers could access an Android device’s code and make changes remotely, and in theory could track or steal information.

Users could be duped into visiting URLs that activate Android’s preview function, or, perhaps more worryingly, the fault could be exploited if a hacker and victim were on the same public Wi-Fi network, such as one in a coffee shop.

“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue,” the researchers wrote.

“Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.”


The two vulnerabilities – one of which affects almost all Android devices and another that can attack those running Android 5.0 upwards – have been flagged to Google, which said it had shared an update with Android manufacturers.

It is also fixing the bug for its own Nexus devices with an update on October 5. Zimperium urged Android manufacturers to patch the problems as soon as possible.

The original Stagefright bug surfaced in July, and exploited a flaw in Google’s chat apps Hangouts and Messenger when they were sent multimedia video files.

Google rushed to fix the bug, fixing both apps, although some older versions of Android did not receive the updates.


Chinese smartphones mount massive web attack

More than 650,000 Chinese smartphones have been unwittingly enrolled in a massive attack that overwhelmed a web server.

The huge attack saw the target site hit with about 4.5 billion separate requests for data in one day.

The tidal wave of data was traced to a pool of booby-trapped adverts that had been seeded with malicious code.

The adverts seem to have been shown in apps popular in China, said Cloudflare, which uncovered the data deluge.

Analysis found that it relied on the widely used JavaScript language as it tried to knock the site offline.

“It seems probable that users were served advertisements containing the malicious Javascript,” wrote Cloudflare security analyst Marek Majkowski in a blogpost.

What was not entirely clear, said Mr Majkowski, was how so many Chinese phone owners were tricked into visiting the pages hosting the booby-trapped adverts.

He speculated that the attack had worked because its creators had joined one of the networks that piped adverts to people as they browsed the web.

Many of these ad networks run live auctions with the available slots going to the firm that bids the highest. By bidding high, the cybercriminals seem to have won the right to get their adverts in front of lots of people, he said.

“Attacks like this form a new trend,” said Mr Majkowski. “They present a great danger in the internet – defending against this type of flood is not easy for small website operators.”

The target site received more web traffic in a day than the BBC’s news website gets in a month. Cloudflare did not name the company that ran the server that was hit.


What Goes Around Comes Around: Russia Gets Hacked

Russia has been targeted in a hack attack, and China is one of the chief suspects. “There are attributes in the payload and the infrastructure that suggest the actor is Chinese, but we would hesitate to claim definitively that this is a Chinese attack, because all that information can be spoofed and proxied,” said Patrick Wheeler, director of threat intelligence at Proofpoint.

Russia has been a prime suspect in recent cyberattacks launched against U.S. government targets. However, Russia has been poked with the other end of the hacker stick.

For more than two months, hacker attacks originating in China have bedeviled Russia’s military and telecom sectors, researchers at Proofpoint revealed last week.

“We also observed attacks on Russian-speaking financial analysts working at global financial firms and covering telecom corporations in Russia, likely a result of collateral damage caused by the attackers’ targeting tactics,” wrote Thoufique Haq and Aleksy F, authors of the report.

The attacks began with carefully crafted emails designed to lure recipients into following a URL to a compressed archive file containing malicious software, or to open an infected Microsoft Word attachment, the researchers explained.

Once infected, a machine downloads a Remote Access Trojan, or RAT, called “PlugX.”

China Connection

“PlugX has been associated with state actors in the past,” said Patrick Wheeler, director of threat intelligence at Proofpoint. “It’s not seen as widely in cybercrime and financial theft as it is in state-sponsored activities.”

PlugX essentially creates a backdoor for attackers in the systems it’s installed on, he told TechNewsWorld. Its repertoire includes downloading malware; mapping systems it’s infected; managing, copying and exfiltrating files; moving laterally to infect other machines and networks; and shutting itself down and removing all traces of itself.

China is one of the chief suspects in the Russian attacks.

“There are attributes in the payload and the infrastructure that suggest the actor is Chinese, but we would hesitate to claim definitively that this is a Chinese attack, because all that information can be spoofed and proxied,” Wheeler said.

There seems to be little doubt, however, that the attack is backed by a nation state or hackers working for one.

“The payload suggests it’s a state-sponsored actor rather than a cybercriminal,” Wheeler observed.

“Cybercriminals are more often dropping things like banking Trojans and keyloggers and other information stealers that are designed to steal or divert funds,” he explained. “This is targeted toward stealing information, exploration, and gaining a foothold in the target organization.”

Fraud Migration

Credit card companies in recent months have been sending their customers new EMV cards with a metallic square in the left hand corner. The square is a computer chip designed to make physical transactions performed with the card more secure.

However, that’s not the case for virtual transactions, such as those performed online. For that reason, the move to reduce physical fraud may serve to push more of it to the virtual world.

The EMV system consists of two parts: the chip on the card; and a reader at the point of a purchase.

When an EMV card is read at the point of purchase, the credit card information is shared with the merchant in encrypted form. That contrasts with cards with magnetic strips, which share information in plain text.

Increased protection offline can lead to increased fraud online. In the United Kingdom, for example, online fraud rates temporarily spiked after EMV adoption in 2005, and “card-not-present” fraud has continued to increase since, rising 120 percent from 2004 to 2014.

This same trend likely will emerge in the U.S. after EMV technology becomes widely integrated.

Big Data to Rescue

“EMV affects online fraud because EMV will make it more difficult to use a counterfeit credit card offline,” said Jason Tan, CEO of Sift Science.

“These fraudsters are going to find their main source of income drying up, and they’re going to have to make money in other ways,” he told TechNewsWorld. “Online is lucrative because they can do things on scale and in an anonymous fashion.”

To counter online fraud, merchants will need to deploy systems that can identify likely fraudsters without irritating legitimate shoppers — systems that use machine learning and big data analytics to flag potential Net thieves.

Machine-learning systems can learn about a merchant’s customer base in real time to create an accurate prediction of risk.

“That can drastically improve the shopping experience for good customers, while keeping fraudsters out,” Tan said.

Bull’s-Eye on Healthcare

The healthcare industry was 200 percent more likely to encounter data theft and experienced 340 percent more security incidents and attacks than other industry averages, Raytheon Websense reported this week.

Red flags in recent years have highlighted the healthcare industry’s cyberweaknesses.

For example, the healthcare industry isn’t as resilient to system intrusions as other industries, according to an FBI report released last year.

A number of factors contributed to that, according to the report, including a mandatory January 2015 deadline to transition to electronic health records, lax cybersecurity standards, and more Internet-connected medical devices than ever before.

Moreover, the incentive for cracking into systems is higher in healthcare than in other industries. Medical data commands 10 times the price of financial data in the computer underworld, the FBI noted.

No Silver Bullet

“Healthcare data is valuable. It can create a complete picture of an individual patient that can be traded on the underground cyber economy or repurposed,” said Carl Leonard, a principal security analyst with Websense.

“It can be used for identity theft. It can be used for insurance fraud. It can be used to launch additional attacks on individuals,” he told TechNewsWorld.

The security challenges faced by the healthcare industry can be daunting, but they must be wrangled.

“There is no silver bullet, but there are leaps that healthcare providers can take to better position themselves. Patients are demanding that now. Boards, too, and execs are realizing the grave implications of suffering a data breach,” Leonard said.

“The desire to protect their environments is there,” he added. “They just need to figure out a right way to do that.”

Breach Diary

  • Sept. 14. Jaspen Capital Partners and Chief Executive Andriy Supranonok, both from Kiev, Ukraine, agree to pay US$30 million to U.S. Securities and Exchange Commission to settle civil case involving the theft of more than 150,000 press releases from three business news services. The releases, stolen before they were made public, were used for making inside trades that netted an estimated $100 million in illegal profit over a five-year period.
  • Sept. 15. U.S. District Court Judge Paul Magnuson approves class-action status of banks filing lawsuit against Target over 2013 data breach that compromised some 40 million credit cards.
  • Sept. 15. Charlotte-Mecklenburg Schools in North Carolina have notified 7,600 job applicants that their personal information, including Social Security numbers, was shared with a contractor without proper authorization, The Charlotte Observer reports.
  • Sept. 17. Dmitriy Smilianets, 32, pleads guilty in American court to his role in conspiracy to breach the computer networks of a number of payment processing companies. It’s estimated that the conspirators stole information from 160 million credit cards.
  • Sept. 17. Eset discovers malware, Win32/Spy.Odlanor, that peeks at cards of opponents during online poker games at PokerStars and Full Tilt Poker.
  • Sept. 18. Comcast agrees to pay $33 million to California for accidentally publishing personal information of about 75,000 people who paid to keep the information private.
  • Sept. 18. Private medical data of millions of Americans has been exposed on the Internet through a public subdomain of Amazon Web Services, Gizmodo reports. The custodian of the data, Systema Software, confirmed the error and said it was investigating the incident.
  • Sept. 18. NHS Trust Hospital in the UK says it’s investigating a reported data breach at its Kettering General Hospital in which the Russian hacking group Horux used the facility’s email system to distribute spam advertising illegal goods on the Dark Web.
  • Sept. 18. Cybersecurity firm Sucuri reports that as many as 6,000 websites a day are being infected in a malware campaign that’s targeting WordPress sites. The infection redirects infected-site visitors to a server that attempts to push exploit kits to their computers.
  • Sept. 18. Ponemon Institute releases survey of some 600 IT and security executives that finds only 25 percent of them believe their organizations are cyber-resilient, and just 32 percent feel they can properly recover from a cyberattack.

Upcoming Security Events

  • Sept. 24. 110 Bitcoin or Else! 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Sept. 24. Malware’s Most Wanted: Cyber Espionage–Nation State APT Attacks on the Rise. Noon ET. Webinar sponsored by Cyphort. Free with registration.
  • Sept. 24-25. Owasp’s 12th Annual Security Conference. Hyatt Regency San Francisco, 5 Embarcadero Center, San Francisco. Registration: $995; student, $75.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31 — member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1 — member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
  • Sept. 29. The Mozilla Delphi Cybersecurity Study: Towards a User Centric Cybersecurity Policy Agenda. 12 noon ET. Berkman Center for Internet & Society, Harvard Law School, Wasserstein Hall, Milstein East C, Cambridge, Massachusetts. Free with RSVP, will also be webcast live.
  • Sept. 30. What Happened Next? Detecting an Attack in Real Time. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Sept. 30-Oct. 1. Privacy. Security. Risk. 2015. Conference sponsored by IAPP Privacy Academy and CSA Congress. Bellagio hotel, Las Vegas. Registration: Before Aug. 29 — member, $1,195; nonmember, $1,395; government, $1,045; academic, $495. After Aug. 28 — member, $1,395; nonmember, $1,595; government, $1,145; academic, $495.
  • Oct. 2-3. B-Sides Ottawa. RA Centre, 2451 Riverside Dr., Ottawa, Canada. Free with registration.
  • Oct. 6. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Sharonville, Ohio. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 6. UK Cyber View Summit 2015. 6 a.m. ET. Warwick Business School, 17th Floor, The Shard, 32 London Bridge, London, UK. Registration: 550 euros plus VAT.
  • Oct. 9-11. B-Sides Warsaw. Pastwomiasto, Anders 29, Warsaw, Poland. Free with registration.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
  • Oct. 14. Latest DDoS Attacks Trends–Excerpts from Arbor ATLAS Global Statistics. 10 a.m. ET. Webinar by Arbor Networks. Free with registration.
  • Oct. 14. Best Practices in DDoS Defense: Real World Customer Perspectives. 11 a.m. ET. Webinar sponsored by Networks. Free with registration.
  • Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 15-16. B-Sides Los Angeles. Dockweiler Youth Center and State Beach. Free.
  • Oct. 16-18. B-Sides Washington D.C. Washington Marriott Metro Center, 775 12th St NW, Washington, D.C. Free.
  • Oct. 17-18. B-Sides São Paulo. Pontifícia Universidade Católica de São Paulo, São Paulo, Brazil. Free.
  • Oct. 19-21. CSX Cybersecurity Nexus Conference. Marriott Wardman Park, 2660 Woodley Rd. NW, Washington, D.C. Registration: before Aug. 26 — member, $1,395; nonmember, $1,595. Before Oct. 14 — member, $1,595; nonmember, $1,795. After Oct. 14 — member, $1,795; nonmember, $1,995.
  • Oct. 28. The Cyber-Centric Enterprise. 8:15 a.m. ET. Virtual conference. Free with registration.
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 28-29. Securing New Ground. Conference sponsored by Security Industry Association. Millennium Broadway Hotel, New York City. Registration: Before Sept. 8 — member, $895; nonmember, $1,395; CISO, CSO, CIO, $300. After Sept. 7 — member, $1,095; nonmember, $1,495; CISO, CSO, CIO, $300.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 10. FedCyber 2015 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: $395; academic, $145; government and military, free.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Sept. 18 — end users, Pounds 1,699 plus VAT; solution providers, Pounds 2,699 plus VAT. Before Oct. 9 — end users, Pounds 1,799 plus VAT; solution providers, Pounds 2,799 plus VAT. Before Oct. 30 — end users, Pounds 1,899 plus VAT; solution providers, Pounds 2,899 plus VAT. Standard — end users, Pounds 1,999 plus VAT; solution providers, Pounds 2,999 plus VAT.
  • Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.