Tag Archives: Brian Krebs

Sextortion & leaked passwords revisited

A rather different type of extortion, originally published on Chainmailcheck, but reproduced here with some additional commentary.

Here’s an interesting article by Brian Krebs: Sextortion Scam Uses Recipient’s Hacked Passwords

The scammer claims to have made a video of the intended victim watching porn, and threatens to send it to their friends unless payment is made. Not particularly novel: the twist with this one is that it “references a real password previously tied to the recipient’s email address.” Krebs suggests that the scammer is using a script to extract passwords and usernames from a known data breach from at least ten years ago.

The giveaway is that very few recipients are likely to be using the same password now, and few of them will believe that such a video could actually have been made. Still, it seems that some people have actually paid up, and a more convincing attack could be mounted by sending a more recent password tied to the address, and perhaps by using a different type of leverage.

[Commentary from Sophos here.]

Additional commentary from me since the Chainmailcheck article:

In a related *thread on Reddit, one comment indicated that there have also been attempts to log on to accounts associated with the same user using the leaked password, which I’d say amounts to a good reason for:

(a) Not using the same password across multiple accounts in general (though some people use a ‘throwaway’ password on ‘throwaway’ accounts where a later breach wouldn’t actually matter).

(b) Checking other accounts where you might have duplicated a password. It’s perfectly possible in such a case that the password is no longer current on the email account where the extortion mail was received, but is still in use on other accounts, perhaps ones used less often.
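As an added illustration of (a) and (b), not part of the original post or of Krebs’s article: a small Python audit that flags a password used on more than one account and checks each password against a breach corpus using the k-anonymity range scheme that Have I Been Pwned’s Pwned Passwords service uses (only the first five hex characters of the password’s SHA-1 leave the machine; the suffix comparison happens locally). The credential list and the range “responses” in the sample are constructed; the live fetcher is included but not called.

```python
"""Audit stored credentials for password reuse and for appearance in a
breach corpus via the k-anonymity range scheme (send the first 5 hex chars
of the SHA-1, compare the suffix locally). Added example; the credential
list and the sample range bodies below are constructed, not real data."""
from __future__ import annotations

import hashlib
from collections import defaultdict
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries
    (count 0, sent when Add-Padding is requested) are dropped."""
    found: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.isdigit():
            continue
        if int(count) > 0:
            found[suffix.upper()] = int(count)
    return found


def breach_count(password: str, fetch_range) -> int:
    """How often the password appears in the corpus (0 if absent). Only the
    prefix is handed to fetch_range; the suffix never leaves this process."""
    prefix, suffix = sha1_split(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Network fetcher for real use. Add-Padding makes responses a similar
    size so the number of matches cannot be inferred from the body length."""
    if len(prefix) != 5:
        raise ValueError("only the 5-character prefix may be sent")
    req = Request(RANGE_URL + prefix,
                  headers={"Add-Padding": "true",
                           "User-Agent": "password-audit-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def find_reuse(credentials) -> dict[str, list[str]]:
    """Group accounts sharing a password (keyed by SHA-256 so the report
    never carries plaintext); return only groups with more than one member."""
    groups: dict[str, list[str]] = defaultdict(list)
    for account, password in credentials:
        groups[hashlib.sha256(password.encode("utf-8")).hexdigest()].append(account)
    return {h: a for h, a in groups.items() if len(a) > 1}


def audit(credentials, fetch_range) -> list[dict]:
    """One row per account: whether its password is shared, and its breach count."""
    reused = {a for accounts in find_reuse(credentials).values() for a in accounts}
    return [{"account": account,
             "reused": account in reused,
             "breach_count": breach_count(password, fetch_range)}
            for account, password in credentials]


# --- constructed sample data (not real accounts, not real API output) ---
SAMPLE_CREDENTIALS = [
    ("mail.example", "password"),
    ("forum.example", "password"),                  # same password reused
    ("bank.example", "correct horse battery staple"),
]

# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its range
# is 5BAA6. A real body lists every corpus suffix with that prefix; the two
# lines and their counts here are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"
             "1F7F8B0D7A9B1B3E8FEFD9D2F07A9E7C4D1:2\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for fetch_range_live; sees only what would be sent."""
    assert len(prefix) == 5, "only the 5-character prefix may be sent"
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for row in audit(SAMPLE_CREDENTIALS, fake_fetch_range):
        print(row)
```

Swapping `fake_fetch_range` for `fetch_range_live` runs the same audit against the real service. The point of the split between `sha1_split` and the fetcher is that a reuse check and a breach check can be done on a password-manager export without sending any password, or its full hash, anywhere: a password that is both reused and present in a breach corpus is exactly the one an extortionist (or someone trying the leaked credential on other accounts, as in the Reddit thread) can exploit.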

One slightly disturbing feature of that Reddit thread is that it was sparked by an extortionate email to an admin account where the password given by the scammer was still current. Fortunately, the company concerned seems to have taken appropriate actions on seeing the email, but it’s a salutary reminder that administrators are not always any better at routine security measures than the rest of us.

*Hat tip to ESET’s Aryeh Goretsky for bringing it to my attention.

David Harley


AVIEN resource updates: July 15th 2018

Updates to Anti-Social Media 

(1) ESET: Facebook fined over data privacy scandal

You’re probably already aware of the gentle tap on the wrist administered by the UK’s Information Commissioner’s Office (ICO), but this does actually explain why the penalty was so much less than you might have expected: the fine was imposed under the pre-GDPR Data Protection Act 1998, which capped penalties at £500,000, rather than under GDPR, where the theoretical ceiling is 4% of global annual turnover.

(2) An article from The Next Web: Experts warn DeepFakes could influence 2020 US election – “Fake AI-generated videos featuring political figures could be all the rage during the next election cycle, and that’s bad news for democracy.”

(3) Graham Cluley: Facebook doesn’t want to eradicate fake news. If it did they’d kick out InfoWars – “Social networks giving sick conspiracy theorists a platform to spread hate.” Graham points out that InfoWars misinformation is also an issue on YouTube.

Updates to Meltdown/Spectre and other chip-related resources

John Leyden for The Register: Google’s ghost busters: We can scare off Spectre haunting Chrome tabs – “Site Isolation keeps pages fully separate on Windows, Mac, Linux, Chrome OS … Rather than solely defending against cross-site scripting attacks, the technology is now positioned as a necessary defence against infamous data-leaking Spectre CPU vulnerabilities, as a blog post by Google explained this week…”

Updates to Chain Mail Check

Brian Krebs: Sextortion Scam Uses Recipient’s Hacked Passwords

The scammer claims to have made a video of the intended victim watching porn, and threatens to send it to their friends unless payment is made. Not particularly novel: the twist with this one is that it “references a real password previously tied to the recipient’s email address.” Krebs suggests that the scammer is using a script to extract passwords and usernames from a known data breach from at least ten years ago.

The giveaway is that very few people are likely to be using the same password now – and it’s unlikely that there are that many people receiving the email who might think that such a video could have been made. Still, it seems that some people have actually paid up, and it’s possible that a more convincing attack might be made sending a more recent password to a given email address, and perhaps using a different type of leverage.

Commentary from Sophos here.

David Harley

The FBI and VPNFilter

Updates to Internet of (not necessarily necessary) Things

The Register: FBI to World+Dog: Please, try turning it off and turning it back on – “Feds trying to catalogue VPNFilter infections”

FBI alert: Foreign cyber actors target home and office routers and networked devices worldwide

Sophos commentary: FBI issues VPNFilter malware warning, says “REBOOT NOW” [PODCAST]

Comprehensive article (of course!) from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please

Updates to GDPR page

Sophos: Ghostery’s goofy GDPR gaffe – someone’s in trouble come Monday!


David Harley

IoT resource/news updates

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

(1) Brian Krebs talks about the asymmetry in cost and incentives when IoT devices are recruited for DDoS attacks like one conducted against his site: Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K.

He observes: “The attacker who wanted to clobber my site paid a few hundred dollars to rent a tiny portion of a much bigger Mirai crime machine. That attack would likely have cost millions of dollars to mitigate. The consumers in possession of the IoT devices that did the attacking probably realized a few dollars in losses each, if that. Perhaps forever unmeasured are the many Web sites and Internet users whose connection speeds are often collateral damage in DDoS attacks.”

Some of his conclusions are based on a paper from researchers at the University of California, Berkeley, School of Information: the very interesting report “rIoT: Quantifying Consumer Costs of Insecure Internet of Things Devices”.

(2) Product test specialists AV-Test conducted research into the security of a number of fitness trackers (plus the multi-functional Apple Watch): Fitness Trackers – 13 Wearables in a Security Test. On this occasion, the results are fairly encouraging.

(3) Bleeping Computer: 5,000 Routers With No Telnet Password. Nothing to See Here! Move Along! – “The researcher pointed us to one of the router’s manuals which suggests the devices come with a passwordless Telnet service by default, meaning users must configure one themselves.”

(4) Help Net Security: Hacking for fun and profit: How one researcher is making IoT device makers take security seriously. Based on research by Ken Munro and Pen Test Partners.

David Harley

Social media memes and secret questions

Back in 2012, Virus Bulletin published an article of mine called Living the Meme about how meme-ish things shared on social media might be an invitation to give away information that could be useful to an attacker.

If I can quote myself (of course I can!)

Secret answers to security questions posed by banking sites and the like as a supplement to passwords, or for people who forget their passwords, are pretty stereotyped. Names of relatives, names of pets, first school, childhood address and so on are highly characteristic, so some security commentators suggest inventing answers to such questions rather than using real data. That’s a logical alternative to inventing your own challenge/response – which is rarely an option – and I’m all in favour of it, as long as it doesn’t contravene some legal or quasi-legal restriction.

In a recent article Brian Krebs makes a similar point, but cites a number of up-to-date examples where ‘seemingly innocuous little quizzes, games and surveys’ ask for information similar to that used for online accounts as ‘secret questions’: Don’t Give Away Historic Details About Yourself.

David Harley

Resources updates, 26 March 2018

Updates to Anti-Social Media

Updates to Specific Ransomware Families and Types

Updates to Cryptocurrency/Crypto-mining News and Resources

David Harley

22nd March Resources Update

Cryptocurrency/Crypto-mining News and Resources

Anti-Social Media

Mac Virus

Scammers using Dell support data?

If support scammers are using Dell customer data, as seems to be the case, Dell could certainly be more proactive in warning its customers, despite its own concerns about being seen as vulnerable to external or internal data leakage. But at least they’re now trying to gather info on the issue.

See my article here: Support Scammers Targeting Dell Customers with links to related articles by Brian Krebs, Dan Goodin et al.

Excerpt:

… not everyone who is [a Dell customer] has the technical grasp that Krebs’s correspondents seem to have. So perhaps it’s time Dell at least made more effort to notify people using its products (and especially its support services) that scammers may have such data, and that possession of such data shouldn’t be taken as some sort of validation of the bona fides of a cold-caller.

Added to resources page, of course.

David Harley

Ransomware, the Cloud, and DDoS

Ransoming the Cloud

On the ransomware resources page, I recommended:

Back up your data to an external device. And to cloud services as well, if you like. Bear in mind, though, that if your data is backed up somewhere that’s ‘always on’ while you’re using your computer, there’s a risk that ransomware (or other malicious software) might be able to encrypt, delete or corrupt your backed-up data too. For the same reason, don’t restore backed-up files from an offline resource (at any rate, a write-enabled one) until you’re sure the malware is no longer present and active on your system.

In Ransomware a Threat to Cloud Services, Too, Brian Krebs notes an instance where one of Children in Film’s employees opened an attachment passed off as an invoice: within 30 minutes, over 4,000 files on a cloud server mounted as a local drive had been encrypted by TeslaCrypt. Fortunately, according to Krebs, the cloud hosting company kept daily backups, and the company was able to use BleepingComputer’s TeslaDecoder to decrypt the files without paying the extortionists, but the disruption was still significant.
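To make the ‘always-on backup’ risk concrete, here is an added Python example (not the page’s own script, and nothing from Krebs’s article or from BleepingComputer): it takes a manifest of a backup tree while the tree is known-good, stores it somewhere the workstation cannot overwrite, and on a later pass flags a burst of files that have either vanished or changed to high-entropy content, which is what the 4,000-files-in-30-minutes case looks like on a mounted drive. The thresholds, the sample files and the ‘.locked’ rename used in the simulation are assumptions.

```python
"""Change-burst check for an always-on backup target (a mounted cloud drive
or NAS share) that ransomware running on the workstation could reach.
A manifest of the tree is taken while it is known-good and stored off the
share; a later pass flags files that changed to high-entropy content or
disappeared, which is what bulk encryption looks like. Added example, not
the page's own script or any product's; thresholds and the ".locked"
extension used in the simulation are assumptions."""
from __future__ import annotations

import hashlib
import json
import math
import os
import tempfile
from collections import Counter

HEAD_BYTES = 65536          # entropy is estimated on the first 64 KiB only


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict[str, dict]:
    """Map relative path -> sha256, size, head entropy for every file under root."""
    manifest: dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                head = f.read(HEAD_BYTES)
                h.update(head)
                for chunk in iter(lambda: f.read(HEAD_BYTES), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = {
                "sha256": h.hexdigest(),
                "size": os.path.getsize(full),
                "entropy": round(shannon_entropy(head), 3),
            }
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    """Keep this file off the share (read-only media, another host)."""
    with open(path, "w") as f:
        json.dump(manifest, f)


def load_manifest(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def assess(before: dict, after: dict, *, entropy_threshold: float = 7.5,
           alarm_at: int = 10) -> dict:
    """Compare two manifests. A file is suspicious if it is new or changed
    AND it is now high-entropy while it was not before; a file that was
    already high-entropy (zip, jpeg) and merely changed is not counted, so
    routine edits to such files do not trip the alarm. Files that vanished
    are listed separately (encrypt-then-rename is a common pattern)."""
    suspicious = []
    for rel, cur in after.items():
        old = before.get(rel)
        changed = old is None or old["sha256"] != cur["sha256"]
        was_low = old is None or old["entropy"] < entropy_threshold
        if changed and was_low and cur["entropy"] >= entropy_threshold:
            suspicious.append(rel)
    missing = [rel for rel in before if rel not in after]
    return {
        "suspicious": sorted(suspicious),
        "missing": sorted(missing),
        "alarm": len(suspicious) + len(missing) >= alarm_at,
    }


# --- constructed demo: populate a tree, then mimic bulk encryption ---

def populate(root: str, count: int) -> None:
    """Write `count` low-entropy text files (constructed sample data)."""
    os.makedirs(root, exist_ok=True)
    for i in range(count):
        with open(os.path.join(root, f"doc{i:03d}.txt"), "w") as f:
            f.write(f"Invoice {i}\n" * 50)


def simulate_encryption(root: str, count: int) -> None:
    """Overwrite the first `count` .txt files with random bytes and rename
    them, roughly what a file-encrypting ransomware does. Simulation only."""
    names = sorted(n for n in os.listdir(root) if n.endswith(".txt"))[:count]
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(os.urandom(4096))
        os.replace(path, path + ".locked")


def demo(root: str, total: int = 20, hit: int = 12) -> dict:
    """Known-good manifest, simulated attack on `hit` files, then assessment."""
    populate(root, total)
    before = build_manifest(root)
    simulate_encryption(root, hit)
    return assess(before, build_manifest(root))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

Run from the backup host (not the workstation) on a schedule, with the manifest kept where the workstation has no write access; if the alarm fires, stop replication before the daily snapshot that saved Children in Film is overwritten. The entropy test is a heuristic: a legitimate bulk import of archives or media will also look high-entropy, which is why the check counts only files that were low-entropy before and why the threshold is a knob rather than a constant.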

DDoS Statistics

For Tripwire, David Bisson summarizes some of the detail from a report from cloud provider Akamai on trends in DDoS (Distributed Denial of Service) attacks, often associated with attempted extortion.

Cloud Security Alliance Survey

The Register reports that a CSA poll found that:

  • Some respondents would pay very large sums to extortionists to avoid data dumps
  • That gambling sites continue to be targeted with threats of DDoS attacks, often coinciding with major sporting events
  • That “… even police and law enforcement agencies [are] recommending organisations hit by the most water-tight ransomware encryption attacks to pay up to get their decryption keys.”

The article also suggests a link between the Hidden Tear open source code and the not-very-successful Linux.Encoder.

DD4BC

And here are a couple of items about the DD4BC (DDoS for Bitcoin) gang:

  • ESET reports on Operation Pleiades in which several countries cooperated with Europol against the threat.
  • A related story from the BBC.

All items added to the ransomware resources page.

David Harley

iYogi tech support – sued by State of Washington

The name iYogi will not be unfamiliar to you, if you’ve been following how the tech support scam has been evolving over the past few years.

In Fake Support, And Now Fake Product Support I described how a legitimate and ethical AV company outsourced its support to the iYogi company in India. This must have seemed at the time an entirely reasonable way of addressing a difficulty that faces security companies with a product version that is free to consumers: what happens when users of that product need support? Running a tech support operation is a significant cost even for companies that charge for all their products (time-limited trials excepted, of course). The idea was that Avast! customers would get free support for Avast!-related queries, but would then be offered an upgrade to a for-fee iYogi support package. However, the AV company’s understanding was that:

here at AVAST, we never phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either.

Unfortunately, it seemed that iYogi’s understanding of the situation was rather different. According to Brian Krebs, reported incidents of tech support scam cold calls from “Avast customer service” did indeed turn out to have originated with iYogi.

While someone describing himself as the co-founder and president of marketing at iYogi strongly denied any connection with the usual gang of out-and-out scammers, Avast! found it necessary to suspend its arrangement with the company. Avast!’s later arrangements for customer support are discussed on the company’s blog here.

iYogi’s recent activities seem to have continued to attract controversy. A recent article from Help Net Security tells us that Washington State has announced a lawsuit against iYogi, alleging that ‘iYogi’s tactics are unfair and deceptive business practices that violate Washington’s Consumer Protection Act.’ The activities in which the company is alleged to have engaged have a familiar ring, involving deceptive online advertisements, misleading ‘diagnostics’, aggressive selling of support plans and the company’s own anti-virus software. In a twist I haven’t encountered before, the Washington suit filed in King County Superior Court claims that:

iYogi tells the consumer that upgrading to Windows 10 from Windows 7 or 8 costs $199.00 if the upgrade is done independently, but that the upgrade is “included” for free as part of iYogi’s five-year service package or for $80 as part of iYogi’s one-year package. In fact, an upgrade to Windows 10 is free for Windows 7 or 8 users who choose to do so independently. In addition, iYogi incorrectly tells consumers that their computers will stop working if they do not upgrade to Windows 10 soon.

Help Net quotes Microsoft as estimating that 71,000 residents of Washington lose $33m each year, a sizeable proportion of the 3.3m Americans who are estimated to lose $1.5b in a year.

David Harley