InfoSec News Nuggets – 11/27/2018


City of Valdez, Alaska admits to paying off ransomware infection

Officials from the city of Valdez, Alaska have admitted last week to paying $26,623.97 to hackers after the city’s IT network was crippled by a ransomware infection in July. “Valdez Police Department[…] reached out through our law enforcement channels for assistance with addressing the ransom demand,” said Bart Hinkle, Valdez police chief and operations section chief for the cyber incident response, in a press release last week. “Based on recommendations from several cyber-crimes specialists, the City engaged a specialty cyber-incident response and digital forensics firm based out of Virginia,” Hinkle added. “The firm anonymously contacted the attackers on the City’s behalf to investigate and possibly negotiate ransom terms.”

Walmart, Target, Best Buy take steps to curb gift card fraud

The changes include reducing purchase limits on store-branded gift cards in a single transaction, limiting how much can be loaded onto the cards, and prohibiting the redemption of store-branded gift cards for other gift cards. Walmart, Target and Best Buy also bolstered training to help employees spot scams and warn potential victims. “By working collaboratively with these retailers, we’ve created a way for businesses to take proactive steps to prevent scams,” Underwood said in a statement. The National Retail Federation said gift cards are the most popular item on consumers’ wish lists for the 12th straight year, requested by 60 percent of 7,313 people surveyed. Last month, the Federal Trade Commission said 26 percent of victims reporting scams between January and September said they paid with gift cards, up from just 7 percent in 2015.

How could passwordless Internet work

Microsoft has recently announced that its nearly 800 million users of services such as Outlook, Office or Skype now have the option to log in to these platforms without using a password, as reported by specialists in digital forensics from the International Institute of CyberSecurity. The announcement is part of the plans of various companies to migrate to the use of the passwordless Internet through the implementation of WebAuthn, the key technology to complete this transition. According to cybersecurity and digital forensics specialists, the implementation of this technology involves the use of biometrics (such as facial or fingerprint recognition) or other authentication methods rather than continuing to use the username/password system.

Laptop search unravels scheme to fake death for insurance cash

According to court documents, Igor and his wife Irina Vorotinov, age 51, between September 2011 and March 2012 devised a scheme to defraud life insurance company Mutual of Omaha by faking the husband’s death so the wife could collect a $2m life insurance policy. The criminal complaint against Irina – who in 2016 pleaded guilty to mail fraud and engaging in a monetary transaction involving criminal proceeds, and was sentenced that year to 37 months in prison – explains that in June 2013, someone told the FBI that Igor was alive. That may explain why US Customs and Border Protection agents paid attention to Alkon and his fiancée. When the pair returned to the US from a trip to Moldova in November 2013, CBP agents seized their laptops. A warrant was issued shortly thereafter. On one of the devices, a Sony VAIO laptop, investigators found pictures of Igor taken in April and May 2013 in which he looked very much alive.

How I Lost and Regained Control of My Microchip Implant

It was just before midnight when I made the impulsive decision that would transform me into the world’s most useless cyborg. My friend and I had just left a free concert at the 25th annual DefCon, the world’s largest hacker conference, and were roaming the halls of the Las Vegas Caesars Hotel trying to decide what to do with the rest of our night. Then I received the fateful text message from a friend: “Biohacking village shutting down for the night, there’s a few more implants left.” I had made a few casual remarks over the weekend about wanting to get a near-field communications (NFC) chip implanted in my hand, but every time I went to visit the booth there had been a long wait. This would be my last chance to get chipped at the conference so we decided to stop by on our way out of the hotel.

Man charged after million dollar cryptocurrency theft

San Francisco resident Robert Ross first realised something odd was going on when his iPhone lost its signal on 26th October. But his cellphone signal wasn’t all that Ross had lost. Within minutes he had also lost his entire $1 million life savings, including the money he had stashed away for his two daughters’ college education. According to media reports, prosecutors believe 21-year-old Manhattan resident Nicholas Truglia targeted the cellphones of Ross and a number of others in “SIM-swapping” attacks. SIM swap attacks (also sometimes called Port Out scams) are where fraudsters manage to trick the customer service staff of cellphone operators into giving them control of someone else’s phone number. This is sometimes done by a fraudster reciting personal information about their target to the cellphone company to convince them of their identity.

Secret Service cracks down on credit card skimming at gas pumps nationwide

Credit card skimmers beware. The U.S. Secret Service said it is kicking off the holiday season with a nationwide initiative to crack down on credit card skimming devices installed at gas stations. The operation, called “Operation Deep Impact,” was launched on Thanksgiving Day and is set to coincide with an increased demand for fuel over the holidays. “An estimated 54 million Americans will travel across town or across the country for Thanksgiving, and while doing so, many will buy gas for their cars,” read a statement from the government agency. “These annual increases in motor travelers on the road during holidays mean bigger paydays for card-skimming financial criminals who target victims at fueling stations.”

New Linux crypto-miner steals your root password and disables your antivirus

Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional as time passes by. The latest example of this trend is a new trojan discovered this month by Russian antivirus maker Dr.Web. This new malware strain doesn’t have a distinctive name, yet, being only tracked under its generic detection name of Linux.BtcMine.174. But despite the generic name, the trojan is a little bit more complex than most Linux malware, mainly because of the plethora of malicious features it includes.

Spotify Phishers Hijack Music Fans’ Accounts

A phishing campaign with a clever Spotify lure has been spotted trying to harvest user credentials for the popular streaming service. Researchers at AppRiver detected the offensive earlier this month, in a campaign looking to compromise Spotify customers using bogus – but convincing – emails with the purpose of hijacking the owner’s account. The emails attempt to dupe users into clicking on a phishing link that would redirect them to a deceptive website. Once at the site, users were prompted to enter their username and password, where it would go directly into the bad guys’ repository of compromised things.

How to Shop Online Like a Security Pro

‘Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping. So here’s a quick refresher course on how to make it through the next few weeks without getting snookered online. Adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet, for the simple reason that there are tons of completely fake e-commerce sites out there looking to separate the unwary from their credit card details.

Half of all Phishing Sites Now Have the Padlock

Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”. Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.

The FBI Created a Fake FedEx Website to Unmask a Cybercriminal

The FBI has started deploying its own hacking techniques to identify financially-driven cyber criminals, according to court documents unearthed by Motherboard. The news signals an expansion of the FBI’s use of tools usually reserved for cases such as child pornography and bomb threats. But it also ushers in a potential normalization of this technologically-driven approach, as criminal suspects continually cover up their digital trail and law enforcement have to turn to more novel solutions. The two 2017 search warrant applications discovered by Motherboard both deal with a scam where cyber criminals trick a victim company into sending a large amount of funds to the scammers, who are pretending to be someone the company can trust. The search warrants show that, in an attempt to catch these cybercriminals, the FBI set up a fake FedEx website in one case and also created rigged Word documents, both of which were designed to reveal the IP address of the fraudsters. The cases were unsealed in October.

LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook

LinkedIn, the social network for the working world with close to 600 million users, has been called out a number of times for how it is able to suggest uncanny connections to you, when it’s not even clear how or why LinkedIn would know enough to make those suggestions in the first place. Now, a run-in with a regulator in Europe illuminates how some of LinkedIn’s practices leading up to GDPR implementation in Europe were not only uncanny, but actually violated data protection rules, in LinkedIn’s case concerning some 18 million email addresses.

The United States’ toughest biometric privacy law is facing a challenge from Six Flags

In 2008, Illinois passed a law that, a decade later, remains the toughest standard for biometric privacy in the nation. The Biometric Information Privacy Act imposes strict rules on how companies can collect sensitive information from a person’s body, requiring consent before obtaining data like fingerprints. While other states have since passed similar laws, Illinois’ allows consumers to file lawsuits if they believe their rights have been violated under the law. This week, that led to the start of a major legal battle: the Illinois Supreme Court heard arguments on a challenge to the law that will decide when consumers can take action under the act.

How much for that app? U.S. top court hears Apple antitrust dispute

When iPhone users want to edit blemishes out of their selfies, identify stars and constellations or simply join the latest video game craze, they turn to Apple Inc’s App Store, where any software application they buy also includes a 30 percent cut for Apple. That commission is a key issue in a closely watched antitrust case that will reach the U.S. Supreme Court on Monday. The nine justices will hear arguments in Apple’s bid to escape damages in a lawsuit accusing it of breaking federal antitrust laws by monopolizing the market for iPhone apps and causing consumers to pay more than they should.

Canadian banks hire ‘ethical hackers’ to improve and test cybersecurity

Hackers are targeting Toronto-Dominion Bank’s internal systems at all hours using cutting-edge techniques, but the bank’s head of cybersecurity isn’t losing sleep over them — they work for him, after all. The bank established late last year an in-house “red team” of ethical hackers — cybersecurity professionals who attempt to hack a computer network to test or evaluate its security on the owners’ behalf — who conduct live attacks against its own networks continuously, said Alex Lovinger, TD Bank’s vice-president of cyber threat management. “We’re doing it exactly how our adversaries would do it … So if we find a weakness or something like that, we can close it or address it before a real attacker,” he said.