Hackers leak stolen COVID‑19 vaccine documents

The documents related to COVID-19 vaccine and medications were stolen from the EU’s medicines agency last month

The European Medicines Agency (EMA), which evaluates and approves medicines for the European Union (EU), has disclosed that cybercriminals have posted online a portion of the documents that are related to COVID-19 vaccines and were stolen in a cyberattack last month.

“The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet. Necessary action is being taken by the law enforcement authorities,” reads the EMA’s press release. However, the agency added that its systems are fully functional and the approval and evaluation timelines for the vaccines haven’t been derailed.

The agency, based in the Netherlands, first disclosed on December 9th, 2020 that it had suffered a cyber incident of unknown origin. The subsequent probe found that several documents belonging to third parties, presumably those belonging to companies working on the vaccines, had been illegally accessed.

Per the investigation, the data breach was limited to one IT application, with the threat actors directly targeting information involving COVID-19 medicines and vaccines. According to BleepingComputer, the data trove included “email screenshots, EMA peer review comments, Word documents, PDFs, and PowerPoint presentations”. The affected companies were notified about the incident in due course.

Following the disclosure of the attack, the pharmaceutical companies BioNTech and Pfizer revealed that they were among those whose documents were accessed. The companies, which partnered to develop and test a COVID-19 vaccine, have issued a joint statement addressing the breach:

“Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed. It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.”

Unfortunately, this may not be the last time we hear about cyberattacks and fraud attempts concerning COVID-19 vaccines and medication. In the run-up to New Year’s Eve, law enforcement authorities from around the world have been sounding the alarm about cybercriminals and fraudsters attempting to cash in on the vaccine rollout.

The US Department of Treasury is one of the latest agencies to have issued a stark warning about criminals’ attempts to exploit the rollout of the COVID-19 vaccines, including by falsely offering to help people jump the line. Keep in mind that any such offers are fraudulent, and not only because most countries have a vaccination strategy that prioritizes high-risk groups and medical professionals; indeed, trying to jump the queue may lead to stern fines. If you encounter similar offers, or offers to buy a vaccine, it is most certainly a scam – just like any of the various coronavirus-themed scams that began to do the rounds soon after the pandemic began.

CES 2021: Router swarms invade your home (and know where you are)

New mesh Wi-Fi routers may be the answer to your wireless signal woes, but how about your privacy and security?

Wi-Fi is hard, especially powering the swarms of smart devices in the average home. To combat dead spots, metal surfaces which block or reflect signals, and distant garages too far to connect, manufacturers at CES are rolling out router swarms using the new Wi-Fi 6E rules. These smart devices will get Wi-Fi to the nooks and crannies, but also spy on you and know where you are.

Rather than having one central router that is in charge of reaching your whole home, new routers will form a mesh with a distributed brain that tracks when signals are having a hard time propagating and work around it. By placing lots of tiny little mesh nodes in different rooms, they can learn the RF environment by comparing signal propagation. They can even split signals into tiny slivers to better communicate if they run into interference. Since you affect signal propagation when you stand in a room, they even learn to work around you too. This also means they become de facto motion detectors, since they would know where you are (and aren’t).

These distributed surveillance devices are sold as an upgrade, and they do make your Wi-Fi work better, sometimes a lot better (due to better frequency management). But so much for privacy in private spaces.

And what about security?

Many systems have a cloud component, allowing them to be managed remotely, sometimes directly by your ISP. But in the event of a breach – in an industry that lacks an enviable security track record and where time-to-market trumps security – bad actors would know way more about your home environment than you’d like.

Remote management woes currently rank near the top of our list of most vulnerable attack entry points. Putting remote management on every room in your house seems like a fresh new opportunity for hackers, since remote management channels would likely be enabled by default, speeding the onboarding process by ISP install crews.

RELATED READING: New Year’s resolutions: Routing done right

Customers want it anyway. If someone can “magically” log in and fix Wi-Fi woes – fine. They’ll even pay for it as an upsell in the form of managed Wi-Fi service. This service’s control panel has a view to every device that’s connected in your house, their signal strengths, data transfer rates, sites they visit, how long they’ve been online, and a host of other metrics. They can also be used as a sort of low-grade alarm.

As distributed routers burrow further and further into your private life, it seems clear that some invisible line would be crossed whereby they would collect personally identifiable information (PII), which would put them at legal odds in certain parts of the world. We’ll see what legislators think of the technology in the coming years.

Meanwhile, some customers are happy to pay an extra $10 a month to implement these surveillance systems, and hope for the best. If you’re in the market, CES is definitely the place for you to start.

5 common scams and how to avoid them

Fraudsters are quick to exploit current events for their own gain, but many schemes do the rounds regardless of what’s making the news. Here are 5 common scams you should look out for.

Cybercriminals can be very creative when it comes to swindling people out of money. They will use a variety of methods to target their victims ranging from impersonating government officials to creating fraudulent online marketplaces. Time and again they have proven to be very adaptable, tailoring their scams around various hot topics.

In recent months, many scams have capitalized on the COVID-19 pandemic, with the schemes impersonating health authorities or offering to sell protective equipment that was in short supply. Up to December 16th, the US Federal Trade Commission had received more than 275,000 reports of fraud and identity theft related to the pandemic, with the victims reporting losing US$211 million in total. These days, there are scams doing the rounds that attempt to cash in on the vaccine rollout.

Make no mistake, however; fraudsters don’t launch their campaigns only in the wake of public health emergencies or global events. The European Commission recently conducted a survey on consumers’ experience with fraud and scams and found that over half of the surveyed Europeans had experienced at least one of the types of scams they were surveyed about in the past two years.

Fraud comes in many forms, and we’ve rounded up 5 common schemes where con men try to trick victims out of their money at pretty much any time of the year and regardless of what’s making the news. We also share a bunch of tips on how you can avoid falling victim to the ploys.

Online shopping and auction scams

One of the many ways scammers like to target unsuspecting victims is through shopping scams. During the pandemic, there has been a surge of these scams, especially due to the shortage of certain goods, such as face masks and hand sanitizer. More broadly, however, using a sophisticated design that may come complete with a stolen logo, fraudsters will create a fake retail website masquerading as a reputable vendor and offer luxury products from famous brands for ridiculously low prices. Once you place an order, you’ll receive either a counterfeit product or nothing at all; worse, if you shared your credit card details, the criminals could rack up charges on it. Fraudsters have also taken to social media and started offering their goods there. Another similar tactic cybercriminals use to defraud victims is the auction scam. The fraudsters will create a bogus auction offering an item they don’t have, or copy a real listing, and once the prospective buyer wins the auction and pays the allotted price, the victim never receives the product.

RELATED READING: Online scams: Why we get duped

To lower the chances of losing money to such scams, you should always do your due diligence and research the vendor you are buying from by looking through their terms of service and their privacy and return policies. You should also try to find reviews from other customers who have ordered from the website. If the vendor is asking you to share too much personal information, that should immediately be a red flag. Perhaps the best and safest advice is simply to purchase the product from a reputable vendor with a proven track record.

Money mule scams

Money mule scams can take various forms; however, the goal of the criminals behind them remains the same – to move money from illicit activities without being traced. To achieve their mission, the crooks will target their victims using various means – enticing them through work-from-home jobs, which isn’t an outlandish concept considering the current pandemic situation, or using online dating services to cultivate a relationship. Once they’ve earned the victim’s trust, they will send them money or a check and ask the victim to send it to someone else. There are various outcomes; depending on the scam, you might submit a fake check that will initially clear … but then bounce and your bank will ask you to repay it, or you may be moving money for a criminal element and you might find yourself in legal trouble.

The advice, in this case, is simple: if the remote job in question entails transferring money for the client to purported clients or contractors, don’t accept it; the risks associated with accepting such jobs online far outweigh any benefits. If your online love interest tries to coax you into sending money somewhere on their behalf, you should be suspicious and refuse to do so, especially if you’ve only ever met them online; romance scams abound and some victims blinded by love have ended up losing their life savings and in some cases had to face legal charges.

Lottery and prize-winning scams

Lottery and prize-winning scams, which fall under the advance-fee fraud category, usually start with the potential victim receiving an unsolicited email, phone call, or text message claiming that they won a large sum of money or some kind of a luxury prize. The message will include pressure tactics telling the victim that there is a limited time to respond and claim the prize, but to do that they will have to pay a fee that covers taxes or shipping costs, or other imaginary charges. Since the competition is bogus, the victim won’t receive any of these “winnings” after paying the faux fees.

RELATED READING: You have NOT won! A look at fake FIFA World Cup‑themed lotteries and giveaways

Alternatively, the victims may be solicited to take part in a competition or lottery with astronomical prizes and they are told that they can increase their chances by paying for secret tactics or more draws. The only result, however, will be the victim getting scammed out of money. It’s also worth noting that U.S. citizens partaking in foreign lotteries may be violating federal law, so besides losing money to a scam they could also be facing legal trouble.

To

Week in security with Tony Anscombe

Watch out for a new PayPal smishing campaign – Employee login credentials up for sale – WhatsApp to share more data with Facebook

If you use PayPal, you should watch out for a new SMS-based phishing campaign that targets people by claiming that their accounts have been “permanently limited”. Hundreds of thousands of login credentials belonging to the employees of leading gaming companies are being offered for sale on the dark web. WhatsApp is notifying users that starting from February 8th it will share more of their data with Facebook. All this – and more – on WeLiveSecurity.com.

Chrome, Firefox updates fix severe security bugs

Successful exploitation of some of these flaws could allow attackers to take control of vulnerable systems

Google and Mozilla are each urging users to patch serious vulnerabilities in their respective web browsers, Chrome and Firefox, that could be exploited to allow threat actors to take over users’ systems. The security fixes will be rolled out to Windows, Mac, and Linux over the next few days. Importantly, none of the flaws has been spotted as being abused in the wild.

Chrome

The new stable release of Chrome, 87.0.4280.141, brings 16 security fixes; and while the tech giant won’t disclose details for all of them until the majority of its userbase has received the updates, it did highlight patches for 13 vulnerabilities that were reported by external researchers.

Twelve flaws were classified as high-risk, while one was determined to be medium in severity. Most of the high-severity flaws are use-after-free bugs, i.e. memory corruption flaws, residing in various Chromium components. They could be exploited if a user visited or was redirected to a specially crafted web page, allowing remote code execution in the context of the browser, noted the Center for Internet Security.

Google paid more than US$110,000 to the security researchers for discovering and reporting the vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory urging users and system administrators to update the browser: “Google has released Chrome version 87.0.4280.141 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.”

Firefox

Meanwhile, Mozilla released a security update to address a critical-rated security loophole that is tracked as CVE-2020-16044 and affects browser versions prior to Firefox 84.0.2, Firefox for Android 84.1.3, and Firefox ESR 78.6.1.

“A malicious peer could have modified a COOKIE-ECHO chunk in an SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code,” said Mozilla describing the attack vector.

The Stream Control Transmission Protocol (SCTP) is used for transporting multiple streams of data at the same time between two endpoints that are connected to the same network. The flaw in Firefox resides in how the protocol handles cookie data.

CISA took note of this vulnerability as well and issued an advisory urging both users and administrators to update their software to protect their systems from potential attacks.

You are indeed strongly encouraged to update the browsers to their respective latest versions as soon as practicable. You can download the latest version of Chrome here and Firefox here. If you have automatic updates enabled, your browsers should update by themselves.

WhatsApp updates privacy policy to enable sharing more data with Facebook

Many users have until February 8 to accept the new rules – or else lose access to the app

In a major update to its Privacy Policy and Terms of Service, WhatsApp is notifying users in many parts of the world that as of February 8 it will share some of their data with Facebook, the chat app’s parent company. Importantly, users who won’t agree to the new terms will need to stop using the app or delete their accounts.

The notice is being shared via an in-app notification that maps the key updates to WhatsApp’s policies and terms of services. Those are divided into three key points – how the app processes user data, how businesses can use Facebook-hosted services with WhatsApp, and how the app partners with Facebook to offer integration across Facebook’s products.

Note, however, that users in Europe will be exempt from the service’s new data-sharing practices and are only shown the first two of the three points in the notice. WhatsApp’s director of policy for Europe, the Middle East and Africa (EMEA) Niamh Sweeney attempted to clear up some confusion that had arisen around the issue:

3/5 There are no changes to WhatsApp’s data-sharing practices in Europe arising from this update. It remains the case that WhatsApp does not share European Region WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or ads.

— Niamh Sweeney (@NiamhSweeneyNYC) January 7, 2021

How about the rest of the world, though? Here’s an important part of the platform’s updated ToS as it will apply to those users:

“As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the Facebook Companies as described in WhatsApp’s Privacy Policy, including to provide integrations which enable you to connect your WhatsApp experience with other Facebook Company Products; to ensure security, safety, and integrity across the Facebook Company Products; and to improve your ads and products experience across the Facebook Company Products,”

RELATED READING: Hey there! Are you using WhatsApp? Your account may be hackable

At this point it is important to remember some of the key information that WhatsApp collects:

Your phone number that you used to create an account
Your profile picture and profile information
The phone numbers of your WhatsApp contacts
Transaction and payments data
Location information
Information about your device such as the model, operating system, and mobile network
Other information, including your IP address, device operations information, and identifiers

By agreeing with new terms and policy you will be effectively agreeing to Facebook and its subsidiaries having access to at least some of your data.

WhatsApp lists the information in the website’s FAQ section that focuses on security and privacy: “The information we share with the other Facebook Companies includes your account registration information (such as your phone number), transaction data, service-related information, information on how you interact with others (including businesses) when using our Services, mobile device information, your IP address, and may include other information identified in the Privacy Policy section entitled ‘Information We Collect’ or obtained upon notice to you or based on your consent.”

Stolen employee credentials put leading gaming firms at risk

It’s hardly fun and games for top gaming companies and their customers as half a million employee credentials turn up for sale on the dark web

More than 500,000 login credentials linked to the employees of 25 leading game publishers have been found for sale on dark web bazaars, according to a report by threat intelligence company KELA. Threat actors have been increasingly targeting the gaming industry, including by harvesting and selling access credentials into the internal systems of top-tier game companies.

The firm found almost 1 million compromised accounts belonging to gaming clients and employees of major gaming companies, with half of them ending up for sale on the dark web over the past year. The criminals’ increased interest in the gaming industry could partly be chalked up to some effects of the COVID-19 pandemic, which has forced most people inside and online for their social activities, including for online gaming. With revenues estimated to reach almost US$200 billion by 2022, it’s no wonder the gaming industry has become a target for cybercriminals.

KELA has been tracking activities on the internet’s seedy underbelly for over two-and-a-half years and found compromised accounts that could provide access to the internal systems of almost every major gaming company. The accounts in question would grant entry to project management software, admin panels, virtual private networks (VPNs), and development-related environments, among others. Threat actors could wreak all manner of havoc, ranging from stealing company secrets, intellectual property and customer data to deploying ransomware on the company’s machines, which could lead to monetary and reputational damage.

Indeed, over the past few months, said KELA, criminals have been observed seeking access into the networks of a number of gaming companies. “We also detected an infected computer (bot) which had credential logs to plenty of sensitive accounts that could be accessed by attackers upon purchase: SSO, Kibana, Jira, adminconnect, service-now, Slack, VPN, password-manager and poweradmin of the company – all on a single bot – which strongly suggests that it’s used by an employee of the company with administrator rights,” according to KELA, adding that the asking price for the bot was less than US$10.

RELATED READING: Gaming industry still in the scope of attackers in Asia

Sadly, as the company also points out, employees remain one of the main points of access, especially due to credentials being leaked through third-party breaches. These types of credentials aren’t often monetized and can be freely found on dark web forums. Part of the problem could be blamed on employees’ penchant for password reuse.

“We found that these credentials also include high-profile email addresses such as senior employees and email addresses which are generally a significant channel in the company – invoice, purchasing, admin, HR-related emails, support, and marketing are only some of the examples we noticed,” states the report.

Cybercriminals could use these accounts to carry out various spearphishing campaigns in the hunt for more valuable credentials, including those that would grant them access to the most sensitive parts of a company’s network. Alternatively, the login data could also be used to carry out Business Email Compromise (BEC) scams and other crimes.

As the gaming industry is steadily becoming a juicier target for criminals, companies would do well to invest in their cybersecurity, especially by providing security awareness training to their employees and raising awareness about the risks they face. Additionally, companies should institute proper password management policies that prevent password recycling and implement multi-factor authentication.

Would you take the bait? Take our phishing quiz to find out!

Is the message real or fake? Take our Phishing Derby quiz to find out how much you know about phishing.

Phishing comes in a number of forms and remains one of the most pervasive online scams, as both consumers and businesses face an incessant stream of unsolicited emails, texts and even phone calls where bad actors impersonate a trusted institution and attempt to purloin login data, money and identities. Indeed, per Google’s technology incubator Jigsaw, one in every 100 emails sent today is a phishing attempt.

Even more worryingly, many of these attempts are successful, which along with the ease with which these attacks can be unleashed helps explain the longevity of the technique. It’s no wonder then that the ability to recognize and avoid a phishing attack is such an important skill to master these days.

Which is also where our fun quiz comes in – go ahead and test yourself to see if you would outsmart the fraudsters! The test comes complete with brief explanations about why each message is real or fake.



Below are three more quizzes that you may also want to take. Indeed, why not also consider taking ESET’s cybersecurity awareness training?

Can you spot the phish? Take Google’s test
Would you get hooked by a phishing scam? Test yourself
This test will tell you how likely you are to fall for fraud

Stay safe in 2021!

31 Dec 2020 – 11:30AM


New warning issued over COVID‑19 vaccine fraud, cyberattacks

Cybercriminals look to cash in on the vaccine rollout, including by falsely offering to help people jump the line

The US Department of Treasury has added its voice to a growing chorus of warnings about ransomware attacks, fraud and other cybercrimes that attempt to exploit the rollout of COVID-19 vaccines.

“The Financial Crimes Enforcement Network (FinCEN) is issuing this Notice to alert financial institutions about the potential for fraud, ransomware attacks, or similar types of criminal activity related to COVID-19 vaccines and their distribution,” reads an alert by FinCEN, a bureau of the Treasury Department.

The warning notes that “cybercriminals, including ransomware operators, will continue to exploit the COVID-19 pandemic alongside legitimate efforts to develop, distribute, and administer vaccines”. With that in mind, FinCEN urged banks and other financial institutions to keep an eye out for ransomware targeting vaccine distribution and the supply chains required to manufacture the vaccines.

In recent months, pharmaceutical companies, vaccine researchers and organizations involved in vaccine storage and transport have all been targeted by multiple cyber-espionage groups. This includes a campaign by the Lazarus group leveraging malware that ESET researchers had linked to the group.

Jump to the front of the line? Hardly

FinCEN’s alert also highlights schemes that pitch non-existent vaccines or counterfeit versions of approved vaccines, as well as ploys involving illegally diverting legitimate vaccines onto black markets.

“Already, fraudsters have offered, for a fee, to provide potential victims with the vaccine sooner than permitted under the applicable vaccine distribution plan,” said the agency.

A number of other agencies, notably the Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC), as well as Interpol and Europol, have all sounded the alarm over various flavors of vaccine-themed fraud, as well as over offers of counterfeit vaccines that circulate on the dark web.

Some of these activities take the form of phishing attacks that target the general public. Using emails, text messages and phone calls, con artists attempt to trick people into divulging their personal data under the guise of assessing their eligibility for the vaccine, joining fabricated waitlists or getting a jab early.

As of December 16th, the FTC received 275,000 reports of fraud and identity theft related to the pandemic, with the victims reporting losing US$211 million in total. Scams exploiting the general anxiety surrounding COVID-19 have spread as fast as the coronavirus itself; earlier this year, we looked at a broad array of such fraudulent schemes in a series of articles, starting with this one.

Over the months, coronavirus-themed fraud involved everything from touting non-existent face masks, testing kits and miracle cures to extorting the targets, spewing out malware-laden emails, promoting fake donations, dispensing bogus health advice and disbursing bogus financial relief.

Staying safe

How can you stay safe while eagerly waiting your turn for vaccination? For starters, be wary of unsolicited communications offering early access to a vaccine, especially for a fee or in return for your personal data. Consult official sources for up-to-date information about vaccination and check with your known and trusted health care provider for additional guidance.

As ever, staying vigilant is the best way to avoid falling prey to a scam. Always avoid clicking on any links or downloading any attachments in emails or texts that come out of the blue from unknown sources. Use two-factor authentication at least on your most important online accounts, as well as reputable multi-layered security software with anti-phishing protection.

21 arrested after allegedly using stolen logins to commit fraud

UK police also give some food for thought to those on the verge of breaking the law

The long arm of the law has caught up with 21 people who are believed to have bought purloined login credentials on the now-defunct WeLeakInfo.com website and used them to break into other people’s online accounts and commit various cybercrimes.

Some of those arrested are also suspected of having used the criminal marketplace for trading in tools such as Remote Access Trojans (RATs) and crypters. The nationwide sting took place over a five-week period starting in the middle of November, according to the United Kingdom’s National Crime Agency.

“Through the identification of UK customers of WeLeakInfo, we were able to locate and arrest those who we believe have used stolen personal credentials to commit further cyber and fraud offences,” Paul Creffield from the NCA’s National Cyber Crime Unit was quoted as saying.

21 people have been arrested in a nationwide cyber crime crackdown targeting customers of an online criminal marketplace that advertised stolen personal credentials.

Read more ➡️ https://t.co/9OTnQyXHlI pic.twitter.com/k3YxfnrrCo

— National Crime Agency (NCA) (@NCA_UK) December 25, 2020

“Of those 21 arrested – all men aged between 18-38 – nine were detained on suspicion of Computer Misuse Act offences, nine for Fraud offences and three are under investigation for both,” said the agency. Some £41,000 (US$55,000) worth of bitcoin was seized.

In addition, the police visited another 69 people who had bought stolen personal information on WeLeakInfo to warn them against using the data. Many more such personal warnings are due to be dispensed over the coming months, said the agency.

In a way, the operation brings echoes of a global crackdown in 2018 on webstresser.org, the then-largest marketplace for hiring distributed denial-of-service (DDoS) attacks, and the subsequent public warning by law enforcement for buyers of such services.

RELATED READING: Cybercrime deterrence: 6 important steps

WeLeakInfo itself was impounded early this year, with two alleged operators nabbed in Northern Ireland and the Netherlands. In its heyday, the site claimed to allow searching through more than 12 billion records stolen in 10,000 data breaches. The data, which mainly consisted of username and password combinations, could be had dirt-cheap, with subscriptions starting from as little as US$2 – compare that to the damage after somebody pilfers your personal details for identity theft.

“Cyber criminals rely on the fact that people duplicate passwords on multiple sites and data breaches create the opportunity for fraudsters to exploit that,” said the NCA.

Indeed, one thing you can do to slash the risk of falling victim to identity theft is avoid making one of the most common and costly mistakes in people’s password habits – reusing login details across multiple accounts. This rampant practice is then often exploited for credential stuffing attacks, which were behind no fewer than 30 billion login attempts in 2018.

To help avoid falling prey to these and other attacks that may ultimately cost you dearly, read our article about various password-related mistakes. Additionally, here’s how you can check if your login details may have been compromised in a known security breach.