Ray‑Ban parent company reportedly suffers major ransomware attack

There is no evidence that cybercriminals were also able to steal customer data

Luxottica, the world’s leading eyewear producer, has allegedly fallen victim to a ransomware attack that affected its Italian and Chinese operations alike. The Italy-based eyewear giant – which boasts brands such as Ray-Ban, Oakley, and Persol in its portfolio as well as produces eyeglasses for fashion labels such as Burberry, Prada, Chanel, and Versace – appears to have been hit over the weekend.

Details of the alleged attack are not immediately clear, but according to BleepingComputer, customers began reporting that the company’s Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision websites were down on Friday evening.

The site also quoted Italian security specialist Nicola Vanin, who confirmed the incident, but gave assurances that no data was stolen or leaked. Of late, a number of ransomware operators have indeed engaged in doxing – traversing their victims’ files looking for sensitive information, which they will then threaten to release unless they are paid an additional fee on top of the ransom.

RELATED READING: 5 ways cybercriminals can try to extort you

Meanwhile, a Luxottica employee claimed that the attack occurred on Sunday evening, affecting the company’s global operations, with some offices still reeling from the attack’s aftermath.

Per reports from the Italian press, Luxottica’s offices in Agordo and Sedico in the province of Belluno were experiencing IT problems, with employees receiving text messages that their shifts were suspended due to a “computer system failure”.

At the time of writing, all affected websites seem to be back up and running with no signs of the incident. The company itself has yet to comment on the issue.

Citing information from cybersecurity intelligence company Bad Packets, BleepingComputer wrote that Luxottica had a Citrix ADX controller device susceptible to the critical-rated CVE-2019-19781 vulnerability in Citrix devices.

Further reading:

Buying Ray-Bans? Don’t fall for this Facebook scam
Hitting emails and Facebook: Ray‑Ban scam is back

179 arrested in massive dark web bust

The sting is said to be the US Government’s largest operation targeting crime in the internet’s seedy underbelly

Law enforcement agencies from around the globe have swooped down on dozens of purveyors of illegal goods on the dark web. No fewer than 179 vendors of illicit goods have been handcuffed in an operation dubbed DisrupTor, which comprised several separate but complementary operations and was the result of a collective effort mostly by North American and European authorities.

Europe’s law enforcement agency, Europol, lauded the success of the raids in a press release, with Edvard Šileris, the director of its European Cybercrime Centre, saying: “Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous. Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen.”

As noted by the United States’ Department of Justice, DisrupTor comes on the heels of two similar busts from the recent past. In March 2019, a global operation dubbed SaboTor resulted in the arrests of 61 suspected peddlers of illegal goods on the dark web. Two months later, another successful sting brought the takedown of Wall Street Market – the second-largest dark web online market dealing with the sale of illicit wares.

RELATED READING: Europol sets up EU‑wide team to fight dark web crime

The quantitative intelligence the operation yielded allowed investigators to identify suspects behind the accounts used to conduct illegal business. Which led to 179 sellers of illicit wares ending up in custody across Europe and the US, and the seizure of thousands of illegal goods including over US$6.5 million comprising both cash and cryptocurrencies as well as some 500 kilograms worth of addictive substances and drugs, and weapons.

US Attorney General Jeffrey Rosen touted the significance of the operation: “Criminals selling fentanyl on the Darknet should pay attention to Operation DisrupTor. The arrest of 179 of them in seven countries—with the seizure of their drug supplies and their money as well—shows that there will be no safe haven for drug dealing in cyberspace.”

While the investigations are still ongoing and law enforcement officers are busy identifying further suspects, arrests have been made in multiple countries. The United States leads the pack with 121 arrests, with Germany following suit on 42. The Netherlands nabbed eight suspects, while the United Kingdom detained four, Austria has apprehended three and Sweden captured one person.

Earlier this year, European law enforcement agencies were also able to crack an encrypted chat network, which ultimately led to the arrest of over 800 suspected criminals.

New tool helps companies assess why employees click on phishing emails

NIST’s tool can help organizations improve the testing of their employees’ phish-spotting prowess

Researchers at the US National Institute of Standards and Technology (NIST) have devised a new method that could be used to accurately assess why employees click on certain phishing emails. The tool, dubbed Phish Scale, uses real data to evaluate the complexity and quality of phishing attacks to help organizations comprehend where their (human) vulnerabilities lie.

Here’s a quick refresher: in its simplest form, phishing is an unsolicited email or any other form of electronic communication where cybercriminals impersonate a trusted organization and attempt to pilfer your data. Information such as access credentials can be then abused for further attacks or sold on the dark web and used to commit fraud or identity theft.

Therefore, any company or organization that takes its cybersecurity seriously conducts regular phishing training exercises to see if its employees can distinguish between real and phishing emails. These trainings aim to increase employee vigilance as well as teach them to spot signs of phishing attacks masquerading as legitimate emails, which in turn, prevents them from getting hooked and protects their organizations from monetary and reputational damage.

RELATED READING: Would you get hooked by a phishing scam? Test yourself

These exercises are usually overseen by Chief Information Security Officers (CISOs), who evaluate the success or failure of these exercises based on click rates – how often employees click on a phishing email. However, the results are not emblematic of the whole problem.

“The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves in the press release announcing the new tool.

Phish Scale looks at two main elements when assessing how difficult it is to detect a potential phishing email. The first variable the tool evaluates is ‘phishing email cues’ – observable signs, such as spelling mistakes, using personal email addresses rather than work emails, or using time-pressuring techniques.

Meanwhile, the second ‘alignment of the email’s context to the user’ leverages a rating system to evaluate if the context is relevant to the target – the more relevant it is, the harder it becomes to identify it as a phishing email. Based on a combination of these factors, Phishing Scale categorizes the difficulty of spotting the phish into three categories: least, moderate, and very difficult.

These can provide valuable insight into the phishing attacks themselves, as well as help ascertain why people are more or less likely to click on these emails.

RELATED READING: This test will tell you how likely you are to fall for fraud

Phish Scale aims to provide CISOs with a better comprehension of their click-rate data, so they don’t solely rely on the number output. “A low click rate for a particular phishing email can have several causes: The phishing training emails are too easy or do not provide relevant context to the user, or the phishing email is similar to a previous exercise. Data like this can create a false sense of security if click rates are analyzed on their own without understanding the phishing email’s difficulty,” NIST said.

While all data that was fed to the Phish Scale has originated from NIST, the institute hopes to test the tool on other organizations and companies to see if it performs up to standard. For further information on the tool and research behind it, you can delve into the article, Categorizing human phishing difficulty: a Phish Scale, published by the researchers Michelle Steves, Kristen Greene, and Mary Theofanos.

Mozilla fixes flaw that let attackers hijack Firefox for Android via Wi‑Fi

Attackers could have exploited the flaw to steal victims’ login credentials or install malware on their devices

Mozilla has patched a security flaw that could allow cybercriminals to hijack all vulnerable Firefox for Android browsers running on devices connected to the same Wi-Fi network. The vulnerability could be abused by black hats to force users to visit websites housing malicious content, which could then be used to execute phishing attacks or to download malware to their devices.

The bug, which resided in Firefox’s Simple Service Discovery Protocol (SSDP), was uncovered by security researcher Chris Moberly and affected Firefox for Android versions of 68.11.0 and below.

ESET malware researcher Lukas Stefanko has tested a proof-of-concept (PoC) exploit that takes advantage of the security hole, running the PoC on three devices connected to the same Wi-Fi router.

Exploitation of LAN vulnerability found in Firefox for Android

I tested this PoC exploit on 3 devices on same wifi, it worked pretty well.
I was able to open custom URL on every smartphone using vulnerable Firefox (68.11.0 and below) found by @init_string https://t.co/c7EbEaZ6Yx pic.twitter.com/lbQA4qPehq

— Lukas Stefanko (@LukasStefanko) September 18, 2020

“This is a serious issue that allows to trigger any Android Intent on the same Wi-Fi network without any user interaction if you have a vulnerable version of Firefox for Android installed on your device,” said Stefanko.

He went on to warn that successful exploitation of the bug could lead to a phishing attack on public Wi-Fi networks, by requesting personal user information or login credentials from all users connected to the network who were running unpatched versions of the browser. “It makes exploitation of this issue really easy,” he added.

In a write-up of the problem on his GitLab page, Moberly explained that vulnerable versions of the Firefox browser routinely send out SSDP discovery messages, looking for second-screen devices connected to the same local network that they can cast to (imagine a Chromecast, Roku, or similar gizmo).

Devices connected on that local network can respond to these broadcasted messages, providing the location of an XML (eXtensible Markup Language) file containing their configuration details, which Firefox will then attempt to access.

However, that’s the moment when cybercriminals could make their move. “Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself,” said Moberly, shedding some light on how the vulnerability could be exploited. The security researcher added that he reported the vulnerability to Mozilla.

The bug has been fixed with the release of Firefox for Android 79, the direct successor to version 68.11.0. If you’re a Firefox for Android user, we suggest that you check whether you use the browser’s version 79, or even better, its latest version (80); if not, you should update your browser immediately.

Week in security with Tony Anscombe

Zoom now supports two-factor authentication. A cyber attack, which affected 14 inboxes belonging to Quebec’s Department of Justice, was confirmed by ESET researchers.

Zoom now supports phone calls, text messages and authentication apps as forms of two-factor authentication. Sports and training data are more sophisticated and affordable than ever. With the democratization of (sports) performance data, are your personal information safe? A cyber attack, which affected 14 inboxes belonging to Quebec’s Department of Justice, was confirmed by ESET researchers. All this – and more – on WeLiveSecurity.com.

5 ways cybercriminals can try to extort you

When it comes to coercing people into parting with their money, cybercriminals seem to have an endless bag of tricks to choose from. There are some tricks, that they favor more than others, one of which is extortion. According to the FBI’s latest Internet Crime Report, US victims of extortion lost some US$107.5 million to these crimes last year.

One thing to keep in mind is that blackmailers won’t just stick to one trick but will employ multiple flavors of extortion to try to force their victims into doing their bidding – be  it paying them a handsome sum or even performing tasks on their behalf.

Ransomware

Ransomware is by far one of the best-known examples of extortion employed by hackers around the globe, with targets ranging from companies, through governments to individuals. The basic premise is that your device will be infested by ransomware using one of the various tactics hackers employ, such as duping you into clicking on a malicious link found in an email or posted on social media or shared with you through a direct instant message.

After the malware makes its way into your device: it will either encrypt your files and won’t allow you to access them, or it will lock you out of your computer altogether, until you pay the ransom. It is also worth mentioning that some ransomware groups have added a new functionality; a form of doxing wherein they traverse your files looking for sensitive information, which they will threaten to release unless you pay them an additional fee.  This could be considered a form of double extortion.

Before wondering whether to pay or not, you should check if a decryption tool has been released for the ransomware strain that has infested your device; also, the answer is: don’t pay. For additional advice on protecting against ransomware attacks, you can check out our  excellent, in-depth article Ransomware:Expert advice on how to keep safe and secure.

Hack and extort

The title is pretty much self-explanatory, but to make things abundantly clear, the extortionist will infiltrate your device or online accounts, go through your files looking for any sensitive or valuable data,and steal it. Although it may echo ransomware in some respects, in this case, the breaking-and-entering of your device is done manually and the cybercriminal will have to invest time and resources into doing so. Well, unless your password was part of a large-scale data breach, in which case the effort put insignificantly drops. The successfully targeted individual then receives an email in which the criminal tries to coerce the intended victim into paying by threatening to expose this data, listing examples for added effect.

To protect yourself, you should consider encrypting your data and adequately securing all your accounts using a strong passphrase, as well as activating two-factor authentication whenever it is available.

Plugging in a strange USB drive – What could possibly go wrong?

While wanting to return a found USB flash drive is commendable, you should avoid taking unnecessary risks, lest your device get infested and your data compromised.

External data storage devices have been around almost as long as computers have existed. Magnetic tape and floppy disks, which were once the dominant media, are now mostly fond memories, while optical discs are mostly used in gaming consoles. For the past 20 years, the dominant player on the external storage scene has been the USB flash drive. No wonder: over the years, their storage capacity has increased, and their prices have dropped.

However, even if the humble flash drive has withstood the test of time – at least for now – it has been associated with a number of risks. Especially, due to its small form factor, portability, and ease of access, it can be used to smuggle data out of companies or used to deliver a malware payload that could wreak havoc on systems.

Let’s look at the proper cybersecurity practices you should use when handling strange flash drives lying around that you may have stumbled upon.

Oh look, someone dropped a flash drive!

If there were one piece of advice we could give when it comes to stumbling upon a lost flash drive, it would be just to give it to the authorities or drop it off at the lost and found office or box. That would be the end of it, and you’d feel good about yourself.

However, since good Samaritans haven’t died out just yet and people are naturally curious creatures; in an effort to help satisfy their curiosity, many will plug such a “found” flash drive into their devices to learn more. The stories aren’t just anecdotal; research has shown that people are prone to sticking unknown flash drives into their computers.

Unfortunately, cybercriminals often use a “lost” flash drive as a social engineering tactic, hoping that their targets will do just that. Since the person plugging the drive in has no idea what it contains, it might be opening Pandora’s box.

This could lead to various forms of malware making their way into the device. Your computer could get locked up by ransomware or a keylogger could be recording your every keystroke … allowing hackers to get hold of your access credentials to various accounts, ranging from social media to financial institutions.

If you’ve plugged an afflicted drive into your work computer, then it gets a lot worse – certain types of malware can propagate across a company’s whole infrastructure, infesting it. If you think that sounds far-fetched, then you need only to remember the infamous Stuxnet malware, which is thought to have spread with the help of malicious USB flash drives. And let’s not forget the BadUSB malware, which could have allowed black hats to gain complete control of a machine, spy on users, and even steal data.

What should I do?

If, even after considering all the risks, you decide to plug an unknown USB drive into your device, there are certain steps you can take to mitigate the risks of your device being infested.

To start, you should always keep your devices patched and updated to the latest versions of the operating system and software available. Using a reputable and up-to-date endpoint security solution is also advised since it can protect you from many of the risks posed by malicious USB sticks as well as other threats.

Whenever you plug an external device into one of your computer’s USB ports it might start up via the Autorun feature. Disable Autorun so that your device won’t open any USB drive – including ones that might possibly contain malicious content. You should also use your endpoint security solution to run a scan on the drive; it should detect most threats and notify you if it finds anything suspicious. Furthermore, many security solutions automatically detect USB device insertion and can be configured to scan any newly inserted devices automatically.

While these solutions may look simple at first glance, they can go a long way to protecting you against attacks and breaches originating from a potentially malicious flash drive. Handling strange flash drives is just one piece of the puzzle – to find out how to secure your own devices, stay tuned for our next article.

Sports data for ransom – it’s not all just fun and games anymore

However, change lay just around the corner. With wireless communication standards beginning to proliferate in the early 2000s, the missing element was the transformation and integration of personal communications and computing. From there, data-driven sports tech could go fully commercial.

Integration – enter the era of smartphones

In the year 2000, mobile phones began to connect to the nascent 3G network. With the 1st generation iPhone released January 9th, 2007 – followed by the first Android device in September 2008 – data-driven sports technology and consumers’ appetite for social sharing were on a collision course.

The introduction of smartphones allowed user access to multiple service types as well as other devices. This included devices with other communications standards such as Bluetooth and ANT+, which are popularly used with heart rate monitors and speed sensors. With these protocols, small or clumsy dedicated devices could be paired to smartphones with substantially better user interfaces, more processing power and internet access – further connecting them to social media, emails and servers.

A boom of data

The age of Big Data was (also) upon us, and it seemed that sports data would remain a small component of the infinite data stream unleashed from a diversity of new forms of tracking and analysis. However, for millions, human curiosity latched on to sports data as interesting, motivational and, social.

When devices that could couple heart rate, cadence (rate bike pedals are turned or steps taken per min.), speed, altitude and precise geolocation met social media, a new industry exploded. The sports data-verse opened by SRM, led other device manufacturers like Garmin, followed by FitBit, Apple, Samsung and Wahoo – to name a few – to provide the (data) fodder for users to engage with their data via sports apps like Strava, Zwift and other platforms where they could record, analyze, share, congratulate, cajole and battle over who is fastest or fittest anywhere in the world. This combination proved addictive.

For context, Strava claimed 50 million members in February 2020, adding a million more every month, and members uploading “more than 1 billion activities in the last 13 months”. Essentially, athletes upload data gathered on sports computers (+sensors) or via watches from Apple or Samsung, subsequently uploading their results along with location data to platforms like Strava.

You know you are addicted when they take it away

As we can all attest, social media users can be obsessive, very possibly matched or outdone by athletes – whether amateur or professional. For sure, cyclists, triathletes and hikers using Strava and similar platforms, alongside hardware by Garmin, Apple, or devices like Wahoo’s ELEMNET bike computer, accumulate massive amounts of data that foster their own data addictions.

So, when the links between sensor technologies and social spaces built up around websites like Garmin Connect get broken, users get upset! Cyclists won’t have to imagine too hard how users of relative newcomer, Zwift – a virtual cycling paradise, might feel if access, in-app avatars or data got cryptolocked.

Figure 2. A Zwift user with “smart” trainer and TV
Source: https://news.zwift.com/en-WW/media_kits/

The runaway success of platforms like Zwift, a virtual turbo trainer game that enables riders to join other cyclists in a virtual environment by linking a bicycle turbo/resistance trainer to a computer, smartphone or smart TV, demonstrate the stakes. During the coronavirus lockdown stakes have risen quickly with Zwift’s user numbers massively boosted and even pro cyclists moving to adopt the platform in absence of outdoor racing. Looking at numbers of concurrent users on a given day (Peak Zwift), on Jan 21st, 2020, Zwift recorded 16,512; by April 5th, this had grown to 34,940 concurrent users. Sports + Data is strutting its stuff!

Ransomware hurts in new ways

Recently, the wider sports data boom stumbled when it was reported that market leading GPS and fitness tracking vendor Garmin suffered a major security breach. “Garmin, was the victim of a cyberattack that encrypted some of our systems on July 23rd, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation,” reads the company’s announcement.

Subsequently, it was established that a ransomware attack took place impacting its systems. Forensics shows with high likelihood that the malware in question is WastedLocker, in this case wielded by the organized crime group known as Evil Corp.

For users, the multi-day day outage prevented them from logging data and thus posting it. However, other recent ransomware incidents have demonstrated that cybercriminals not only deny access to data, but actually steal it via of doxing and random data leaking, then moving to auctioning stolen data on dedicated underground sites, and even forming “cartels” to attract more buyers.

Reports around Garmin’s incident certainly don’t confirm this, but post-WastedLocker, this industry should reassess risk, and the value of users’ sports data, including personally identifiable information and location, and based on employment of devices enabling multiplatform integration. Under these circumstances, the value of “sports data” quickly takes on a level of seriousness akin to health data.

With this incident, a new way for cybercriminals to pressure businesses into paying ransoms has unfolded. As such, we can imagine that many other companies could fall prey to similar patterns of abuse. Fitness center franchises, personal trainers, physical therapists and their natural overlap with healthcare providers all offer a negative synergy.

Alternatively, and outside of sports, we can imagine the knock-on effects of malware attacks on the recent explosion of food delivery services. Often on a tight budget and employing both location data and customer databases with personally identifiable information, these types of businesses could also be prone to ransomed data and, in some cases, may have lower levels of cybersecurity maturity than the service providers focused on sports data.

Shifting security to a higher gear

If you are an athlete, be mindful of how your data, as well as device and service integration can open you up to new threat

Zoom makes 2FA available for all its users

Zoom now supports phone calls, text messages and authentication apps as forms of two-factor authentication  

Zoom is rolling out support for two-factor authentication (2FA) across its web, desktop, and mobile applications, allowing users to double down on the security of their accounts with an extra layer of protection. 

For context, 2FA systems require users to pass authentication challenges that need responses from two different factors. There are three classic authentication factors that are commonly used – something you know like a password or PIN code, something you have such as physical keys  or authentication apps, and something you are, this includes biometrics like fingerprints or retina scans. 

The videoconferencing platform announced the new security feature in a blog stating: “Zoom’s enhanced Two-Factor Authentication (2FA) makes it easier for admins and organizations to protect their users and prevent security breaches right from our own platform.” In a statement provided to The Verge, the company confirmed that it is making the feature available to all its users across the board, including those using its free plan. 

Zoom also described the ways users can authenticate themselves while signing into their accounts, “With Zoom’s 2FA, users have the option to use authentication apps that support Time-Based One-Time Password (TOTP) protocol (such as Google Authenticator, Microsoft Authenticator, and FreeOTP), or have Zoom send a code via SMS or phone call, as the second factor of the account authentication process.” 

RELATED READING: Privacy watchdogs urge videoconferencing services to boost privacy protections

While using SMS text messages as a form of two-factor authentication is better than not using one at all, it’s better to opt for one of the supported authentication apps, especially since it makes it more difficult for cybercriminals to access your account even if you become a target of a SIM swapping attack. 

The video communication company also allows users to use recovery codes to sign into their accounts in the event that their device gets lost or stolen. You can check out the whole process of activating 2FA as well as using recovery codes on the platform’s help center 

With the COVID-19 pandemic surging outside forcing a lot of companies to transition to remote working, Zoom, and other videoconferencing and communication services have enjoyed a boost in popularity. However, the company has also been in the spotlight due to the privacy and security issues it had been experiencing after users flocked to its platform in large numbers. If you’re a Zoom user, you should also check out our article on getting your Zoom security settings right 

Week in security with Tony Anscombe

ESET researchers have discovered and analyzed CDRThief, a malware that targets Voice over IP (VoIP) softswitches. Righard Zwienenberg deep in the lead-offering business and invites us to take steps to mitigate this problem. Finally, an overview of the TikTok pairing feature, which gives parents greater control over how their children interact with the app All

ESET researchers have discovered and analyzed CDRThief, a malware that targets Voice over IP (VoIP) softswitches. Righard Zwienenberg deep in the lead-offering business and invites us to take steps to mitigate this problem. Finally, an overview of the TikTok pairing feature, which gives parents greater control over how their children interact with the app All this – and more – on WeLiveSecurity.com.