Google recalls Titan Bluetooth keys after finding security flaw

Google had egg on its face this week after it had to recall some of its Titan hardware security keys for being insecure.

Titan is Google’s name for its family of hardware security keys that provide two-factor authentication (2FA) for web users.

Launched in July 2018, they offer a level of physical authentication to complement website passwords. Google provides the Titan key for accessing your Google accounts, but you can also use it with other accounts that support the FIDO U2F standard for hardware keys.

When you switch on hardware key support in a website, it asks you to present your Titan key along with your password before it will let you in. This stops thieves who steal your password from accessing your web account.

How do you present your Titan key? It comes in two flavours: a USB key that you plug into your computer, and a Bluetooth-based key that connects wirelessly to your device. This works with computers and with your smartphone, giving mobile users extra protection for their web accounts.

The problem lies with the Bluetooth key, and in particular with its implementation of Bluetooth Low Energy (BLE). This is the protocol it uses to communicate wirelessly with the device it’s authenticating to.

In normal operation, you first register your BLE-enabled Titan key with the web service you’re using. The key generates a fresh key pair for that service: the private key never leaves the key, and the public key is handed to the service.

Whenever you want to access the service, you enter your username and password as you would normally, but the site also sends a one-time challenge and asks you to use your hardware key. You press the button on your Titan key. The key connects over BLE to your computer or mobile device, signs the challenge with the private key it holds for that service, and hands back the signature. The browser on your device forwards the signature to the web service, which checks it against the public key it stored at registration and lets you in.

So far, so good.

The problem, however, is that Google misconfigured the BLE pairing on the key, leaving the wireless link unauthenticated. That opens the door to a so-called Man in The Middle (MiTM) attack, in which someone nearby gets between your Titan key and the device it’s communicating with, talks to the key as though they were your device, and uses what the key hands back to sign in as you.

Fortunately, the attack can’t be pulled off from the other side of the world: an attacker has to be within about 10 meters; has to launch their attack just as you press the button on your Titan key; and needs to know your username and password in advance.

But anyone else in the same coffee shop as you, for example, automatically satisfies the first two conditions, so this sort of attack is definitely possible.
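To make concrete why the attacker has to be in the loop at the moment the button is pressed, here is an added example (written for this page, not Google’s or Yubico’s code) of the U2F sign-in exchange in Go: the key signs sha256(appID) || user-presence flag || counter || sha256(clientData) over the site’s per-login challenge with a P-256 private key that never leaves the device, and the site verifies with the stored public key. The origin name, the JSON client data and the three login attempts are constructed for illustration. A captured signature replayed into a fresh session fails, because it is bound to the original challenge and counter; but a key that signs whatever an unauthenticated BLE peer hands it will sign the attacker’s challenge just as readily as yours.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator is the security key: a P-256 private key minted at registration
// that never leaves the device, plus a signature counter.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty is the web service: it holds only the public key and the last counter it accepted.
type RelyingParty struct {
	AppID   string
	pub     *ecdsa.PublicKey
	lastCtr uint32
}

// Assertion is what the key returns to the browser over BLE or USB.
type Assertion struct {
	Counter uint32
	Sig     []byte
}

// Register mints the key pair on the authenticator; only the public half goes to the site.
func Register(appID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{AppID: appID, pub: &priv.PublicKey}, nil
}

// NewClientData is the per-login client data: a fresh random challenge and the origin (constructed shape).
func NewClientData(origin string) []byte {
	var nonce [32]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err) // no usable entropy: nothing sensible to do
	}
	return []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":"%x","origin":"%s"}`, nonce[:], origin))
}

// signedData lays out the bytes a U2F key signs:
// sha256(appID) || user-presence flag || 32-bit big-endian counter || sha256(clientData).
func signedData(appID string, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append(appHash[:], 0x01) // 0x01: the button was pressed
	out = append(out, ctr[:]...)
	return append(out, cdHash[:]...)
}

// Sign is the button press. The key signs whatever client data the connected
// device hands it; it cannot tell the owner's laptop from a stranger's.
func (a *Authenticator) Sign(appID string, clientData []byte) (Assertion, error) {
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return Assertion{Counter: a.counter, Sig: sig}, err
}

// Verify checks the assertion against this session's client data and insists
// the counter moved forward, so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(clientData []byte, as Assertion) error {
	digest := sha256.Sum256(signedData(rp.AppID, as.Counter, clientData))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Sig) {
		return errors.New("signature is not over this session's challenge")
	}
	if as.Counter <= rp.lastCtr {
		return errors.New("counter did not increase: replayed assertion")
	}
	rp.lastCtr = as.Counter
	return nil
}

// Outcome records which of three login attempts the site accepted.
type Outcome struct {
	OwnerAccepted     bool // the owner's own device talks to the key
	ReplayAccepted    bool // attacker replays the owner's captured assertion in a new session
	InterposeAccepted bool // attacker's device reaches the key first and gets its own challenge signed
}

func RunScenario() (Outcome, error) {
	const origin = "https://accounts.example" // hypothetical site
	key, site, err := Register(origin)
	if err != nil {
		return Outcome{}, err
	}
	var o Outcome
	owner, attacker := NewClientData(origin), NewClientData(origin)

	as1, err := key.Sign(site.AppID, owner) // normal login
	if err != nil {
		return o, err
	}
	o.OwnerAccepted = site.Verify(owner, as1) == nil
	o.ReplayAccepted = site.Verify(attacker, as1) == nil // bound to the owner's challenge: rejected

	as2, err := key.Sign(site.AppID, attacker) // attacker's device is the one paired when the button is pressed
	if err != nil {
		return o, err
	}
	o.InterposeAccepted = site.Verify(attacker, as2) == nil
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints OwnerAccepted and InterposeAccepted as true and ReplayAccepted as false. The signature check is what lets the site survive an eavesdropper who merely records the air interface; the counter check is what catches a cloned key. Neither helps when the wrong device is the one talking to the key at the moment of the button press, which is why Google’s conditions above (proximity, timing, and a password already in hand) are exactly the ones that matter.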

The issue only affects the Bluetooth-enabled keys, not those that you plug into a USB port. To solve it, Google has recalled affected keys and offered a free replacement.

The company also argued that, flaw and all, a Titan key still leaves you better off than relying on your password alone:

It is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device).

Google made its own Titan key rather than partner with key manufacturer Yubico, which created the U2F standard with Google in 2014. Yubico threw shade at Google’s Bluetooth choice last year arguing:

While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Google’s Bluetooth misstep bolsters Yubico’s point. It also won’t do any favours for the concept of hardware keys overall.

Hacking gang stole millions in cryptocurrency via SIM swaps

Six people have been indicted for allegedly being SIM card swappers who stole victims’ identities and their cryptocurrency, and three mobile phone company employees have been indicted for allegedly accepting bribes to help them steal subscribers’ identities.

On Thursday, federal prosecutors in the US Attorney’s Office for the Eastern District of Michigan said that the six alleged hackers are part of a hacking gang called “The Community.” The gang allegedly carried out seven attacks that netted a cryptocurrency haul valued at more than US $2.4 million.

The unsealed indictment charges Conor Freeman, 20, of Dublin, Ireland; Ricky Handschumacher, 25, of Pasco County, Florida; Colton Jurisic, 20, of Dubuque, Iowa; Reyad Gafar Abbas, 19, of Rochester, New York; Garrett Endicott, 21, of Warrensburg, Missouri; and Ryan Stevenson, 26, of West Haven, Connecticut, with conspiracy to commit wire fraud, wire fraud and aggravated identity theft.

How the crooks swing a SIM swap

As we’ve explained, SIM swaps work because your phone number is tied to the SIM card in your phone rather than to the handset itself. SIM is short for subscriber identity module: a small smart card whose secure chip holds a subscriber identity and a cryptographic key that authenticate the phone to the network, and it is that authenticated identity that your carrier maps to your phone number.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number …and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

Prosecutors allege that The Community got control of victims’ mobile phone numbers and intercepted phone calls and text messages. They often purchased help by bribing an employee of a mobile phone provider. Other times, they used social engineering: contacting a mobile phone provider’s customer service; posing as the victim; and sweet-talking their way into having the victim’s phone number swapped to a SIM card in one of their own mobile devices.

Prosecutors also allege that The Community bribed the other three people charged in the indictment, who are all employees at mobile phone service companies – Jarratt White, 22, of Tucson, Arizona; Robert Jack, 22, of Tucson, Arizona; and Fendley Joseph, 28, of Murrietta, California. The three allegedly helped the hackers steal subscribers’ identities.

The indictment claims that once the gang had control of a victim’s phone number, they’d use it as a gateway to gain control of online services such as email, cloud storage, and cryptocurrency exchange accounts.

The Community gang members allegedly tried to hijack victims’ cryptocurrency wallets or online cryptocurrency exchange accounts so as to clean them out of funds. The indictment alleges that the defendants executed seven attacks that resulted in the theft of cryptocurrency valued at $2,416,352.

If convicted of conspiracy to commit wire fraud, each defendant faces a statutory maximum penalty of 20 years in prison. The charges of wire fraud each carry a statutory maximum penalty of 20 years, while the aggravated identity theft in support of wire fraud charge carries a statutory maximum penalty of 2 years in prison to be served consecutively to any sentence imposed on the underlying count of wire fraud. Maximum sentences are rarely handed out, however.

A rising trend

The past few years have seen many examples of fraudsters using SIM swaps to drain accounts.

A steady drip of them have been arrested for going after cryptocurrency in particular: in March, Joel Ortiz, a 20-year-old SIM-swap scammer accused of stealing $5 million in Bitcoin, copped a plea and was sentenced to 10 years in prison.

Over the last 18 months or so, we’ve also seen SIM swappers arrested for hijacking phone numbers and using them to access emails, social media accounts, and online Bitcoin wallets. In August 2018, 19-year-old Xzavyer Narvaez, known as being one of the “best” SIM swappers out there, was accused of stealing around $1 million in Bitcoin. He used the loot to buy fancy sports cars.

Nicholas Truglia, 21, was also accused of stealing millions in Bitcoin last year. Part of that was $1 million that a Silicon Valley dad had put aside for his daughter’s college fund.

Yet another 21-year-old, Joseph Harris, was arrested in September for allegedly stealing more than $14 million in cryptocurrency.

What to do?

Whether they’re breaking into regular old bank accounts or Bitcoin accounts, the crime is obviously extremely costly for the victims who watch helplessly as their accounts drain. The growing tide of incidents has given rise to a regrettable number of times that Naked Security has found itself handing out advice on how to protect yourself from these SIM hijacks.

The indictment announced on Thursday presents yet another one of those times.

So, once again, here are those tips:

Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.

Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA.

Use an on-access (real-time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.

Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.

Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of login codes.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realizing it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

Europol arrests end GozNym banking malware gang

Arrests in Europe and the US appear to have ended the cybercrime careers of the gang behind the GozNym banking malware.

According to Europol, which coordinated the pursuit of 10 people in Ukraine, Moldova, Georgia, Bulgaria, Germany and the US, GozNym stole $100 million by infecting 41,000 devices around the world – mainly business computers.

Among those picked up were the alleged network mastermind, arrested in Georgia, and another individual in Ukraine who unsuccessfully attempted to evade police by producing a firearm. Five unnamed Russians remain on the run.

The GozNym malware was created sometime around 2015 by combining the code of two older pieces of malware: the well-known Gozi banking trojan, whose source code leaked in 2010, and the Nymaim dropper, a later piece of malware most often used to deliver ransomware.

The hybrid took the strengths of two slightly different tools, and turned up in attacks on customers of two dozen US and Canadian banks in 2016.

The attacks used a common technique – blasting out the malware in phishing campaigns, or via exploit kits planted on websites; capturing online banking credentials; accessing those accounts to steal money; and laundering the proceeds:

The GozNym network exemplified the concept of cybercrime as a service, with different criminal services such as bulletproof hosters, money mules networks, crypters, spammers, coders, organizers, and technical support.

The gang members were highly specialised, each carrying out a different task, from writing code and sending phishing emails to tending the flow of money out of victims’ accounts.

Avalanche botnet

The breakthrough in collaring the people behind GozNym can be traced to Europol’s takedown of the Avalanche botnet in 2016. That had been used to host GozNym, which gave police several leads.

The operation stands out for the unusual way it was conducted: simultaneous prosecutions in four nations, which Europol described as a “paradigm change.”

Normally, prosecutions progress haphazardly in different countries for reasons to do with the local laws and legal process.

Complicating this is the fact that an individual might be arrested in one country for crimes carried out in another that might or might not have mutual extradition agreements.

Said Scott Brady of the US Attorney’s Office for the Western District of Pennsylvania:

The law enforcement response must be equally broad and borderless. We believe this represents the new blueprint for how we attack cybercrime going forward.

This is good news – though sadly we suspect that there are plenty of cybercriminals and malware still to come…

Trump seeks tales of social media bias – and your phone number

President Donald Trump has long railed against social media sites for what he says is their politically biased censoring of conservative voices, and now he’s looking for proof.

The White House on Wednesday released a tool that invites people who’ve been censored on social media and who suspect political bias as the cause to “share your story with President Trump.”

The first page says:

SOCIAL MEDIA PLATFORMS should advance FREEDOM OF SPEECH. Yet too many Americans have seen their accounts suspended, banned, or fraudulently reported for unclear ‘violations’ of user policies.

No matter your views, if you suspect political bias caused such an action to be taken against you, share your story with President Trump.

Read the fine print

Anyone thinking of using the tool should take a good, long look at the user agreement, which grants the US government – including, but not limited to, the president’s executive office – an irrevocable license to any content you submit on the site.

You grant the U.S. Government (including, but not limited to the Executive Office of the President) a license to any “Content” (including but not limited to the photographs, information, text, or otherwise) you post or submit on this site… The license you grant is irrevocable and valid in perpetuity, throughout the world, and in all forms of media… You should not post any information that you do not wish to become public…

That means that whatever content curled somebody’s toes enough that a social media platform removed it will potentially see the bright light of day, as it uses your stuff in any way it likes:

This permission grants the U.S. Government a license to use, edit, display, publish, broadcast, transmit, post, or otherwise distribute all or part of the Content (including edited, composite, or derivative works made therefrom).

The user agreement makes clear that “you understand this form is for information gathering only.”

The reporting form, hosted on Typeform, asks users to submit screenshots of and links to the banned content. It also provides a text field where users can describe the enforcement actions taken against them. Users can choose between Facebook, Twitter, Instagram, YouTube or “other” as the platform from which their content was taken down.

The form also urges you to hand over your phone number, though in a strangely roundabout way for a web-based system, asking you, “Would you mind sharing your phone number, in case we need to get in touch?”

What it actually means is, “Enter your phone number in case we need to get in touch (or leave blank if you don’t want to provide it),” which would be a much clearer way of putting it on the form.

Long-simmering resentment

There’s a lot of context behind Wednesday’s rollout of this tool. For years, conservatives have been alleging that the big platforms – Facebook, Google, and Twitter – have been censoring them. When they ran the House, Republican lawmakers held multiple hearings on the matter.

Trump has in the past threatened regulation: last year, he suggested that the administration could take aim at the way Google displays its search results; in March, he again criticized the companies, accusing them of “collusion” and a “hatred they have for a certain group of people that happen to be in power, that happen to have won the election.”

Regardless of where your politics lie, the bigger picture is probably that, as soon as social media companies make themselves the arbiters of what’s acceptable and what’s not, they open themselves to accusations of bias. Even if they banned people at random you’d be able to find a way to cut the data so that it looked biased against somebody.

The White House is now looking at capturing a whole lot of data. It remains to be seen how it will use the results.

Readers, if you plan to chime in with your own tale(s) of being silenced, feel free to share with us the details – including your thoughts on the form and how the government might use the data you submit with it…

EternalBlue reaching new heights since WannaCryptor outbreak

Attack attempts involving the exploit now number in the hundreds of thousands every day

It has been two years since EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor (or WannaCry). Since the now-infamous malware incident, attempts to use the exploit have only been growing in prevalence. Currently it is at the peak of its popularity, with users bombarded with hundreds of thousands of attacks every day.

The EternalBlue exploit was allegedly stolen from the National Security Agency (NSA) in 2016 and leaked online on April 14, 2017 by a group known as Shadow Brokers. The exploit targets a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, reached over TCP port 445. The flaw had been privately disclosed to and patched by Microsoft (MS17-010, March 2017) before the WannaCryptor outbreak; yet, despite all efforts, vulnerable systems are widespread even to this day.

According to data from Shodan, there are currently almost a million machines in the wild using the obsolete SMB v1 protocol, exposing the port to the public internet. Most of these devices are in the United States, followed by Japan and the Russian Federation.

Poor security practices and lack of patching are likely reasons why malicious use of the EternalBlue exploit has been growing continuously since the beginning of 2017, when it was leaked online.
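Shodan counts servers that answer SMBv1 from the internet; inside a network the complementary view is which clients still open with SMBv1. Here is an added example (written for this page, not ESET’s or Shodan’s code) of a small classifier in Go for the first request a client sends on port 445: it checks the NetBIOS session header, tells an SMB1 header (0xFF 'SMB') from an SMB2 one (0xFE 'SMB'), and for an SMB1 SMB_COM_NEGOTIATE walks the dialect list. A client that can speak SMB2 still sends an SMB1 negotiate but includes “SMB 2.002” or “SMB 2.???” among its dialects, so an SMB1 negotiate without any “SMB 2.” entry flags a host that cannot do better than SMBv1 and belongs on the patch-or-retire list. The three packets are constructed inline for the example; in practice you would feed it the first segment of each new 445 flow from a capture or a sensor.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Negotiate summarises the first request a client sends on TCP/445.
type Negotiate struct {
	Version    int      // 1 for an SMB1 header, 2 for SMB2/3
	Dialects   []string // dialect strings offered in an SMB1 negotiate
	LegacyOnly bool     // SMB1 negotiate offering no "SMB 2.*" dialect: a client that cannot speak SMB2
}

// ParseNegotiate takes one NetBIOS session message (type 0x00 + 3-byte length) carrying an SMB message.
func ParseNegotiate(pkt []byte) (Negotiate, error) {
	if len(pkt) < 4+32 || pkt[0] != 0x00 {
		return Negotiate{}, errors.New("not a NetBIOS session message")
	}
	if nbLen := int(pkt[1])<<16 | int(pkt[2])<<8 | int(pkt[3]); nbLen != len(pkt)-4 {
		return Negotiate{}, errors.New("NetBIOS length does not match payload")
	}
	msg := pkt[4:]
	switch {
	case bytes.Equal(msg[:4], []byte{0xFE, 'S', 'M', 'B'}):
		// SMB2 header: Command is the little-endian uint16 at offset 12; 0 is NEGOTIATE.
		if len(msg) < 64 || binary.LittleEndian.Uint16(msg[12:]) != 0 {
			return Negotiate{}, errors.New("SMB2 message is not a negotiate")
		}
		return Negotiate{Version: 2}, nil
	case bytes.Equal(msg[:4], []byte{0xFF, 'S', 'M', 'B'}):
		if msg[4] != 0x72 { // SMB_COM_NEGOTIATE
			return Negotiate{}, errors.New("SMB1 message is not a negotiate")
		}
		return parseSMB1Dialects(msg[32:]) // skip the fixed 32-byte header
	}
	return Negotiate{}, errors.New("not SMB")
}

// parseSMB1Dialects walks WordCount, Words, ByteCount and the dialect list,
// each entry being 0x02 followed by a NUL-terminated string.
func parseSMB1Dialects(body []byte) (Negotiate, error) {
	n := Negotiate{Version: 1, LegacyOnly: true}
	if len(body) < 1 || len(body) < 3+2*int(body[0]) {
		return n, errors.New("truncated SMB1 parameters")
	}
	wc := int(body[0])
	bc := int(binary.LittleEndian.Uint16(body[1+2*wc:]))
	data := body[3+2*wc:]
	if len(data) < bc {
		return n, errors.New("truncated SMB1 data")
	}
	for data = data[:bc]; len(data) > 0; {
		end := bytes.IndexByte(data, 0)
		if data[0] != 0x02 || end < 1 {
			return n, errors.New("malformed dialect entry")
		}
		d := string(data[1:end])
		n.Dialects = append(n.Dialects, d)
		if strings.HasPrefix(d, "SMB 2.") {
			n.LegacyOnly = false
		}
		data = data[end+1:]
	}
	return n, nil
}

// nbFrame wraps an SMB message in a NetBIOS session header.
func nbFrame(msg []byte) []byte {
	n := len(msg)
	return append([]byte{0x00, byte(n >> 16), byte(n >> 8), byte(n)}, msg...)
}

// smb1Negotiate builds a constructed SMB_COM_NEGOTIATE request offering the given dialects.
func smb1Negotiate(dialects ...string) []byte {
	var data []byte
	for _, d := range dialects {
		data = append(append(append(data, 0x02), d...), 0x00)
	}
	msg := make([]byte, 32, 35+len(data))
	copy(msg, []byte{0xFF, 'S', 'M', 'B', 0x72})
	msg[9] = 0x18                                          // Flags: canonical pathnames, case-insensitive
	msg = append(msg, 0x00)                                // WordCount
	msg = append(msg, byte(len(data)), byte(len(data)>>8)) // ByteCount
	return nbFrame(append(msg, data...))
}

// smb2Negotiate builds a constructed SMB2 NEGOTIATE request offering dialects 2.0.2 and 2.1.
func smb2Negotiate() []byte {
	msg := make([]byte, 64+36)
	copy(msg, []byte{0xFE, 'S', 'M', 'B'})
	binary.LittleEndian.PutUint16(msg[4:], 64)  // header StructureSize; Command at offset 12 stays 0
	binary.LittleEndian.PutUint16(msg[64:], 36) // request StructureSize
	binary.LittleEndian.PutUint16(msg[66:], 2)  // DialectCount
	return nbFrame(append(msg, 0x02, 0x02, 0x10, 0x02))
}

// Samples are three constructed first packets: an SMB1-only client, an SMB1 client
// that advertises SMB2, and a native SMB2 client.
func Samples() map[string][]byte {
	return map[string][]byte{
		"legacy-client": smb1Negotiate("PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"),
		"modern-client": smb1Negotiate("NT LM 0.12", "SMB 2.002", "SMB 2.???"),
		"smb2-client":   smb2Negotiate(),
	}
}

func main() {
	for name, pkt := range Samples() {
		n, err := ParseNegotiate(pkt)
		fmt.Printf("%-14s version=%d legacyOnly=%v dialects=%q err=%v\n", name, n.Version, n.LegacyOnly, n.Dialects, err)
	}
}
```

Only the legacy-client packet comes back with LegacyOnly set. Note that the classifier reads the client’s offer, not the server’s answer: a server that has SMBv1 disabled will still receive these requests from old clients, which is useful inventory in itself, but blocking the EternalBlue exploit itself means patching or disabling SMBv1 on the server side.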

Based on ESET telemetry, attack attempts involving EternalBlue are reaching historical peaks, with hundreds of thousands of instances being blocked every day, as seen in Figure 1.

Figure 1. Trend of EternalBlue detections, according to ESET LiveGrid®

A similar trend can be observed by looking at the number of unique ESET clients reporting thousands of attempts to use the exploit daily, as seen in Figure 2.

Figure 2. Trend of unique clients reporting EternalBlue exploit attempts, according to ESET LiveGrid®

Besides malicious use, EternalBlue numbers might also be growing due to its use for internal security purposes. As one of the most prevalent malicious tools, this exploit can be used by company security departments as a means for vulnerability hunting within corporate networks.

EternalBlue has enabled many high-profile cyberattacks. Apart from WannaCryptor, it also powered the destructive Diskcoder.C (aka Petya, NotPetya and ExPetya) campaign and the BadRabbit ransomware campaign in 2017. Well-known cyberespionage actors such as Sednit (aka APT28, Fancy Bear and Sofacy) were also caught using it against hotel Wi-Fi networks.

EternalBlue was also recently seen spreading Trojans and cryptomining malware in China – a return to what the vulnerability was first seen used for, even before the WannaCryptor outbreak – and was advertised by the black hats as the spreading mechanism for a new Ransomware-as-a-Service Yatron.

This exploit and all the cyberattacks it has enabled so far highlight the importance of timely patching. They also underline the need for a reliable, multi-layered security solution that can block the exploit itself, not just the payload it delivers.

17 May 2019 – 11:30AM

Security Technology Cannot Stop All Attacks

A common misconception most people have about cyber attackers is that they use only highly advanced tools and techniques to hack into people’s computers or accounts. This is simply not true. Cyber attackers have learned that often the easiest way to steal your information, hack your accounts, or infect your systems is by simply tricking you into making a mistake. In this newsletter, you will learn how these attacks, called social engineering, work and what you can do to protect yourself.

What Is Social Engineering?

Social engineering is a psychological attack where an attacker tricks you into doing something you should not do. The concept of social engineering is not new; it has existed for thousands of years. Think of scammers or con artists: it is the very same idea. What makes today’s technology so much more effective for cyber attackers is that you cannot physically see them; they can easily pretend to be anything or anyone they want and target millions of people around the world, including you. In addition, social engineering attacks can bypass many security technologies. The simplest way to understand how these attacks work and protect yourself from them is to take a look at two real-world examples.

You receive a phone call from someone claiming to be from a computer support company, your ISP, or Microsoft Tech Support. The caller explains that your computer is actively scanning the Internet. They believe it is infected and have been tasked with helping you secure your computer. They then use a variety of technical terms and take you through confusing steps to convince you that your computer is infected. For example, they may ask you to check if you have certain files on your computer and walk you through how to find them. When you locate these files, the caller assures you that these files prove that your computer is infected, when in reality they are common system files found on almost every computer in the world. Once they have tricked you into believing your computer is infected, they pressure you into buying  their security software or giving them remote access to your computer so they can fix it. However, the software they are selling is actually a malicious program. If you purchase and install it, not only have they fooled you into infecting your computer, but you just paid them to do it. If you give them remote access to your computer, they are going to take it over, steal your data, or use it for their bidding. 

Common sense is your most powerful defense in identifying and stopping most social engineering attacks.

Another example is an email attack called CEO Fraud, which most often happens at work. This is when a cyber attacker researches your organization online and identifies the name of your boss or coworker. The attacker then crafts an email pretending to be from that person and sends the email to you. The email urgently asks you to take an action, such as conducting a wire transfer or emailing sensitive employee information. Quite often, these emails pretend there is an emergency that urgently requires you to bypass standard security procedures. For example, they may ask you to send the highly sensitive information to a personal @gmail.com account. What makes targeted attacks like these so dangerous is the cyber attackers do their research beforehand. In addition, security technologies like anti-virus or firewalls cannot detect or stop these attacks because there is no malware or malicious links involved.

Keep in mind, social engineering attacks like these are not limited to phone calls or email; they can happen in any form, including text messages on your phone, over social media, or even in person. The key is to know what to look out for–you are your own best defense. 

Detecting/Stopping Social Engineering Attacks

Fortunately, stopping such attacks is simpler than you may think—common sense is your best defense. If something seems suspicious or does not feel right, it may be an attack. The most common clues of a social engineering attack include:

Someone creating a tremendous sense of urgency. They are attempting to fool you into making a mistake.

Someone asking for information they should not have access to or should already know, such as your account numbers.

Someone asking for your password. No legitimate organization will ever ask you for that.

Someone pressuring you to bypass or ignore security processes or procedures you are expected to follow at work.

Something too good to be true. For example, you are notified you won the lottery or an iPad, even though you never even entered the lottery.

You receive an odd email from a friend or coworker containing wording that does not sound like it is really them. A cyber attacker may have hacked into their account and is attempting to trick you. To protect yourself, verify such requests by reaching out to your friend using a different communications method, such as in person or over the phone.

If you suspect someone is trying to trick or fool you, do not communicate with the person anymore. If the attack is work related, be sure to report it to your help desk or information security team right away. Remember, common sense is often your best defense.

License

OUCH! newsletter is under the Creative Commons license. You are free to share / distribute it but may not sell or modify it.

Feds Target $100M ‘GozNym’ Cybercrime Network

Law enforcement agencies in the United States and Europe today unsealed charges against 11 alleged members of the GozNym malware network, an international cybercriminal syndicate suspected of stealing $100 million from more than 41,000 victims with the help of a stealthy banking trojan by the same name.

The locations of alleged GozNym cybercrime group members. Source: DOJ

The indictments unsealed in a Pennsylvania court this week stem from a slew of cyber heists carried out between October 2015 and December 2016. They’re also related to the 2016 arrest of Krasimir Nikolov, a 47-year-old Bulgarian man who was extradited to the United States to face charges for allegedly cashing out bank accounts that were compromised by the GozNym malware.

Prosecutors say Nikolov, a.k.a. “pablopicasso,” “salvadordali,” and “karlo,” was a key player in the GozNym crime group who used stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal their money through electronic funds transfers into bank accounts controlled by fellow conspirators.

According to the indictment, the GozNym network exemplified the concept of ‘cybercrime as a service,’ in that the defendants advertised their specialized technical skills and services on underground, Russian-language, online criminal forums. The malware was dubbed GozNym because it combines the stealth of a previous malware strain called Nymaim with the capabilities of the powerful Gozi banking trojan.

The feds say the ringleader of the group was Alexander Konovolov, 35, of Tbilisi, Georgia, who controlled more than 41,000 victim computers infected with GozNym and recruited various other members of the cybercrime team.

Vladimir Gorin, a.k.a “Voland,” “mrv,” and “riddler,” of Orenburg, Russia allegedly was a malware developer who oversaw the creation, development, management, and leasing of GozNym.

The indictment alleges 32-year-old Eduard Malancini, a.k.a. “JekaProf” and “procryptgroup” from Moldova, specialized in “crypting” or obfuscating the GozNym malware to evade detection by antivirus software.

Four other men named in the indictment were accused of recruiting and managing “money mules,” willing or unwitting people who can be used to receive stolen funds on behalf of the criminal syndicate. One of those alleged mule managers — Farkhad Rauf Ogly Manokhim (a.k.a. “frusa”) of Volgograd, Russia — was arrested in 2017 in Sri Lanka on an international warrant from the United States, but escaped and fled back to Russia while on bail awaiting extradition.

Also charged was 28-year-old Muscovite Konstantin Volchkov, a.k.a. “elvi,” who allegedly provided the spamming service used to disseminate malicious links that tried to foist GozNym on recipients who clicked.

The malicious links referenced in those spam emails were served via the Avalanche bulletproof hosting service, a distributed, cloud-hosting network that for seven years was rented out to hundreds of fraudsters for use in launching malware and phishing attacks. Avalanche was dismantled in Dec. 2016 by a similar international law enforcement action.

The alleged administrator of the Avalanche bulletproof network — 36-year-old Gennady Kapkanov from Poltava, Ukraine — has eluded justice in prior scrapes with the law: During the Avalanche takedown in Dec. 2016, Kapkanov fired an assault rifle at Ukrainian police who were trying to raid his apartment.

After that incident, Ukrainian police arrested Kapkanov and booked him on cybercrime charges. But a judge later ordered him to be released, saying the prosecution had failed to file the proper charges. The Justice Department says Kapkanov is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.

The five Russian nationals charged in the case remain at large. The FBI has released a “wanted” poster with photos and more details about them. The Justice Department says it is working with authorities in Georgia, Ukraine and Moldova to build prosecutions against the defendants in those countries.

On April 10, 2019, Nikolov entered a guilty plea in federal court in Pittsburgh to charges relating to his participation in the GozNym conspiracy. He is scheduled to be sentenced on Aug. 30, 2019.

It’s good to see this crime network being torn apart, even if many of its key members have yet to be apprehended. These guys caused painful losses for many companies — mostly small businesses — that got infected with their malware. Their activities and structure are remarkably similar to those of the “Jabberzeus” crime gang in Ukraine that siphoned $70 million (out of an attempted $220 million) from hundreds of U.S.-based small to mid-sized businesses several years ago.

The financial losses brought about by that gang’s string of cyberheists — or at least the few dozen heists documented in my series Target: Small Business — often caused victim companies to lay off employees, and in some cases go out of business entirely.

A copy of the GozNym indictment is here (PDF).


Survey: What should companies do to restore trust post-breach?

The ESET survey of thousands of people in Asia-Pacific (APAC) provides valuable insight into their perceptions of cyber-threats and various common aspects of online security

A full 58 percent of respondents in a recent survey in the Asia-Pacific region experienced a data breach in the past 12 months.

This is just one finding from the ESET APAC Consumer Survey 2018, which was carried out in Hong Kong, India, Indonesia, Malaysia, Singapore, Taiwan and Thailand between October and December 2018. In each country, it gathered input from 2,000 respondents.

Among other things, the survey sought to get a sense of people’s sentiments towards organizations that had suffered damaging security incidents, albeit not necessarily with direct implications for the respondents themselves.

After public trust in a company has been dented as a result of a breach or hack, the best way, according to many respondents, to begin undoing the reputational damage is simple: apologize and come clean on what happened and how it was resolved. This approach was favored by nearly one in every three (32%) people, whereas another 25% said that the key thing the company should do in such a scenario is provide proof that the right precautions are in place to prevent such incidents in the future.

Turning to another issue, the survey found that only three in every ten parents deploy parental controls on their children’s smart devices. That’s despite the fact that such tools can be helpful in ensuring that children only engage with platforms and content that is suitable and safe for their age.

Children, and not only they, may be exposed to a range of threats on social media, most often by sharing too many details of their lives. And this is precisely what many respondents appear to be doing, as nearly one third of them admitted to having shared the kind of information with strangers over social media that might help them commit identity theft or launch social engineering campaigns.

But so as not to end on a downer, almost 80 percent of all respondents indicated that they’re willing to learn and develop a better understanding of cyber-threats.

To be sure, these are just a few morsels of information that can be gleaned from the survey. To learn more about the respondents’ views on these and other issues, you may want to refer to the report itself. It covers a smorgasbord of topics, including password security, accessing the internet on smartphones, safe online shopping, and the implications of our use of social media for privacy and security. The report also provides a bunch of easy-to-apply tips and tricks for your online safety.

16 May 2019 – 06:09PM

Please vote for Naked Security at the European Blogger Awards 2019!

It’s that time of year again.

Please vote for us in the European Security Blogger Awards 2019.

We’re up for an award called The Corporates – The Best CyberSecurity Vendor Blog, and if you think we’re the best, you can have your say on the voting page:

(You don’t have to vote in every category on the list – if all you want to do is vote for us, you don’t have to pick an entry in the other sections as well. Just leave them blank.)

Your vote means a lot to us…

…and you do too!

Naked Security would be nothing without you, our community – so to everyone who reads, listens, watches, comments, votes, likes, and shares our material, thank you so much.

By the way, the reason the Blogger Awards are in June every year is because they’re organised to coincide with the Infosec Europe conference at London Olympia.

The Naked Security team will all be attending Infosec this year, so if you’re in the area from 04 June 2019 to 06 June 2019, please drop in and say, “Hi!” and maybe catch some of the talks on our stand and at the show.

(Duck will be speaking on the stand every day at 14:00, with a bonus appearance at 11:00 on the first day, plus a talk on Cryptography and Malware in the Technology Showcase Theatre at 10:40 on the second day.)

On the door, Infosec tickets are £69, but you can get free entry on us by registering online until 03 June 2019.