Digital Identities: I Have One For Sale

Via RSA:

The term digital identity is so suiting to who we really are online.  Think about the accounts you log in to on a regular basis, the activities you perform each day, the way you communicate with others…most of our lives are digital.  In a research study by Harris Polls (commissioned by RSA) on digital identities, the most popular online accounts for consumers are email, financial and banking, and entertainment/shopping.  And on average, they access these online accounts from two different digital devices.  But what does a digital identity really mean?

I like to think of myself as an average consumer/online user so let’s take a look at what I consider to be my digital identity – and perhaps make you think a little more about yours.

My financial identity.  My financial identity is the one I treasure most.  I mean seriously, if a hacker takes over my bank account and steals the money in it, I’d be lost.  While my bank would ultimately reimburse me for fraudulent transactions, that could take days or weeks.  How would I pay my bills, buy food or gas – and my daily iced coffee?  But your financial identity goes well beyond just your bank account or credit cards.  We attribute our financial identity just to those two areas because we use or access them almost every day.  However, what about your stock account, 401k, payroll information?  Or if you’re like me, you have a flexible spending or healthcare savings account you use to submit claims for childcare and medical expenses.  As you can see, your financial identity extends well beyond just your bank account.

My personal identity.  The two things I associate most with my personal identity are my personal email and social networking accounts.  I hardly use personal email much anymore, but for most things you sign up for, you have to submit an email address.  That’s probably the reason I maintain one as I can’t have my credit card statements or utility e-bills coming to my work email.  Then we share our personal lives and moments with friends and family on social networking sites such as Facebook and Twitter.   Most don’t realize the value these simple accounts hold to a criminal or hacker, but they do.  For example, many online service providers notify you via email of changes on your account so if a hacker had access to your email, they could go in and delete the notifications so you wouldn’t be suspicious.  Trust me, this happens all the time!

My entertainment/shopping identity.  I do a majority of my holiday shopping online. The deals are usually better and frankly, I just can’t stand the holiday crowds.  Then I have my kids who always seem to want the craziest or rarest things that you just can’t find in a regular store (One word to parents of little boys and you will understand: Minecraft).  I also book a lot of activities online, purchase tickets to shows, and plan my travel among other things.  So I probably have at least two dozen various entertainment/shopping online identities that I use or have used in the past (and that list keeps growing because of Groupon).

My online gaming identity.  Well, this one could have gone under my entertainment identity, but I decided to make it its own category as a reminder to myself that I need to get a life and stop playing Candy Crush Saga.  I’m on Level 270 – and there is no end in sight.  Yes, this is my “You need a life” alert.

My online dating identity.  Now this is the one for sale.  While identity theft is hardly a laughing matter, I will gladly let any data thief steal this one.  I never thought I could hate one of my own digital identities, but this one has got to go. Data thief steals online dating identity and handsome, emotionally available man steals my heart.  Oops, I think I fell into daydream mode for a brief moment there.

Back to reality now.  What made me ultimately realize the depth of my own digital identity occurred the other day when I went online to order my son’s pre-K pictures.  I had to create an account with a username and password, and it made me ask myself, “How many times have I ever done this in my life for an ‘account’ I will probably only ever use once?”  According to the Harris research, the average adult creates about two new online accounts every year, but I think it’s many more than that.  We just don’t realize it because many are “one-time use” accounts – like the one I had to create to order my son’s school pictures.  The problem is that we are likely using the same usernames, email address, and passwords that we use to log in to our everyday accounts like our online banking account.  The reality and the risk: most small merchants don’t have the same security in place to protect your personal information that Amazon does.  And with small merchants such a high value target for cybercrime, just one small breach could translate into your digital identity being compromised across multiple sites you access every day.

Be mindful every time you are asked to create an online account.  If it is one that will be used only once or rarely, give yourself a very unique username and password.  And then just for general online hygiene, also make sure you change the passwords to your major online accounts on a regular basis (about every 90 days).

read more

Don’t be fooled by these common social engineering attacks

Via RhinoSecurityLabs:

Ever wonder how hackers get a foothold in big corporations who spend millions of dollars on security? Instead of attacking the technology, they often target employees, tricking them into providing access.

Some of these techniques are advanced and require a lot of skill and practice. But the most common social engineering attacks are simpler to pull off than you might think.

“This is the helpdesk…”

An oldie but a goodie, attackers masquerading as helpdesk employees remains one of the most common social engineering attacks.

An example of this kind of attack might sound a bit like this:

“Hello, this is the Kenny with the helpdesk. We’re going to be doing some PC maintenance tonight and I needed to get your password to make sure everything is ready to go for you when you get back in the office tomorrow.”

It’s surprising how often this technique works. As a matter of convenience, some IT helpdesks place legitimate phone calls like this and lull users into it being a common, acceptable procedure.

A well-run, security-conscious helpdesk will never ask users for their passwords. Establishing this as a policy and providing end users with training on how they should handle their passwords will go a long way towards preventing this type of social engineering attack.

Ransomware

Have you ever received a pop-up in the corner of your screen that said something like “Your computer is infected. Click here to begin removal.”?

Once you clicked on the message you were taken to a screen that outlined some details of the “infection” and how you could solve the problem by paying a fee. Maybe you even followed through and provided your credit card information.

Ransomware is normally targeted at individual consumers, but often takes the form of blackmail when targeted at a business’ employees. More targeted ransomware might claim “We’ve found illegal pornography on your computer.” or something similarly embarrassing.

In addition to credit card information, these attacks might also capture username’s and passwords or pull the employee into a one-on-one conversation with an attacker who forces them to take some action under the threat of blackmail.

While solid anti-malware controls can help prevent ransomware infections, the best defense is to train employees on how to differentiate between legitimate and illegitimate system messages, noting that whenever they are unsure of what they’re seeing, they should contact the helpdesk.

Social media

Facebook and other social media platforms provide a great avenue for social engineers to collect information about their corporate target and plan out their attack.

Maybe you get an invitation to connect on LinkedIn that looks a little like this:

“Hey, I just started working at Trask in the executive office and am trying to connect with other people who work here. Would you mind adding me?”

Once you connect with this person they are able to see all of your professional connections and any details you’ve added to your social media profile. This information can be used to build out an organizational chart they will use in their attack or might provide a direct avenue to attack.

The attacker may start a longer conversation with you over social media that turns into a friendly relationship. Once that relationship matures a bit, you might get a message like:

“OMG! My login won’t work and the helpdesk isn’t answering. I’m supposed to finish this report for Dave (the CEO) but need to be on the network to get the info I need. Can I borrow your VPN login? It would really save my butt.”

It might sound silly, but this technique works time and time again. It’s become especially effective as younger generations, who are more comfortable developing relationships with people they might never meet in the physical world, enter the work force.

Again, training is key to making sure employees know how they might be exploited to attack their employer.

read more

Criminal Underground is a Sophisticated Metropolis, with Stores, Education, and Law & Order

Via InfoSecurity:

“Shadowy hacker underworld.” “Dark Web.” “Underground cyber-forum.” These are the phrases that get bandied about referring to those dark corners of the internet where cybercriminals publish their malware, espionage campaigns are hatched and hacktivist manifestos are discussed. The verbiage is decidedly DIY. But new research suggests that these cyber black markets are hardly makeshift affairs: rather, they account for a mature and growing multi-billion-dollar economy with a robust infrastructure and social organization.

The report from RAND Corp. found that these black markets, like any other economy, react to market forces like supply and demand, and continue to evolve. Likening it to a thriving metropolis, RAND found significant levels of economic sophistication, reliability, accessibility and resilience in the products, distribution channels and actors involved in the black markets.

“The security industry, government and legal communities must come together to establish new norms for how companies can more vigorously defend themselves against cyber-attacks,” said Nawaf Bitar, senior vice president and general manager of the security business for report sponsor Juniper Networks, in a statement. “We must address the root cause behind the accelerated maturation of the cyber-crime market – the very economics that drive its success. By disrupting the economics of hacking we can break the value chains that drive successful attacks.”

The mainstream economic hallmarks of the cybercriminal shadow-land are myriad. For instance, there are storefronts, where data records, exploit kits and goods are bought and sold – and like other forms of e-commerce, the customer service elements range from instant messaging chat channels and forums to sophisticated, multilayered shopping cards. RAND found some organizations can reach 70,000 to 80,000 people, with a global footprint that brings in hundreds of millions of dollars. Those dollars are most often used in the form of digital currency, like Bitcoin, Pecunix, AlertPay, PPcoin, Litecoin, Feathercoin and Bitcoin extensions such as Zerocoin. RAND in fact found that many criminal sites are starting to accept only digital crypto currencies due to their anonymity and security characteristics.

There’s also a service economy – RAND said that not only goods, but criminal services are available for purchase. These tools, sold on the black market as traditional software or leased like any other managed service, can help enable the most unskilled hackers to launch fairly elaborate and advanced attacks. For example, RAND found botnets, which can be used to launch a Distributed Denial of Service (DDoS) attack, are sold for as low as $50 for a 24-hour attack.

The underweb also has a hierarchy of power. Much like a legitimate business, RAND found it takes connections and relationships to move up the (cyber) food chain. Getting to the top requires personal connections – and those at the top are making the lion’s share of the money.

Shockingly, there really does appear to be honor among thieves. RAND found many parts of the cyber black market that are well structured, policed and have rules like a constitution. In addition, those who scam others are regularly banned or otherwise pushed off the market. And, even the criminal cyber black market has criminals. Known as “rippers,” these specific bad guys do not provide the goods or services they claim.

There’s education and training too. RAND identified widely available tools and resources on the black markets that teach criminals how to hack, including instructions for exploit kits and where to buy credit cards. This access to training has accelerated sophistication, a broader set of roles and has helped facilitate entry into the hacker economy.

As far as who populates the underground, the research showed that there’s significant diversity. Cybercriminals from China, Latin America and Eastern Europe are typically known for quantity in malware attacks, while those from Russia tend to be thought of the leader in quality.

RAND also found areas of expertise and focus among different countries. Many Vietnamese criminal groups, for example, mainly focus on ecommerce hacks. Cybercriminals from Russia, Romania, Lithuania and Ukraine focus on financial institutions. Many Chinese cybercriminals specialize in intellectual property. And US-based cybercriminals primarily target US-based financial systems. In addition to a diverse set of cybercriminals, RAND said that there’s now more cross-pollination between these groups than ever before.

Bitar said that security personnel need to take a realistic view of the enemy and react accordingly. “We must never lose the moral high ground, however, so we cannot go on the offensive and hack back, but we can no longer remain passive,” Bitar said. “By using forms of active defense such as intrusion deception we can identify, thwart and frustrate attackers. Active defense is a promising and exciting approach for addressing the rapidly evolving threat landscape.”

read more

How Social Engineering Attacks Target Web Hosting Support Staff

Via TheWhir:

As DDoS attacks and malware become increasingly complex, there is another type of attack that doesn’t rely on much technology, aside from maybe a phone or email, and is just as dangerous.

Called social engineering, this type of attack relies on manipulation and human error, tricking victims or their service providers into turning over sensitive information that could be used to access hosting or other online accounts.

“When a lot of people think security attack the first thing on their minds is decrypting data or software viruses, but the vast majority of attacks, and the biggest flaw that we have in software security, are people. We’re capable of making decisions, and we’re quite capable of making bad ones,” Kevin Jones, chief security officer for Thycotic Software, a Washington, D.C-based company that specializes in IT management software tools for system administrators said.

An example of a security incident involving social engineering happened recently, when an attacker was able to impersonate a PayPal employee, get the victim’s credit card information, and use it in a social engineering attack on GoDaddy and Twitter.

“As most attacks we’ve seen recently, it involved a lot of social engineering, which has become an increasingly persistent form of attacks,” Jones says.

The attacker was after the single-character Twitter handle @N belonging to software developer Naoki Hiroshima. In order to get to the Twitter account, the attacker got the last four digits of the victim’s credit card by impersonating a PayPal employee. He then called GoDaddy as Hiroshima, saying he lost his credit card but he remembered the last four numbers. GoDaddy support let him take over the account with just those last four digits, not a typical authentication means for the hosting company.

“Based on what GoDaddy has said in the past, they don’t really do that. That’s not one of their normal authentication means to confirm a user’s identity,” Jones says. “The other thing was the GoDaddy employee also requested the first two digits of the credit card, and most credit cards almost always start with the same four digits because they are used to identify who makes the card.”

According to a report by PCWorld, GoDaddy said the attacker was “already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy” and “the hacker then socially engineered an employee to provide the remaining information needed to access the customer account.”

“GoDaddy didn’t have a strictly enforced policy on how they’re going to identify who their customers are. Based on what GoDaddy said, that particular GoDaddy support engineer kind of stepped out of their bounds on what they were and were not allowed to do,” Jones says.

GoDaddy said it is “making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques,” according to a statement.

Once the attacker was in the account, he was able to take control of his PayPal, hosting account, and his email. The attacker eventually seized the victim’s Facebook and Twitter. Hiroshima got access back to his GoDaddy account, but only got his Twitter handle back a couple weeks ago.

“The GoDaddy incident is not unique. It’s certainly very prominent because of who the companies are the parties involved, and the owner of the Twitter handle that was compromised,” Jones says.

For hosting providers, the PayPal-GoDaddy incident sheds some light on the potential gaps in terms of account authentication and making sure support staff are trained to understand how to deal with social engineering attacks.

“As someone that would work with a web hosting company one of my immediate concerns would be what are you doing to identify your customers and ensure that my data is really my data and it really stays with me?” Jones says. “How are you training your support engineers, and how are you renewing and validating things that they are or are not supposed to do? If I were to do business with a web hosting company these would be some of my first questions.”

Jones says that customers should ask their web hosts about their training policies around protecting data and how they ensure they don’t get violated.

“Another thing a web host can do is this employee at some point was able to reset or send a reset code to the attacker. In order to do that the employee must have had some kind of access to a system. Internal auditing is going to be the really key thing there,” Jones says.

“As a web hosting company I would want to make sure I have in place is some sort of irrevocable means  of identifying who you are. If i’m able to provide you a non-variable security pin then that at least can confirm that somehow I have some sort of information for this account, and then we can  open a dialogue and resolve these kinds of situations. Really, the best kind of way to resolve these kinds of breaches is to have a conversation with a human.”

read more

Sally Beauty Confirms Card Data Breach

Via KrebsOnSecurity:

Nationwide cosmetics and beauty retailer Sally Beauty today confirmed that hackers had broken into its networks and stolen credit card data from stores. The admission comes nearly two weeks after KrebsOnSecurity first reported that the company had likely been compromised by the same criminal hacking gang that stole 40 million credit and debit cards from Target.

The advertisement run by thieves who stole the Sally Beauty card data.

The advertisement run by thieves who stole the Sally Beauty card data.

Previously, Denton, Texas-based Sally Beauty had confirmed a breach, but said it had no evidence that card data was stolen in the break-in. But in a statement issued Monday morning, the company acknowledged it has now discovered evidence that “fewer than 25,000 records containing card present (track 2) payment card data have been illegally accessed on our systems and we believe have been removed.” Their statement continues:

“As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation. As a result, we will not speculate as to the scope or nature of the data security incident.”

“We take this criminal activity very seriously. We continue to work diligently with Verizon on this investigation and are taking necessary actions and precautions to mitigate and remediate the issues caused by this security incident. In addition, we are working with the United States Secret Service on their preliminary investigation into the matter.”

On Mar. 5, this blog reported that hackers appeared to have broken into Sally Beauty’s network and stolen at least 282,000 cards from the retailer. That conclusion stemmed from purchases made by several banks at an archipelago of fraud sites that have been selling cards stolen in the Target breach. The first new batch of non-Target cards sold by this fraud network — a group of cards marketed under the label “Desert Strike” — all were found by three different financial institutions to have been recently used at Sally Beauty stores nationwide.

 

In a FAQ that accompanies today’s announcement, Sally Beauty declined to speculate whether data from its online stores was compromised, but stressed that so far the breach is known to involve “card present” data — specifically the data stored on the magnetic strip on the backs of cards. Thieves prize this data because it allows them to create counterfeit cards and use them to go shopping in big box stores for high-priced merchandise, gift cards and other items that can be resold quickly for cash.

In a fascinating and timely development, the main fraud shop that has been selling cards stolen in the Sally Beauty breach — rescator[dot]so — was recently hacked, its entire database of customers’ (read: fraudsters) usernames and passwords dumped online. Then, sometime on Sunday, the site’s homepage was defaced, with a message to this author and to the proprietors of the fraud shop:

The site principally responsible for selling Sally Beauty cards -- as well as millions of cards stolen from Target -- was defaced this weekend.

The site principally responsible for selling Sally Beauty cards — as well as millions of cards stolen from Target — was defaced this weekend.

read more

Bitdefender Warns Of New Facebook Scam

Via HotforSecurity:

More than 1,000 people have been tricked into installing a Trojan after clicking on a new Facebook scam that promises naked videos of their friends. According to Bitdefender Labs, the countries with the most detected infections are Romania, the UK, Italy, France and Germany.

The scam has just started to make rounds on the social network and can multiply itself and tag users’ friends extremely quickly. Over 6,000 .tk websites have been registered for malicious purposes. To avoid detection, cyber-criminals vary the scam messages from “user’s name private video” to “user’s name naked video” or “XXX private video”. Malware writers can also redirect users to fake surveys or toolbar, video and converter downloads.

Scam Promises Naked Videos of Facebook Friends, Drops Trojan Instead, Bitdefender Warns

When clicking the link that promises videos of their friends naked, users are redirected to a fake YouTube website where a “FlashPlayer.exe” file deploys a Trojan. The malware installs a browser extension capable of posting the scam on users’ behalf and stealing their Facebook pictures.

“Adobe Flash Player has crashed, please update to the latest version,” the fraudulent web page reads.

Scam Promises Naked Videos of Facebook Friends, Drops Trojan Instead, Bitdefender WarnsTo increase the infection rate, the malware has multiple installation possibilities. Besides the automated and quick drop on the computer or mobile device, it also multiplies itself when users click the fake Adobe Flash Player update.

To make the scam more credible, cyber-criminals faked the number of views of the adult video. Over 2 million users have allegedly clicked on the infected “YouTube” link. To add another touch of realism, the malware creators also added a message that the video is “age-restricted” based on “Community Guidelines.”

Scammers also fake the date they uploaded the malicious video by making it current. Bogus Flash Player installers have been infecting users on Facebook and Twitter for a couple of years.

Scam Promises Naked Videos of Facebook Friends, Drops Trojan Instead, Bitdefender WarnsThe malware is detected by antivirus software provider Bitdefender as Trojan.FakeFlash.A (Trojan.GenericKD.1571215), while the fake YouTube link is marked as a fraudulent attempt. For maximum protection, the Bitdefender free application Safego also alerts users about the naked video scam circulating on the social network.

read more