From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times. Bloomberg Businessweek on Thursday published a bombshell investigation alleging that Chinese cyber spies had used a U.S.-based tech firm to secretly embed tiny computer chips into electronic devices purchased and used by almost 30 different companies. There aren’t any corroborating accounts of this scoop so far, but it is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter.
At Defcon, one of the world’s largest hacking conferences, new pressures are reshaping the community’s attitudes toward privacy and anonymity.
LAS VEGAS — Ask any hacker who’s been around long enough, and there’s a good chance you’ll hear an archetypal story, tinged with regret, about the first time his or her real identity was publicly disclosed.
After enjoying years of online anonymity, the hacker known as Grifter was unmasked by a less-than-scrupulous spouse. “Hey, Neil!” his wife called out at him, absent-mindedly, from across a crowded room, while accompanying him (for the very first time) at a hacking conference. “My beautiful wife, she outed me in front of the entire hacker community,” he said with a laugh.
Email is the single most effective and commonplace way of reaching someone in the business world today. Even as other methods of digital communication have come and gone over its 40-year history, email remains the backbone of business communications with 3.7 billion users worldwide collectively sending 269 billion messages every day.
But email’s ubiquity and popularity come at a price: vulnerability. With the growing prevalence and success of targeted social engineering attacks, email continues to be a shockingly easy entry point for cybercriminals. In fact, the FBI’s 2017 Internet Crime Report indicates that business email compromise and phishing drive 48 percent of ALL internet crime-driven financial loss – more than all other business-related internet crime combined. Depending on their form, these targeted attacks are called by a number of names – spear phishing, business email compromise, impersonation, credential theft, etc. – and have a disproportionately large impact on an organization as they gain access to confidential information and intellectual property and, in many circumstances, enable east-west migration attacks that go from email into core backend systems that contain customer data or even financial access.
In its ongoing campaign to build trust through transparency, Google this week released a white paper describing the company’s process for responding to incidents impacting the confidentiality, integrity or availability of customer data.
The paper shows that Google has implemented a four-phased approach for responding to data incidents, which it describes as a breach of Google security that results in the disclosure, alteration or destruction of customer data in its care.
A spate of hacked Instagram accounts. A $220 million lawsuit against AT&T. A bustling underground crime ring. They all have roots in an old problem that has lately found new urgency: SIM card swaps, a scam in which hackers steal your mobile identity—and use it to upend your life.
At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They’re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don’t have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.
Symantec issued a report on Aug. 3 revealing that technical support fraud scammers are using call optimization services to improve their results. The new techniques come as the volume of tech support scams blocked by Symantec continues to grow.
Tech support scams come in multiple forms, including malware advertising where an ad shows up on a user’s screen warning that they have been infected with malware and need to call a certain number to get help. Symantec researchers found that scammers are making use of call optimization services to inject local numbers into malware alerts, as well as providing additional features to improve call delivery.
A story published on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack).
But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale. And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness.
Nearly every web application has at least one vulnerability, according to the 2017 Trustwave Global Security Report, released Tuesday. Of the apps scanned by Trustwave for the report, 99.7% included at least one vulnerability, with the mean number of vulnerabilities in web apps being 11.
In addition to looking at application security, the Trustwave report also includes information on data breaches. The median number of days it took to detect an intrusion dropped to 49 in 2016 from 80.5 days in 2015. However, internally-detected breaches were typically found in about 16 days, a much shorter time period.
The FBI has revised its figure for the total amount of financial losses from business email compromise attacks, as real estate-related scams grow.
Among the most impactful cyber-attacks is business email compromise (BEC), where criminals trick unsuspecting organizations into paying fraudulent invoices.
The FBI has calculated the estimated impact of BEC attacks that it is aware of and has determined that between October 2013 and May 2018, there has been $12.5 billion in global losses. During that period, the FBI has estimated that approximately $2.9 billion has been stolen from U.S. victims.
Check Point’s mid-year cyber-attack report reveals that 42 percent of organizations globally have been hit by crypto-mining intrusions and that sophisticated attacks on cloud infrastructures are growing.
During the last couple of years, cyber-security has been largely about the huge influx of malware flowing through the veins of the internet. The problem hasn’t gone away by any means, but now in 2018 there’s an even larger threat: crypto-mining-specific malware.