This week we have plenty of interesting stories and useful cyber security insights from you. We cover some of the latest crimes – and their outcomes. We consider how security can be made more sustainable. And we look at some of the issues around culture and insider threats.
Keep safe out there.
The personal data of around 100 million Indian MobiKwik users has been put at risk and some is up for sale on the Dark Web. The seller wants 1.2 bitcoin for the personal data of over 3 million people.
Other hackers are using a fake Clubhouse app to distribute malicious Android malware. The spoof of the popular invite-only audio chat app is being used to spread BlackRock malware.
Proving that good things come to those who wait, the co-founder of the Infraud Organisation has been sentenced to 10 years by a US court.
Developing more sustainable business practices is important for all industries, and cyber security is no exception. We have some more thoughts on sustainability in IT and data security.
Getting the best candidates in your cyber team is a challenge. Not everyone you are interviewing will know what to expect. So when you are interviewing security awareness candidates, ask: What do you think this job is?
Insider threats are to be found everywhere, and the legal sector is one area that is particularly prone to them. What are the issues in your industry that create security tensions? Why not let us know by getting in touch with me?
UK education charity Harris Federation has suffered a ransomware attack that shut down its email and telephone systems. NCSC has reported a spurt in ransomware attacks targeting educational institutions in the UK this year with cyber criminals threatening to release sensitive data if a ransom is not paid. Take care – and test your back-ups.
We have rather less sympathy for the online FX broker FBS, who leaked 16B customer records via an unsecured server. (What is it about Elasticsearch servers that means we are constantly reporting stories about organisations that fail to secure them?)
Ubiquiti: We hear that network device manufacturer Ubiquiti have downplayed a massive data breach. A whistle-blower claims that this was to preserve its reputation. Whatever the truth of this claim, we feel that honesty is always going to be the best policy, as early notification protects consumers as well as mollifying regulators. And the truth has a habit of getting out eventually.
UK economy: A £300 million cyber investment in the UK is promised by Viasat who have announced the opening of its state-of-the-art Network Operations Centre and Cyber Security Operations Centre in Aldershot, UK.
Researchers at IT security firm ESET have discovered that cyber criminals have built a fake Android version of the popular invite-only audio chat app Clubhouse and are using it to spread the BlackRock malware to millions of Android device users.
As of now, the Clubhouse mobile application is only available on Apple's iOS operating system. However, cyber criminals have designed a fake Android version that contains malware and can be used for stealing credentials.
In a blog post, the security firm said that the fake Android version of the Clubhouse application was identified by security researcher Lukas Stefanko on a website that has the look and feel of the genuine Clubhouse website. The fake Android application contains a malware trojan named “BlackRock” that can perform a number of malicious activities.
Once deployed, BlackRock can steal credentials for hundreds of online services, including several popular ones. These include well-known financial and shopping apps, cryptocurrency exchanges, social media and messaging platforms like Twitter, WhatsApp, Facebook, Amazon, Netflix, Outlook, eBay, Coinbase, Plus500, Cash App, BBVA, and Lloyds Bank.
“The trojan – nicknamed “BlackRock” by ThreatFabric and detected by ESET as Android/TrojanDropper.Agent.HLR – can steal victims’ login data for no fewer than 458 online services,” ESET said.
According to Stefanko, the fake website used to distribute the fake Clubhouse app mimics the Clubhouse website. Once a user clicks the ‘Get it on Google Play’ link, the app is downloaded directly onto the user’s device, whereas a legitimate website would redirect the user to the Google Play Store rather than directly serving an Android Package Kit (APK).
“Even before tapping the button, there are signs that something is amiss, such as the connection not being secure (HTTP instead of HTTPS) or that the site uses the “.mobi” top-level domain (TLD), rather than “.com” used by the legitimate app. Another red flag should be that even though Clubhouse is indeed planning to launch the Android version of its app soon, the platform is at present still available only for iPhones,” ESET said.
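The indicators ESET lists (plain HTTP, a lookalike ".mobi" domain in place of ".com", and a store button that serves an APK directly instead of leading to Google Play) can be turned into a simple defender-side link check. The following is an added example, not code from the original article or from ESET; the brand domain, the official-store host list and the sample links are constructed assumptions for illustration.

```python
"""Heuristic red-flag scoring for an app-download link (added example).

The brand domain "brand.com", the fake "www.brand.mobi" host and the
official-store host list are constructed for this example, not taken
from the article.
"""
from urllib.parse import urlparse

# Assumption: hosts a genuine "Get it on Google Play" button should land on.
OFFICIAL_STORE_HOSTS = {"play.google.com"}


def split_domain(host):
    """Return (second-level label, tld) for a host such as 'www.brand.mobi'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def download_link_red_flags(url, legit_brand_domain):
    """Return the red flags found in an app-download link.

    legit_brand_domain is the brand's real web domain (e.g. 'brand.com',
    constructed here). The flags mirror the indicators described in the
    article: no TLS, a lookalike top-level domain, a link that fetches an
    APK directly, and a store button that does not lead to the store.
    """
    parsed = urlparse(url)
    flags = []

    # Indicator 1: the connection is HTTP rather than HTTPS.
    if parsed.scheme != "https":
        flags.append("insecure_transport")

    # Indicator 2: same brand label but a different TLD (brand.mobi vs brand.com).
    host = parsed.hostname or ""
    brand_label, brand_tld = split_domain(legit_brand_domain)
    host_label, host_tld = split_domain(host)
    if host_label == brand_label and host_tld != brand_tld:
        flags.append("lookalike_tld")

    # Indicator 3: the link serves an APK directly instead of redirecting.
    if parsed.path.lower().endswith(".apk"):
        flags.append("direct_apk_download")

    # Indicator 4: a "Get it on Google Play" link should resolve to the store.
    if host not in OFFICIAL_STORE_HOSTS:
        flags.append("not_official_store")

    return flags


def scan_links(links, legit_brand_domain):
    """Map each candidate link to its red flags; an empty list means clean."""
    return {url: download_link_red_flags(url, legit_brand_domain) for url in links}


if __name__ == "__main__":
    # Constructed sample links: one lookalike site, one genuine store link.
    SAMPLE_LINKS = [
        "http://www.brand.mobi/downloads/brand.apk",
        "https://play.google.com/store/apps/details?id=com.brand.app",
    ]
    for link, reasons in scan_links(SAMPLE_LINKS, "brand.com").items():
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {link}  {reasons}")
```

The check is meant to run on the final link target (after any redirect), since a genuine store button may pass through the brand's own site before landing on Google Play; treat the flags as a triage signal for awareness content or link-scanning rather than a verdict on their own.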
Once the BlackRock Trojan is installed, it tries to steal credentials using an overlay attack. Whenever a user launches the fake app after downloading it, the malware asks the user to log in to online services, and captures the user's credentials when they are entered. Furthermore, SMS-based two-factor authentication will also not help the user as BlackRock has the ability to intercept text messages as well.
Commenting on the discovery of the fake Clubhouse app, Sam Bakken, Senior Product Marketing Manager at OneSpan, said that “it's important for consumers to default to only downloading mobile apps from official app stores, but even then there's risk. If you're excited about the availability of a new app, chances are you are not alone. Criminals are very good at taking advantage of our anticipation, it's a human vulnerability ripe for exploit.”
“If you're excited about Clubhouse (and others) and surprised by its sudden availability, be careful not to let your guard down. I personally try to avoid clicking any "Get it on Google Play" or "Download on the App Store" links and instead opt for searching those stores directly. This incident highlights the need for three things.
“First, it's time for all financial services apps to integrate biometric authentication. The overlay attacks that steal static usernames and passwords are only becoming easier for criminals to execute. Biometric authentication gives users a way to protect themselves.
“Second, this mobile banking Trojan has SMS-grabbing capabilities and at this point, I view authentication codes sent via SMS as a security threat. Third, time and time again we see evidence that attackers are working hard to cheat mobile banking users.
“Banks can take additional steps to protect their users against overlay attacks and other mobile vulnerabilities and exploits with app shielding, an advanced mobile app security that travels with the banking app to protect the institution and their users against mobile banking threats similar to this one,” he added.
Originally Aired: Tuesday 30th March 2021, 16:00 (BST)
This episode is now available to view on-demand.
Gaynor Rich - Global Director Cyber Security Strategy, Unilever
Gary Sorrentino - Global Deputy CIO, Zoom
Jitender Arora - Chief Information Security Officer, Deloitte
Sudeep Venkatesh - Chief Product Officer, Egress
2020 accelerated the digital transformation of business and that has put a strain on cyber security teams, expanding the attack surface. Now it’s about being able to adapt. For instance, as we move forward, we will probably move permanently to a hybrid home/office environment that is constantly changing. So we will need to flex with that.
One important tool is messaging. We need to be able to explain complex issues in a way that people find easy to digest. You need to hit people at the right time with the right messages.
And you will only do this by working closely with the different functions and understanding exactly what they need – because different functions will have different needs.
In addition, IT and security need to be better integrated into the wider organisation so that it is accepted that the responsibility for security is shared across the organisation.
People have to make decisions about security every day, which means we need people who have been educated to do this. First of all we need to break down the mystique so that people understand that security isn’t just something for specialists. That means we need communication, and this needs to connect with people at a human level – we need to tell people things they can share with friends. Behaving securely shouldn’t be something special. People shouldn’t have to think differently about it at work. Security should be natural for everyone.
Another requirement is for security to be run on a blame-free basis. And this is about security teams having an open door. Because you don’t want people to hide things away. If you have a regular cadence of communication, so people know where to find information, if you give people acknowledgements when they come forward to report security worries, you can be far more proactive about defence.
You have to communicate in a way that is appropriate to both the business culture and the country culture. And having local champions will help here: a tailored approach so that a similar message is communicated, but in a way that’s appropriate for local conditions. That’s true for home working as well. You need to take account of the physical and procedural circumstances of people working from home and understand the additional pressures they may be under.
Working from home we tend to be more informal. And so we forget the normal security behavioural norms. Would people take a photograph of a screen in an office with other people? Probably not. But they might at home. And at home they might text people rather than use email that goes through a corporate security system. So people need to appreciate the extra risks this can create, and understand why they need to revert to the norms of office behaviour when it comes to security.
At home people may well have many devices connected to the internet – phones, TVs, games consoles, even thermostats and cameras. Perhaps the only properly secured device is their work laptop. So that device needs to be secured in the understanding that it may be operating on an insecure network, rather than a secure office network.
At home people may be less wary too. Professionally devised scams may be more effective in an environment where people are more relaxed. But we can’t expect people to be suspicious all the time at home, nor can we expect them to adopt a CISO’s zero trust mentality. All we can do is give them the most important information, delivered in as simple a way as possible.
We can’t assume that what worked in the past will work today. People will use their own devices to access company information. They will work from home more often, and perhaps without telling us. They will use software that is potentially insecure. We need to appreciate this and, instead of trying to force people back into old ways of working, we need to respond to the way people want to work. After all, if they are at home, they are going to be hard to check up on.
Ultimately we all need to remember that the past is gone and it isn’t coming back. People now have two work personas: in the office and working from home. We need to create professional guardrails that protect people wherever they are working. If we accept change and if we are open minded about how people should be protected then we have a chance of succeeding.
Two leading operatives of the Infraud Organisation cyber crime group – one Russian and the other Macedonian – have been sentenced in the U.S. for their roles in various cyber crimes such as identity theft, the use of malware, and the use and sale of compromised credit card data.
In a press release, the Department of Justice said last week that the two members of the infamous Infraud Organisation were sentenced by the District of Nevada to 10 years and five years in prison respectively. Prior to its takedown, Infraud Organisation was a well-organised international cyber crime ring that boasted nearly eleven thousand registered members and routinely targeted financial institutions, businesses, and individuals for financial gain.
The cyber crime group was best known for engaging in the mass acquisition and sale of fraud-related goods and services, including stolen identities, compromised credit card data, computer malware, and other contraband since 2010.
According to the Department of Justice, Sergey Medvedev, who was sentenced to 10 years in prison, was the co-founder of Infraud along with Svyatoslav Bondarenko of Ukraine and played an active part in the organisation from November 2010 until it was taken down by law enforcement in February 2018.
Medvedev actively participated in the Infraud online forum facilitating illegal transactions among Infraud members. He also worked as Infraud’s administrator, handling day-to-day management, deciding membership, and meting out discipline to those who violated the enterprise’s rules.
Marko Leopard, who was sentenced to five years in prison, joined Infraud Organisation in June 2011, offering his services as an “abuse immunity” web hoster to Infraud members who wished to create websites to sell contraband.
Leopard catered to websites offering illegal goods and services, ignoring any abuse reports from internet users. He hosted a number of sites for Infraud members in this fashion, providing the infrastructure that allowed his co-conspirators to profit off of their criminal activities.
DoJ added that the Infraud Organisation operated for more than seven years under the slogan “In Fraud We Trust,” and its members and associates operated worldwide. The organisation was responsible for the sale and/or purchase of more than 4 million compromised credit and debit card numbers amounting to a loss of more than $568 million.
In February 2018, a U.S. court indicted as many as 36 cyber criminals, including Medvedev and Leopard, after it took down the cyber crime ring. The indicted members hailed from the United States, the UK, Russia, Pakistan, Australia, France, Italy, Kosovo, Serbia, Egypt, Moldova, Bangladesh, Ivory Coast, Ukraine, Canada, and Macedonia. In June last year, Medvedev pleaded guilty before the U.S. District Court of Nevada for running Infraud Organisation.
“Dismantling a cybercrime organization like Infraud requires aggressive pursuit of not only those who steal, sell, and use personal data, but also those who provide the infrastructure that allows cybercrime organizations to operate,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division.
“Today’s sentences should serve as a warning to any web host who willingly looks the other way for a quick buck — and that the United States will hold these bad actors accountable, even when they operate behind a computer screen halfway across the world.”
“While criminal operators lurk in the deepest corners of the internet, they ultimately do not escape the reach of law enforcement. We will continue to aggressively investigate, disrupt, and dismantle hidden illegal networks that pose a threat in cyberspace. HSI and our partners are at the forefront of combating cyber financial crimes and illicit activities spread by online criminals looking for financial gain,” said Francisco Burrola of U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI) Las Vegas.
Air Date: Thursday 8th April 2021, 16:00 (BST)
Andrew Aken - Zero Trust Lead Technical Architect, Twitter
John Rouffas - Chief Information Security Officer, Pharos Security
Rob Hornbuckle - Chief Information Security Officer, Allegiant Air
Jason Soroko - CTO of PKI Sectigo
Air Date: Tuesday 13th April 2021, 16:00 (BST)
Jordan M. Schroeder - Deputy MD & Managing CISO, HEFESTIS
Robin Lennon Bylenga - Human Factors Analysis Classification System
Jean Carlos - Group Head of Information Security, Nomad Foods
Richard Cassidy - Senior Director – Security Strategy, Exabeam
Air Date: Thursday 15th April 2021, 10:00 (BST)
Emily Taylor - CEO of OXIL & Editor for the Journal of Cyber Policy
Karl Knowles - Global Head of Cyber | CISO, HFW
James Packer - Head of Information Security, EF Education First
Mike Campfield - VP, GM International Operations and Global Security Programs, ExtraHop
Air Date: Tuesday 20th April 2021, 16:00 (BST)
Mishu Rahman - Director of Cyber Security, BNP Paribas
Reena Shah - Director, Cyber Security Strategy, Culture & Process Optimization, London Stock Exchange Group
Reinhard Hochrieser - VP, Global Product Management, Jumio
Ardie Kleijn - Chief Information Security Officer, Transavia