Dollars to doughnuts. Privacy settlements. PII for sale on the dark web. Promethium's targeted spying. Bitcoin scam.

Summary

By the CyberWire staff

At a glance.

Canadian doughnut chain under scrutiny for privacy issues.
UnityPoint Health reaches settlement; deadline approaches for making a claim against Yahoo.
Up to 14 million may be affected by PII for sale on the dark web.
Promethium APT is newly active in the Middle East.
Alt-coin scam exploits privacy failures.

Canadian Privacy Commissioner investigates Tim Hortons.

The popular Canadian doughnut chain Tim Hortons is under investigation by privacy authorities at both federal and provincial levels, the CBC reports, following reports that the company may be improperly collecting customer data. As has so often been the case, the issue turns on monitoring user geolocation. The Financial Post claimed that Tim Hortons was using its app to silently track its users' activities even when the app was turned off, and that the users themselves were typically unaware of the tracking.

Two privacy settlements.

Health IT Security reports that UnityPoint Health after two years of litigation, has reached a $2.8 million settlement over two data breaches it sustained in 2018. A total of 1.4 million patients were affected. The breaches were both induced by phishing.

And, if you were among those affected by the data breaches Yahoo disclosed in 2016 or 2017, Nerdwallet reminds you that you have until July 20th to put in a claim for part of the $117.5 million settlement fund the company established. You could be eligible for up to $358.80, but it's unlikely in the extreme you'd get anything near that amount.

A large quantity of PII, origins unclear, appears on the dark web.

Lucy Security says it's found data from nine-hundred-forty-five websites for sale in dark web souks. Up to fourteen-million victims may be affected. The information includes “usernames, full names, phone numbers, hashed and non-hashed passwords, IP and email addresses as well as physical addresses.” It’s contained in two databases that together amount to roughly a hundred-fifty gigabytes of unpacked SQL files. They were released this month, on June 1st and June 10th. The contents of the databases, and remember they represent material culled from almost a thousand sites, appear to have been procured by different hackers. Investigation is proceeding.

Promethium APT deploys cyberespionage tools against individuals.

The Promethium APT (also known as StrongPity, although that name has also been used for one of the group's tools) is back, ZDNet and others report. This time around StrongPity is active against targets in Turkey and Syria. The latest wave of attacks features new Trojanized installers. It also shows a capability to search for and exfiltrate files from victims’ machines. It’s been employing watering hole tactics to selectively target victims in Turkey and Syria using pre-defined IP list, and it has adopted a three-tiered command-and-control infrastructure that’s enabled it to mask, to a certain extent, its operations and escape forensic investigation.

Promethium is a cyberespionage and surveillance operation believed to have been active since 2012, although it came to public attention in October 2016 with a watering hole campaign against targets in Belgium and Italy. Researchers at Bitdefender and Cisco Talos believe it to be state-sponsored, and that represents a consensus view. Which state does the sponsoring, however, is unclear, and the answer may not be a simple one. Cisco Talos believes, for example, that it's possible that Promethium could be a crew of hired guns, cyber mercenaries working under contract for a nation-state or a set of nation-states. It's had an extensive target list. While Middle Eastern and North African nations have figured prominently among its targets, Promethium has also been active in Europe, Asia, and the Americas. It has recently been implicated in surveillance of Kurdish populations.

Promethium has been known to use both internally developed tools and lawful intercept products in its operations.

A Bitcoin scam with privacy implications.

Group-IB reports a widespread Bitcoin scam that's used the exposed personal data on thousands of victims. The victims are distributed over twenty-one countries, but by far the most have been in the UK and Australia.

Group-IB explained that “Victims’ phone numbers, which in most cases came with names and emails, were contained in personalized URLs used to redirect people to websites posing as local news outlets with fabricated comments of prominent local personalities about [a] cryptocurrency investment platform that ‘helped them build a fortune’.”

The scam begins with an SMS text message with a shortened link, often a message that spoofs a well-known media outlet. Following the link takes the victim to a page tailored to their geographical region; the content purports to be exclusive media content of interest to an alt-coin speculator. The final stage redirects the unwary to enroll in a fraudulent Bitcoin investment scheme.

The losses to people gulled into fraudulent speculation are obvious. Less obvious, but equally real, is the reputational damage the spoofed celebrities and media outlets suffer as their names are hijacked into the service of crime.

Selected Reading

Advanced StrongPity Hackers Target Syria and Turkey with Retooled Spyware (The Hacker News) StrongPity hackers target Kurdish community in Syria and Turkey for surveillance and intelligence exfiltration purposes.

Promethium APT attacks surge, new Trojanized installers uncovered (ZDNet) The hacking group behind StrongPity is ignoring constant exposure by researchers in its quest for global intelligence and surveillance.

StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure (Bitdefender Labs) Bitdefender researchers have recently found the APT group StrongPity has been targeting victims in Turkey and Syria. Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic...

PROMETHIUM extends global reach with StrongPity3 APT (Cisco Talos) The threat actor behind StrongPity is not deterred despite being exposed multiple times over the past four years.

Creepto Cash: personal data of thousands of users from the UK, Australia, South Africa, the US, Singapore exposed in bitcoin scam (Group-IB) Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has discovered thousands of personal records of users from the UK, Australia, South Africa, the US, Singapore, Spain, Malaysia and other countries exposed in a targeted multi-stage bitcoin scam.

945 Websites Hacked – up to 14 Million Potential Victims (Lucy Security) 945 Websites Hacked – up to 14 Million Potential Victims - Lucy Security - Lucy Security AG provides security awareness training and enables organizations to take on the role of an attacker and uncover weaknesses in both technical infrastructure and staff. We improve your IT security towards social engineering, spear phishing and ransomware attacks!

Understanding BlueLeaks (Avast) Law enforcement and public safety agencies share threat information insecurely through a third-party hosting provider that was breached in mid-June.

Cyber attack reported at NMSU Foundation (KRQE News 13) A cyber attack investigation is underway at New Mexico State University. School officials say security personnel noticed unusual activities on the network used by the NMSU…

Dark web fraud: How-to guides make cybercrime too easy (Infosec Resources) Introduction to dark web fraud Dark web fraud constitutes a global information security problem. The widespread availability of how-to guides providing

Evolving Government Data Collection Practices, Explained (Foreign Policy) Part 2: FP Analytics examines evolving government data collection practices and how AI is making this collection more efficient and ubiquitous.

New privacy-preserving SSO algorithm hides user info from third parties (Help Net Security) Researchers developed an SSO algorithm that does not disclose the user's identity and sensitive personal information to the service provider.

Tim Hortons faces probe from privacy regulator after report that mobile app tracks users movements (CBC) Tim Hortons is being investigated by Canadian privacy authorities after media reports raised concerns about how its smartphone app may be collecting and using data on people’s movements as they go about their daily activities.

UnityPoint Health Reaches $2.8M Settlement Over 2018 Data Breach (HealthITSecurity) UnityPoint Health has reached a $2.8 settlement with the 1.4 million patients impacted by two separate phishing-related data breaches, which also requires the health system to upgrade its security.

File Your Claim in the Yahoo Data Breach Settlement (NerdWallet) You have until July 20 to file a claim in the $117.5 million settlement for data breaches at Yahoo. But how much you'll get, and when, is uncertain.