At a glance.
- RagnarLocker takes to Facebook.
- Stolen RedDoorz data found for sale on the dark web.
- Magecart sweeps through insecure Magento instances.
- IRS impersonators.
- Zoom's settlement with the US FTC.
Someone should buy Campari a drink.
Imagine scrolling through Facebook and encountering what appears to be a typical ad, but is actually a ransom note from cybercriminals threatening a major liquor brand. According to KrebsOnSecurity, this is exactly what thousands of Facebook users experienced this week. On November 6 beverage purveyor Campari Group stated that the company had suffered a malware attack, but claimed they were uncertain whether any data had been stolen. Three days later on Facebook, ads from the RagnarLocker Crime Group appeared with a message for Campari: “We can confirm that confidential data was stolen and we [sic] talking about huge volume of data” -- two terabytes, to be exact, which Ragnar threatened to publish if Campari did not pay the ransom on time. The ad campaign was traced to a Facebook account belonging to Chris Hodson, a Chicago DJ who confirmed that his account had been hacked. The threat actors used Hodson’s payment info to cover the ad campaign, which reached over seven thousand Facebook users before Facebook discovered it was offering more than DJ services. The incident is still being investigated and Campari was not available for comment.
The incident attracted comment from a number of experts in the security sector. Chris Clements, VP of Solutions Architecture with Cerberus Sentinel, sees it as a further advance in criminal shamelessness.
"Cybercrime groups have no shame in their extortion attempts. They will [use] any and all options available to them to extract whatever money they can from their victims. The use of compromised Facebook user accounts to buy ad campaigns to further harass their victims is novel, but not at all out of character. What this does show is that every online user is vulnerable to compromise and false financial charges should their social media accounts be compromised and used to purchase ad campaigns on the corresponding platforms. Users should ensure that two-factor authentication is enabled on all of their online accounts and that they do not reuse the same password across different websites or mobile applications. Password manager applications can help alleviate the burden of remembering unique passwords across multiple sites or applications but carry their own risk should they become compromised. Still, the benefits of using a password manager usually greatly outweigh the potential downsides."
Chris Hauk, consumer privacy champion at Pixel Privacy, admits to a degree of fascination with how brazen the RagnarLocker hoods have grown.
“While I hesitate to say I am entertained by the creative methods the bad actors of the world are using to pressure companies to pay after a ransomware incident, I will admit I am intrigued. The RagnarLocker gang's hacking of a Facebook account to place ads on the social network publicly pressuring Campari to pay could be a new effort by the bad guys to use what could best be called 'Facebook shaming' to get companies to admit there had been a hack, and to pay up. These moves could bring increased pressure from the customers of affected companies to pay up to protect their data.”
Brian Higgins, security specialist with Comparitech, thinks we'll see more of the same in the not too distant future.
“I’m not surprised to see activity like this from RagnarLocker and would expect more of the same from them and other ransomware actors in the future. It’s well documented that the majority of data breach victims don’t report attacks despite regulatory and statutory obligations to do so. Campari Group may well have reported this attack but criminal organizations will always seek to exert maximum pressure for minimum effort in order to force their victims to pay up. Making their successful attacks public before anyone has the chance to implement an incident response plan is unfortunately an easy way to speed up the process as regulators, law enforcement and customers will all be seeking assurances that things will be resolved to their own satisfaction. That’s an awful lot of pressure for any victim organization and this kind of activity should be factored in to security response protocols as soon as practicably possible. It won’t take long for the criminal community to figure out the benefits and increase their exploitation accordingly.”
Thus gangland comes to Facebook. Should they appear on LinkedIn, they'll have taken a big step forward in professionalism.
RedDoorz database for sale on the dark web.
Singapore-based hotel booking platform RedDoorz was the victim of a data breach in September, and now the stolen data have been posted for sale in an underground souk, reports Bleeping Computer. RedDoorz, which serves more than one thousand Southeast Asian properties, confirmed in September that they had suffered a cyberattack, but the company believed no sensitive user data had been involved. The threat actors released a sample of the data on an online hacker forum, and while it’s true that the database, which contains 5.8 million user records, did not include financial data, the information is more sensitive than RedDoorz initially believed, including as it does user birthdates, contact information, and hashed passwords.
We heard from Chris Clements, VP of Solutions Architecture with Cerberus Sentinel, who sees this story as a good-news-bad-news one:
"The good news is that RedDoorz appears to have used a secure hashing algorithm, bcrypt, to secure user passwords in the stolen database. Secure hashing algorithms like bcrypt make it much harder for attackers to crack user passwords but they aren’t a silver bullet. Although it makes cracking passwords much slower, simple and short passwords can still be cracked relatively quickly.
"The attackers have apparently stolen RedDoorz' complete database, which suggests that the most likely attack methods were insecure configuration or storage of the database, or a web attack such as SQL injection. Insecure configuration or storage can often happen if developers who aren't familiar with security best practices inadvertently expose databases, especially in cloud services.
"To protect themselves, organizations must adopt a culture of security to ensure that software development processes are tightly integrated with their security operations, so that proper security protections are in place not only for the developer's code, but also for the underlying systems and applications it runs on."
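Clements's point that a slow hash is not a silver bullet is easy to demonstrate. The block below is an added example, not code from the page or from RedDoorz: it stores a constructed user table with a salted, slow KDF, then runs the offline dictionary attack an attacker would run against a dumped table. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (an assumption made here because bcrypt needs a third-party package); the iteration count, user names, passwords and wordlist are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Work factor for the KDF. PBKDF2-HMAC-SHA256 stands in for bcrypt here
# (assumption: the page says bcrypt, which is not in the standard library).
# The lesson is the same for any slow, salted password hash.
ITERATIONS = 20_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) the way a stored user record would hold it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack(records: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack: what an attacker does with a dumped user table.

    Each guess costs a full KDF run, so the attacker tries the most common
    passwords first; short, common passwords fall within a handful of guesses
    no matter how slow the hash is."""
    recovered: Dict[str, str] = {}
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                recovered[user] = guess
                break
    return recovered


def cost_ratio(samples: int = 50) -> float:
    """How many times slower one KDF guess is than one bare SHA-256 guess."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(salt + b"guess").digest()
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, ITERATIONS)
    slow = time.perf_counter() - t0
    return slow / fast


# Constructed sample "leaked" table: two weak passwords and one long random one.
LEAKED = {
    "alice": hash_password("123456"),
    "bob": hash_password("password1"),
    "carol": hash_password("T7#v!qZ9pL2wXs4r"),
}
# Constructed top-of-the-wordlist guesses an attacker would try first.
WORDLIST = ["123456", "password", "qwerty", "password1", "letmein", "iloveyou"]

if __name__ == "__main__":
    print("recovered:", crack(LEAKED, WORDLIST))
    print("one KDF guess is ~%.0fx slower than a bare SHA-256 guess" % cost_ratio())
```

Running it recovers alice's and bob's passwords after a total of five KDF evaluations while carol's survives the whole wordlist; the slowdown factor printed at the end is what bcrypt-style hashing buys you, and it only matters when the password is not already at the top of the attacker's list.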
Magecart 12 takes advantage of flawed online shopping platform.
Recent cyberattacks targeting shopping websites built on the online retail platform Magento 1.x appear to be the handiwork of a single team of cybercriminals, reports The Hacker News. The perpetrators, dubbed Magecart 12, have been collaborating for months, likely since a January attack on French ad agency Adverline. More than twenty-eight hundred ecommerce sites were hit by Magecart attacks in September as part of the CardBleed campaign, which exploits Magento 1.x, a platform that reached end-of-life last June and no longer receives security patches. The operation compromises the shopping cart platform and injects JavaScript card skimmers into checkout pages, which harvest customer payment information as it is typed and send it to the attackers' remote server in real time; the loader deletes itself as soon as the skimmer is in place. Merchants have been advised to upgrade to Magento 2, but clearly not every retailer has the means to do so.
The IRS will not call you or email you.
One of the perennial scams fraudsters run is to call or email their marks and tell them that they're in big trouble with the US Internal Revenue Service. (We ourselves have been threatened with jail and worse, and have had little success in appealing to the better angels of the criminals' nature.) The best thing to do is hang up. Hang up on the IRS? Yes, because of course it's not the IRS at all. They're grifters after your money and your personal information. Abnormal Security has a good rundown of recent IRS scams.
James McQuiggan, Security Awareness Advocate at KnowBe4, wrote with this advice: "One of the lures of social engineering scams is the use of fear. Cybercriminals will create an email profile to appear to be from a government agency to help strike fear into the victim. Emails will leverage topics similar to late tax payments or cases entered in court with fake case numbers. In fear of prosecution, the victim will write a check or submit payment to the cybercriminals and, unfortunately, learn when it's too late that it was all a scam." And the IRS won't call or email you; they're not a collection agency. "The IRS and other government agencies will not contact you to request payment through email. If they do, it is usually through certified mail," McQuiggan added.
Colin Bastable, CEO of Lucy Security, points out that some actual IRS schedules can lend some plausibility to the scams:
"To make this scam even more credible, it coincides with the IRS sending out real written demands for outstanding taxes. Tax reporting --and therefore tax payment -- season was pushed back six months, with taxes due October 15th. That sets an “impending event” in place – pay up by November 15th. The scammers know this, just as CPAs know it.
"The IRS is a fearsome beast to contend with, so the scammers get to leverage the trepidation that Americans feel when they receive an email that's apparently from the IRS. By combining heightened emotions with a sense of urgency, the attackers created a powerful call to action. Not to mention that since most likely, more people are going to be behind on their taxes due to the pandemic, the scammers will have an even higher hit rate.
"The emails themselves are ludicrous, of course, but unfortunately someone is going to fall for them.
"It's a good reminder to consumers that they should always be cautious when they receive an email asking for payment. Here are three simple questions to consider:
- "Ask yourself --is the sender really who they claim to be? Start by checking the domain name – it’s easy to miss a one-letter mismatch between the sender’s domain and the company domain.
- "Does the email contain suspicious content? Improper use of grammar or language, multiple spelling mistakes, or a strange layout are all red flags. Hover over any links in the email to see if the links are unusual. If so, don’t click on them!
- "What are they asking me to do? Always be suspicious anytime an email asks you to do something unexpected, such as provide payment info or confidential log-in credentials. Take a closer look at the sender’s address or content and you’ll usually catch the attack.
"With motivated scammers on the attack, consumers need all the help they can get to keep their money in their bank accounts."
So again, hang up the phone; delete the email. These aren't "nice" people, as Medium points out.
Zoom's settlement with the FTC.
Tom DeSot, EVP & CIO of Digital Defense, Inc., thinks the settlement Zoom reached with the US Federal Trade Commission is a harbinger of things to come. “The fines imposed by the FTC are a prime example of the type of actions companies are going to face when they do not take security in their products seriously," he wrote. "Zoom unfortunately ended up being the poster child for how not to handle things when vulnerabilities are found in commercial products.” The settlement requires Zoom to undertake a range of security enhancements to redress issues with user privacy.