At a glance.
- What's actually being bought and sold in the cyber black market.
- COVID-19 contact tracing as a pretext for collecting personal information.
- Zoom's privacy issues.
- Equifax settles with Indiana.
A look at what's being sold in dark web black markets.
Terbium Labs inspected three of the largest dark web souks (The Canadian HeadQuarters, Empire Market, and White House Market) to determine what sorts of data are traded in criminal markets. The researchers found that the most commonly sold categories of listing were, in order:
- Fraud guides ("listings claiming to sell guides and processes") comprised 49% of the material on offer.
- Personal data came second, at 15.6%.
- Nonfinancial accounts and credentials amounted to 12.2% of the trade.
- Financial accounts and credentials comprised 8.2%.
- Fraud tools and templates made up 8%.
- Payment cards comprised 7% of the total.
Fraud guides were the clear leader. That may be surprising, but it's a sign of the commodification of cybercrime: the guides enable people with no particular skill to attempt criminal hacking. Terbium's examples of fraud guides include "how to open a fraudulent account at a specific financial institution, or how to reset an account password without knowing the answers to security questions."
Using COVID-19 checks and tracking as a pretext for stealing personal data.
As public awareness of contact tracing during the coronavirus pandemic rises, criminal attempts to exploit the emergency have moved beyond scams hawking bogus cures and protective gear to social engineering designed to steal personal information. CNBC summarizes some of the ways in which criminals are impersonating trusted public agencies or healthcare organizations with emails telling the victims that they may have been in contact with an infected person. Naturally, the victim is asked to provide a range of personal information, the better to help the authorities track and contain the outbreak. Matt Bennett, Asia Pacific and Japan vice president at VMware Carbon Black, told CNBC that the approach typically works like this: “Basically you receive an email, which says ‘Hey, you’ve been in contact with patient X, we need to determine XYZ about you, please go to this portal.’ I think that’s a common trick we’ve seen in cybersecurity for a while where people leverage one brand or a government agency brand or reputation to trigger what they want to achieve.”
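The lure Bennett describes has a recognizable shape: a sender posing as a health or government agency, a claim that the recipient was exposed, a link to an external "portal," and a request for personal data. The following triage script, an added example and not part of the CNBC report or any vendor's product, scores an email against those signals. The trusted-domain allow-list, the keyword lists and both sample messages are constructed for illustration; a mail-gateway deployment would replace them with the organisation's own health-notice senders and wording.

```python
"""Heuristic triage for COVID-19 contact-tracing phishing lures (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: the only domain this organisation accepts exposure notices from.
TRUSTED_DOMAINS = {"health.example.gov"}

# Constructed keyword lists; tune them to the wording your local agencies actually use.
AGENCY_WORDS = ("health", "ministry", "department", "agency", "hospital")
EXPOSURE_PHRASES = ("been in contact with", "exposed to", "tested positive", "contact tracing")
PII_PHRASES = ("date of birth", "social security", "national id", "passport",
               "bank account", "credit card")
URGENCY_WORDS = ("immediately", "within 24 hours", "urgent")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def score_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the signals, a score and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    low = text.lower()
    link_hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}

    signals = {
        # Display name claims to be an agency, but the address is not on the allow-list.
        "agency_impersonation": any(w in name.lower() for w in AGENCY_WORDS)
        and sender_domain not in TRUSTED_DOMAINS,
        # "You have been in contact with patient X."
        "exposure_claim": any(p in low for p in EXPOSURE_PHRASES),
        # "Please go to this portal" pointing somewhere we do not trust.
        "untrusted_link": any(h not in TRUSTED_DOMAINS for h in link_hosts),
        # The portal wants identity or financial details.
        "pii_request": any(p in low for p in PII_PHRASES),
        # Pressure to act now, typical of social engineering.
        "urgency": any(w in low for w in URGENCY_WORDS),
    }
    score = sum(signals.values())
    # An exposure claim alone is normal for a real notice; it is the combination that matters.
    verdict = "suspicious" if signals["exposure_claim"] and score >= 3 else "allow"
    return {
        "sender_domain": sender_domain,
        "link_hosts": sorted(link_hosts),
        "signals": signals,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample: the lure pattern described in the text.
PHISHING_SAMPLE = "\n".join([
    'From: "Public Health Department" <notices@covid-alerts.example-tracing.net>',
    "Subject: Exposure notification",
    "Content-Type: text/plain",
    "",
    "Hello, our records show you have been in contact with patient X. To complete",
    "contact tracing we need to verify your date of birth and national ID.",
    "Please go to https://portal.example-tracing.net/verify immediately.",
])

# Constructed sample: a notice from the allow-listed agency that asks for nothing by email.
LEGITIMATE_SAMPLE = "\n".join([
    'From: "Public Health Department" <tracing@health.example.gov>',
    "Subject: Exposure notification",
    "Content-Type: text/plain",
    "",
    "You may have been in contact with a confirmed case. Call our hotline to",
    "arrange a test. We will never ask for identity documents or payment by email.",
])


if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGITIMATE_SAMPLE)):
        result = score_message(sample)
        print(label, result["verdict"], result["score"], result["signals"])
```

The verdict deliberately requires an exposure claim plus at least two further signals, so a genuine notice that merely mentions contact with a case is not quarantined; the sender allow-list does most of the work, and the keyword lists only raise the score for mail that already fails that check.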
Zoom's suitability for telework when privacy is required.
More large companies have banned the use of Zoom. TechRadar reports that Siemens has joined Standard Chartered Bank in telling its employees to avoid using the teleconferencing service.
In Zoom's latest move to shore up security, the company has brought in Luta Security to run a revamped bug bounty program. ZDNet observes that Luta's Katie Moussouris has tweeted a greeting to others she indicates are joining Zoom's advisory team. In addition to Alex Stamos, whose appointment has been known for several days, she indicated in a tweet that she'd be joined by, as ZDNet lists them, "privacy expert Lea Kissner (former Global Lead of Privacy Technology at Google), cryptographer and Johns Hopkins professor Matthew Green, and three well-known security auditing firms—BishopFox, the NCC Group, and Trail of Bits."
Forbes offers sensible advice: If data privacy and security are paramount, then no, don't use it. If, however, affordability and ease-of-use are more important than locking down your data, then Zoom isn't a bad choice. So if your office is holding a virtual happy hour, go ahead and Zoom happily. If you need to discuss PII, trade secrets, or classified information, then look elsewhere.
Equifax settles with the state of Indiana.
Equifax settled the Indiana Attorney General's claim that the credit bureau was culpably negligent in the way it handled personal data prior to the major data breach it disclosed in September 2017. Law360 reports that the settlement came to $19.5 million.