Pay up or your reputation gets it. Contact tracing abuse. No Robin Hoods here. High rates of data exposure.

Summary

By the CyberWire staff

At a glance.

REvil ups the ante.
Contact-tracing data abused.
Criminals don't in fact have the common good at heart.
High rates of personal data exposure?

Ransomware gang ups its ante.

Grubman Shire Meiselas & Sacks, the attorneys to the stars who were hit by the REvil ransomware gang, have according to Page Six seen a doubling of the ransom REvil wants. The gang's demand is now $42 million, and they say that they will release the information they've stolen if they're not paid within the week. For some reason Lady Gaga seems to be the star client most often mentioned in press coverage of the incident, but REvil says they've taken lots of stuff about President Trump, too, and that they intend to air the President's "dirty laundry" if Grubman Shire doesn't pony up. Granted he may not be as big a star as Lady Gaga, but still, the President's information is probably worth something. Whether they actually have anything on him is open to doubt: sources told Page Six that, celebrity though he may be, and reality TV star that he may have been, President Trump hasn't been a client of the affected law firm.

Contact tracing is not a dating app.

Here's why you might resist sharing personal information even in the cause of public health: data can be abused, and giving someone your contact information can sometimes amount to inviting nemesis into your life. Take this case from New Zealand, as reported by Newshub. A woman in Auckland wanted to buy a sandwich from Subway (as anyone might) and in doing so responsibly filled out a contact form the restaurant presented her (as any restaurant might, during a pandemic emergency). "I had to put my details on their contact tracing form which I didn't think anything of. It asked for my name, home address, email address and phone number so I put all those details down," she told Newshub. The guy who served her gave her the sandwich, but also favored her with lots of unwanted attention via text, Facebook, Instagram, and Facebook Messenger, which made the customer feel "pretty gross." Subway fired the unhappy suitor.

Criminals don't in fact have the common good at heart.

Anyone still willing to take seriously ransomware gangs' claims that they'll restrain themselves during a time of global emergency should consider this: the Wall Street Journal reports that Europol has warned of criminals increasing the rate of ransomware attacks against hospitals providing urgent care during the pandemic. This is as economically rational as it is morally depraved: the hospitals are more needed than ever, and the reliability and availability of their data are more important than ever, which the criminals calculate will make them all the more likely to pay a hefty ransom.

The underworld is also paying attention to how it crafts its phishbait. Proofpoint has found a number of templates in circulation that help criminals craft more convincing spoofs of government messages, especially messages involving the emergency relief programs so many of those in economic trouble find themselves hoping to use for a leg up, out of their difficulties. The templates are most often used in credential-harvesting scams.

High rates of personal data exposure?

A study by Interest looked at significant data breaches and concluded that the average American had personal data stolen or exposed at least four times last year. Social media sites like Facebook were responsible for most of the exposed data. Warren Poschman, senior solutions architect at comforte AG, shared these observations with us in an email:

"Unfortunately, there is no guarantee that even a perfect security program will prevent every breach. With an increasing attack surface, classic perimeter defense is becoming more and more useless. And in the face of these emerging threats, consumers still expect their personal data to remain protected. Often organizations only discover backdoors and other vulnerabilities long after hackers have already used them which is too late. Therefore, the most effective way to reduce the risks associated with breaches is to protect the sensitive data itself, while making it useless for attackers. A data-centric security approach helps organizations deploy data protection focused on security and maintaining privacy with technologies like tokenization and format-preserving encryption."

Selected Reading

Vint Cerf suggests GDPR could hurt coronavirus vaccine development (Register) Essay on role of internet during plague times also suggests online schooling may not be the finished article

Boost for contact tracing app as Isle of Wight pilot achieves more than 50pc take-up (The Telegraph) Hopes of delivering an effective contact tracing programme appear to have been given a boost after the pilot of the new NHSX app achieved more than 50 per cent take-up.

Faulty contact-tracing app would ‘risk spreading the virus’, NHSX advisor warns (The Telegraph) Sir Jonathan Montgomery, chair of NHSX's advisory board, warned the app could give people 'false negatives'

Secret details on NHS contact tracing app left open to public in security blunder (The Telegraph) Details of the future plans for the app were inadvertently left public on Google Drive

()

Most Americans are not willing or able to use an app tracking coronavirus infections. That’s a problem for Big Tech’s plan to slow the pandemic. (Washington Post) Nearly 3 in 5 Americans say they are either unable or unwilling to use the infection-alert apps under development by Google and Apple, suggesting a steep climb to win enough adoption of the technology to make it effective against the coronavirus pandemic, a Washington Post-University of Maryland poll finds.

Criminals boost their schemes with COVID-19 themed phishing templates (Help Net Security) Phishers are incessantly pumping out COVID-19 themed phishing campaigns and refining the malicious pages the targets are directed to.

Hackers Change Ransomware Tactics to Exploit Coronavirus Crisis (Wall Street Journal) Cyber criminals have adapted their ransomware tactics during the coronavirus pandemic, setting their malware to launch more quickly once inside the networks of health-care providers and other companies.

Fresh Twist for Pandemic-Related Phishing Campaigns (BankInfo Security) Fraudsters are honing their phishing emails tied to the COVID-19 crisis, using fake messages about business continuity plans and new payment procedures to spread

This new, unusual Trojan promises victims COVID-19 tax relief (ZDNet) QNodeService’s codebase may have helped it avoid detection by traditional antivirus solutions.

When we need it most, healthcare is still being hit hard by ransomware (Armenian Reporter) The Fortune 500 for-profit managed healthcare and insurance coverage agency Magellan Health was hit by a ransomware assault this week. The American outfit

Interserve hit by cyber attack as hackers target hospital construction firms (CityAM) Outsourcing group Interserve has been left reeling from a cyber attack earlier this month as criminals target construction firms involved in the UK’s coronavirus response.

Covid-19 lockdowns push organised gang crime online says UK’s top cyber cop (SC Magazine) Organised criminal networks have been forced online to find new sources of cash because transporting drugs and committing robberies have become almost impossible, a chief constable says.

Woman stalked by sandwich server via her COVID-19 contact tracing info (Naked Security) She wanted a sub, not Facebook, Instagram and SMS come-ons from the guy who served her and intercepted her contact-tracing details.

Hackers who stole files from a law firm to stars like Lady Gaga and Drake doubled their ransom to $42 million and threatened to release 'dirty laundry' on Trump (Business Insider) Grubman, Shire, Meiselas and Sacks was recently the target of a hack by a group called REvil, which is attempting to random the information.

Ransomware Gang Demands $42M or it Releases Trump’s ‘Dirty Laundry’ (Cointelegraph) The ransomware gang responsible for stealing almost 1TB of legal secrets from celebrities and entertainers last week is now targeting the President

The Average American Had Personal Information Stolen at Least 4 Times in 2019 (Interest.com) Over the past decade or so you’ve probably noticed the increasing frequency of major data breaches around the world. There have been at least 200 documented data breaches since 2005, and the number of records exposed is only on the rise as more folks move their lives online. With more people transitioning facets of their …