Private messages from 81,000 hacked Facebook accounts for sale

By: Andrei Zakharov

Hackers appear to have compromised and published private messages from at least 81,000 Facebook users’ accounts.

The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be sceptical about that figure.

Facebook said its security had not been compromised.

And the data had probably been obtained through malicious browser extensions.

Facebook added it had taken steps to prevent further accounts being affected.

The BBC understands many of the users whose details have been compromised are based in Ukraine and Russia. However, some are from the UK, US, Brazil and elsewhere.

The hackers offered to sell access for 10 cents (8p) per account. However, their advert has since been taken offline.

“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” said Facebook executive Guy Rosen.

“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”

Intimate correspondence

The breach first came to light in September, when a post from a user nicknamed FBSaler appeared on an English-language internet forum.

“We sell personal information of Facebook users. Our database includes 120 million accounts,” the user wrote.

The cyber-security company Digital Shadows examined the claim on behalf of the BBC and confirmed that more than 81,000 of the profiles posted online as a sample contained private messages.

Data from a further 176,000 accounts was also made available, although some of the information – including email addresses and phone numbers – could have been scraped from members who had not hidden it.

The BBC Russian Service contacted five Russian Facebook users whose private messages had been uploaded and confirmed the posts were theirs.

One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode concert, and a third included complaints about a son-in-law.

More: https://www.bbc.co.uk/news/amp/technology-46065796

FIFA admits hack and braces for new leaks

By: Catalin Cimpanu


March 2018 phishing incident pegged as possible origin of latest hack and subsequent data theft.

FIFA officials are bracing for new damaging leaks to be published this week after soccer’s governing body fell victim to a phishing attack.

FIFA President Gianni Infantino admitted to the new hack while talking to the press after a FIFA Council meeting last week in Kigali, Rwanda.

He said that both FIFA, soccer’s global governing entity, and UEFA, Europe’s soccer body, had received hundreds of questions from journalists about subjects only recorded in FIFA confidential documents.

Officials believe that someone at FIFA fell victim to a phishing attack this March, the New York Times reported on Tuesday.

Hackers are believed to have used this entry point to gain access to confidential data, which they have now leaked to Football Leaks, a website that became famous in late 2015 after it started publishing internal FIFA documents revealing the dirty dealings of the soccer player market. The 2015 leak, believed to have been caused by insiders, led to the firing of many FIFA officials and the prosecution of soccer superstars such as footballer Cristiano Ronaldo and coach Jose Mourinho.

The Football Leaks organization has already shared some of the files obtained from the recent hack with news agencies that are part of the European Investigative Collaborations (EIC), which said it plans to publish the new revelations starting this Friday, November 2.

More: https://www.zdnet.com/google-amp/article/fifa-admits-hack-and-braces-for-new-leaks/

Phishing attacks: Why is email still such an easy target for hackers?

By: Danny Palmer

The majority of cyber attacks begin with one simple phishing email. So will it ever be possible to close this door to hackers, once and for all?

Email is incredibly useful, which is why we all still use it. But chief among its downsides (along with getting caught in a group-cc’d message hell) is that email remains one of the most common routes for hackers to attack businesses.

Around one in every hundred messages sent is a malicious hacking attempt. That might not seem like a large figure, but when millions of messages are sent every day, it adds up — especially when it just takes one employee to fall victim to a phishing message and potentially lead to a whole organisation being compromised.

For example, the cyber attack against the Democratic National Committee that led to thousands of private emails being exposed in the run up to the US Presidential election started with just one successful phishing email, while countless espionage and malware campaigns have also gained entry to organisations via an email-based attack.

But if email leaves us so vulnerable to attempts at hacking, why do we stick with it?

“Email is still the main way that two entities who may not have a relationship get together and communicate. Whether it’s a law firm communicating with a business or a candidate applying for a job, email is still the bridge to getting these entities communicating. It’s not going away,” says Aaron Higbee, co-founder and CTO at anti-phishing company Cofense.

As long as email is here, phishing will also remain a problem — and while some phishing campaigns are really sophisticated and based around cyber criminals performing deep reconnaissance on targets, other email-based attacks aren’t so sophisticated — and yet are still worryingly successful.

More: https://www.zdnet.com/article/phishing-attacks-why-is-email-still-such-an-easy-target-for-hackers/


Hackers breached into system that interacts with HealthCare.gov

By: Pierluigi Paganini

The Centers for Medicare and Medicaid Services announced that hackers breached a computer system that interacts with HealthCare.gov.

Hackers breached a computer system that interacts with HealthCare.gov, according to the Centers for Medicare and Medicaid Services; the attackers accessed the sensitive personal data of some 75,000 people.

After experts discovered the intrusion, the system was shut down and the IT staff is working to restore the operation.

“Officials said the hacked system was shut down and technicians are working to restore it before sign-up season starts Nov. 1 for health care coverage under the Affordable Care Act,” reported the Associated Press.

“The system that was hacked is used by insurance agents and brokers to directly enroll customers. All other sign-up systems are working.”

In the US, Barack Obama’s health care law provides private coverage for about 10 million people who, in order to access the service, have to provide extensive personal information, including Social Security numbers, income, and citizenship or legal immigration status.

Starting November 1, people can log in to HealthCare.gov, fill out an application, and enroll in a 2019 Marketplace health plan.

More: https://securityaffairs.co/wordpress/77273/data-breach/system-interacting-healthcare-gov-hack.html

Group-IB: 14 cyber attacks on crypto exchanges resulted in a loss of $882 million

By: Pierluigi Paganini

Group-IB has estimated that crypto exchanges suffered a total loss of $882 million due to targeted attacks between 2017 and 2018.

Group-IB, an international company that specializes in preventing cyber attacks, has estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from the state-sponsored Lazarus group, including the infamous attack on Japanese crypto exchange Coincheck, in which $534 million in crypto was stolen.

This data was included in the annual Hi-Tech Crime Trends 2018 report, presented by Group-IB CTO Dmitry Volkov at the sixth international CyberCrimeCon conference. A separate report chapter is dedicated to the analysis of hackers’ and fraudsters’ activity in the crypto industry.

Crypto exchanges: in the footsteps of Lazarus

In most cases, cybercriminals attacking cryptocurrency exchanges use traditional tools and methods, such as spear phishing, social engineering, distribution of malware, and website defacement. One successful attack can bring hackers tens of millions of dollars in crypto funds while reducing the risk of being caught to a minimum: the anonymity of transactions allows cybercriminals to withdraw stolen funds without putting themselves at greater risk.

Spear phishing remains the major vector of attack on corporate networks. For instance, fraudsters deliver malware under the cover of CV spam: they send an email containing a fake CV with the subject line “Engineering Manager for Crypto Currency job”, or an attachment named “Investment Proposal.doc” with malware embedded in the document.

In the last year and a half, the North Korean state-sponsored Lazarus group attacked at least five cryptocurrency exchanges: Yapizon, Coins, YouBit, Bithumb and Coincheck. After the local network is successfully compromised, the hackers browse it to find the workstations and servers used for working with private cryptocurrency wallets.

More: https://securityaffairs.co/wordpress/77213/hacking/cyber-attacks-crypto-exchanges.html

Cybersecurity isn’t being taken seriously enough: MIT professor

By: Saheli Roy Choudhury

The digital economy is set to unlock tremendous economic value for countries over time. But a common setback for the use of various new technologies is their vulnerability to hackers.

That’s because companies and individuals are not taking cybersecurity seriously, according to Erik Brynjolfsson, director at the MIT Initiative on the Digital Economy and a professor at MIT Sloan School.

The threat of cyber attacks “can be addressed much more effectively than it has been,” he told CNBC’s “Street Signs” at the annual Barclays Asia Forum in Singapore. “I think we’re just not taking it seriously enough.”

Brynjolfsson was commenting on the news that a Google bug exposed the account information of 500,000 users, spurring the tech giant to make a slew of privacy changes and shut down the Google Plus service for consumers.

“The story here isn’t really about Google, it’s about our atrocious cybersecurity — not just in social networks, but in banking or voting systems,” he said. “Whenever I talk to the real cyber experts, they tell me the lights are blinking red, that we’re so vulnerable, and we need to do a lot more to make our information system secure.”

There have been numerous incidents in recent years where technology companies suffered breaches that resulted in user data getting compromised: Uber was fined for a 2016 data breach, Facebook recently discovered a security issue that allowed hackers to access information that could have let them take over around 50 million accounts, and the personal information of millions of Americans was affected in a data breach at credit reporting firm Equifax last year.

Combating cyber threats “boils down to prioritizing at a higher level,” Brynjolfsson said. Some of the fixes are straightforward: For example, he said, two-factor authentication might prevent unauthorized logins and machine-readable paper ballots could make voting systems more secure.

“These small additional steps, they may slow down some of the processes incrementally, add a little bit of cost, a few percent here and there, but they’ll make us tremendously more secure,” he said.

In cybersecurity, he explained, using publicly available cryptography is usually more secure than proprietary systems that are built for specific companies — that’s because the former is extensively tested by the cryptography community.

Digital economies are set to grow as companies spend more money to transform their businesses using technology. International Data Corporation said that in 2018, worldwide spending on digital transformation will shoot past $1 trillion.

More: https://www.cnbc.com/amp/2018/10/09/cybersecurity-isnt-being-taken-seriously-enough-mit-professor.html

Japanese Crypto Exchange Hit by $60m Heist

By: Phil Muncaster

Yet another Japanese cryptocurrency exchange has been targeted by hackers: this time Zaif suffered losses worth 6.7bn yen ($60m) earlier this month.

Virtual currencies including Bitcoin, Monacoin and Bitcoin Cash were stolen from the exchange’s hot wallet, with 4.5bn yen’s worth ($40m) belonging to Zaif customers.

The incident occurred over a two-hour period on September 14, with server issues detected three days later and the authorities notified shortly after. The firm is withholding precise details of the attack while the authorities investigate.

Parent company Tech Bureau has reportedly already been hit with two business improvement orders this year and was subsequently forced to sign an agreement with investment group Fisco that will see the firm receive 5bn yen to help replace the lost coins, in exchange for majority ownership.

This is just the latest in a long line of cyber-attacks on Japanese crypto firms. Most famously, Tokyo-based Coincheck lost $530m worth of virtual currency earlier this year.

That could explain why the Financial Services Authority has created a new regulatory framework for such companies operating in Japan — the first of its kind to do so.

However, regulation is not a silver bullet, according to Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge.

“Digital coins are extremely attractive for cyber-criminals who can easily launder them and convert them into spendable cash, even in spite of some losses due to ‘transactional commissions’,” he said. “Most of these operations remain technically untraceable and undetectable, granting an absolute impunity to the attackers. Thus, cyber-criminals will readily invest into additional efforts to break in, even if security is properly implemented and maintained.”

More: https://www.infosecurity-magazine.com/news/japanese-crypto-exchange-hit-by/

British Airways boss apologises for ‘malicious’ data breach

By: BBC

British Airways’ boss has apologised for what he says was a sophisticated breach of the firm’s security systems, and has promised compensation.

Alex Cruz told the BBC that hackers carried out a “sophisticated, malicious criminal attack” on its website.

The airline said personal and financial details of customers making or changing bookings had been compromised.

About 380,000 transactions were affected, but the stolen data did not include travel or passport details.

“We are 100% committed to compensate them, period,” Mr Cruz told the BBC’s Today programme.

“We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered.”

BA said the breach took place between 22:58 BST on 21 August and 21:45 BST on 5 September. Shares in BA parent group IAG closed 1.4% lower on Friday.

Communication

Mr Cruz also told the Today programme: “We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app.

“We discovered that something had happened but we didn’t know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack.

“The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”

More: https://www-bbc-co-uk.cdn.ampproject.org/c/s/www.bbc.co.uk/news/amp/uk-england-london-45440850

Why crypto investors might want to think twice about giving out their phone numbers

By: Kate Rooney

It’s a familiar scenario.

You forget a password to a website or log in from a new computer, and get locked out of your account. The website or your bank sends a text to confirm it’s you. Most of the time it is.

But the person receiving that text could be a hacker. Criminals are using a method known as “SIM swapping” to take over phone number accounts by duping wireless carriers, and in some cases stealing millions of dollars worth of cryptocurrency.

“In online banking, if someone gets into your account there’s ways to get the money back,” said Kyle Samani, managing partner at crypto hedge fund Multicoin Capital. “In crypto, if hackers get access to your private keys, they own your money and you’re screwed.”

This week, a California man sued AT&T for $224 million after hackers used his number to steal $24 million worth of cryptocurrency stored on an online exchange. The plaintiff Michael Terpin accused AT&T of negligence, and likened it to “a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.”

Terpin is hardly the only one to suffer a hack. The total in cryptocurrency lost by individuals hit $1.6 billion at the end of June, according to CoinDesk’s 2018 State of Blockchain Report.

In order to stop the trend, cybersecurity and industry experts say investors should guard their cellphone numbers with the same paranoia with which they guard their social security numbers.

Swapping digits

Wireless store employees can assign your phone number to any device, with the right authorization. To confirm, they ask for pieces of private information like a birthday or a social security number. But those can be easily accessed for a price.

“Data is being bought, sold and traded on the dark web,” said Aaron Higbee, chief technology officer and co-founder of anti-phishing company Cofense. “If your phone number is of a sufficient age, you’re on a database somewhere.”

While one piece of data like a birthday might not be valuable on its own, combined with your phone number or address it can be used to answer those security questions from a wireless store employee.

After a criminal logs into the person’s email or cryptocurrency account from their own devices, what’s known as “two-factor authentication” sends a text code to the phone number as a form of security, to prevent any sort of unauthorized log in. But because the hacker now controls that phone number, there is no way for the rightful owner to regain control or stop the hack.

This happened to a New York-based venture capitalist who invests in early stage tech companies. He asked not to be named for this story because he did not want to be targeted again, and feared he might egg on the hackers.

He was in his office on Monday when he was suddenly logged out of both his personal and business email accounts. When he turned on his AT&T phone, the device had no signal. Because of his experience in cryptocurrency and the tech world, he recognized it as a SIM swap attack. He immediately called his wireless carrier through Skype, and quickly went to the store to regain access to his cell phone but “not quickly enough.”

“This was the perfect storm,” he said. “If I was on vacation or didn’t know what to do immediately, they would have taken everything in my bank account.”

He was able to regain control of his email but not his Coinbase account. Hackers had already moved the cryptocurrency he held to another account, and had attempted to wire money from his CitiBank account, which was refunded by the bank, he said.

The total amount stolen was roughly $5,000 — which he says is nowhere near the total of his crypto holdings because the rest was stored offline.

More: https://www-cnbc-com.cdn.ampproject.org

Flaws in Pre-Installed Apps Expose Millions of Android Devices to Hackers

By: Swati Khandelwal

Bought a new Android phone? What if I say your brand new smartphone can be hacked remotely?

Nearly all Android phones come with useless applications pre-installed by manufacturers or carriers, usually called bloatware, and there’s nothing you can do if any of them has a backdoor built-in—even if you’re careful about avoiding sketchy apps.

That’s exactly what security researchers from mobile security firm Kryptowire demonstrated at the DEF CON security conference on Friday.

Researchers disclosed details of 47 different vulnerabilities deep inside the firmware and default apps (pre-installed and mostly non-removable) of 25 Android handsets that could allow hackers to spy on users and factory reset their devices, putting millions of Android devices at risk of hacking.

At least 11 of those vulnerable smartphones are manufactured by companies including Asus, ZTE, LG, and the Essential Phone, and being distributed by US carriers like Verizon and AT&T.

Other affected Android handset brands include Vivo, Sony, Nokia, and Oppo, as well as many smaller manufacturers such as Sky, Leagoo, Plum, Orbic, MXQ, Doogee, Coolpad, and Alcatel.

Some vulnerabilities discovered by the researchers could even allow hackers to execute arbitrary commands as the system user, wipe all user data from a device, lock users out of their devices, access the device’s microphone and other functions, access all of the user’s data, including emails and messages, read and modify text messages, send text messages, and more—all without the user’s knowledge.

More: https://thehackernews.com/2018/08/android-app-hack.html