Published on November 26th, 2022
Cyber Security Today, Week in Review for Friday, November 25, 2022
Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, November 25th, 2022. I'm Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes Terry Cutler of Montreal's Cyology Labs will be here with commentary on events. But first a review of some of what happened in the last seven days:
A fantasy sports betting website called DraftKings is blaming its users for re-using their passwords as the cause of the theft of US$300,000 from their accounts. Terry and I will discuss if there's more to it than that.
We'll also look at a couple of recent ransomware attacks. And we'll offer advice on safe online holiday shopping.
Also this week, an international police effort has closed the criminal iSpoof website, a service that allowed crooks to make calls that spoofed the phone numbers of business and government officials, as well as to intercept passcodes for two-factor authentication. The site's main administrator was arrested in the U.K. in an operation that also saw the arrests of over 140 people. Authorities estimate victims around the world lost about $160 million from iSpoof's operations.
Separately, police around the world also arrested almost 1,000 suspects believed to have been committing online scams. And they seized $130 million as well. It was done in a combined operation under Interpol, the international police co-operative. While most of the suspects ran voice phishing, romance scams, sextortion and investment frauds, one group was more imaginative: They impersonated Interpol officers, tricking victims into transferring almost $150,000 to them through banks and cryptocurrency exchanges.
Ten people were charged in the U.S. with allegedly being involved in a multi-million dollar Medicare and Medicaid email scam. The con involved sending emails to public and private health insurance programs that looked like they came from real hospitals. The insurers were told to send payments to the hospitals' new bank accounts — accounts that were set up by crooks.
Microsoft warned that a long-discontinued web server called Boa filled with vulnerabilities is still being used in industrial products around the world. That means it poses dangers to millions of organizations. The Boa web server can be found in internet-of-things devices. It's also tucked away in some software development kits. The problem: Microsoft continues to see attackers attempting to exploit Boa vulnerabilities.
Researchers at Palo Alto Networks warned that employees are being tricked into downloading remote management tools under the guise of legitimate software. Using those tools a threat actor finds and copies sensitive data. They send an extortion note to the organization, demanding money or the copied data will be publicly released.
Thirty-four Russian-speaking threat groups are distributing malware capable of stealing passwords and other data. That's according to researchers at Group-IB. In the first seven months of this year alone the gangs infected almost 900,000 devices and stole over 50 million passwords. The malware they use can also steal cookie files, credit card numbers, data from cryptocurrency wallets and passwords for gaming services like Steam, Epic Games and Roblox.
Finally, if you have an internet-connected video camera in or outside your home Canada's privacy commissioner just published advice on how to keep it secure.
(The following transcript has been edited for clarity)
Howard: I want to start with news of the theft of money from subscribers to the DraftKings fantasy sports betting site. DraftKings is an American-based sport and casino betting site that is available in a number of countries. On Monday there were news reports of users noticing funds had been withdrawn from their accounts. One person told a reporter that around the same time his email was filled with spam.
The company told reporters some US$300,000 was withdrawn without permission from user accounts. An official said the company's IT systems weren't compromised. So it believes victims weren't careful creating separate usernames and passwords for DraftKings. Their credentials were used elsewhere, stolen by crooks who then successfully used them on the DraftKings site.
Terry, if true this is another example of people being careless.
Terry Cutler: This is a case of people who don't want to deal with cyber security until it's too late. If this was really a problem with the DraftKings site it would have affected all users. I think we're dealing with about five per cent of their entire user base [affected] because they're worth $6.5 billion. This is a classic password reuse [problem]. If these folks were cyber-educated they would have turned on two-step verification. Ironically, [competing site] FanDuel put out a tweet around the same time saying, "Make sure you change your passwords and then set up two-step verification," because someone was trying to hack their accounts as well. What's interesting is that this is the perfect example of an unrelated third party advising there's a problem. Obviously, if you're dealing with money turn on your two-step verification.
Howard: I wonder if DraftKings also wasn't careful, if one news site reporting on this is accurate, because it quotes a privacy advocate saying that while DraftKings offers two-factor authentication to protect logins from compromise, it doesn't force its subscribers to use it.
Terry: DraftKings says they're going to make victims right [for their losses], but should they really need to reimburse those people that lost US$300,000? Because they should have turned on two-step verification themselves. It's a 60-second fix, but people feel it's inconvenient. My company gets a lot of calls because people's Instagram accounts were hacked. Instagram offers two-step verification as well. But nobody turns it on until they get hacked and try to get their accounts back. All their information's been changed in their profile, all the recovery passwords and all the recovery phone numbers.
Howard: Another news site that interviewed victims that used DraftKings suggests the attackers were able to compromise the smartphones of users who actually did enable two-factor authentication. Somehow their two-factor authentication code went to a different phone. Presumably these were phones that were controlled by the hackers, who were then able to get into the accounts of the players once they had their usernames and passwords and they had the two-factor authentication code. So it seems this was a really sophisticated and targeted attack: First, the attackers researched DraftKings players and they got hold of their passwords — or they got the passwords and then researched the players — and then they compromised the two-factor authentication process in some way. Either they stole the user's token, or they convinced the user's cellphone company to switch their SIM card to a different phone, or perhaps they convinced the DraftKings help desk to change the target's registered cell phone number so that the two-factor authentication code went to a phone that was controlled by the hacker.
Terry: There's a lot of stuff going on here. There's a high probability that the attackers bought a list of basic information, including the security questions, that users may have revealed in a phishing attack. This way they could call up your phone provider and possibly switch your phone from one carrier to another. That's one plausible way. That's why it's very, very important that you activate what's called port protection from your wireless provider … With port protection you have to show up in person to the provider with identification to transfer your account to another phone. There's also the possibility of token stealing. There are so many ways to bypass 2FA. One of the main tactics used right now is a victim receives an email with a phishing link. It goes to a real website, but because of a man-in-the-middle attack your password and possibly two-step verification goes to a bad guy. With one double click the guy can get access to your account. That's why we need to start moving away from SMS text one-time passwords over to an authenticator app for delivering codes.
Howard: This incident involves crooks getting hold of victims' passwords. There was a related story that came out this week from a Singapore-based threat analyst firm called Group-IB. Through their research they found that there are 34 Russian-speaking threat groups distributing malware capable of stealing passwords and other data. They figure that in the first seven months of this year alone gangs infected almost 900,000 devices around the world and stole over 50 million passwords. The malware that they use can also steal cookies, credit card numbers, data from cryptocurrency wallets and passwords for gaming services. This again reinforces the point that for your security every place that you create an account has to have a separate password so you don't get screwed if a hacker steals a password from your email and then tries to use it on your bank site — or use it on your DraftKings site.
Terry: Let's talk quickly about passwords. Your password can be decoded if you chose a really crappy one like John123. Some people have a mindset, "Who's gonna want to hack me? I have nothing of value." You need to start creating an unbreakable password — there has to be a combination of uppercase, lowercase and symbols that's between 16 and 25 characters long. I know what you're thinking: How do you remember a password this long? But if you can think of song lyrics or phrases, that will help you. For example a simple phrase like "Ihadagreatdayatwork!!" could take 10 years to break. If you replace the 'o's in a password with a zero and the 'a' with an @ symbol that password will take 39 centuries to crack. But if an attacker can access your password hash they can do a pass-the-hash attack where they can log in as you without ever knowing your password. That's why two-step verification is key here to stopping password theft attacks.
Howard: So in this DraftKings incident what are the lessons for companies?
Terry: That nothing is foolproof. If we look at how a phishing attack works, hackers are going to try and target a company like DraftKings and use social media networks and other data points to look at who the employees are, maybe some of their players. Then they're going to try and follow them on social media to learn more about their identity, figure out their email address and send a fake message with a link. Perhaps they're going to try and impersonate a colleague or a boss or another player. Once the target opens the message they're at risk because they think they know who the sender is, right? Once the link's been clicked on the attacker has two choices: Steal the victim's credentials or install malware on the PC or their smartphone. Once the hacker has compromised access they're going to use the back door to steal that information. That's usually how it's going to work.
Howard: I also think a lesson for all companies is don't make two-factor authentication optional. Make it mandatory for all of your users.
Terry: I'm actually surprised it's not mandatory now. We've been talking about data breaches and enabling two-step verification for at least 10 years.
Howard: And what lessons are there for individuals out of the DraftKings incident?
Terry: They need to get cyber-aware. There are so many ways you can get hacked, and a lot of times it starts with your password. There are sites you can check to see if your password has been stolen. One is "Have I Been Pwned." It collects lists of stolen email and password combinations. You enter your email address and it tells you if your password has been part of a data breach. Another thing is Google your name to see what personal information about you is on the internet. Type in your first and last name with quotation marks at both ends. You might learn that on the internet you've listed personal things — say, your favourite Disney character, your favourite colour, the street you used to live on — that you use in your password. That's how hackers can guess your password. If you wonder how you can keep up with security, that's one of the reasons why I launched the Fraudster app to help you stay current.
Howard: Let's move on to news item number two: The wave of ransomware attacks continues. This week the city of Westmount, Quebec — which is in your neck of the woods — said it was hit with ransomware last weekend. On Monday the city said it was still assessing the damage but that its email system was offline. It hasn't said anything since. Separately the union that represents Ontario's public high school teachers and teaching assistants has started to notify past and present members that their personal data was stolen in a ransomware attack in May. Several new strains of ransomware were discovered and given names like AXLocker, Octocrypt and Alice. Terry, we know that not all attacks can be prevented but what can you say when once a week we hear about a successful ransomware attack in Canada or the U.S.?
Terry: A lot of the companies we investigate are being misled by the IT department — and I'm saying this based on our experience after doing incident response. After interviewing the upper management it's always, "My IT guys said we don't need antivirus on our Exchange servers because it slows us down," or "My IT guy has it covered." But when we ask who's monitoring your system at 2 a.m. on a Saturday morning … They need to understand that cybersecurity folks are always going to complement IT departments and vice versa. We [cybersecurity] are going to find things that need to be fixed up, and the IT department is going to get it done faster than us because they're in there day-to-day. They need to better understand the threat surface. Remember that saying from GI Joe, "Knowing is half the battle"? It's true. Understanding and managing your threat surface are fundamental steps toward a better cybersecurity program. Attacks are coming to and from your network, at your endpoint and in your cloud. So how are you keeping track of all these attacks and how are you stopping them if you're one IT guy, or have an undertrained and overworked staff? It's very, very difficult.
Howard: The goal of IT and security administrators should be to minimize the damage of a successful attack. Do you sense that organizations in Canada and the U.S. are getting better at this?
Terry: I find that they're not doing enough partnering or outsourcing. IT guys are telling management they don't need cyber security experts, or my cyber insurance will cover me. I think the biggest challenge in IT — and the cyber guys are also facing it — is there's too many tools to manage that were never made to work together. It leaves so many gaps. For example, when we do investigations with healthcare institutions we have to engage four different departments because they all have access to their own software tools. A lot of times they don't have the proper logs. They're missing information. It's a horror show. You need to find a way to holistically manage all of the threat surfaces in your network, your cloud and your endpoints. There's still a lot of old-school thinking that "I just need to have antivirus and a firewall and I'm safe." But with traditional technologies all an attacker has to do is send a crafted email to one of your employees and once he clicks on the link the attacker becomes an insider and bypasses the firewall. If an attacker has bypassed your firewall you need to have a good system, like EDR (endpoint detection and remediation), that will detect someone misbehaving. A lot of times IT guys are overworked so they don't have enough time to stay on top of threats. That's why they need to partner with cybersecurity folks that can help complement them.
Make sure you have good content filtering, including a good email spam filter … We've spoken in previous podcasts about how hackers get into companies and use them as a jump point to email other firms with malware. That email won't be spotted because it's from a legit domain. The last thing I would mention is to make sure you have a good incident response plan in place. You may be down for a minimum of 100 hours if you get hit with a ransomware attack.
Howard: Finally, because Cyber Friday officially starts today, kicking off the Christmas holiday shopping period, listeners need to be encouraged to practice safe online buying. What should they not be doing?
Terry: Don't trust any links or attachments with sales offers that you receive by email, especially from someone you don't know. Scams these days are getting more sophisticated. It's really hard to make a blanket statement like that because a scam can look really legit, like it came from someone you know. Just be wary about always opening up attachments. Always double-check shopping websites before filling out any personal information — is the URL correct? Are there spelling or grammar errors on the site? Do you want to buy something from an unknown company? Make sure to check the reviews before making a decision. There can be fake five-star reviews. Look for really stupid product reviews like, "Great job," or "Keep it up." That's a sign the site may be buying these fake reviews to con you into spending money.
Despite all these warnings there's a chance that you may still fall victim to fraud. So always check your credit or debit card account for unusual or unexpected charges.
Finally, don't use public Wi-Fi, especially at a mall, because a bad guy can set up a fake hotspot that says, "Shopping Mall's Fastest Wi-Fi." If you connect to it the guy can start intercepting your data and he might get access to your passcodes.
Howard: Think about the product that you're buying online and whether you can afford to get scammed by a fake product from a website you don't know. You don't want to buy an expensive watch from a website you've never heard of. But it also applies to buying a pair of Nike running shoes or something as inexpensive as a memory card for a camera if it's easy for someone to substitute a fake or a used item. That's all the more reason to be shopping at a brand name online store, or one that you're familiar with.
Terry: And if you see prices that are so low for a really high end brand, be wary. We've seen expensive Canada Goose jackets advertised for 60 bucks, and a phone book arrives in the box.
For more on safe online shopping see the government of Canada's Get Cyber Safe website and the U.S. Cybersecurity and Infrastructure Security Agency's online shopping tips.
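Terry's advice in the discussion above is to check whether a password has already turned up in a breach before relying on it. The example below, added here and not part of the podcast or of ITWorldCanada's material, shows how a client can do that without ever disclosing the password: it follows the k-anonymity scheme of Have I Been Pwned's Pwned Passwords range API, which is queried with only the first five hex characters of the password's SHA-1 and answers with every known 35-character suffix for that prefix plus a breach count. The network call is replaced by a constructed stand-in responder (fake_fetch_range) so the code runs offline; the breached password "John123" is the one Terry mentions, and its count of 12345 is made up.

```python
"""Offline demonstration of a k-anonymity breached-password check.

Real service: https://api.pwnedpasswords.com/range/<5-hex-prefix>, which
returns "SUFFIX:COUNT" lines. The responder below is a constructed stand-in
for that service, not the real thing; counts are invented for illustration.
"""
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the API's canonical form."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(full_hash: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    if len(full_hash) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach count mapping."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {raw!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the breach corpus (0 = never seen).

    Only the 5-character prefix reaches fetch_range; the suffix comparison is
    done here on the client, so neither the password nor its full hash leaves.
    """
    prefix, suffix = split_for_range_query(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed stand-in for the network call (not the real service) -------
# Only the podcast's example password is marked as breached; the count is made up.
_CONSTRUCTED_CORPUS = {"John123": 12345}


def fake_fetch_range(prefix: str) -> str:
    """Simulate the range endpoint for the constructed corpus above."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("client must send exactly 5 upper-case hex characters")
    lines = []
    for pwd, count in _CONSTRUCTED_CORPUS.items():
        p, s = split_for_range_query(sha1_hex_upper(pwd))
        if p == prefix:
            lines.append(f"{s}:{count}")
    # Two unrelated decoy suffixes, so a miss is not signalled by an empty reply.
    for i in (1, 2):
        lines.append(f"{sha1_hex_upper(f'decoy-{prefix}-{i}')[5:]}:{i}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for candidate in ("John123", "Ihadagreatdayatwork!!"):
        n = breach_count(candidate, fake_fetch_range)
        verdict = f"seen {n} times in breaches" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

A registration or password-change form can call breach_count with a real HTTP fetcher in place of fake_fetch_range and reject any candidate with a non-zero count; the privacy property holds because the server only ever learns a prefix shared by many unrelated hashes.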