Lessons from the hack of officials in Moldova, a different phone scam and a warning about an abandoned web server.
Welcome to Cyber Security Today. It’s Wednesday, November 23rd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Hacked text messages of the defence advisor and the Justice Minister of the government of Moldova in Eastern Europe are being leaked by threat actors. Why should you care? Two reasons: First, the officials were using the free Telegram Messenger service. In a commentary John Pescatore of the SANS Institute said this incident shows the risk to any senior executive, board member or politician who talks business over apps that have “zero revenue” models, or get revenue through sponsored messages. Second, the government says some of the leaked messages were grossly modified from the originals. Which means the risk is not merely eavesdropping but the issuing of fake messages that may destroy the reputation of your organization. You get what you pay for, and if you pay nothing that may be the level of security.
I’ve talked before about employees falling for email scams that don’t initially involve clicking on a malicious link. The email message claims their credit card has been charged for a service or that they owe money for software on their computer. It’s an excuse to make the victim phone a supposed call centre to cancel the charge. A phony support person then convinces the victim to download malware, supposedly to pay the charge or remove the software. The tactic is known as callback phishing, and researchers at Palo Alto Networks have issued a report on the latest version crooks are using. The difference with this campaign is that the victim is persuaded to download remote management tools, which let the threat actor hunt around the corporate IT network and copy sensitive data. Using legitimate tools is a way to avoid being detected. The threat actor then sends an extortion note to the organization, demanding money or the copied data will be publicly released. One defence against this scam is security awareness training for employees. They need to be taught to be cautious of messages that create fear or a sense of urgency. They also need to be warned not to download anything unless it is approved by the IT department.
A long-discontinued web server filled with vulnerabilities is still being detected around the world, posing dangers to millions of organizations with devices that use it. According to Microsoft, the Boa web server is still being used by makers of internet-of-things devices for management consoles as well as makers of some software development kits. Microsoft continues to see attackers attempting to exploit Boa vulnerabilities. Because this application isn’t being updated, Microsoft urges IT and security administrators to patch everything else whenever updates are available, and limit the number of IoT devices that connect to the internet.
Here’s another example of how threat actors quickly shift to new tactics when they are exposed. In July researchers at a company in Finland called WithSecure put out a report on a criminal campaign it calls Ducktail. Its goal is to hijack the Facebook Business accounts of companies to install malicious ads. After the alert the digital certificate allowing the malware to be signed was revoked and the gang went quiet. But it’s come back, using digital certificates bought from other sources, as well as other tricks to evade detection. One way companies can protect themselves against this attacker is to toughen defences against Facebook Business account takeovers.
Fantasy sports betting site DraftKings has acknowledged the accounts of some users were hacked. Less than US$300,000 was taken from the accounts of customers. The service says its systems weren’t hacked. It alleges the victims were careless, suspecting that their passwords were reused on other websites and stolen from there.
Some people hope to make quick money through cryptocurrency. That makes them easy targets for scammers. Here are two pieces of news to put this into perspective: Two people in Estonia were arrested there after a U.S. grand jury returned an indictment. It is alleged the pair defrauded hundreds of thousands of people out of US$575 million in a fraud and money laundering scheme. They allegedly got victims to enter into fraudulent equipment rental contracts to share in the profits of a cryptocurrency mining service. The service didn’t exist. And they allegedly got victims to invest in a phony virtual currency bank.
Separately, the Justice Department said it had seized seven domains used in a $10 million cryptocurrency confidence scheme. The scheme involved websites pretending to be the real Singapore International Monetary Exchange. Five victims in the U.S. were tricked into investing in what they thought was a legitimate cryptocurrency opportunity.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.