Image: Apple’s website

Apple has been sued in a California court for not doing enough to combat iTunes gift card scams.
According to court documents, plaintiffs in a class-action lawsuit filed earlier this month claim that Apple is aware and knowingly permitting iTunes gift card scams to perpetuate as it allows the company to make a profit from the scammed funds.
What’s an “iTunes Gift Card Scam”
The iTunes gift card scam has been around since the mid-2000s when Apple introduced gift card for the iTunes store, which it later expanded to all its stores under its current official name of “App Store & iTunes Gift Cards.”
There are several variations of this scam, but the vast majority follow the same loose pattern.
Scammers call a victim citing an urgent and time-sensitive scenario that requires a payment for things like taxes, hospital bills, bail money, debt collection, and utility bills. They urge victims to buy an iTunes gift card from a local retailer and pass the card’s serial code and its PIN to the scammer as proof of payment.

Most of the scam’s targets are elderly who may not be aware that iTunes and Apple Store gift cards can only be used on Apple stores and nowhere else — such as paying bills or taxes in the real world.
The “scam” is that by the time victims realize this small detail, the scammer has already used the gift cards’ funds. Scammed funds are typically laundered in various ways, but three methods are often encountered:
The scammer uses funds to buy an Apple device (Mac, iPhone, iPad, or other), which it later resells to gain access to real-world fiat currency.
The scammer uses the funds to buy perks or digital currency in an app or game they have set up, creating real-world provits for a company they owned or have partnered with.
The scammer resells the gift card code and PIN to other criminals.
Lawsuit: Apple has benefited from letting scammers run wild
In their lawsuit, plaintiffs say that despite knowing of this problem for years, Apple has not done anything to prevent it, besides putting up a web page on its website with a simple warning.
“Apple is incentivized to allow the scam to continue because it reaps a 30% commission on all scammed proceeds, and knowingly or recklessly, Apple plays a vital role in the scheme by failing to prevent payouts to the scammers,” court documents read.
Plaintiffs say that despite Apple’s tight control of all App Store transactions and gift cards, the company “falsely tells victims that 100% of their money is irretrievable.”
“Apple retains 30% of the spent funds for itself. At all times, this amount remains retrievable to the consumer. Apple holds the remaining spent funds for four to six weeks before paying the third-party vendors on the App and iTunes stores on which the stored value was spent, meaning the remainder is also retrievable to the consumer,” the lawsuit alleges.
The plaintiffs claim that Apple has violated the California Consumers Legal Remedies Act (CLRA) that grants victims relief for any losses they suffer following an unlawful act.
The current plaintiffs, all elderly of 50+ years, are now seeking material relief for funds they lost during past scams.
They are also seeking an injunction to block Apple from transferring any money to Apple Developer accounts associated with known gift card scams.
Based on FTC complaints and statistics, the court documents estimate iTunes gift card scams losses to be around $1 billion, with Apple retaining $300 million in commissions.
According to a 2018 FTC report, a quarter of victims who are reporting falling victim to a scam said they were asked to pay by acquiring a gift card and passing on the card’s code. Of all gift card scams, the FTC said that iTunes cards accounted for 23.7% of all cases in 2018, the most of any type of gift card scam.

Image: FTC More

iStock The vast majority of federal government organizations in Brazil are at a high risk of cyberattacks, a new report produced by the Federal Audit Court (TCU) has found. A group of 29 areas that represent a high risk in terms of vulnerability, abuse of power, mismanagement, or need for drastic changes was analyzed in the […] More

There’s been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks. Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there’s been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021. Crooks are claiming to offer access to compromised Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) login credentials, as well as web shells, reverse shells, Cobalt Strike penetration testing tools and more. With this access, cyber criminals can access a company’s networks and attempt to gain access to usernames and passwords or administrator rights which allow them to gain further control over the network.  On the underground forums being analysed, the number of offers to sell access to corporate networks went up from 362 to 1,099, a rise of three times in just a year and the report warns that increase is “one of the clearest trends on underground forums”. Some of the most common industries to which access is being offered to include manufacturing, education, financial services and healthcare.  The cost of access varies greatly and can sometimes be offered for a few thousand dollars – something a ransomware crew could make back many times over from a successful attack. But there’s a direct correlation between access value and the victim’s company revenue – the higher the revenue, the higher the price.  

SEE: A winning strategy for cybersecurity (ZDNet special report)  One of the key reasons there’s been an increase in sellers is because there’s the demand which is being driven by the growth in ransomware attacks. Ransomware groups need access to networks and buying access is easier and less time consuming than compromising networks themselves. “Ransomware operators are the main “customers” of initial access brokers’ (IAB) services,” Dmitry Shestakov, head of cybercrime research at Group-IB told ZDNet. “This unholy alliance of IABs and ransomware operators as part of ransomware-as-as-a-service affiliate programs has led to the rise of the ransomware empire,” he added. Another reason for the growth of initial access markets is because there is a relatively low skills threshold for engaging in this sort of cyber crime. These less sophisticated cyber criminals can use phishing attacks or buy off-the-shelf malware to steal information.The report also suggests that gaining this initial access has got easier due to the rise in remote working as a result of the  pandemic, which has resulted in many organisations unintentionally using insecure or misconfigured applications which cyber criminals can easily exploit. And as long as there are insecure networks which can be accessed and a demand from other cyber criminals to buy access to those networks, the rise of the access broker market looks set to continue.”We expect the number of brokers and initial access offers to grow. As the supply increases to meet the demand, we expect the price of initial access to corporate networks to decrease,” said Shestakov. “Ransomware will remain the main way to monetize access to corporate networks because it provides the highest possible return on investment for IABs,” he added. There are measures which organisations can take to help avoid cyber criminals breaching the network and gaining access to credentials.  They include installing software updates and security patches on a regular and timely basis to protect against known vulnerabilities, encouraging the use of strong passwords which are difficult to breach in brute force attacks and applying multi-factor authentication to accounts so that if credentials are compromised, there’s limited opportunities for attackers to exploit them. MORE ON CYBERSECURITY More

Ransomware shows no sign of slowing down as the average ransom paid to cyber criminals by organisations which fall victim to these attacks has nearly tripled over the last year.Cybersecurity researchers at Palo Alto Networks analysed ransomware attacks targeting organisations across North America and Europe and found that the average ransom paid in exchange for a decryption key to unlock encrypted networks rose from $115,123 in 2019 to $312,493 in 2020.That represents a 171 per cent year-over-year increase, allowing cyber criminals to make more money than ever before from ransomware attacks. Ransomware remains an effective tool for cyber criminals, because many organisations remain poorly equipped to deal with the threat, leading many victims to give in to extortion demands and pay a Bitcoin ransom in the hope they’ll get the decryption key required to restore their network.This has been helped along by the rise of additional extortion tactics such as when cyber criminals encrypt and steal data, threatening the victim with publishing the stolen information if the ransom isn’t paid. In some cases, this leads to organisations which could restore the network without paying the ransom giving into the blackmail and paying up anyway.SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic) The continued success of attacks has led to some ransomware gangs becoming extremely bold with demands – and it’s paying off. Before 2020, the highest ransom demand paid to cyber criminals stood at $5 million, but during the last year, that has doubled, with data in the report suggesting that one victim paid a ransom of $10 million to cyber criminals following a ransomware attack.

The highest attempted ransom demand during 2020 stood at $30 million – double the previous highest attempted demand of $15 million in previous years.And given the continued success of ransomware attacks – and the emergence of successful new variants of ransomware and easy-to-use ransomware-as-a-service schemes – it’s unlikely that cyber criminals will slow down any time soon.”Ransomware is one of the top threats in cybersecurity,” said John Davis vice president of public sector at Palo Alto Networks.”Organizations around the world are being held hostage by ransomware, and many are being forced to pay cybercriminals because they’re not equipped to combat the threat for varying reasons, from a lack of recoverable backups to the cost of downtime outweighing the cost of paying the ransom,” he added.Ransomware groups including Ryuk, Egregor, DoppelPaymer and many others continue to plague organisations around the world in 2021, but with the right cybersecurity strategy, it’s possible to defend against attacks.Phishing emails remain a common means of cyber criminals infiltrating networks, so researchers recommend that employees should receive training to identify threats. SEE: What is cyber insurance? Everything you need to know about what it covers and how it worksIt’s also recommended that remote desktop services should be secured with strong passwords and multi-factor authentication to protect against brute force attacks, while security patches should be applied to stop attackers taking advantage of known vulnerabilities.Organisations should also regularly store backups of the network – and do somewhere offline – so if the worst happens and hackers do issue a ransom demand, the network can be restored without lining cyber criminal pockets.MORE ON CYBERSECURITY More

A new brand of malware designed to compromise Windows containers to reach Kubernetes clusters has been revealed by researchers. 

The malware, dubbed Siloscape, is considered unusual as malware generally designed to target containers focuses on Linux as a popular operating system for managing cloud applications and environments.  According to Palo Alto Networks’ Unit 42, Siloscape, first discovered in March this year, has been named as such because its overall aim is to escape Windows containers via a server silo. In a blog post on Monday, the cybersecurity researchers said Siloscape uses the Tor proxy and an .onion domain to connect to its command-and-control (C2) server, used by threat actors to manage their malware, data exfiltration, and to send commands.  The malware, labeled as CloudMalware.exe, targets Windows containers — using Server rather than Hyper-V isolation —  and will launch attacks utilizing known vulnerabilities that have not been patched for initial access against servers, web pages, or databases.  Siloscape will then attempt to achieve remote code execution (RCE) on the underlying node of a container by using various Windows container escape techniques, such as the impersonation of the CExecSvc.exe, a container image service, to obtain SeTcbPrivilege privileges. “Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 says. “More specifically, it links its local containerized X drive to the host’s C drive.”

If the malware is able to escape, it will then try to create malicious containers, steal data from applications running in compromised clusters, or will load up cryptocurrency miners to leverage the system’s resources to covertly mine for cryptocurrency and earn its operators profit for as long as the activities go undetected.  The malware’s developers have ensured that heavy obfuscation is in place — to the point where functions and module names are only deobfuscated at runtime — in order to conceal itself and make reverse-engineering more difficult. In addition, the malware uses a pair of keys to decrypt the C2 server’s password — keys that are suspected to be generated for each unique attack.  “The hardcoded key makes each binary a little bit different than the rest, which is why I couldn’t find its hash anywhere,” the research states. “It also makes it impossible to detect Siloscape by hash alone.” Unit 42 managed to obtain access to the C2 and identified a total of 23 active victims, as well as 313 victims in total, likely secured in campaigns over the past year. However, it was mere minutes before the researchers’ presence was noted and they were kicked out of the server and the service was rendered inactive — at least, at that .onion address.  Microsoft recommends that Hyper-V containers are deployed if containerization is utilized as a form of security boundary rather than relying on standard Windows containers. Unit 42 added that Kubernetes clusters should be configured properly and should not allow node privileges alone to be enough to create new deployments. 

Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More