Information Technology

Businesses in China should brace themselves for a potential spike in smishing attacks and identity theft, following reports that the personal data of 1 billion residents in the country has been put up for sale online. If legitimate, the massive data breach can result in phone swapping or other identity fraud activities, which can impact a Chinese user’s social credit scoring.Hackers claiming to have access to databases containing the data had offered the information for sale on an online forum, which specialised in the trading of stolen databases. Priced at 10 Bitcoins ($197,376) for 24TB worth of data, the personal details included date and place of birth, national identification number, residential address, and mobile number. The hackers claimed the data came from the Shanghai National Police and offered a sample dump. A report from Wall Street Journal said the details of at least nine residents from this sample were confirmed to be legitimate. According to data security vendor Acronis, the data sample contained three categories of information comprising the resident’s personal data file, phone location data or address and phone number, and police incident or criminal case registry. For the latter, information such as location of the crime and brief incident description appeared to be leaked, Acronis’ co-founder and technology president Stas Protassov told ZDNet. Most of the criminal case information involved minor incidents and descriptions of the scene, including “a fight” at a specific location in Zhujing Town and minor road incidents.Protassov noted that these police records referred to people involved in the incidents, which could be damaging to them. He added that the compromised data could be used to personalise future attacks, such as spear phishing, or to commit fraud using the identity of the victims. He urged organisations and individuals to be on the lookout for fraudulent activities and malicious email or text messages.Asked if the data breach could have greater impact in China, where the use of some services required registration based on personal information, Protassov said it was unlikely the compromised data on its own could result in hackers taking over such services. However, he warned that it could lead to phone swapping or other identity theft activities that could negatively impact a Chinese user’s scoring on social media platforms. Operators of apps that provide news, instant messaging, and other related services in China must require their users to register based on their mobile and identification card numbers. Users who refuse to do so or who use fraudulent identification data cannot be permitted to use the app. China operates a social credit system that aims to track and assess the trustworthiness of a person, company, and government agency. Each is tagged with a social credit score that is evaluated against various data sources, such as financial, government, and criminal records. The system is undergoing further refinement by the government. Protassov said while news of data leaks were common, this breach was unique due to its volume. According to Check Point Software Technologies’ threat intelligence group manager Sergey Shykevich, the significant size of the compromised data indicated a high likelihood cybercriminals might use the information to launch phishing and spear-phishing attacks. With the leaked data encompassing mobile numbers, Shykevich said businesses in China should be prepared for a potential wave of smishing or SMS phishing attacks. He added that the online forum touting the sale of the data also peddled other databases from China, including a courier database with 66 million user records that were allegedly stolen from ShunFeng Express in 2020, and data from driving schools in the country.A tweet from Binance CEO Changpeng Zhao suggested the latest data breach was the result of a government employee posting a tech blog on Chinese Software Developer Network that accidentally included user credentials. Without access to the log files, Protassov said it was impossible to confirm the attack vector. Based on the ID format, he surmised it was likely an Elasticsearch dump, but it was unclear whether the breach was due to leaked credentials or poorly configured systems. “Such data leaks most commonly happen when someone leaves unauthenticated Elastic instance available on the internet,” he added.RELATED COVERAGE More

Image: Shutterstock/GaudiLab A new phishing campaign on WhatsApp is scamming individuals who want to work in the United Kingdom. As documented by Malwarebytes, the scheme’s operators are sending out messages claiming to be from the UK government, offering a free visa and other benefits to individuals willing to move to the country. SEE: Google: Half […] More

Image: Getty Images Ukrainian police said they have arrested suspected members of a cyber-criminal gang conducting an EU payments phishing scheme. In a statement, Ukraine’s Cyber Police Department and the Kyiv-based Pechersk Police Department said the criminal group created and promoted roughly 400 phishing links to send to the county’s citizens. The links sent victims […] More

Image: 10’000 Hours/GETTY Google has released an update to Chrome 103 for Windows desktops that fixes a flaw in its implementation of WebRTC, which it warns is already under attack.  The issue that Chrome update 103.0.5060.114 for Windows addresses is a “heap buffer overflow in WebRTC”, referring to when the buffer allocated in the heap […] More

Singapore is mulling over additional rules in cryptocurrency trading that it says are necessary to safeguard the general public. These may include restrictions on retail trading and the use of leverage in cryptocurrency transactions. The revelation comes weeks after repeated warnings from the government that cryptocurrencies, due to their “sharp speculative price swings”, are unsuitable retail investments for the public. Recent market events clearly demonstrated the risks with prices of several cryptocurrencies dipping significantly, said Senior Minister and Minister in Charge of Monetary Authority of Singapore (MAS) Tharman Shanmugaratnam. In a written response issued Monday to a parliamentary question, he said MAS since 2017 had issued cautionary notes about cryptocurrency investments.Noting that the industry regulator already had taken steps that went further than most others, Tharman said MAS in January restricted the marketing and advertising of cryptocurrency services in public areas as well as barred the portrayal of cryptocurrency trading as trivial. He added that digital payment token service providers since had adhered to the rules, which included the removal of both cryptocurrency ATMs and advertisements from public areas and public transport venues. Under the country’s Payment Services Act, MAS was empowered to implement further measures to ensure better consumer protection, maintain financial stability, and safeguard the effectiveness of its monetary policies, the minister said. Tharman said: “MAS has been carefully considering the introduction of additional consumer protection safeguards. These may include placing limits on retail participation and rules on the use of leverage when transacting in cryptocurrencies. Given the borderless nature of cryptocurrency markets, however, there is a need for regulatory coordination and cooperation globally. These issues are being discussed at various international standard setting bodies where MAS actively participates.”The European Union last week reached a provisional agreement on cryptocurrency regulations that aimed to “protect investors and preserve financial stability”. Coined Markets in Crypto Assets (MICA), the regulatory framework would cover issuers of unbacked crypto assets and stablecoins, trading platforms, and wallets in which crypto assets were held. For instance, under the new rules, cryptocurrency service providers must adopt “strong requirements” to protect consumers wallets and would be held liable when investors’ assets were lost. French Minister for the Economy, Finance, and Industrial and Digital Sovereignty, Bruno Le Maire, said: “Recent developments on this quickly evolving sector have confirmed the urgent need for an EU-wide regulation. MICA will better protect Europeans who have invested in these assets and prevent the misuse of crypto-assets, while being innovation-friendly to maintain the EU’s attractiveness.”MICA still is subject the approval of the Council and European Parliament, before going through formal adoption procedures.Singapore, though, had stressed the importance of driving the development of underlying technologies often associated with cryptocurrencies, specifically, blockchain. Deputy Prime Minister and Coordinating Minister for Economic Policies, Heng Swee Keat, said last month efforts were needed to bring out the best potential of emerging technologies while mitigating the risks. For instance, he said a consortium was set up to ensure the responsible use of artificial intelligence (AI) in the financial sector and this led to the release of whitepapers and toolkits to guide the industry.  The same approach should be applied to drive the upsides and minimise the downsides of Web 3.0 developments, Heng said, pointing to distributed ledgers and tokenisation, which drove transparency and cost savings.”Crypto assets have more recently been in the spotlight for the wrong reasons. This, however, does not reflect where the greatest value of blockchain and digital assets lies, much of which is away from the retail glare,” he said. He noted that while cryptocurrencies were unsuitable as retail investments due to their volatile prices, the underlying blockchain technology had the potential to streamline and improve wholesale cross-border transactions. MAS in May announced plans to pilot use cases of asset tokenisation and assess the feasibility of autonomous trading powered by blockchain technology. Efforts here would include the development of interoperable networks to facilitate digital asset trading as well as an evaluation of regulations needed to safeguard against potential risks. According to a study released last August, 67% of personal investors in Singapore held cryptocurrencies with 78% owning Ethereum and 69% holding Bitcoin.Investments in Singapore’s fintech sector also grew 47% year-on-year to hit $3.94 billion last year, with blockchain and cryptocurrencies raking in almost half of the funds with $1.48 billion across 82 deals, according to KPMG. RELATED COVERAGE More

Sensitive personal information about over a billion people has apparently been leaked from a government agency and put up for sale on the dark web, in what would be one of the biggest data breaches in history.  Information which has been leaked is said to include names, addresses, national ID numbers and mobile phone numbers, […] More

The largest bug bounty platform HackerOne said it has fired an employee who took bug reports submitted by external researchers and filed the same reports elsewhere for personal gain. HackerOne is one bug bounty platform that big companies and government departments have turned to manage their bug bounties. HackerOne receives bug reports from ethical hackers about software, and then internally triages the reports to determine whether or not to pay rewards to those who report them. There’s big money at stake. By 2020, HackerOne had paid out over $100 million to participants who’d reported over 181,000 vulnerabilities through bounties it manages since launching in 2012. Last year Zoom, a HackerOne customer, paid out $1.4 million through HackerOne managed bounties. HackerOne co-founder and CISO Chris Evans said in a Friday blogpost that the now-former employee — whose role was to triage bugs for numerous customer bounty programs — had improperly accessed security reports at some point between April 4 and June 22 and then leaked the information outside of the HackerOne platform to claim additional bounties elsewhere. The employee wrongfully received bounties in a “handful of disclosures”, according to Evans.  The firm investigated the incident after receiving a customer filed a complaint on June 22 asking it to investigate “a suspicious vulnerability disclosure made outside of the HackerOne platform.” The reporter, using the name “rzlr”, had used “threatening communication” about the vulnerability disclosure. “This customer expressed skepticism that this was a genuine collision and provided detailed reasoning,” said Evans. Evans said that the former employee anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties. “Our investigation has concluded that a (now former) HackerOne employee improperly accessed vulnerability data of customers to re-submit duplicate vulnerabilities to those same customers for personal gain,” he explains later.”This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future.”HackerOne terminated the employee’s system access and remotely locked their laptop on June 23. It interviewed the employee on June 24 and on June 27 “took possession of laptop of suspended threat actor and conducted remote forensics imaging and analysis.” The employee, who had system access since April 4, had been in contact with seven HackerOne customers.HackerOne officially terminated the employee on June 30. By July 1, HackerOne had notified all customers whose bug bounty programs had any interaction with the employee, it said. HackerOne says it is confident the external disclosure was not the work of multiple insider threats, but the one employee. “This was a serious incident. We are confident the insider access is now contained. Insider threats are one of the most insidious in cybersecurity, and we stand ready to do everything in our power to reduce the likelihood of such incidents in the future,” said Evans.Evans admits HackerOne’s existing detection and response systems didn’t proactively detect this threat. The firm plans on enhancing its screening process for employees, improving data isolation and network logging, and will implement new simulations to test whether it can detect insider threats.   HackerOne raised in $49 million in funding in January, bringing its total funding to $160 million. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Microsoft, Singapore’s Ministry of Defense, Nintendo, PayPal, Slack, Starbucks, Twitter, and Yahoo.   More

Image: Vintage Tone/Shutterstock The owner of several metaverse companies has been arrested over an alleged investment fraud scheme that defrauded more than 10,000 victims of over $45 million. Last week, the US Department of Justice (DoJ) said that Neil Chandran, a Las Vegas resident, was arrested over allegations of fraud. The 50-year-old owns companies operating […] More