More stories

  • International cryptocurrency scam ring targets European dating app users

    An international scam ring is targeting dating app users in a romance scam to not only deprive victims of their cryptocurrency but also the control of their handsets. 

    On Wednesday, Sophos cybersecurity researchers named the gang “CryptoRom” and said they have recently expanded their operations from Asia, spreading to both the United States and Europe.

    Romance scams are an insidious and constant problem, and thanks to the rising popularity of dating apps, are no longer limited to phishing emails. Instead, fraudsters will ‘match’ with their victims, feign interest until they build a foundation of trust, and then ask for money — only to vanish soon after.

    In recent years, romance scams have become more sophisticated, with some cybercriminals offering their victims ‘exclusivity’ in trading deals or in cryptocurrency investments, using the lure of easy profit as well as potential love matches. Interpol warned of an uptick in investment-based romance fraud taking place across dating apps in January this year.

    The CryptoRom scam artists target iPhone users of dating apps including Tinder and Bumble. One tactic used is to lure victims into downloading a fake cryptocurrency trading app that gives the operators remote control over the handset. The researchers say this has been made possible by abusing Apple’s Enterprise Signature platform, used by software developers to test out iOS apps ahead of submission to the App Store.

    Victims are asked to purchase cryptocurrency through Binance and then transfer the funds to a wallet via the fake trading app. Matches are pointed to fraudulent websites that mimic the look and feel of the legitimate App Store — likely in the hope they won’t look at the address bar too closely and they will install a malicious app.

    “At first, the returns look very good but if the victim asks for their money back or tries to access the funds, they are refused and the money is lost,” explained Jagadeesh Chandraiah, senior threat researcher at Sophos. “Our research shows that the attackers are making millions of dollars with this scam.”

    Unfortunately, it seems the group is competent, as a wallet controlled by them contains close to $1.4 million in cryptocurrency, thought to have been stolen from victims who fell for their tactics and who invested their cash into crypto. However, there could easily be more than one wallet in use.

    As Enterprise Signature allows developers to test out app functionality, the fake apps are also able to perform other functions such as data theft and account compromise, and can potentially download and execute other payloads.

    Sophos reached out to Apple with its findings but at the time of writing has not received a response.

    “To avoid falling victim to these types of scams, iPhone users should only install apps from Apple’s App Store,” Chandraiah cautioned. “The golden rule is that if something seems risky or too good to be true — such as someone you barely know telling you about some ‘great’ online investment scheme that will deliver a big profit — then sadly, it probably is.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Scammers abused Apple developer program to steal millions from victims on Tinder, Bumble, Grindr, Facebook Dating

    Sophos has released a new report this week about a dating app scam that led to the theft of millions of dollars from people on Tinder, Bumble, Grindr, Facebook Dating and similar apps. After gaining their trust on these dating apps, scammers convinced victims to download fake crypto apps, where they duped them into investing money before freezing the accounts.

    The scammers were somehow able to easily game Apple’s Developer Enterprise program — and the Apple Enterprise/Corporate Signature — to distribute these fraudulent crypto apps, which were masquerading as Binance and other legitimate brands. Sophos said its threat hunters observed the scammers abusing Apple’s Enterprise Signature to manage victims’ devices remotely. Apple did not respond to requests for comment. Sophos also contacted Apple about the issue and did not get a response.
    Named “CryptoRom,” according to Sophos researchers Jagadeesh Chandraiah and Xinran Wu, the scam has led to at least $1.4 million being stolen from victims in the US and EU. In their report, the two say that the attackers moved beyond going after victims in Asia and instead are now targeting people in Europe and the US. Sophos researchers even managed to find a Bitcoin wallet that was being controlled by the attackers thanks to one victim, who shared the address he initially sent the money to before being shut out. Chandraiah said the CryptoRom scam relies heavily on social engineering at almost every stage. Victims came to Sophos to discuss the scam and the researchers found other reports of people being taken advantage of. 

    “First, the attackers post convincing fake profiles on legitimate dating sites. Once they’ve made contact with a target, the attackers suggest continuing the conversation on a messaging platform,” Chandraiah said. “They then try to persuade the target to install and invest in a fake cryptocurrency trading app. At first, the returns look very good but if the victim asks for their money back or tries to access the funds, they are refused and the money is lost. Our research shows that the attackers are making millions of dollars with this scam.”

    Victims are initially contacted on apps like Bumble, Tinder, Facebook Dating and Grindr before the conversation is moved to other messaging apps. From there, the conversation is steered toward getting victims to install fake trading applications onto their devices. Once a victim is drawn in, they are asked to invest a small amount before being locked out of accounts if they demand their money back.

    The attack is two-pronged, giving cybercriminals the ability to steal money from victims and gain access to their iPhones. According to Wu and Chandraiah, the attackers are able to use “Enterprise Signature” — a system built for software developers that helps enterprises pre-test new iOS applications with selected iPhone users before they submit them to the official Apple App Store for review and approval.

    “With the functionality of the Enterprise Signature system, attackers can target larger groups of iPhone users with their fake crypto-trading apps and gain remote management control over their devices. This means the attackers could potentially do more than just steal cryptocurrency investments from victims. They could also, for instance, collect personal data, add and remove accounts, and install and manage apps for other malicious purposes,” the researchers said.

    Chandraiah added that until recently, criminal operators mainly distributed the fake crypto apps through fake websites that resemble a trusted bank or the Apple App Store. “The addition of the iOS enterprise developer system introduces further risk for victims because they could be handing the attackers the rights to their device and the ability to steal their personal data,” Chandraiah said. “To avoid falling victim to these types of scams, iPhone users should only install apps from Apple’s App Store. The golden rule is that if something seems risky or too good to be true – such as someone you barely know telling you about some ‘great’ online investment scheme that will deliver a big profit – then sadly, it probably is.”

    Sophos published another report on a similar scam in May that was aimed solely at people in Asia. But over the last few months the researchers saw a startling expansion of the attacks.

    “This scam campaign remains active, and new victims are falling for it every day, with little or any prospect of getting back their lost funds. In order to mitigate the risk of these scams targeting less sophisticated users of iOS devices, Apple should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple,” the two researchers wrote. “And while institutions dealing with cryptocurrency have started implementing ‘know your customer’ rules, the lack of wider regulation of cryptocurrency will continue to draw criminal enterprises to these sorts of schemes, and make it extremely difficult for victims of fraud to get their money back. These scams can have a devastating effect on the lives of their victims.”

  • Apple: Forcing app sideloading would turn iPhones into virus-prone 'pocket PCs'

    Apple has defended its position on the restriction of app sideloading in light of current EU discussions surrounding competition in the tech space.

    On Wednesday, the iPad and iPhone maker published a new paper (.PDF) on sideloading, a process allowed by other mobile OS developers — such as Google, albeit with some friction — to install apps on devices outside of official app repositories. Sideloading can be useful when users want access to software that is not available in official stores. Users may want to install apps that have been discontinued or when newer versions are not compatible with an existing handset, or for whatever reason — such as legal battles — an app has been pulled from an official source.  However, there are caveats to this practice. If you bypass an official store such as Google Play, Apple’s App Store, or the Microsoft Store, you may be missing out on the security protections and verification in place for an app to be hosted, and, therefore, you may be exposing yourself to mobile malware.  In June, Apple chief executive Tim Cook claimed that sideloading was not in the best interests of Apple product users, and reviewing all apps introduced into the ecosystem keeps mobile malware rates low.  “Mobile malware and the resulting security and privacy threats are increasingly common and predominantly present on platforms that allow sideloading,” Apple says.  There are a number of ways that malware can reach a handset. On occasion, malicious apps can circumvent existing protections in an official app repository; but more commonly, apps can be spread through phishing, masquerading as legitimate software or OS updates, and website spoofing. 

    According to Apple’s research paper, “Building a Trusted Ecosystem for Millions of Apps: A threat analysis of sideloading,” — which builds upon a paper published in June — there are far more malware infections on Android-based devices than on iPhones. These infections include ad fraud software, spyware, Trojans, ransomware variants, and fake apps that could result in the theft of data or funds.

    The research has been published in light of discussions in Europe concerning the Digital Services Act (DSA) and the Digital Markets Act (DMA). The EU’s proposals would require tighter controls on “illegal” content online and for “gatekeepers” — such as tech and service providers — to protectively preserve and permit competition. As previously reported by ZDNet, this could include measures such as increased interoperability between services and third-party software and banning the prevention of uninstalling pre-installed apps on mobile devices by users. According to the Center for Strategic & International Studies, the DMA could force vendors such as Apple and Google to facilitate sideloading in the future.

    While renewed regulation could be a positive force, there may not be enough discussion concerning the security of mobile device users, and the ramifications of taking away their choice to purchase a handset contained in a closed — and, therefore, potentially safer — mobile ecosystem.

    Apple says that if the company was forced to support sideloading, even if limited to “third-party app stores only,” this would increase the spread of harmful applications as these sources may not have sufficient vetting procedures. Apple claims that users would end up with less control over their apps, and that features including parental controls, accessibility, and app tracking transparency would be negatively impacted. In addition, Apple says that users could end up being forced to sideload apps due to work or school.

    “Some sideloading initiatives would also mandate removing protections against third-party access to proprietary hardware elements and non-public operating system functions,” Apple says. “This would undermine core components of platform security that protect the operating system and iPhone data and services from malware, intrusion, and even operational flaws.”

    The tech giant added: “Forcing Apple to support sideloading on iOS through direct downloads or third-party app stores would weaken these layers of security and expose all users to new and serious security risks: It would allow harmful and illegitimate apps to reach users more easily; it would undermine the features that give users control over legitimate apps they download; and it would undermine iPhone on-device protections. Sideloading would be a step backward for user security and privacy: supporting sideloading on iOS devices would essentially turn them into “pocket PCs,” returning to the days of virus-riddled PCs.”

  • Bugs allowing malicious NFT uploads uncovered in OpenSea marketplace

    Critical security issues in the OpenSea NFT marketplace that allowed attackers to steal cryptocurrency wallet funds have been patched. 

    NFTs, also known as non-fungible tokens, are digital assets that can be sold and traded on the blockchain. While some NFTs — from a pixel cartoon to a popular meme — can reach a sale price of millions of dollars, the popularity of this phenomenon has also created a new attack vector for exploitation.  On Wednesday, the Check Point Research (CPR) team said that flaws in the OpenSea NFT marketplace could have allowed “hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs.” An investigation was launched after reports surfaced of malicious NFTs, airdropped for free, being used as conduits for cryptocurrency theft and account hijacking.  The NFT itself, and the airdrop, was not the source of the issue. Instead, once an NFT had been gifted to a potential victim, they would view it — and then a pop-up would trigger, requesting a signature to connect to a wallet. A secondary signature request prompt would then appear, and if accepted, could grant attackers access to an unwitting user’s wallet, funds, and more.  In OpenSea’s case, the security flaw allowed the team to upload an .SVG file containing a malicious payload, which would execute under the OpenSea storage subdomain. “In our attack scenario, the user is asked to sign with their wallet after clicking an image received from a third party, which is unexpected behavior on OpenSea, since it does not correlate to services provided by the OpenSea platform, like buying an item, making an offer, or favoring an item,” CPR says. “However, since the transaction operation domain is from OpenSea itself, and since this is an action the victim usually gets in other NFT operations, it may lead them to approve the connection.”

    The researchers disclosed their findings to OpenSea on September 26. Within less than an hour, the marketplace had triaged and verified the security issues and deployed a fix.

    In a statement, OpenSea said: “Security is fundamental to OpenSea. We appreciate the CPR team bringing this vulnerability to our attention and collaborating with us as we investigated the matter and implemented a fix within an hour of it being brought to our attention. These attacks would have relied on users approving malicious activity through a third-party wallet provider by connecting their wallet and providing a signature for the malicious transaction.” OpenSea added that the organization has not found any evidence of exploitation in the wild.

  • 1 in 15 organizations runs actively exploited version of SolarWinds: Report

    A new report from cybersecurity company Randori has categorized the most tempting internet-exposed assets that an attacker is likely to go after and exploit, finding that one in 15 organizations currently runs a version of SolarWinds that is known to be actively exploited.

    In the 2021 Randori Attack Surface Report, researchers assigned each asset a “Temptation Score” — effectively the likelihood an attacker will go after it. Any exposed asset with a score over 30 is considered high, with the highest-ranking assets currently within their corpus reaching an attacker Temptation Score of 55. The versions of SolarWinds being actively exploited have an average Temptation Score of 40.

    The report found that more than 25% of organizations have RDP exposed to the internet, while 15% of organizations are still running outdated versions of IIS 6, which Microsoft hasn’t supported for six years. Randori gave IIS 6 a Temptation Score of 37.

    Nearly 40% of organizations use Cisco’s Adaptive Security Appliance (ASA) firewall, which has a history of public vulnerabilities and a Temptation Score of 37. Almost half of all organizations run Citrix NetScaler, which has a score of 33 and multiple public exploits. Both Cisco Web VPN and Palo Alto Global Protect joined Citrix NetScaler as VPNs listed in the report with high Temptation Scores.

    Just 3% of organizations are still running versions of Microsoft Outlook Web Access, but this alarmed Randori researchers, who noted the recent Exchange hacks and several known exploits for the tool. It was one of the highest on the Temptation Score scale at 38.

    “Many of the exposed assets — like SolarWinds and OWA — are there because of ignorance, not negligence. Organizations struggle to know what they have been exposed to on the internet. Cloud migration and the work-from-home boom dramatically increased the number of exposed assets — but it is possible to deploy security measures to help you secure the unknown,” David Wolpoff, CTO of Randori, told ZDNet.

    The report notes that the SolarWinds issue ranked high in the report because it has publicly disclosed vulnerabilities, it is a mission-critical technology for many businesses, and it is widely used.

    “Many assume prioritizing based on vulnerability severity will keep you safe. But that’s simply not true. Attackers think differently, and vulnerability severity is just one of many factors weighed by an attacker. Our hope with releasing this report is that people will get deeper into the attacker’s mindset, apply attacker logic to their security programs, and get one step ahead,” Wolpoff said.

    Wolpoff explained that the report is based on attack surface data from millions of internet-exposed assets and noted that the Temptation Score of an asset is determined by a proprietary weighting of six different attributes: enumerability, exploitability, criticality, applicability, post-exploitation potential, and research potential.

    Wolpoff said he is continually surprised to see that low-effort, easy-to-break-in attacks still work at successful enterprises — like exploitable OWA. “What strikes me is the lack of focus on the basics, like hardening the default configurations or seeing default settings that contain admin/admin as the username and password. The number of times that the default username and password ‘admin/admin’ has gotten us into boxes is extremely surprising,” Wolpoff said. “For example, many enterprises are running old Microsoft OWA with the default settings — exposing the name, version, and, better yet, configuration information! The more an attacker knows about a system, the more tempting it is — it makes it easier for an attacker to cross-check to see if there are any known public vulnerabilities or exploits weaponized against that specific version and to confirm if an exploit will land.”

    He was also shocked by the high percentage of people not using MFA. He explained that his attack team often successfully conducts an attack with previously disclosed credentials because MFA wasn’t deployed.

    Wolpoff suggested security teams always change the default settings so the version number isn’t publicly visible, noting that if enterprises are unable to patch or upgrade a tool, they should at least hide it. He urged security teams to find ways to reduce their attack surfaces by taking things offline or disabling functionalities that go unused. It is no longer appropriate for organizations to settle for the configuration the manufacturer sets as default, and Wolpoff added that enterprises should segment critical assets as well as appliance and IoT devices.

  • Australia's new ransomware plan to create ransomware offences and reporting regime

    The Australian government has announced a new set of standalone criminal offences for people who use ransomware under what it has labelled its Ransomware Action Plan.

    Under the new plan [PDF], people who use ransomware to conduct cyber extortion will be slapped with new stand-alone aggravated criminal charges. A new criminal offence has also been created for people who target critical infrastructure with ransomware. The acts of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence as well as buying or selling malware for the purposes of undertaking computer crimes are also both now criminalised.

    “The Ransomware Action Plan takes a decisive stance — the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” Minister for Home Affairs Karen Andrews said.

    Alongside the new criminal offences, the plan will also roll out a new mandatory ransomware incident reporting regime, which would require organisations with a turnover of over $10 million per year to formally notify government if they experience a cyber attack. The new plan will also see government work to introduce additional legislative reforms that potentially allow law enforcement to track, seize or freeze ransomware gangs’ proceeds of crime.

    All of the new measures will be developed through a new tranche of legislation rather than through the Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently being considered by Parliament. This is in spite of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 already containing provisions that seek to create mandatory reporting requirements for organisations that suffer a cyber attack and provide more powers for government to undertake action against cyber attacks.

    While the plan itself says some of the new measures will be regulated through the Security Legislation Amendment (Critical Infrastructure) Bill 2020, a federal government representative clarified that the Bill would just be providing clarity surrounding the definitions of critical infrastructure.

    The government representative also said the new tranche of legislation would be primarily focused on introducing new offenses to allow law enforcement to charge cybercriminals on ransomware grounds, while the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is focused on providing government more powers to intervene during cyber attacks.

    That Bill received the tick of approval from a parliamentary joint committee two weeks ago, with the parliamentary committee saying at the time there was compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure was increasing.

    “Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” committee chair Senator James Paterson said at the time.

    The Bill was originally meant to be broader in scope, but the committee advised that other “less urgent” aspects of the Bill should be introduced under a second, separate Bill following further consultation.

    Under the government’s new ransomware plan, a multi-agency taskforce led by the Australian Federal Police, called Operation Orcus, has also been created. The government has touted the taskforce, created in July, as being the country’s “strongest response to the surging ransomware threat”.

    According to Andrews, these new measures all fall within one of the plan’s three objectives, which are to build Australia’s resilience to ransomware attacks; strengthen responses to ransomware attacks; and disrupt and deter cybercriminals through tougher laws. To achieve these three objectives, Andrews said the federal government would work closely with state and territory governments and industry stakeholders.

    The new plan builds on Australia’s overarching 2020 Cyber Security Strategy, which aims to impose cyber standards on operators of critical infrastructure and systems of national significance and create powers that allow the federal government to get on the offensive and actively defend networks and critical infrastructure.

    Updated at 2:30pm AEST, 13 October 2021: Updated article to reflect clarifications from the federal government about how the ransomware plan’s new measures would be legislated.

  • Olympus suffers second cyberattack in 2021

    Japanese tech manufacturer Olympus said on Tuesday that it was investigating a cyberattack on its IT systems in the US, Canada and Latin America.

    The company said the cybersecurity incident was detected on Sunday but despite the help of forensics experts, they are still working to resolve the issue. “As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions,” the company statement said. “We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way.”

    The latest incident follows another cyberattack that the company reported on September 11. The statement from that incident is almost identical to the one released today, but Bleeping Computer reported that the earlier attack involved ransomware.

    The ransomware incident, believed to have been perpetrated by the BlackMatter ransomware group, hit the company’s EMEA IT systems. TechCrunch managed to obtain a letter on infected computers from BlackMatter indicating they were behind the attack. By September 14, Olympus released another statement describing the incident as “an attempted malware attack” and saying no data was accessed during the incident.

    Olympus has more than 31,000 employees across the world. The company did not respond to requests for comment about who may be behind the latest attack.

    BlackMatter has been one of the most prolific ransomware groups working after emerging this summer from the ashes of the DarkSide ransomware group. Just last month they shut down an Iowa-based farm service provider and demanded nearly $6 million to restore the damaged systems.

    Neil Jones, cybersecurity evangelist at Egnyte, said the second cyberattack on a technology giant like Olympus in just a month’s time should be a major wake-up call: no large global corporation should consider itself exempt from ransomware attacks. “Senior executives and IT leaders should also be aware that no technological solution is 100% effective, but a large percentage of ransomware attacks can be prevented with diligent preparation,” Jones said. “Unfortunately, even in technologically sophisticated organizations like Olympus, the methods and tools being employed don’t meet the security and control needs to combat today’s threats.”

  • Microsoft Azure fends off huge DDoS Attack

    Distributed Denial of Service (DDoS) attacks are happening ever more often and growing ever bigger. At 2.4 terabits per second (Tbps), the DDoS attack Microsoft just successfully defended European Azure cloud users against could be the biggest one to date.

    What we know for certain is it’s the biggest DDoS attack on an Azure cloud customer. It was bigger than the previous high, 2020’s Azure 1 Tbps attack, and Microsoft reported it was “higher than any network volumetric event previously detected on Azure.”

    Who was targeted? We don’t know. Microsoft isn’t talking. The attack itself came from over 70,000 sources. It was orchestrated from multiple Asia-Pacific countries such as Malaysia, Vietnam, Taiwan, Japan, and China, and from the United States. The attack vector was a User Datagram Protocol (UDP) reflection attack. The attack lasted over 10 minutes with very short-lived bursts. Each of these bursts ramped up in seconds to terabit volumes. In total, Microsoft saw three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.

    In a UDP reflection attack, the attacker exploits the fact that UDP is a stateless protocol. That means the attackers can create a valid UDP request packet listing the attack target’s IP address as the UDP source IP address. It looks as if the attack is being reflected back and forth within the local network, hence the name. This relies on the UDP request packet’s source Internet Protocol (IP) being spoofed, i.e. falsified. The UDP packet contains the spoofed source IP and is sent by the attacker to a middleman server. The server is tricked into sending its UDP response packets to the targeted victim IP rather than back to the attacker. The middleman machine helps strengthen the attack by generating network traffic that is several times larger than the request packet, thus amplifying the attack traffic.

    How big the amplification can get depends on the attack protocol being abused. Such common internet protocols as DNS, NTP, memcached, CharGen, or QOTD can all be turned into network DDoS attack dogs. The nastiest of these is memcached. Memcached is an open-source, high-performance, distributed, object-caching system. It’s commonly used by social networks such as Facebook and its creator LiveJournal as an in-memory key-value store for small chunks of arbitrary data. There it’s very useful. When abused, however, Cloudflare, the web performance and security company, has found 15 bytes of request can cause 750KB of attack traffic — that’s a 51,200x amplification! That’s bad.

    Microsoft isn’t saying which was used in this case but it did mention DNS. Attacks exploiting DNS can produce 28 to 54 times the original number of bytes. So, if an attacker sends a request payload of 64 bytes to a DNS server, they can generate over 3,400 bytes of unwanted traffic to an attack target.

    While Microsoft also didn’t go into detail about how it blocked the attack, the company said Azure’s DDoS protection platform, built on distributed DDoS detection and mitigation pipelines, can absorb tens of terabits of DDoS attacks: “This aggregated, distributed mitigation capacity can massively scale to absorb the highest volume of DDoS threats, providing our customers the protection they need.”

    Generally speaking, this works by Azure’s DDoS control plane logic kicking in when it detects a DDoS storm building up. “This cuts through normal detection steps, needed for lower-volume floods, to immediately kick-in mitigation. This ensures the fastest time-to-mitigation and prevents collateral damage from such large attacks.”

    Some DDoS protection is provided for all of Azure’s users. For better, more comprehensive protection, Microsoft recommends you subscribe to Azure DDoS Protection Standard. Besides blocking DDoS attacks, it also offers cost protection. This provides data transfer and application scale-out service credit for resource costs incurred because of documented DDoS attacks.
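
From the defender's side, the reflection mechanism described above shows up as UDP responses from well-known service ports that the receiving host never asked for. The following is an added example, not part of the original article and not Microsoft's method: the flow-record layout, thresholds and sample addresses (documentation ranges) are assumptions constructed for illustration, while the port numbers are the standard service ports of the protocols the article names.

```python
"""Flag likely UDP reflection traffic: unsolicited responses from amplifier ports."""
from collections import defaultdict
from dataclasses import dataclass

# Standard UDP service ports for the protocols named in the article.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached", 19: "CharGen", 17: "QOTD"}


@dataclass(frozen=True)
class Flow:
    """One UDP flow record (hypothetical layout, e.g. exported from a flow collector)."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def find_reflection(flows, protected, window=5.0, min_sources=3, min_bytes=4096):
    """Return alerts for protected hosts receiving unsolicited reflector responses.

    A response is "solicited" if the protected host sent a request to the same
    server/port pair from the same local port within `window` seconds before it.
    Everything else from a reflector port is counted per (victim, protocol).
    """
    requests = {}  # (client_ip, client_port, server_ip, server_port) -> request time
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0})

    for f in sorted(flows, key=lambda x: x.ts):
        # Outbound request from a protected host to a reflector-type service.
        if f.src_ip in protected and f.dst_port in REFLECTOR_PORTS:
            requests[(f.src_ip, f.src_port, f.dst_ip, f.dst_port)] = f.ts
            continue
        # Inbound packet that looks like a service response.
        if f.dst_ip in protected and f.src_port in REFLECTOR_PORTS:
            asked = requests.get((f.dst_ip, f.dst_port, f.src_ip, f.src_port))
            if asked is not None and f.ts - asked <= window:
                continue  # matches a real request: normal traffic
            entry = stats[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
            entry["sources"].add(f.src_ip)
            entry["bytes"] += f.nbytes

    alerts = []
    for (victim, proto), entry in sorted(stats.items()):
        # Require many distinct reflectors and real volume to limit false positives.
        if len(entry["sources"]) >= min_sources and entry["bytes"] >= min_bytes:
            alerts.append({"victim": victim, "protocol": proto,
                           "sources": len(entry["sources"]), "bytes": entry["bytes"]})
    return alerts


# Constructed sample data; all addresses are from RFC 5737 documentation ranges.
PROTECTED = {"203.0.113.10"}
SAMPLE_FLOWS = [
    # Legitimate DNS lookup and its answer (solicited).
    Flow(1.00, "203.0.113.10", 40000, "198.51.100.53", 53, 64),
    Flow(1.02, "198.51.100.53", 53, "203.0.113.10", 40000, 120),
    # Unsolicited DNS responses from three distinct resolvers.
    Flow(2.00, "192.0.2.1", 53, "203.0.113.10", 51000, 3400),
    Flow(2.01, "192.0.2.2", 53, "203.0.113.10", 51001, 3400),
    Flow(2.02, "192.0.2.3", 53, "203.0.113.10", 51002, 3400),
    Flow(2.03, "192.0.2.1", 53, "203.0.113.10", 51003, 3400),
    # Two unsolicited memcached responses: below the default thresholds.
    Flow(3.00, "192.0.2.9", 11211, "203.0.113.10", 52000, 1400),
    Flow(3.01, "192.0.2.8", 11211, "203.0.113.10", 52001, 1400),
]

if __name__ == "__main__":
    for alert in find_reflection(SAMPLE_FLOWS, PROTECTED):
        print(alert)
```
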