More stories

    FTC joins 38 states in takedown of massive charity robocall operation

    The US Federal Trade Commission (FTC) has closed down a huge charity fundraising scam that duped victims out of $110 million.

    The FTC said on Thursday that together with 46 agencies from 38 states, the organization was able to stamp out the telefunding operation, which has made an estimated 1.3 billion “deceptive” calls to at least 67 million US citizens. 
    According to the FTC, the communication “bombardment” consisted mainly of illegal robocalls, and although residents were told they would be funding charity projects related to firefighters, veterans, and children, millions of dollars were raised by the group through “deceptive solicitations.”
    The complaint, filed in the US District Court for the Eastern District of Michigan, alleges that Associated Community Services (ACS) and associated defendants “knew that the organizations for which they were fundraising spent little or no money on the charitable causes they claimed to support,” and out of every dollar generated, the ACS and others kept as much as 90 cents. 
    The FTC says that since at least 2008, solicitations were made on behalf of “numerous organizations” that claimed to help homeless veterans, children with autism, house fire sufferers, breast cancer patients, and more.
    ACS was also allegedly the main fundraiser for sham cancer charities that were shut down in 2015. ACS defendants have been the subject of 20 prior law enforcement actions over fundraising. 
    The complaint claims that violations of the US Telemarketing Sales Rule (TSR) were constant, with soundboards used to generate robocalls originating from the Philippines and India. In addition, the FTC says that the agency’s own regulations were broken alongside numerous state laws.

    ACS was also charged with making harassing calls in the complaint. According to the agency, over 1.3 million phone numbers were called more than 10 times in a single week, and more than 500 numbers were called over 5,000 times. 
    ACS and sister companies Central Processing Services and Community Services Appeal, as well as their owners, have agreed to settle with the FTC over the charges. Under the terms of the settlement, pending court approval, the defendants will be banned from fundraising and from utilizing existing donor lists or conducting any kind of telemarketing. 
    Monetary judgments have been issued, but many are either partly or fully suspended because the defendants are unable to pay.
    “Robocall technology such as soundboards allows users to reach a significant target population, and when utilized for deceptive or misleading practices — especially in charitable solicitations, it, unfortunately, means a significant number of potential victims,” commented Michigan Attorney General Dana Nessel. “We must take swift action to hold accountable those who are unlawfully using this technology to serve their own agendas and preying on unsuspecting, hardworking people.”
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

    $100 in crypto for a kilo of gold: Scammer pleads guilty to investor fraud

    A Swedish citizen who promised investors huge returns in a gold and cryptocurrency investment scheme has pleaded guilty to securities fraud. 

    On Thursday, the US Department of Justice (DoJ) said Roger Nils-Jonas Karlsson pleaded guilty to securities fraud, wire fraud, and money laundering in a case that the agency says defrauded investors out of over $16 million. 
    The 47-year-old was the operator of Eastern Metal Securities (EMS), a now-defunct company that used a website to lure investors into participating in a scheme that promised incredible returns for their cryptocurrency. 
    According to the US agency, Karlsson offered investors a share of a “plan” that would eventually pay out in gold, a high-value commodity, from 2012 to 2019.
    For only $100 per share, each investor was promised an eventual return of 1.15 kg of gold, worth over $45,000 as of January 2019. Each share was purchased with cryptocurrency, including Bitcoin (BTC).
    Investors were also assured that in the event this return didn’t happen, they would receive 97% of their funds back.
    A second website was used to “delay” the moment investors in the “Pre Funded Reversed Pension Plan” (PFRPP) would realize they had been scammed, prosecutors claim, and Karlsson allegedly kept false and frequent dialogues going to this end.

    “For example, on one occasion, Karlsson explained that a payout had not occurred because releasing so much money all at once could cause a negative effect on financial systems throughout the world,” the DoJ says. “Karlsson also falsely represented that EMS was working with the US Securities and Exchange Commission (SEC) to prepare the way for a payout.”
    Investor cash was sent to Karlsson’s personal bank accounts, the DoJ says, where it was later used to purchase homes and a resort in Thailand. At least 3,575 investors parted with over $16 million. 
    The criminal complaint was issued against Karlsson and EMS on March 4, 2019.
    Karlsson, who went by at least six aliases, was arrested in Thailand on June 17, 2019, and extradited to the United States. Karlsson has pleaded guilty to all charges and the EMS website has been seized. 

    Karlsson faces a maximum sentence of 20 years in prison for the wire fraud and securities fraud charges, as well as a further 20 years behind bars for the money laundering charge. A maximum collective fine for the charges could reach $750,000. Forfeiture proceedings are ongoing. 

    Microsoft Exchange zero-day vulnerabilities exploited in attacks against US local governments

    An ongoing investigation into the active exploitation of four Microsoft Exchange zero-day flaws has revealed attacks against local US government agencies.

    On March 2, Microsoft warned that the four zero-day vulnerabilities — now tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — were being exploited by threat actors in the wild.  
    If abused, the vulnerabilities could be used to compromise servers running Exchange Server 2013, 2016, and 2019 software. 
    Microsoft has urged customers to immediately apply patches provided to fix the vulnerabilities, but as is often the case with the disclosure of zero-days, cyberattackers are quick to exploit them. 
    According to FireEye’s Mandiant Managed Defense cybersecurity team, a wave of attacks against US targets has been tracked that abuses the Exchange security flaws. 
    Among the latest victims are local government entities, an unnamed university, an engineering company, and a host of retailers in the United States. 
    This month, one threat actor was observed using at least one of the vulnerabilities to deploy a web shell on a vulnerable Exchange server in order to “establish both persistence and secondary access,” according to the team. In two cases, cyberattackers sought to delete existing administrator accounts on Exchange servers. 

    Credential theft, the compression of data for exfiltration, and the use of PowerShell to steal entire email inboxes were also recorded. Covenant, Nishang, and PowerCat tools are being used to maintain remote access. 
    Mandiant added that the compromise of two other entities, a Southeast Asian government and a Central Asian telecommunications firm, may be related to this campaign. 
    “The activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments,” Mandiant says. “This activity is followed quickly by additional access and persistent mechanisms.”
    Microsoft has previously attributed attacks to Hafnium, a Chinese state-sponsored advanced persistent threat (APT) group. The APT has been connected to assaults in the past against US defense firms, the legal sector, researchers, and think tanks. 
    Mandiant expects more clusters of intrusions to appear, a problem that will likely be ongoing until more vulnerable servers are patched. Kaspersky says that there is a high risk of ransomware and data theft. 
    Microsoft Exchange users are urged to update their software as quickly as possible.
    In related news this week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing federal agencies to immediately tackle the Microsoft Exchange vulnerabilities. 

    Cyberattack shuts down online learning at 15 UK schools

    Fifteen schools in the United Kingdom have been unable to provide online learning due to a cyberattack.

    The schools, based in Nottinghamshire, belong to the Nova Education Trust co-operative. 
    On Wednesday, as reported by local publication NottinghamshireLive, several of the schools reported issues across social media and the need to close down the IT systems due to the cyberattack. 
    According to Nova Education Trust, a threat actor was able to access the trust’s central network infrastructure and while an investigation took place, all existing phone, email, and website communication had to be pulled. 
    Students are still learning remotely in England. Schools are set to reopen on March 8, but in the meantime, only a small subset of children are attending school physically, such as the children of key workers.
    The 15 schools impacted by the central cybersecurity incident were not able to provide typical remote learning, and teachers have been unable to upload learning materials. However, some of the schools have pivoted to SMS messages, temporary phone numbers, and Microsoft Teams to try to keep lesson disruption to a minimum.
    Days after, IT teams are still working to restore the trust’s systems. While it is not known who is responsible, the incident highlights how centralized IT infrastructures, when compromised, can have a ripple effect and impact any and all institutions relying on them.

    “The incident has been reported to the Department for Education and the Information Commissioner’s Office (ICO), and the trust is currently working with the National Cyber Security Centre (NCSC) and additional security professionals to resolve the matter,” Nova Education Trust said. “All trust employees have been advised to take the necessary precautions.”

    With its acquisition of Auth0, Okta goes all in on CIAM

    Yesterday, identity and access management (IAM) vendor Okta announced plans to acquire customer identity and access management (CIAM) vendor Auth0 for $6.5B in an all-stock transaction. Founded in 2013, Auth0 has been rapidly growing its developer-focused offering and has raised more than $330 million in venture financing. Based on Forrester’s estimates of Auth0’s annual revenue, this acquisition price is around an 80-100X revenue multiple, which is considerable and unprecedented in the IAM space. For reference, we estimated that Cisco’s acquisition of Duo in 2018 was around a 20X revenue multiple and was done as a cash transaction. With this purchase and valuation, Okta is raising its bet and going all in on CIAM.

    In Forrester’s opinion, this high acquisition price reflects that: 
    Secure and easy-to-use digital experiences are a must going forward. Even before COVID-19 pushed many companies to all-digital customer interactions, organizations were investing heavily in building and optimizing digital experiences that provided a great user experience without sacrificing security or privacy. While companies may previously have tried this using homegrown or open-source offerings, the pace and velocity of digital transformation requires companies to evaluate turnkey CIAM solutions that can be quickly integrated into existing architectures to support these new digital experiences. This deal reflects strong overall demand for solutions such as Auth0 that help deliver on this promise, and it positions Okta to leverage that growing demand.
    The 2020 tech stock market rally-up is an M&A accelerant. Okta’s stock has doubled in the last year as it and many other tech-related companies rode a surge in demand due to changing work conditions caused by the COVID-19 pandemic. These higher stock valuations now give public companies the ability to pursue large deals using the higher stock value. As tech stock prices continue to surge, expect more M&A and more all-stock-type transactions. 
    Okta is under pressure to cater to developers in CIAM. With digital transformation accelerating, identity has become the cornerstone of customer acquisition, management, and retention — traditionally managed by digital product teams, business units, marketing organizations, and buyers’ internal application developers. Access to these organizations’ stakeholders and decision-makers (especially to the app developers) has always been Auth0’s strength. Auth0 gives Okta better access to this developer buying center that Okta has not been as successful reaching. 
    IAM and CIAM markets remain highly competitive, with a wide range of vendors such as ForgeRock, SAP, IBM, Ping Identity, Salesforce, Microsoft, and Akamai, to name a few.  

    While Okta has built a strong leadership position in workforce IAM, the success of this merger will depend on the following: 
    How successfully Okta can further integrate Auth0 with non-IAM and non-security solutions. In CIAM, integration with analytics, business intelligence, portals, and marketing solutions are critical to keep a CIAM platform relevant. Okta will have to expand its application ecosystem quickly to remain competitive and to support these new integrations. 
    How much of a premium customers are willing to pay for identity orchestration. Auth0 had a lot of success through its freemium platform offering, which gave developers easy access to CIAM capabilities. A key factor in the financial success of the acquisition will be Okta’s ability to convert these freemium Auth0 customers into revenue-generating customers, especially when some other vendors include orchestration for free.
    How well Okta can apply Auth0 CIAM technology to its existing workforce IAM solution. Okta’s DNA has been providing employee access to cloud apps using its cloud portal — which traditionally has required little orchestration. As Okta expands into protecting legacy on-premises apps and replacing existing on-premises solutions from Broadcom/CA, Oracle, and IBM and starts to compete more with ForgeRock and Ping Identity, Auth0’s orchestration technology will be a critical building block.
    How well Okta will tolerate and integrate Auth0’s completely different corporate culture. Auth0’s IAM approach has been original, innovative, and technology-led. Okta’s traditional approach has been business-, execution-, and financial-results-focused. As with many similar past IAM acquisitions, the acquiring company must retain the acquired vendor’s product management and engineering team and continue to innovate — which historically has been a challenging task for many acquisitions. 
    How quickly and well Okta will eliminate overlaps to provide the best single CIAM solution. When an acquisition happens, there are usually and naturally significant overlaps between the acquiring and acquired vendors’ solutions. In this case, passwordless authentication, multifactor authentication, and even some of Okta’s preexisting developer-centric APIs overlap with Auth0’s offering. Swiftly arriving at a unified, consolidated solution to minimize customer confusion and maximize Okta’s engineering performance is critical to success. 
    This post was written by Principal Analyst Andras Cser, VP and Research Director Merritt Maxim, and Senior Analyst Sean Ryan, and it originally appeared on Forrester’s site.

    GAO report finds DOD's weapons programs lack clear cybersecurity guidelines

    In a new report released Thursday, the U.S. Government Accountability Office (GAO) said the Department of Defense fails to communicate clear cybersecurity guidelines to contractors tasked with building systems for its weapons programs. 

    As part of its so-called congressional watchdog duties, the GAO found that Defense Department weapons programs are failing to consistently incorporate cybersecurity requirements into contract language.
    For instance, three out of five contracts reviewed by the GAO had no cybersecurity requirements written into the contract language when they were awarded, with only vague requirements added later. And out of the four military service branches, only the Air Force has a record of issuing service-wide guidance on cybersecurity requirements in contracts. 
    The GAO points out that the lack of clear cybersecurity guidance is problematic because defense contractors are only responsible for meeting terms that are written into a contract. In other words, if it’s not in the contract, it’s not getting built into the system.
    As part of its recommendations, the GAO said that tailored cybersecurity requirements must be clearly defined in acquisition program contracts. The GAO also said the Defense Department should establish criteria for accepting or rejecting contracted work and for how the government will verify that requirements were met. 
    The Defense Department has a vast network of sophisticated weapons systems that need to withstand cyberattacks in order to function when required. But the DOD also has a documented history of finding mission critical security vulnerabilities within those programs due to what the GAO says is a lack of focus on weapon systems cybersecurity. 
    A GAO report from 2018 found that the DOD has historically focused its cybersecurity efforts on protecting networks and traditional IT systems. Since that report, the DOD has reportedly taken steps to make its network of high-tech weapon systems less vulnerable to cyberattacks.

    “As we reported in 2018, DOD had not prioritized weapon systems cybersecurity until recently, and was still determining how best to address it during the acquisition process,” the report stated. “The department had historically focused its cybersecurity efforts on protecting networks and traditional IT systems, but not weapon systems, and key acquisition and requirements policies did not focus on cybersecurity. As a result, DOD likely designed and built many systems without adequate cybersecurity.”

    Singapore Airlines frequent flyer members hit in third-party data security breach

    Data belonging to 580,000 Singapore Airlines’ frequent flyer members has been compromised in a cybersecurity attack that originally hit air transport communications and IT vendor SITA. The incident marks the second time in a week that an airline has reported a data breach, which also appears to be the result of the attack targeting SITA.
    While not a customer of SITA, Singapore Airlines (SIA) had shared a “restricted” set of data as a member of the Star Alliance group, the airline said in a statement late-Thursday. This was necessary to facilitate verification of membership tier status and provide customers of other member airlines the relevant benefits while they travelled. 
    Such data would reside on the passenger service systems of member airlines, SIA said. The national carrier did not specify when it was informed by SITA about the breach, which impacted the latter’s passenger service system servers. 

    One member of Star Alliance had used this SITA system. The international airline alliance has 26 members, including Air Canada, United Airlines, and Lufthansa. 
    Affected SIA customers were members of its KrisFlyer as well as its higher-tier PPS frequent flyer programme, the airline said, adding that compromised data was limited to the membership number and tier status, though there were some instances in which the membership name also was illegally accessed.
    The data leakage was relatively contained because these were the only details shared with the Star Alliance group. 
    “Specifically, this data breach does not involve KrisFlyer and PPS member passwords, credit card information, and other customer data such as itineraries, reservations, ticketing, passport numbers, and email addresses,” the Singapore carrier said. “We would also like to reassure all customers that none of SIA’s IT systems have been affected by this incident.”

    On its part, SITA released a statement on its website confirming the security breach was the result of “a highly sophisticated attack”. 
    It said it ascertained the “seriousness” of the incident on February 24, after which it took “immediate action” to inform all affected customers. Adding that it deployed “targeted” containment measures, SITA said its security incident response team was investigating the breach alongside external cybersecurity experts. 
    In an email response to ZDNet’s questions, a SITA spokesperson declined to say when the breach was first discovered internally prior to the February 24 notification, citing “tactical and security reasons”. She reiterated that investigations and forensic work were ongoing, and was unable to confirm how compromised systems were infiltrated. 
    She also would not reveal which other organisations were impacted by the breach or the types of data that were compromised, as SITA was still in the process of informing all affected parties.
    She did, however, point to several airlines that already had reached out to their customers and made public statements confirming they were affected by the data breach. These included Jeju Air, Finnair, and Malaysia Airlines, she said. 
    This indicated that SITA was involved in a breach reported earlier this week that affected Malaysia Airlines’ Enrich frequent flyer members. While it had yet to make a public statement on the security incident, the airline told Enrich members it was the result of an attack that targeted a third-party IT service provider, which it did not name. 
    In its note, which offered scant details of the breach, Malaysia Airlines said compromised information had included date of birth and contact information between the period of March 2010 and June 2019. 
    In her response to ZDNet, the SITA spokesperson clarified that this timeframe referred to the date during which the compromised data was registered. It did not refer to the length of the window of compromise, which she revealed to be less than a month. 
    According to SITA, the vendor has 2,800 customers including airlines, airports, and government agencies. Pre-pandemic, 146 million passengers used its in-flight mobile service, it said. 

    Ransomware as a service is the new big problem for business

    Ransomware as a service is proving effective for cyber criminals who want a piece of the cyber-extortion action but without necessarily having the skills to develop their own malware, with two out of three attacks using this model.
    Ransomware attacks are still proving extremely lucrative, with the most well-organised gangs earning millions per victim, so many cyber criminals want to cash in – but don’t have the ability to code and distribute their own campaigns.

    That’s where ransomware as a service (RaaS) comes in, with developers selling or leasing malware to users on dark web forums. These affiliate schemes provide low-level attackers with the ability to distribute and manage ransomware campaigns, with the developer behind the ransomware receiving a cut of each ransom victim’s pay for the decryption key.
    Researchers at cybersecurity company Group-IB have detailed that almost two-thirds of ransomware attacks analysed during 2020 came from cyber criminals operating on a RaaS model.
    Such is the demand for ransomware as a service, that 15 new ransomware affiliate schemes appeared during 2020, including Thanos, Avaddon, SunCrypt, and many others.
    Competition among ransomware developers can even lead to the authors providing special deals to wannabe crooks, which is more bad news for potential victims.

    “Affiliate programs make this kind of attack more attractive for cybercriminals. The tremendous popularity of such attacks made almost every company, regardless of their size and industry, a potential victim,” Oleg Skulkin, a senior digital forensics analyst at Group-IB, told ZDNet.
    “Companies had to provide their employees with the capability to work remotely and we saw an increase in the number of publicly accessible RDP servers. Of course, nobody thought about security and many of such servers became the points of initial access for many ransomware operators,” said Skulkin.
    However, despite the success of ransomware attacks and RaaS schemes, it’s possible to help protect against falling victim to them with a handful of cybersecurity procedures – including avoiding the use of default passwords and limiting public access to RDP.
    “RDP-related compromise can easily be mitigated with the help of some simple but efficient steps like the restriction of IP addresses that can be used to make external RDP connections or setting limits on the number of login attempts within a certain period of time,” said Skulkin.
    Organisations can also help protect the network from ransomware and other attacks through multi-factor authentication, which limits the access an attacker can gain if they do breach an account, while applying security patches as soon as possible after release prevents criminals from exploiting known vulnerabilities.
    All of this can help prevent organisations from falling victim to ransomware attacks in the first place – and cut off the need to pay ransoms and encourage ransomware schemes.
    “As long as companies pay ransoms, determined only by attackers’ appetite, such attacks will continue to grow in numbers and scale and are likely to become more sophisticated,” Skulkin concluded.
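    The two RDP controls Skulkin describes, an allow-list of source addresses for external RDP connections and a cap on failed logon attempts, applied on a standalone Windows host with PowerShell. This is an added example, not code from the article or from Group-IB; the management subnet 203.0.113.0/24 is a constructed placeholder.

```powershell
# Added example (not from the article): scope inbound RDP to an allow-listed
# management range and enable account lockout, then verify the result.
# Run from an elevated PowerShell session.
$AllowedSources = @('203.0.113.0/24')   # constructed placeholder: your VPN / jump-host range

# 1. Disable the built-in "Remote Desktop" allow rules (they accept any source)
#    and add one rule scoped to the allow-list. Do NOT add a separate "block
#    port 3389" rule: Windows Firewall evaluates block rules before allow
#    rules, so it would also block the management range.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'RDP - management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# Make sure unsolicited inbound traffic is dropped by default on every profile,
# so the scoped rule above is the only way in on 3389.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Limit logon attempts: lock the account for 30 minutes after 5 failures
#    inside a 30-minute window. On a domain member the domain policy takes
#    precedence, so set the equivalent values in Group Policy there instead.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Verify: list every enabled inbound allow rule that touches TCP 3389 and
#    warn if any of them is still reachable from 'Any' remote address.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($remote -join ', ') }
    }
$rdpRules | Format-Table -AutoSize

$unscoped = $rdpRules | Where-Object { $_.RemoteAddress -eq 'Any' }
if ($unscoped) {
    Write-Warning "RDP is still reachable from any address via: $($unscoped.Rule -join ', ')"
} else {
    Write-Host "RDP inbound rules are scoped to: $($AllowedSources -join ', ')"
}
```

    The lockout values are a starting point; pair them with the multi-factor authentication and prompt patching the article also recommends rather than treating them as sufficient on their own.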