More stories

    New cybercrime tool can build phishing pages in real-time

    A cybercrime group has developed a novel phishing toolkit that changes the logos and text on a phishing page in real time to match the targeted victim.
    Named LogoKit, this phishing tool is already deployed in the wild, according to threat intelligence firm RiskIQ, which has been tracking its evolution.
    The company said it already identified LogoKit installs on more than 300 domains over the past week and more than 700 sites over the past month.
    The security firm said LogoKit relies on sending users phishing links that contain their email addresses.
    “Once a victim navigates to the URL, LogoKit fetches the company logo from a third-party service, such as Clearbit or Google’s favicon database,” RiskIQ security researcher Adam Castleman said in a report on Wednesday.
    “The victim email is also auto-filled into the email or username field, tricking victims into feeling like they have previously logged into the site,” he added.
    “Should a victim enter their password, LogoKit performs an AJAX request, sending the target’s email and password to an external source, and, finally, redirecting the user to their [legitimate] corporate web site.”
    Image: RiskIQ

    Castleman said LogoKit achieves this with only an “embeddable set of JavaScript functions” that can be added to any generic login form or more complex HTML document.
    This is different from standard phishing kits, most of which need pixel-perfect templates mimicking a company’s authentication pages.
    The kit’s modularity lets LogoKit operators target any company they want with very little customization work and mount tens or hundreds of attacks a week against a wide-ranging set of targets.
    RiskIQ said that over the past month, it has seen LogoKit being used to mimic and create login pages for services ranging from generic login portals to false SharePoint portals, Adobe Document Cloud, OneDrive, Office 365, and several cryptocurrency exchanges.
    Because LogoKit is so small, the phishing kit doesn’t always need its own complex server setup, as some other phishing kits need. The kit can be hosted on hacked sites or legitimate pages for the companies LogoKit operators want to target.
    Furthermore, since LogoKit is a collection of JavaScript files, its resources can also be hosted on trusted public services like Firebase, GitHub, Oracle Cloud, and others, most of which are whitelisted inside corporate environments and trigger few, if any, alerts when loaded inside an employee’s browser.
    RiskIQ said it is tracking this new threat closely because of the kit’s simplicity, which the security firm believes improves its chances of a successful phish.
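A defensive detection example, added here and not part of RiskIQ’s report or of the LogoKit code: it walks constructed proxy log lines looking for the two-step pattern the article describes, a client opening an unfamiliar page through a URL that carries an email address, followed shortly by a request for that address’s domain logo from Clearbit or Google’s favicon service. The service hostnames and paths, the allowlist of the organisation’s own login portals (`login.example.com`), and the log format are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote

# Loose email pattern, good enough to spot an address carried in a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Hostnames/paths for the third-party logo sources named in the report.
# The exact endpoints are assumptions made for this example.
CLEARBIT_LOGO_HOST = "logo.clearbit.com"
GOOGLE_FAVICON_HOST = "www.google.com"
GOOGLE_FAVICON_PATH = "/s2/favicons"

# Hypothetical: the organisation's own login portals, where an email in
# the URL is expected (e.g. SSO pre-fill) and must not raise an alert.
ALLOWED_HOSTS = {"login.example.com"}

# Constructed proxy log lines: "<ISO timestamp> <client IP> <URL>".
SAMPLE_LOG = """\
2021-01-28T09:00:01 10.0.0.5 https://docs-share-view.example.net/login.html#alice@acme-corp.example
2021-01-28T09:00:03 10.0.0.5 https://logo.clearbit.com/acme-corp.example
2021-01-28T09:05:10 10.0.0.7 https://login.example.com/?user=bob%40acme-corp.example
2021-01-28T09:05:11 10.0.0.7 https://www.google.com/s2/favicons?domain=acme-corp.example
2021-01-28T09:10:00 10.0.0.9 https://news.example.org/article
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, client, url)."""
    ts, client, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, url.strip()


def embedded_email(url):
    """Return an email address carried anywhere in the URL (path, query or
    fragment, percent-encoded or not), or None."""
    match = EMAIL_RE.search(unquote(url))
    return match.group(0) if match else None


def is_logo_fetch(url):
    """True if the request goes to one of the logo/favicon services LogoKit uses."""
    parts = urlsplit(url)
    if parts.hostname == CLEARBIT_LOGO_HOST:
        return True
    return parts.hostname == GOOGLE_FAVICON_HOST and parts.path.startswith(GOOGLE_FAVICON_PATH)


def find_logokit_style(lines, window=timedelta(seconds=30)):
    """Flag clients that opened an unknown page via a URL carrying an email
    address and, within `window`, fetched a logo for that address's domain."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    pending = defaultdict(list)  # client -> [(ts, landing_url, email)]
    alerts = []
    for ts, client, url in events:
        host = urlsplit(url).hostname
        email = embedded_email(url)
        if email and host not in ALLOWED_HOSTS and not is_logo_fetch(url):
            pending[client].append((ts, url, email))
            continue
        if is_logo_fetch(url):
            wanted = unquote(url).lower()
            for seen_at, landing, landing_email in pending[client]:
                domain = landing_email.split("@", 1)[1].lower()
                if ts - seen_at <= window and domain in wanted:
                    alerts.append({"client": client, "landing": landing,
                                   "email": landing_email, "logo": url})
    return alerts


if __name__ == "__main__":
    for alert in find_logokit_style(SAMPLE_LOG):
        print(f"[LogoKit-style] {alert['client']} opened {alert['landing']} "
              f"(prefilled {alert['email']}) then loaded {alert['logo']}")
```

On the sample log only the first client is flagged: the second client hits an allowlisted portal before the favicon request, so the same logo fetch is treated as benign. The heuristic deliberately keys on the correlation between the email domain in the landing URL and the domain in the logo request, since either request on its own is common traffic.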

    Google says iOS privacy summaries will arrive when its apps are updated

    Image: Apple
    It has been over a month since Apple began publishing privacy summaries in all of its app stores across iOS, iPadOS, macOS, watchOS, and tvOS, with developers now required to answer a questionnaire when submitting an app or update. One tech giant, however, has been a conspicuous exception and has provided no new information to users: Google.
    In a blog post on Wednesday, Google said it would supply information to Apple when its apps are updated.
    “As our iOS apps are updated with new features or bug fixes, you’ll see updates to our app page listings that include the new App Privacy Details,” Google Ads group product manager Christophe Combette wrote.
    Also due to arrive for users of Apple’s ecosystem is a new app tracking permission prompt appearing when apps want to track users, such as accessing an advertiser identifier (IDFA), which arrived as part of iOS 14.
    On this point, Google has not quite worked it all out yet.
    “When Apple’s policy goes into effect, we will no longer use information (such as IDFA) that falls under ATT [App Tracking Transparency] for the handful of our iOS apps that currently use it for advertising purposes. As such, we will not show the ATT prompt on those apps, in line with Apple’s guidance,” Combette said.
    “We are working hard to understand and comply with Apple’s guidelines for all of our apps in the App Store.”

    Google said the ATT changes, due in the next iOS beta release, will lower the amount of data advertisers can access, such as ad conversion data, and app publishers could see “significant impact” to ad revenue on iOS.
    “We’re working with the industry to give Apple feedback on how to further improve SKAdNetwork so advertisers can measure their campaign results accurately on iOS 14,” he said.
    “We also encourage advertisers to monitor the performance and delivery of all iOS App campaigns closely and, if necessary, make adjustments to budgets and bids to achieve their goals.”
    On Thursday, Apple took a swipe at the ad industry with its A Day in the Life of your Data report, which said apps, on average, had six trackers from other companies that “have the sole purpose of collecting and tracking people and their personal information”, and the industry collects $227 billion in revenue each year.
    “Privacy means peace of mind, it means security, and it means you are in the driver’s seat when it comes to your own data,” Apple senior vice president of software engineering Craig Federighi said in a statement.
    “Our goal is to create technology that keeps people’s information safe and protected. We believe privacy is a fundamental human right, and our teams work every day to embed it in everything we make.”
    Earlier on Thursday, the Australian Competition and Consumer Commission added to its list of historically questionable decisions by proposing Australia adopt a common transaction ID.
    “Industry should implement a common system whereby each transaction in the ad tech supply chain is identified with a single identifier which allows a single transaction to be traced through the entire supply chain. This should be done in a way that protects the privacy of consumers,” it wrote.

    519 data breach notifications include 33 from Australian government entities

    Australian entities covered by the Privacy Act reported 519 instances of data breaches in the six months to December 2020, a 5% increase from the first half of the year.
    Data breach notification to the Office of the Australian Information Commissioner (OAIC) became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018.
    Since the mandate, health has been the most affected sector; the latest report [PDF] shows no change, with health accounting for 123 notifications, followed by finance with 83 notifications. The Australian government entered the top five sectors for the first time, accounting for 6% of the total, with 33 notifications.
    The Privacy Act 1988 covers most Australian government agencies; it does not cover a number of intelligence and national security agencies, nor does it cover state and local government agencies, public hospitals, and public schools.
    Breaking down the government sector’s notifications, human error was to blame for 29, two stemmed from a malicious or criminal attack, one was attributed to a “cyber incident”, and the remaining one to social engineering/impersonation.
    The “cyber incident” was confirmed as a brute-force attack on the unnamed entity.

    The most common type of human error to blame for the government’s notifications was personal information being sent to the wrong recipient. Failure to redact was to blame for five notifications.
    In total, malicious or criminal attacks, including cyber incidents, remained the leading source of data breaches, accounting for 58% of all notifications — 310 breaches. Data breaches resulting from human error accounted for 38% of notifications, at 204. System faults accounted for the remaining 25 breaches notified.
    “While it is possible that this increase is linked to changed business and information handling practices resulting from remote working arrangements, the OAIC is yet to identify any information or incidents that conclusively prove a link,” the office said, pointing to COVID-19 stay at home measures and the uptick of human error-related breaches.
    91% of data breaches notified under the NDB scheme from July to December 2020 involved contact information, such as an individual’s home address, phone number, or email address.
    Data breaches resulting from social engineering or impersonation accounted for 34 notifications. Actions taken by a rogue employee or insider threat accounted for 35 notifications, up from 23, and theft of paperwork or storage devices resulted in 29 notifications.
    23% of all notifications received by the OAIC involved malicious actors gaining access to accounts using compromised or stolen credentials, with email-based phishing the most common method.
    “This confirms that email-based vulnerability is one of the greatest risks to information security facing organisations,” the report says. “The human factor is an important element in an organisation’s overall information and cybersecurity posture, given these attacks rely on a person clicking on a phishing link.”
    68% of data breaches affected 100 individuals or fewer, but one of the notifications affected over 10 million individuals.
    August saw 208 notifications made, and November only 62.
    The OAIC also said it received a number of notifications during the reporting period that involved a managed service provider (MSP) hosting or holding data on behalf of one or more other entities.

    NSW running Data61 de-identification tool across COVID data prior to public release

    The New South Wales government has been using a tool to help de-identify data related to COVID-19 prior to the release of that data to the public, the CSIRO said on Thursday.
    The tool, dubbed Personal Information Factor (PIF), has been created by Data61, the NSW government, the Australian Computer Society, Cyber Security Cooperative Research Centre (CSCRC), and “several other groups”.
    “The privacy tool assesses the risks to an individual’s data within any dataset; allowing targeted and effective protection mechanisms to be put in place,” the CSIRO claimed.
    “The software uses a sophisticated data analytics algorithm to identify the risks that sensitive, de-identified and personal information within a dataset can be re-identified and matched to its owner.”
    NSW chief data scientist Dr Ian Oppermann said the tool was being used on datasets containing data on people who had been infected with COVID-19 before it was made publicly available.
    “Given the very strong community interest in growing COVID-19 cases, we needed to release critical and timely information at a fine-grained level detailing when and where COVID-19 cases were identified,” Oppermann said.
    “This also included information such as the likely cause of infection and, earlier in the pandemic, the age range of people confirmed to be infected.

    “We wanted the data to be as detailed and granular as possible, but we also needed to protect the privacy and identity of the individuals associated with those datasets.”
    Data61 said PIF assigns a risk score to a dataset and makes recommendations to make de-identification “more secure and safe”.
    The tool is also being used on other datasets such as domestic violence data and public transport usage, Data61 said.
    PIF will be made available by June 22.
    In a recent submission to a review of the Privacy Act, security researcher Vanessa Teague said de-identification does not work.
    “A person’s detailed individual record cannot be adequately de-identified or anonymised, and should not be sold, shared, or published without the person’s explicit, genuine, informed consent,” Teague said.
    “Identifiable personal information should be protected exactly like all other personal information, even if an attempt to de-identify it was made.”
    At the end of 2017, a team of academics, including Teague, was able to re-identify some of the data from a set containing historic longitudinal medical billing records on one-tenth of all Australians.
    “We found that patients can be re-identified, without decryption, through a process of linking the unencrypted parts of the record with known information about the individual such as medical procedures and year of birth,” Dr Chris Culnane said at the time.
    “This shows the surprising ease with which de-identification can fail, highlighting the risky balance between data sharing and privacy.”
    In September 2016, the same dataset was found by the University of Melbourne team to not be encrypting supplier codes properly. The dataset was subsequently pulled down by the Department of Health.
    “Leaving out some of the algorithmic details didn’t keep the data secure – if we can reverse-engineer the details in a few days, then there is a risk that others could do so too,” the team said at the time.
    “Security through obscurity doesn’t work — keeping the algorithm secret wouldn’t have made the encryption secure, it just would have taken longer for security researchers to identify the problem.
    “It is much better for such problems to be found and addressed than to remain unnoticed.”
    In response, the Australian government sought to criminalise the intentional re-identification and disclosure of de-identified Commonwealth datasets and reverse the onus of proof, with the aim of applying the changes retrospectively from 29 September 2016.
    The changes lapsed at the 2019 election.


    Facebook's Zuckerberg takes aim at Apple's privacy pitch, motives with iOS 14

    Facebook’s fourth quarter earnings conference call featured CEO Mark Zuckerberg calling out Apple’s iOS 14 moves, saying the iPhone maker was “one of our biggest competitors” and questioning motives.
    Yes folks, Facebook’s Zuckerberg went a little pro wrestling (at least for tech CEOs not named Larry Ellison) in his confrontation with Apple.
    Zuckerberg has a reason to be a bit bent out of shape. Facebook said its future results could be hurt by privacy changes in Apple’s iOS 14. Zuckerberg argued that Apple’s changes are aimed at benefiting iMessage and harm small businesses.
    Here are Zuckerberg’s comments in full:

    WhatsApp, and the direction that we’re heading in with Messenger, are the best private social apps available. Now we have a lot of competitors who make claims about privacy that are often misleading. Now Apple recently released so-called nutrition labels, which focused largely on metadata that apps collect rather than the privacy and security of people’s actual messages. But iMessage stores non-end-to-end encrypted backups of your messages by default unless you disable iCloud. So Apple and governments have the ability to access most people’s messages. So when it comes to what matters most, protecting people’s messages, I think that WhatsApp is clearly superior. Now since I try to use these earnings calls to discuss aspects of business strategy that I think are important for investors to understand, I do want to highlight that we increasingly see Apple as one of our biggest competitors. iMessage is a key linchpin of their ecosystem. It comes pre-installed on every iPhone, and they preference it with private APIs and permissions, which is why iMessage is the most used messaging service in the U.S. And now we are also seeing Apple’s business depend more and more on gaining share in apps and services against us and other developers. So Apple has every incentive to use their dominant platform position to interfere with how our apps and other apps work, which they regularly do to preference their own. And this impacts the growth of millions of businesses around the world including with the upcoming iOS 14 changes, many small businesses will no longer be able to reach their customers with targeted ads. Now Apple may say that they’re doing this to help people, but the moves clearly track their competitive interests. And I think that this dynamic is important for people to understand because we and others are going to be up against this for the foreseeable future. Now our messaging services continue growing, but it is an uphill battle, and our services just need to be that much better as private social platforms to succeed.

    Facebook operating chief Sheryl Sandberg noted that Facebook will find ways to amplify stories about small businesses worried about Apple’s iOS changes.
    Apple CEO Tim Cook didn’t address Facebook by name but did stick to the company’s pitch on privacy. Cook said:

    Tomorrow is International Privacy Day, and we continue to set new standards to protect users’ right to privacy, not just for our own products but to be the ripple in the pond that moves the whole industry forward. Most recently, we’re in the process of deploying new requirements across the App Store ecosystem that give users more knowledge about and new tools to control the ways that apps gather and share their personal data.

    US and Bulgarian authorities disrupt NetWalker ransomware operation

    Image: McAfee, ZDNet
    Law enforcement agencies from Bulgaria and the US this week disrupted the infrastructure of NetWalker, one of 2020’s most active ransomware gangs.

    Bulgarian officials seized a server used to host dark web portals for the NetWalker gang, while officials in the US indicted a Canadian national who allegedly made at least $27.6 million from infecting companies with the NetWalker ransomware.
    The seized servers were used to host pages where victims of NetWalker attacks were redirected to communicate with the attackers and negotiate ransom demands.
    The same server also hosted a blog section where the NetWalker gang would leak data stolen from hacked companies that refused to pay the ransom demand — as a form of revenge and public shaming.

    Image: ZDNet
    Details about the Canadian national indicted today are not yet available beyond his name and residence — Sebastien Vachon-Desjardins, of Gatineau.
    Vachon-Desjardins is currently believed to be an “affiliate,” a person who rented the ransomware code from the NetWalker creator.
    This type of business is called Ransomware-as-a-Service, or RaaS, and is a common setup employed by many ransomware gangs today.

    Prior to today’s takedown, NetWalker operated through topics posted on several underground forums by a user named Bugatti. This user advertised the ransomware’s features and looked for “partners” (aka affiliates) that would breach corporate networks, steal data to be used as leverage during negotiations, and install the ransomware to encrypt files.
    If victims paid, Bugatti and the affiliate would split the ransom payments according to a pre-negotiated agreement.
    According to US authorities, NetWalker has impacted at least 305 victims from 27 different countries, including 203 in the US.

    Image: Chainalysis
    A report from McAfee published in August 2020 claimed the NetWalker ransomware operation earned more than $25 million from ransom payments from March to July 2020 alone — a number that has gone up, as the gang continued to operate until today’s takedown.
    In a report published today, blockchain analysis firm Chainalysis updated that figure to more than $46 million for the entire 2020, putting NetWalker in the year’s top 5 grossing ransomware strains, next to Ryuk, Maze, Doppelpaymer, and Sodinokibi.

    Image: Chainalysis
    The same Chainalysis report also claims that Vachon-Desjardins also worked as an affiliate for other ransomware gangs, such as Sodinokibi, Suncrypt, and RagnarLocker.
    Besides charging the Canadian national, the US DOJ also said it managed to seize $454,530.19 in cryptocurrency believed to be linked to ransom payments made by three past NetWalker victims.
    The NetWalker disruption also comes on the same day that Europol and its partners announced a takedown of the Emotet botnet.

    Authorities plan to mass-uninstall Emotet from infected hosts on April 25, 2021

    Updated on January 28 to correct the date from March 25 to April 25. The error in interpreting the date was discovered by Malwarebytes earlier today. The original article, with the corrected date, is below.
    Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on April 25, 2021, ZDNet has learned today.

    The update was made possible after law enforcement agencies from across eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered today’s largest malware botnet.
    While servers were located across multiple countries, Dutch officials said that two of three of Emotet’s primary command and control (C&C) servers were located inside its borders.
    Dutch police officials said today they used their access to these two crucial servers to deploy a booby-trapped Emotet update to all infected hosts.
    According to public reports, also confirmed by ZDNet with two cyber-security firms that have historically tracked Emotet operations, this update contains time-bomb-like code that will uninstall the Emotet malware on April 25, 2021, at 12:00 local time on each computer.

    Last chance to audit networks
    “The technical disruption that the Dutch police detailed in their press release, if it works as they described, will effectively reset Emotet,” Binary Defense senior director Randy Pargman told ZDNet today in an online chat.

    “It forces the threat actors behind it to start over and attempt to rebuild from scratch, and it gives IT staff at companies around the world a chance to locate and remediate their computers that have been infected,” Pargman added.
    Currently, the Europol takedown prevents the Emotet gang from selling access to Emotet-infected computers to other malware gangs, a tactic the Emotet gang has been known for.
    But Emotet hosts where cybercrime gangs have already bought access remain at risk.
    Pargman is now urging companies to take advantage of this time window until April 25 to investigate internal networks for the presence of the Emotet malware and see if other gangs used it to deploy other threats.
    After Emotet uninstalls itself on April 25, such investigations will be harder to carry out.
    Arrests in Ukraine
    Since ZDNet’s early coverage of the Emotet takedown, Ukrainian police officials have also come out to announce they arrested two individuals who they believe were tasked with keeping Emotet’s servers up and running.
    A video of the arrests and apartment searches is available below.
    [embedded content]
