More stories


    Social media's problem isn't bias, it's advertising. And that we can fix.

    Remember when we all thought the internet would miraculously make the world better? That was then, and now we know the truth: bad people still do bad things. They just do it on the internet.
    The ad-driven dynamic of commercial social media makes it profitable to drive outrage. Thoughtful and fact-based dialog is the first casualty.
    Furthermore, automation has made it profitable to give each user a view of the world that maximizes involvement, without any sense of proportion or reality. The baseless Q fantasies are a case in point.

    The Q delusions exploit defects in human information processing. At a more general level, our social media giants exploit the same defects to sell ads, without giving us the social contact we crave, especially in a pandemic.
    Underneath the neighborly and family content are social network algorithms designed to drive users to more extreme content. Facebook in particular has repeatedly failed to control hateful, false, and dehumanizing content.
    Why should they? It may be bad for civilization, but it’s great for the bottom line.
    There is another way
    There are alternatives, but we need more.

    Decades ago advocates for non-commercial broadcasting prevailed upon the government to help fund a national, ad-free network. Today, the Public Broadcasting Service, National Public Radio, C-SPAN, and a plethora of independent, non-profit, listener-supported radio and TV stations provide an alternative, for those who want one, to the 20 minutes of advertising every hour on commercial TV. Some 80 percent of US households tune in annually.
    Why not a public, not-for-profit, social network? One whose algorithms would not push ever more extreme content. Where advertisers couldn’t micro-target you. That would refer users to multiple trustworthy sources and original documents on contentious issues.
    In short, a social network where civility, facts, and reason would be valued and encouraged. And cat videos.
    Yes, this wouldn’t be nearly as involving as the popular social networks are today. That’s the point.
    Historical examples
    Societies have faced highly addictive and damaging social trends before. It happens all the time.

    When industrial scale distilleries made potent alcohol cheap in the 1730s, alcoholism and its evils soared, as memorably noted by William Hogarth. When TV was young, Fred Rogers, shocked by the low standard of children’s programs, began a program fondly remembered by millions of Americans.
    Some problems can be solved. Others can only be managed. Social networks – and alcohol – are the latter, and must be managed, but not only by government. Competition from a non-profit will give those who want to keep up with friends and family a safe space to do so.
    Funding
    Money is the easy part. Social media and tech firms would endow a foundation with $10 billion to create and manage the new social network. Why would they do that? Because it would relieve the pressure to regulate themselves, and reduce the cry for censorship coming from politicians.
    The network could generate income from individual donors, corporate sponsorships and the sale of subscriptions to private online sources. And coffee cups!
    The take
    Human beings are flawed, and always will be. And we will always be exploited by bad actors. That’s why we have regulations.
    But regulations are just one tool, one that wealthy industries are adept at dodging. A non-profit social network is another way to – softly – rein in the excesses of ad-driven social networks. Let’s not ask our government to regulate online speech.
    Instead, let’s give people a non-commercial alternative to Facebook, Twitter, and Instagram, just as we have for commercial broadcasting. And then let them choose the service they want.
    Comments welcome. I was on Facebook briefly years ago. When I saw how they operated I left it and have never been tempted to return.


    Remote work readiness gives Singapore firms cybersecurity anxiety

    Organisations in Singapore are facilitating remote work arrangements amidst the global pandemic, but doing so has left more than half of them feeling anxious that they are now more susceptible to cyber attacks. They believe companies should urge employees to be more mindful about cybersecurity and the business consequences of an attack.
    Some 97% of businesses in Singapore currently have employees who work from home, a figure higher than that of their counterparts in Australia and Hong Kong, according to a study commissioned by AT&T, which polled 500 IT decision makers across the three Asia-Pacific markets.
    Some 44% in Singapore had remote staff who were accessing corporate networks and data from personal devices, which was higher than the regional average of 35%.


    Their readiness to support a remote workplace, however, had left 58% of respondents in the city-state with concerns they were more vulnerable to cyber attacks. Some 12% of senior managers felt their organisations were not sufficiently prepared to manage a workforce that was shifting from the office to home. 
    Across the region, 91% said they were prepared to support a remote workforce, but 39% pointed to Wi-Fi networks as the biggest security concern. Another 38% cited cloud storage as a worry, while 36% had security concerns about email and 34% were anxious about new technologies such as 5G and Internet of Things. Some 32% highlighted remote devices as a security risk and 31% pointed to video conferencing tools.
    Bernard Yee, AT&T Business’ Asia-Pacific and Canada president, said: “The COVID-19 pandemic has created unprecedented opportunities for cybercriminals who are taking advantage of the fear and uncertainty surrounding the health crisis, along with the economic impact, which has caused massive shifts in IT environments exposing a wide range of vulnerabilities. 
    “These are incredibly challenging times for IT specialists to keep businesses up and running remotely, while protecting their most valuable assets,” Yee noted, adding that employees remained a central part of the vulnerabilities in the security chain. “The need for businesses to support remote working is likely to be the new normal, so it is critical for companies to train and educate staff about the risks and the importance of following good cybersecurity practices.”

    To mitigate security risks, 54% in Singapore believed organisations should share information about the nature and frequency of attacks to encourage their staff to be more mindful about cybersecurity. Employees also should be aware about the business consequences of cyber attacks. 
    Another 52% in the country called for more training while 46% said employees should be made aware of news reports to highlight the impact on businesses. 


    This new cyberattack can dupe DNA scientists into creating dangerous viruses and toxins

    A new form of cyberattack has been developed which highlights the potential future ramifications of digital assaults against the biological research sector.

    On Monday, academics from the Ben-Gurion University of the Negev described how “unwitting” biologists and scientists could become victims of cyberattacks designed to take biological warfare to another level. 
    At a time when scientists worldwide are pushing ahead with the development of potential vaccines to combat the COVID-19 pandemic, Ben-Gurion’s team says that it is no longer the case that a threat actor needs physical access to a “dangerous” substance to produce or deliver it — instead, scientists could be duped into producing toxins or synthetic viruses on their behalf through targeted cyberattacks.
    The research, “Cyberbiosecurity: Remote DNA Injection Threat in Synthetic Biology,” has been recently published in the academic journal Nature Biotechnology.
    The attack documents how malware, used to infiltrate a biologist’s computer, could replace sub-strings in DNA sequencing. Specifically, weaknesses in the Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA and Harmonized Screening Protocol v2.0 systems “enable protocols to be circumvented using a generic obfuscation procedure.”
    When DNA orders are made to synthetic gene providers, US Department of Health and Human Services (HHS) guidance requires screening protocols to be in place to scan for potentially harmful DNA. 

    However, it was possible for the team to circumvent these protocols through obfuscation, in which 16 out of 50 obfuscated DNA samples were not detected against ‘best match’ DNA screening. 
    Software used to design and manage synthetic DNA projects may also be susceptible to man-in-the-browser attacks that can be used to inject arbitrary DNA strings into genetic orders, facilitating what the team calls an “end-to-end cyberbiological attack.”
    The synthetic gene engineering pipeline offered by these systems can be tampered with in browser-based attacks. Remote hackers could use malicious browser plugins, for example, to “inject obfuscated pathogenic DNA into an online order of synthetic genes.”
    In a case demonstrating the possibilities of this attack, the team cited residue Cas9 protein, using malware to transform this sequence into active pathogens. Cas9 protein, when using CRISPR protocols, can be exploited to “deobfuscate malicious DNA within the host cells,” according to the team.
    For an unwitting scientist processing the sequence, this could mean the accidental creation of dangerous substances, including synthetic viruses or toxic material. 
    “To regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders which is currently the most effective line of defense against such attacks,” commented Rami Puzis, head of the BGU Complex Networks Analysis Lab. “Unfortunately, the screening guidelines have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.”
    A potential attack chain is outlined below:

    “This attack scenario underscores the need to harden the synthetic DNA supply chain with protections against cyber-biological threats,” Puzis added. “To address these threats, we propose an improved screening algorithm that takes into account in vivo gene editing.”



    Singapore gives non-banks access to e-payment platforms

    Eligible non-bank financial institutions in Singapore will soon have direct access to the country’s retail payment platforms, PayNow and FAST, which will enable e-wallet users to make funds transfers between bank accounts and across different e-wallets. Most e-wallets currently can be topped up only via credit or debit cards, and funds cannot be transferred between e-wallets.
    To plug this gap, a new API (application programming interface) payment gateway has been developed under guidelines from the Singapore Clearing House Association (SCHA) and Association of Banks in Singapore (ABS), both of which govern FAST and PayNow, respectively. The API is designed to better fit the technology architecture of banks and non-bank financial institutions, according to industry regulator Monetary Authority of Singapore (MAS). 

    FAST, or Fast and Secure Transfers, is an electronic funds transfer service that allows real-time funds transfers, in Singapore dollars, between entities, while PayNow — running on top of the FAST system — enables instant digital payments between accounts using a proxy, such as a mobile number, national identification number, or Unique Entity Number.
    According to MAS, more than 12.5 million FAST transactions were processed each month in the latest quarter ended September, with PayNow accounting for almost half of the monthly volume. 
    The move to provide direct access to non-bank institutions came more than a year after the regulator first announced plans to do so in September 2018. These institutions will need to be licensed under the Payment Services Act. 
    The new API was developed by a group of industry players comprising banks and non-bank financial institutions, including Citi Singapore, Deutsche Bank AG Singapore, Standard Chartered Singapore, Grab Financial Group, Liquid Group, Razer Fintech, and Singtel Dash. Grab and Razer are amongst several non-banks vying for a digital bank licence in Singapore, which is expected to unveil the winning bidders by year-end.
    With the API, organisations that collaborate with any of the 23 FAST or nine PayNow banks, including e-wallets that previously operated in closed-loop platforms, would be able to receive real-time payments from mobile banking apps or other e-wallets that planned to tap the two payment platforms.

    Effective from February 2021, the expansion of direct access to the payment platforms would enable businesses to access a wider consumer segment to receive real-time e-payments.
    MAS’ managing director Ravi Menon said: “Direct access by non-bank financial institutions to FAST and PayNow closes the last-mile gap in Singapore’s e-payments journey. Consumers who may not have ready access to debit or credit cards to fund their e-wallets will now have the option to do so directly through their bank accounts.
    “Our vision to enable complete real-time payments interoperability will now become a reality. Adoption of e-payments will become even more simple for individuals and businesses,” Menon added.
    ABS’ director Ong Ai-Boon noted that this marked the first time access to the two e-payment platforms had been opened to non-banks, with the aim to provide consumers greater convenience and options. “FAST and PayNow adoption rates have exceeded expectations and we are confident the addition of new players will help accelerate the national path towards a less-cash economy,” Ong said.


    Home Affairs wants to expand telco security reform notification requirements

    Under Australia’s Telecommunications Sector Security Reforms (TSSR), all carriers and nominated carriage service providers (C/NCSPs) are required to notify the Communications Access Coordinator (CAC) of proposed changes to their telecommunications systems or services if they become aware of any proposed changes that are likely to have a “material adverse effect” on their capacity to comply with security obligations.
    As of 30 June 2020, the Department of Home Affairs has received a total of 66 notifications. It told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) the notifications received from carriers to date represented the vast majority of the fixed-line and mobile telecommunications market in Australia.
    In its submission [PDF] to the PJCIS, Home Affairs suggested additional types of notices “with more nuanced language” to reflect various levels and types of risk and the urgency of adopting further mitigations.
    “Home Affairs notes that there has been some variation among C/NCSPs in their approach to the TSSR notification obligation. The obligation relies on self-determination by C/NCSPs of whether a proposed change warrants a notification, regardless of the guidance provided by Home Affairs,” it wrote.
    “There have been instances where Home Affairs has engaged with a carrier about a proposed change to their networks and subsequently recommended that the carrier submit a notification as it was Home Affairs’ view that the features and characteristics of the proposed change introduced significant risk.”
    Despite Home Affairs’ recommendations to these carriers, the department said they did not proceed to submit a formal notification, as in the carrier’s view, the proposed changes to their networks or facilities did not meet the carrier’s internal risk assessment thresholds for formal notification.

    “In the absence of a notification, government has no visibility of changes to networks or steps taken to mitigate risks and cannot provide advice,” Home Affairs said.
    The PJCIS is currently conducting a statutory review of the operation of Part 14 of the Telecommunications Act 1997 to the extent that it was amended by the Telecommunications and Other Legislation Amendment Act 2017 (TSSR).
    The reforms passed in September 2017 and commenced exactly one year later, establishing a regulatory framework for managing the national security risks of Australia’s telecommunications networks and facilities.
    Home Affairs said telecommunications networks and facilities, and the carriers and CSPs that own or operate them, are attractive targets for espionage, sabotage, and foreign interference activity by state and non-state actors.
    “TSSR is a principles-based framework that formalises the good faith engagement between Home Affairs and Australia’s telecommunications sector to better manage national security risks to telecommunications networks,” the department says.
    The TSSR introduced four key elements: Security obligation, notification obligation, information gathering power, and a directions power.
    Home Affairs said amending the Act to allow it to request notification about a proposed change, including in circumstances where a C/NCSP has internally determined that it need not notify, would ensure that any changes to telecommunications networks and systems do not introduce national security risks.
    Amending the Act to give Home Affairs the ability to impose conditions, including conditions relating to the use of entities in the supply chain, or require a C/NCSP to take specific action would help to mitigate identified risks with a proposed change, the department said. It explained this would ensure the conditions or mitigations are implemented and appropriate for the lifecycle of the change. 
    In making this statement, the department noted amendments to include a formal mechanism that requires the C/NCSP to continue to engage with Home Affairs after conditions or mitigations have been imposed.
    The department also flagged the requirement for C/NCSPs to have in place a security capability plan that can demonstrate they are meeting their baseline security requirements as another potential TSSR enhancement.
    This is tackled in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which seeks to amend the Security of Critical Infrastructure Act 2018 to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure”.
    “Noting that telecommunications remains a key sector of critical infrastructure, the [positive security obligation (PSO)], if applied to the telecommunications sector … could replace the current security capability plan provision,” Home Affairs said.
    Further enhancements were listed under the directions powers, which grant the Minister for Home Affairs the power to issue a written direction to a C/CSP not to use or supply, or to cease using or supplying, a carriage service if, after consulting the Prime Minister and the Minister for Communications, Cyber Safety and the Arts, the minister considers the proposed use or supply of the carriage service is or would be prejudicial to security.
    “The directions powers are considered to be appropriate last resort mechanisms. However, the graduated powers that will be available under the [Protecting Critical Infrastructure and Systems of National Significance] reforms, should they be passed by Parliament, would assist to provide options for government to address risks that are of a lower order,” it said.
    “Graduated powers being designed under the … reforms could extend the positive security obligation that includes risk management planning obligations which would allow government to indicate where telecommunications entities may need to take steps to address risks in their supply chains without resorting to the directions power.”
    Telstra used its submission [PDF] to the PJCIS to highlight its support of the use of the existing TSSR framework and that it believes there will be significant benefits in using it to meet the government’s objectives of strengthening the existing security of critical infrastructure framework.
    It asked for the informal engagement model to be legislated into the TSSR and that formal notifications be used as a last resort mechanism where entities fail to engage with government.
    Telstra also recommended that the information gathering and direction powers under the TSSR remain in place and be carried into the sector-specific rules under the proposed Critical Infrastructure and Systems of National Significance reforms.
    “Whilst this regime has not been tested, the safeguards and guardrails were heavily negotiated during the TSSR implementation and should remain,” the telco said.
    Global cybersecurity firm Palo Alto Networks also submitted [PDF] its opinion to the committee, asking the PJCIS look at ways to “encourage and incentify ISPs and telcos to maintain constant real-time visibility across traffic passing through their networks and be able to detect and stop cybersecurity threats in real time within that traffic for all customers”.
    It also noted the merits of adopting a clean pipes solution to protect the nation from cyber threats and make it a less attractive target to adversaries.


    A Bluetooth revamp touted to fix Australia's COVIDSafe app connectivity flaws

    The federal government has updated COVIDSafe, Australia’s COVID-19 contact tracing app, this time touting that the changes will significantly improve its capability.
    The app will incorporate a new Herald Bluetooth protocol, Minister for Government Services Stuart Robert said, explaining that this would offer “unparalleled app-level Bluetooth performance and contribute to better identification of potential close contacts”.
    A statement from Robert and Health Minister Greg Hunt said the Digital Transformation Agency (DTA) has been working with Apple and Google to incorporate the protocol into the COVIDSafe app. The statement also provided COVIDSafe Bluetooth encounter logging results, which demonstrated “excellent” status for all tests.
    The DTA said in May that 179 functional tests were conducted for the Apple iOS and Google Android versions of the COVIDSafe app prior to release and that requirements were met.
    “All tests satisfied the baseline design requirements,” the DTA said at the time. “Performance tests were also conducted against the technical requirements.”
    In June, however, it was revealed the DTA knew COVIDSafe had severe flaws. This was despite the app being sent out for public use on 26 April 2020. The revelation followed research that showed locked iPhones were practically useless when it came to logging encounters through COVIDSafe.

    This time around, the app is reporting that even locked iPhone to locked iPhone logs were recording “excellent” performance.

    Herald Bluetooth performance summary results as at 27 November 2020.
    Image: Australian government
    “The protocol provides for excellent performance of all encounter logging under all phone conditions and will continue to work on more than 96% of Apple and Android phones,” the ministers’ statement said. 
    The code for the update will be made available via Github to “enable the tech community an opportunity to provide feedback ahead of the release to the Apple App Store and Google Play Store”.
    “Australia’s technology capability and contact tracing systems are world-leading and we will be the first country in the world to adopt the Herald Bluetooth protocol, which has been shown to significantly improve our capability through the COVIDSafe App,” Robert said.
    “We are encouraging everyone interested to review the code, conduct their own testing, and provide their feedback.
    “We are also making this code available to other countries so they too can benefit from Australia’s world first technology implementation to help improve their digital response to managing COVID-19.”
    COVIDSafe was originally a rework of Singapore’s TraceTogether app.
    Australia’s tech community, however, has taken a different view.  
    “This is not ‘engaging with the tech community’. The code is not inspection quality, and despite numerous CVEs and serious issues raised, nobody I know was contacted or notified of this,” researcher Jim Mussared wrote on Twitter.
    Mussared originally said the DTA had retrofitted the existing BlueTrace-based system into Herald, meaning the server-side implementation hadn’t changed. He later clarified that the copied and modified Herald code has extra COVIDSafe-specific bits to make it work.
    “So the different versions have at least some level of backwards compatibility,” he said.
    One of the current issues with COVIDSafe is that it only identifies a handful of cases and manual contact tracing efforts have proved to be more reliable.
    During Senate Estimates last month, the Department of Health revealed that despite there being a total of 27,554 confirmed cases of COVID-19 in Australia, only 17 were picked up using COVIDSafe without the use of manual contact tracing.
    “When used as part of state and territory contact tracing efforts, the COVIDSafe app has proven to assist in identifying close contacts not picked up through manual tracing,” the ministers’ statement continued. 
    “New South Wales successfully accessed the COVIDSafe app to identify 80 close contacts, including 17 contacts that weren’t identified by manual contact tracing.
    “In Victoria, it has been reported that 1,851 cases have said they have the App and are now using it as part of their contact tracing process.”
    During a hearing held in early August by the COVID-19 Select Committee, Secretary of the Department of Health Dr Brendan Murphy said that health services in Victoria were feeling “so pressured” that they decided to not use the COVIDSafe app.
    It was later confirmed that DHHS had told the Department of Health on July 16 that it had paused using COVIDSafe app data, citing concerns that using the app’s data would conflict with its obligations under privacy laws. On August 1, it recommenced using the COVIDSafe app data.
    With Victoria moving out of its second phase of lockdown restrictions, the state government on Monday announced businesses could now access a free QR code service to keep a record of visitors.
    Similar to what has been in place in NSW for months, the Victorian QR system will rely on visitors scanning a QR code using their smartphone camera to check in. Failing that, users will be directed to download the Service Victoria app to complete check-ins.
    “All data collected through the Victorian government QR code is securely stored, protecting customers from on-selling of contact details. Data will be deleted after 28 days unless it is specifically requested by the Department of Health and Human Services for contact tracing purposes,” the government said in a statement.
    Following the state government announcement, Australian cybersecurity firm Pure Security raised concerns with QR code-based information collection.
    “Many QR codes are simple links to websites and documents with the express purpose of recording the details and have little focus on security,” Pure Security acting head of advisory Jason Plumridge said.
    “I have seen QR links that combine the submission of details along with marketing checkboxes which in my view is not appropriate.
    “Businesses should be rightly concerned with the security controls around data privacy implemented by the QR providers and deserve to have assurance that only persons with a right to access that data (i.e. contact tracers) have the ability to do so.”


    Password leak exposes millions of Covid-19 patients in Brazil

    Personal details of millions of Brazilians infected with Covid-19 have been exposed after passwords to systems from the Ministry of Health (MoH) were openly published online, it has been revealed.
    According to Brazilian newspaper O Estado de S.Paulo, the passwords were published on code hosting platform GitHub by an employee from Albert Einstein Hospital, one of the main private healthcare organizations in Brazil. The hospital collaborates with the Ministry on projects under a cooperation between the public and private sector for the national advancement of healthcare.
    In addition, the report noted that as many as 16 million patients across the public and private healthcare system had their data exposed, since notification of suspected and confirmed Covid-19 cases is mandatory for all hospitals. None of the institutions have confirmed the exact number of records that were accessible as a result of the leak.

    The leak has exposed details including address details, as well as previous medical history and social security numbers of citizens and senior politicians including president Jair Bolsonaro and at least seven other ministers and 17 state governors and leaders of the Lower House of Congress and Senate.
    Also according to the report, the spreadsheet with the passwords remained available for nearly a month. The story added that with that information, it was possible to access two key federal government systems, which record notifications of suspected and confirmed Covid-19 cases and another with hospital admissions for Acute Respiratory Syndrome conditions, which include Covid-19.
    The Ministry of Health said in a statement that its IT department had “immediately revoked all access to the logins and passwords that were contained in the [leaked] spreadsheet”. It added that the hospital had informed the MoH that it had started a fact-finding process about the incident.

    “The hospital’s cyber security team is taking all measures to contain a possible leak of files containing login and password to access system information via Elastic Search”, it noted.
    According to the statement, the file containing the passwords has been deleted and potential websites or cyberspaces where the data may have been replicated are being tracked. The hospital also confirmed that the incident had been prompted by a human error by one of its employees rather than a system fault.
    Also according to the MoH, the databases “are not easy to access, since only login and password are not enough to reach the information contained in the databases – but a set of technical factors”.
    Consumer rights non-profit Idec has requested an investigation into the flaws in control and digital security measures currently in  place around the partnership between the hospital and the government to the Brazilian Prosecution Service.
    “Once again we are faced with serious security flaws that may have caused damage or even harm a large number of Brazilians. We see that not even a government system that stores health data, which should be an example by the nature of that information, is safe”, said Bárbara Simão, lawyer and specialist in digital rights at Idec. “This is another example that shows the need for both the public and private sectors to invest more to protect consumers.”
    In the document submitted to the Prosecution Service, Idec points out that “the seriousness of the incident displayed the lack of basic care in terms of the security of stored information”. Among the main points highlighted are the existence of a table with login details, usernames and employee passwords; the failure to enforce basic security measures such as two-factor authentication; and the fact that no other strict security criteria had been adopted, given the sensitivity of the data and the related exposure risks.
    Idec is also asking the federal prosecutors to request a description of the details of the partnership between the hospital and the federal government in relation to the handling of personal data, as well as information on the security policy adopted for data sharing and the measures taken to contain the leak and minimize damage to the affected citizens.
    The institute has also reinforced that both the Ministry of Health and the Albert Einstein Hospital must take the necessary measures to adapt the platforms and their policies to the general data protection regulations and consumer rights regulations, and that the federal administration should also establish a consistent and effective policy for the protection of personal data.


    A hacker is selling access to the email accounts of hundreds of C-level executives

    A threat actor is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world.

    The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in, ZDNet has learned this week.
    The threat actor is selling email and password combinations for Office 365 and Microsoft accounts, which he claims are owned by high-level executives occupying functions such as:
    CEO – chief executive officer
    COO – chief operating officer
    CFO – chief financial officer or chief financial controller
    CMO – chief marketing officer
    CTO – chief technology officer
    President
    Vice president
    Executive Assistant
    Finance Manager
    Accountant
    Director
    Finance Director
    Financial Controller
    Accounts Payables
    Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user’s role.

    The seller’s ad on Exploit.in
    Image via KELA
    A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.
    The source, who asked that ZDNet not use their name, is in the process of notifying the two companies, as well as two other companies for which the seller published account passwords as public proof that they had valid data to sell.
    These were login details for an executive at a UK business management consulting agency and for the president of a US apparel and accessories maker.

    Sample login provided by the seller as public proof
    Image via KELA

    The seller refused to share how he obtained the login credentials but said he had hundreds more to sell.
    According to data provided by threat intelligence firm KELA, the same threat actor had previously expressed interest in buying “Azor logs,” a term that refers to data collected from computers infected with the AzorUlt info-stealer trojan.
    Infostealer logs almost always contain usernames and passwords that the trojan extracts from browsers found installed on infected hosts.
    This data is often collected by the infostealer operators, who filter and organize it, and then put it on sale on dedicated markets like Genesis, on hacking forums, or they sell it to other cybercrime gangs.
    “Compromised corporate email credentials can be valuable for cybercriminals, as they can be monetized in many different ways,” KELA Product Manager Raveed Laeb told ZDNet.
    “Attackers can use them for internal communications as part of a ‘CEO scam’ – where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme; or, these credentials can also be exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion,” Laeb added.
    But, most likely, the compromised emails will be bought and abused for CEO scams, also known as BEC scams. According to an FBI report this year, BEC scams were, by far, the most popular form of cybercrime in 2019, having accounted for half of the cybercrime losses reported last year.
    The easiest way of preventing hackers from monetizing any type of stolen credentials is to use a two-step verification (2SV) or two-factor authentication (2FA) solution for your online accounts. Even if hackers manage to steal login details, those details are useless without the additional 2SV/2FA verifier.
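    The point made in both stories above, that a stolen username and password should not be enough on its own, is illustrated below with an added example that is not part of either article: a minimal login check that combines a salted password hash with a time-based one-time password (TOTP, as in RFC 6238) and refuses to accept the same code twice. The user record, its password, the account name and the shared secret are all constructed for the demonstration; the secret is the ASCII string from the RFC's own test vectors so the codes it produces can be checked against published values.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"); constructed demo value, not a real key.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


def match_totp(secret: bytes, code: str, at_time: float,
               step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter that produced `code`, or None.

    A window of +/-1 step tolerates clock skew between client and server;
    comparison is constant-time so timing does not leak digit matches.
    """
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return counter + delta
    return None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    salt = b"constructed-static-salt"               # demo only; use os.urandom(16) in practice
    return {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_counter": -1,                         # highest TOTP step already consumed
    }


# Constructed account; the password stands in for one bought on a forum.
USERS = {"ceo@example.invalid": make_user("correct horse battery staple", DEMO_SECRET)}


def login(username: str, password: str, code, at_time=None) -> str:
    """Authenticate with password + TOTP. Returns a status string rather than raising."""
    if at_time is None:
        at_time = time.time()
    user = USERS.get(username)
    if user is None:
        return "no_such_user"
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return "bad_password"
    if not code:
        return "mfa_required"                       # a leaked password alone stops here
    counter = match_totp(user["totp_secret"], code, at_time)
    if counter is None:
        return "bad_code"
    if counter <= user["last_counter"]:
        return "replayed_code"                      # same code seen twice inside the window
    user["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    # Times taken from the RFC 6238 test table so the codes are verifiable.
    print(totp(DEMO_SECRET, 59), totp(DEMO_SECRET, 1111111109))
    print(login("ceo@example.invalid", "correct horse battery staple", None, at_time=59))
    print(login("ceo@example.invalid", "correct horse battery staple", "287082", at_time=59))
    print(login("ceo@example.invalid", "correct horse battery staple", "287082", at_time=75))
```

    The replay check matters because a phished or shoulder-surfed code is valid for the whole skew window; remembering the last consumed time step closes that gap at no cost. A real deployment would also rate-limit attempts, since a six-digit code with a three-step window leaves one chance in roughly 333,000 per guess.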