More stories


    Data leak implicates over 200,000 people in Amazon fake product review scam

    An open database has revealed the identities of over 200,000 individuals who appear to be involved in Amazon fake product review schemes. 

    There is an ongoing battle between the e-commerce giant and dubious sellers, worldwide, who wish to hamstring competitors and gain an edge by generating fake reviews for their products. This can include paying individuals to leave a glowing review or offering free items in return for positive, public feedback.

    How they operate and stay under Amazon’s radar varies, but an open ElasticSearch server has exposed some of the inner workings of these schemes.

    On Thursday, Safety Detectives researchers revealed that the server, public and online, contained 7GB of data and over 13 million records appearing to be linked to a widespread fake review scam.

    It is not known who owns the server, but there are indicators that the organization may originate from China, due to messages written in Chinese that were leaked during the incident.

    The database contained records involving roughly 200,000 – 250,000 users and Amazon marketplace vendors, including user names, email addresses, PayPal addresses, links to Amazon profiles, and both WhatsApp and Telegram numbers, as well as records of direct messages between customers happy to provide fake reviews and traders willing to compensate them.

    According to the team, the leak may implicate “more than 200,000 people in unethical activities.”

    The database, and the messages contained therein, revealed the tactics used by dubious sellers. One method is for vendors to send a customer a link to the items or products they want 5-star reviews for, and the customer then makes a purchase. Several days later, the customer leaves a positive review and sends a message to the vendor, leading to payment via PayPal — which may be a ‘refund,’ while the item is kept for free.

    As refund payments are kept away from the Amazon platform, it is more difficult to detect fake, paid reviews.

    The open ElasticSearch server was discovered on March 1, but it has not been possible to identify the owner. However, the leak was noticed and the server was secured on March 6.

    “The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors,” the researchers said. “What’s clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.”

    Amazon’s community and review guidelines do not allow vendors to review their own products or offer a “financial reward, discount, free products, or other compensation” in return for positive reviews — and this includes through third-party organizations. However, as Amazon is a prominent online marketplace, it is likely that some vendors will continue to try and abuse review systems to bolster their revenue.

    “We want Amazon customers to shop with confidence knowing that the reviews they read are authentic and relevant,” an Amazon spokesperson commented. “We have clear policies for both reviewers and selling partners that prohibit abuse of our community features, and we suspend, ban, and take legal action against those who violate these policies.”


    Ransomware: There's been a big rise in double extortion attacks as gangs try out new tricks

    There’s been a big rise in the number of ransomware gangs that threaten to release information stolen from the victims if they don’t pay the ransom for the decryption key required to restore their network.

    The idea behind these ‘double extortion’ ransomware attacks is that even if the victim organisation believes it can restore its network without giving in to the ransom demands of cyber criminals – which regularly cost millions of dollars in Bitcoin – the threat of sensitive information about employees or customers being exposed could still push victims to give in to the blackmail and pay the ransom.

    Even then, there’s no guarantee that the cyber criminals behind the ransomware attack will delete the stolen data – they could exploit it down the line, or sell it on to other crooks on dark web forums.

    These attacks have become extremely successful – and lucrative – for cyber criminals, and cybersecurity researchers at ZeroFox have tracked the activity of over two dozen dark web leak sites associated with ransomware attacks over the past year, as more and more cyber-criminal groups move towards this form of extortion.

    The ransomware gangs that are most successful with double extortion attacks are those that first adopted it in their attacks, such as REvil, Maze, NetWalker, and DoppelPaymer, but others have followed in their footsteps and are finding plenty of success in 2021.

    Groups like Conti and Egregor have become most prolific over the course of this year – with the report pointing out how the latter group has allegedly gained success by recruiting members of other ransomware gangs, including Maze, which supposedly shut down in November last year.

    The recruitment of authors of other ransomware operations indicates how this particular type of malware has developed into a competitive market. Much like legitimate software companies, groups want to hire the best people to ensure that their product is as successful as possible – unfortunately, in this case, success comes at the cost of innocent victims who find their networks have been encrypted by a ransomware attack.

    But it isn’t just threats to leak data now: the report points out how some ransomware groups are launching Distributed Denial of Service (DDoS) attacks against victims, overwhelming what remains of the network with traffic to the extent that it isn’t usable – and leveraging that as an additional method of forcing the victim to pay up.

    Ultimately, double extortion techniques have become so common amongst ransomware gangs because the attacks work, and many organisations are unfortunately giving in to ransom demands as cyber criminals in this space get more persistent and more aggressive.

    For organisations, the best way to avoid having to make a decision over paying cyber criminals in the hope they don’t publish their stolen data online is for their network to be secure enough to prevent cyber criminals from being able to get in to start with.

    Cybersecurity procedures that can stop cyber criminals from infiltrating the network in the first place include applying security patches as soon as possible, so attackers can’t exploit known vulnerabilities, and deploying two-factor authentication across all users, so that if attackers do breach an account, it’s difficult for them to move laterally around the network.


    Ryuk ransomware finds foothold in bio research institute through student who wouldn’t pay for software

    Security researchers have provided insight into how a single student unwittingly became the conduit for a ransomware infection that cost a biomolecular institute a week’s worth of vital research.

    In a report due to be published on Thursday, Sophos described the case, in which the team was pulled in to neutralize an active cyberattack on a biomolecular facility in Europe.

    Sophos found that Ryuk ransomware had made its way onto the facility’s network, and set out to determine how the infection took place.

    Ryuk is a prolific form of malware that is constantly evolving. The Ryuk family, including new strains equipped with worm-like capabilities and the ability to self-propagate over networks, encrypts networks and files, locking victims out of their systems until a ransom payment is made.

    According to AdvIntel and HYAS, the operators behind Ryuk are estimated to have generated over $150 million in profit from their victims, with payments often made in Bitcoin (BTC).

    While the name of the biomolecular institute has not been disclosed, the European organization is involved in the life sciences and research related to COVID-19. The institute works closely with local universities and collaborates with students in some projects.

    It was a student, unfortunately, that proved to be the unwitting conduit for the Ryuk infection.

    The student was on the hunt for a free version of a data visualization software tool which would have cost them hundreds of dollars per year if licensed. After posting on a forum asking for a free alternative, the student eventually elected to find a cracked version instead.

    As cracked software — modified to remove elements such as trial expiration dates or the need for a license — is deemed suspicious, antivirus software will usually flag and block its execution.

    In this case, Windows Defender triggered, and so the student disabled the software as well as their firewall.

    However, instead of launching the software they wanted, the executable loaded a Trojan which was able to harvest the student’s access credentials to the biomolecular institute’s network. In hindsight, in what was an unwise decision, the research institute allowed students to use their personal devices to access its network via remote Citrix sessions.

    13 days after the student executed the ‘cracked’ software, a remote desktop protocol (RDP) connection was registered by the institute, using the student’s credentials, under the name “Totoro” — an anime character from a 1988 film.

    “A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely,” Sophos says. “This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection.”

    The team believes that access to the institute was sold on in an underground market, and the RDP connection may have been made in order to test access.

    It was 10 days after this connection was made that Ryuk was deployed on the network, costing the institute a week of research data as backups were not fully up-to-date. In addition, system and server files had to be “rebuilt from the ground up,” according to the researchers, before the institute could resume normal working activity.

    “This is a cautionary tale of how an end user’s security misjudgement can leave an organization exposed to attack when there are no solid security policies in place to contain the mistake,” commented Peter Mackenzie, manager of Rapid Response at Sophos. “In this instance, the target was at risk the moment the external user clicked the ‘install’ button for a cracked copy of a software tool that turned out to be pure malware. […] The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker.”



    Security researchers found 21 flaws in this widely used email server, so update immediately

    The maintainers of the widely-used Exim email server are urging admins to update to Exim version 4.94.2 due to 21 newly disclosed security flaws. “All versions of Exim previous to version 4.94.2 are now obsolete. The last 3.x release was 3.36. It is obsolete and should not be used,” the University of Cambridge-backed project said in an update. 

    “This is a security release,” the project adds, referring to fixes for 21 flaws that can be exploited by anyone over the internet.

    The new Exim release addresses security flaws reported by researchers at security firm Qualys.

    The bugs are a potentially major threat to internet security given that nearly 60% of internet servers run Exim mail transfer agent (MTA) software, which is by far the most widely used email server. As Qualys points out, IoT search engine Shodan returns 3.8 million results for Exim servers exposed on the internet, of which two million are located in the US. Exim is so widely deployed in part because it often ships as the default email server with popular Linux distributions like Debian.

    “Exim Mail Servers are used so widely and handle such a large volume of the internet’s traffic that they are often a key target for hackers,” said Bharat Jogi, a senior manager of the vulnerability and threat research unit at Qualys.

    “The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system – allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts, and change sensitive settings on the mail servers.”

    Jogi urged admins — many of whom run Exim servers at ISPs, government agencies, and universities — to apply the patches “immediately” given the breadth of the attack surface for these vulnerabilities.

    Such flaws have been rapidly exploited in the past: a previous remote code execution flaw in Exim that was patched in mid-2019 was also discovered by researchers at Qualys. The NSA eventually revealed that attackers had been exploiting the flaw, tracked as CVE-2019-10149, within two months of its public disclosure.

    The NSA warned in June 2020 that a hacking group known as Sandworm, within Russia’s intelligence service, GRU, had been exploiting the Exim flaw since at least August 2019. That bug’s impact is the same as the 21 newly disclosed vulnerabilities. The NSA said the attackers exploited the bug on victims’ public-facing MTAs by sending a specially crafted command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. Victims would then automatically download and execute a shell script from a domain controlled by the Sandworm group.

    MTAs are an attractive target for attackers because they’re generally exposed on the internet. Qualys has posted a blog detailing each of the 21 bugs and says its researchers have developed exploits to obtain full root privileges.

    The company reported an initial set of bugs to Exim maintainers on 20 October, 2020 and provided 26 patches to Exim.

    CVE             Description                                              Type
    CVE-2020-28007  Link attack in Exim’s log directory                      Local
    CVE-2020-28008  Assorted attacks in Exim’s spool directory               Local
    CVE-2020-28014  Arbitrary file creation and clobbering                   Local
    CVE-2021-27216  Arbitrary file deletion                                  Local
    CVE-2020-28011  Heap buffer overflow in queue_run()                      Local
    CVE-2020-28010  Heap out-of-bounds write in main()                       Local
    CVE-2020-28013  Heap buffer overflow in parse_fix_phrase()               Local
    CVE-2020-28016  Heap out-of-bounds write in parse_fix_phrase()           Local
    CVE-2020-28015  New-line injection into spool header file (local)        Local
    CVE-2020-28012  Missing close-on-exec flag for privileged pipe           Local
    CVE-2020-28009  Integer overflow in get_stdinput()                       Local
    CVE-2020-28017  Integer overflow in receive_add_recipient()              Remote
    CVE-2020-28020  Integer overflow in receive_msg()                        Remote
    CVE-2020-28023  Out-of-bounds read in smtp_setup_msg()                   Remote
    CVE-2020-28021  New-line injection into spool header file (remote)       Remote
    CVE-2020-28022  Heap out-of-bounds read and write in extract_option()    Remote
    CVE-2020-28026  Line truncation and injection in spool_read_header()     Remote
    CVE-2020-28019  Failure to reset function pointer after BDAT error       Remote
    CVE-2020-28024  Heap buffer underflow in smtp_ungetc()                   Remote
    CVE-2020-28018  Use-after-free in tls-openssl.c                          Remote
    CVE-2020-28025  Heap out-of-bounds read in pdkim_finish_bodyhash()       Remote
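    The advice in the story is to get every Exim host to 4.94.2 or later. The script below is an added example, not code from ZDNet, Qualys or the Exim project: it parses the first line of `exim -bV` output (the sample outputs embedded in it are constructed) and flags any build older than 4.94.2, the cut-off the maintainers give above. The parsing and the comparison are my own; the only facts taken from the article are the version number and the statement that every earlier release, including all 3.x releases, is obsolete.

```python
"""Flag Exim builds older than the 4.94.2 security release.

Added example (not from the article or the Exim project). It reads the
version line that `exim -bV` prints, e.g.
    Exim version 4.94.2 #2 built 01-May-2021 09:30:00
and compares it with 4.94.2, the release the article says fixes the
21 flaws. Sample outputs below are constructed for the demonstration.
"""
import re
import subprocess
from typing import Optional, Tuple

# From the article: "All versions of Exim previous to version 4.94.2 are
# now obsolete", so anything that compares lower than this tuple is flagged.
FIXED_VERSION: Tuple[int, int, int] = (4, 94, 2)

# Major.minor with an optional patch component ("4.94" is read as 4.94.0).
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `exim -bV` text, or None if absent."""
    match = _VERSION_RE.search(bv_output)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_vulnerable_version(version: Tuple[int, int, int]) -> bool:
    """True when the version predates 4.94.2 (tuple comparison is lexicographic)."""
    return version < FIXED_VERSION


def check_host(bv_output: str) -> str:
    """Produce a one-line verdict for one host's `exim -bV` output."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "UNKNOWN: could not parse an Exim version string"
    label = ".".join(str(part) for part in version)
    if is_vulnerable_version(version):
        return f"OUTDATED: Exim {label} is older than 4.94.2; update"
    return f"OK: Exim {label} is at or above 4.94.2"


def run_local_check() -> str:
    """Run `exim -bV` on this machine, if Exim is installed, and report."""
    try:
        completed = subprocess.run(
            ["exim", "-bV"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "UNKNOWN: exim binary not found or did not respond"
    return check_host(completed.stdout)


# Constructed sample outputs mimicking the first line `exim -bV` prints.
SAMPLE_OUTPUTS = [
    "Exim version 4.92 #3 built 12-Jun-2019 11:00:00\nCopyright (c) University of Cambridge",
    "Exim version 4.94.2 #2 built 01-May-2021 09:30:00",
    "Exim version 3.36 #1 built 01-Jan-2002 00:00:00",
    "sh: exim: command not found",
]

if __name__ == "__main__":
    for sample in SAMPLE_OUTPUTS:
        print(check_host(sample))
    print(run_local_check())
```

    One caveat for anyone running this across a fleet: distributions such as Debian commonly backport security fixes without bumping the upstream version, so an "OUTDATED" verdict from the version string alone should be confirmed against the package changelog before treating the host as unpatched.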


    ACIC believes there's no legitimate reason to use an encrypted communication platform

    The Australian Criminal Intelligence Commission (ACIC) believes there is no legitimate reason for a law-abiding member of the community to own or use an encrypted communication platform.

    “These platforms are used almost exclusively by SOC [serious and organised crime] groups and are developed specifically to obscure the identities of the involved criminal entities and enable avoidance of detection by law enforcement,” the ACIC declared. “They enable the user to communicate within closed networks to facilitate highly sophisticated criminal activity”.

    The comments were made in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) as part of its inquiry into the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020. It told the committee it intends to use the powers extended to the ACIC under the Bill to focus efforts on understanding and gathering intelligence on SOC groups who are using encrypted communication platforms to conceal their criminal activities.

    The Bill, if passed, would hand the Australian Federal Police (AFP) and ACIC three new computer warrants for dealing with online crime. The first of the warrants is a data disruption one; the second is a network activity warrant; and the third is an account takeover warrant.

    The ACIC said the Bill would allow it, through the collection, assessment, and dissemination of criminal intelligence and information, to inform national strategies to address transnational serious and organised crime.

    “To deliver on this purpose, the powers and capabilities of the ACIC must keep pace with technological trends and emerging threats to ensure the agency is able to adequately tackle serious cyber-enabled crime and sophisticated criminal groups using encrypted platforms,” it said. “The agency must be enabled to support law enforcement outcomes to protect Australians against the most sophisticated and high-threat actors, who increasingly utilise advanced communications technologies to mask their criminal activities.”

    According to the ACIC, the disruption, intelligence collection, and account takeover powers contained within the Bill complement the agency’s existing powers by providing new avenues to gather information and respond to serious crime occurring online and to criminals using dedicated encrypted communication platforms.

    “The measures in the Bill are grounded in the principle that the powers granted by Parliament to the agencies charged with enforcing the criminal law should not be eroded by advances in technology,” it wrote. “The Bill is designed to provide the ACIC and AFP with the ability to protect the Australian community from harms online in the same way they protect Australians in the physical world.”

    The ACIC believes the Bill addresses gaps in current electronic surveillance powers. Network activity warrants provided by the Bill will “immediately transform the ACIC’s ability to discover and understand serious criminal groups using the Dark Web and encrypted communication platforms to undertake and facilitate serious crimes”.

    “Currently, while the ACIC might be able to detect criminal behaviour on a hidden website or computer network, we cannot identify all the individuals participating in the criminal behaviour,” it explained. “For this reason, we require the ability to target and infiltrate the network, or class of computers, in which the crime is occurring so the members of the criminal group can be identified and the full nature and extent of the criminality can be detected through the collection of intelligence.”

    Data disruption warrants, meanwhile, would enable the ACIC to interfere with the data held on online criminal networks or devices, in order to frustrate the commissioning of serious criminal offences. “This will be particularly powerful in the context of disrupting criminal activity which is largely occurring online,” it wrote.

    Lastly, account takeover warrants, it said, would allow the agency to take control of an online account in conjunction with other investigatory powers, labelling it an “efficient method for agencies to infiltrate online criminal networks”. “This will play a crucial role in uncovering the identities of otherwise anonymous criminals, as well as gathering evidence of the initiation and commissioning of serious offences online, including on the Dark Web and where encrypted communication platforms are in use,” it said.


    REvil ransomware to blame for UnitingCare Queensland's April attack

    After revealing late last month it had fallen victim to a cyber incident, UnitingCare Queensland has now named REvil/Sodin as the gang behind the attack.

    The organisation, which provides aged care, disability supports, health care, and crisis response services throughout the state, suffered the attack on Sunday, 25 April 2021.

    In a statement issued a few days later, UnitingCare said its systems were still hurting. On Wednesday, it said some of the organisation’s systems have since been inaccessible. The organisation also pointed the blame at REvil/Sodin as the source of the attack.

    “We can confirm that the external group claiming responsibility for this incident has identified themselves as REvil/Sodin,” it said. “With the assistance of leading experts and advisors, we are conducting a thorough investigation into whether patient, client, resident or employee information has been breached.”

    “This investigation is continuing and we will continue to keep the people we care for updated in this regard, in addition to employees, regulators, and other stakeholders.”

    The REvil (Sodinokibi) ransomware gang has been active for quite a while, dwarfing any other similar ransomware operations. Run as a Ransomware-as-a-Service (RaaS), the REvil gang rents its ransomware strain to other criminal groups.

    The figure demanded of UnitingCare has not been disclosed, but it was reported in March that Taiwanese giant Acer was struck by REvil ransomware, with the culprits demanding $50 million from the company.

    “Since the incident occurred, as part of our business continuity plan, back-up and downtime procedures have been in place to ensure continuity of our clinical and care services, and these procedures have been working very well,” UnitingCare said.

    It said at this point in time, there is no evidence that the health and safety of its patients, residents, or clients has been in any way compromised as a result of the attack.

    “As soon as we became aware of the incident, we engaged the support of leading external technical and forensic advisors. We also notified the Australian Cyber Security Centre of the incident and are continuing to work closely with them to investigate it,” UnitingCare added. “Since the outset of the incident, we have been in pro-active regular contact with all relevant regulatory and government departments.”

    Last year, the Australian Cyber Security Centre (ACSC) issued an alert to aged care and healthcare providers, notifying them of recent ransomware campaigns targeting the sector.

    “Cybercriminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks,” the ACSC wrote. “This is because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care. A significant ransomware attack against a hospital or aged care facility would have a major impact.”

    Data breach notification to the Office of the Australian Information Commissioner became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018.

    Since the mandate, the private health sector has been the most affected sector. The latest NDB report shows no change, with health accounting for 123 of the total 519 notifications in the six months to December 2020.


    Justice Department seizes fake COVID-19 vaccine website stealing info from visitors

    A fake COVID-19 vaccine website stealing visitors’ data has been shut down by the Justice Department, according to the U.S. Attorney’s Office for the District of Maryland.

    The people behind “freevaccinecovax.org” made the website look like it belonged to a biotechnology company working on the vaccine for COVID-19, but it actually was being used by cybercriminals for “fraud, phishing attacks, and/or deployment of malware.”

    The site now has a large banner saying it has been seized by the federal government.

    “This is the ninth fraudulent website seeking to illegally profit from the COVID-19 pandemic that we have seized,” Acting U.S. Attorney Jonathan Lenzner said in a statement.

    Lenzner noted that the website is one of thousands that have popped up since the pandemic began in early 2020. Cybercriminals have leveraged the fear and interest around COVID-19 to propagate a variety of scams or efforts to spread malware. Lenzner added that the government is “providing the vaccine free of charge to people living in the United States” and that no one should ever click on anything offering the vaccine for sale.

    The affidavit filed in court by the Justice Department says the scam was initially uncovered by the HSI Intellectual Property Rights Center and the HSI Cyber Crimes Center. The website was allegedly created from an IP address in Strasbourg, Germany but was registered in Russia, according to the Justice Department.

    It was created on April 27 and the site’s homepage featured the logos of a number of well-known healthcare organizations like the World Health Organization, Pfizer, and the United Nations High Commissioner for Refugees. The website asked visitors to enter their location and then automatically downloaded a PDF file that users could fill out and upload. It is unclear how many people visited the site and filled out the PDF.

    Eric Howes, principal lab researcher at cybersecurity firm KnowBe4, said both the domain itself and the operation associated with it illustrate just how useful the COVID-19 pandemic has been for malicious actors looking to cash in on other people’s misery. A bogus vaccine website offers bad actors a wide range of potential social engineering schemes, Howes explained, from offers of free access to vaccine supplies to bogus investment schemes.

    “COVID-19 has been the gift that keeps on giving for fraud artists over the past year,” Howes said. “While authorities are to be lauded for shutting down this domain, one wonders how many more of them pushing similar fraudulent schemes are out there on the internet. Dozens? Hundreds? Thousands? Moreover, how long will it be before the parties behind this operation simply set up another domain and continue their operations?”


    Americans turn to VPNs to prevent online fraud and hacking

    Since March 2020 there has been an increase in VPN (Virtual Private Network) discount-related searches as Americans look for a way to feel secure online, according to a new report.


    New York, NY-based coupon engine CouponFollow, part of NextGen Shopping, surveyed 1,666 US adults before the pandemic and a further 1,834 US adults in February 2021 to understand how Americans view their internet security and data privacy.

    The report showed that almost seven in ten (69%) Americans are concerned about the security of their data when using public Wi-Fi, and nearly two in three (64%) are worried about it when using the internet at home. A similar percentage (65%) are concerned that their medical or financial data might be shared — or sold on — by their ISP.

    Online privacy worries almost half (47%) of Americans, who are concerned about their privacy when using public Wi-Fi. Nearly a third (30%) worry about their privacy even when using the internet at home.

    Online fraud and hacking are a concern for Americans, with over one in three (35%) knowing someone who has had their social media account hacked or hijacked — themselves included. Almost half of Millennials (48%) reported this happening.

    In October 2020 the UK’s data privacy watchdog fined the Marriott hotel chain for a data breach that could have affected up to 339 million guests. Even social media sites like Facebook have suffered data leaks.

    One in three have had, or know someone who has had, their password stolen, and 52% of Millennials and Gen Z reported the same. Only 12% of Baby Boomers reported having their password stolen, and one in five (20%) had a social media account hacked or hijacked — reflecting the amount of time they spend online.

    Although one in three (35%) Americans use a VPN, 33% reported that they do not know what a VPN is. Men are more likely to know what a VPN is, but almost half of Baby Boomers (49%) do not know what a VPN is. Even two in five (40%) of VPN users do not understand what the term VPN means.

    Using the internet at work does not seem to elicit the same level of concern. This could be due to the levels of antivirus and firewall protections that their employer has implemented on their devices, or perhaps to the type of sites that people browse on their work devices. Here, less than one in three (32%) are worried about their security, and less than one in five (18%) are concerned about their privacy when browsing the web from a work device.

    Over one in ten (12%) started to use a VPN in 2020, and one in five (21%) installed a VPN to enable them to work from home. Up to 35% of Americans already use a VPN for anonymous browsing (45%), work access (45%), or for shopping online (21%). Only 12% use it for torrenting or P2P file sharing.

    As hacking attempts and breaches grow, Americans have good reason to be cautious. Parler’s data leak exposed millions of posts as 70TB of data was scraped from the platform, and the ParkMobile app data breach exposed data from 21 million users. Being ultra-careful online will be the only way to avoid being a victim of the next breach.