    My stolen credit card details were used 4,500 miles away. I tried to find out how it happened

    On a Thursday back in February I was relaxing and watching TV when my evening was interrupted by the ping of a text message from my bank.
    “You will shortly receive an SMS to confirm recent activity on your card.”
    I was puzzled. I certainly hadn’t made any strange or unexpected purchases that day, so what was this about? About 30 seconds later, I received my answer in a second text message.
    It said my credit card details had been used less than a minute before to try to make a payment of £108 at a store with an unfamiliar name. 
    A quick search online revealed it to be a supermarket in the city of Paramaribo, Suriname – a small country on the north-eastern coast of South America, bordered by Brazil, Guyana and French Guiana. That’s quite a long way from my home in London, so I was pretty sure I hadn’t popped into that store to pick anything up in the last 60 seconds.
    The alert asked me to confirm the transaction by replying with ‘Yes’ or ‘No’. It did cross my mind that perhaps this was a double- or triple-bluff scam and that by responding to an unexpected text message, I would be making a big mistake. Just in case, I chose to phone the bank instead.
    They confirmed that yes, someone had attempted to use my card details over 4,500 miles away from London – but the attempted payment was blocked as suspicious, so no money was stolen. 
    I cancelled my card and ordered a new one, the recommended precaution once someone else has your details. But as a reporter I was left wondering: how did this happen?
    How was it that my card details were stolen, passed on to someone on the other side of the world and very nearly used at what looked to be a small retailer in Suriname?
    Credit cards are a solution – and part of the problem
    Debit and credit cards are a part of everyday life that we don’t think about, but not so long ago they would have felt like a strange concept to those using physical currency to buy things. The first UK credit card was issued in 1966, while the first debit card didn’t arrive in the UK until 1987.
    Now, there are over 51 million debit cardholders in the UK, accounting for 96% of adults, while over 32 million UK adults have a credit card. According to the trade association UK Finance, total spending on credit and debit cards accounted for over £800 billion during 2018, with over 20 billion transactions over the course of the year.
    Such is the increased popularity of using card payments – helped by online shopping and the ability to make contactless payments in stores – that it’s overtaken cash as the most common form of payment in the UK, and the number of card payments is still growing.
    We’re using them a lot more online, too. That makes it easier for all of us to buy all manner of goods and services, but it also means that crooks who have the details can use your account even while the physical card is safe in your pocket: an online purchase only requires the card number, expiry date and security code to be typed in (a card-not-present transaction), so the card itself never needs to be there.
    And the unfortunate truth is that crooks have access to a lot of credit card numbers, thanks to almost constant waves of data breaches from companies big and small.

     So how are cyber criminals gaining access to all this data, how do they trade it and just how big is this illicit underground economy?
    “It’s a really interesting question because it doesn’t have a clear answer. This sounds really Rumsfeldian but there are just unknown unknowns,” says Troy Hunt, creator of Have I Been Pwned?, a website that allows people to check if their email address, password or other personal data has been compromised in a breach. 
    Have I Been Pwned? currently contains data on almost 10 billion compromised accounts from over 450 websites and data dumps that have been released publicly by hackers – but that’s almost certainly just scratching the surface of the information that’s been stolen over the years, because there are many more data breaches where the data hasn’t been publicly dumped by the hackers.
    “We know there’s a huge amount of incidents, which have made the headlines, which aren’t in the system,” says Hunt. 
    There are also many more breaches at smaller companies which might not even make headlines, but could still involve the personal data of thousands of people being stolen. 
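    Hunt’s site is also where people check whether a password has turned up in a breach, and the way that check works without handing over the password is worth seeing in code. The following is an added example and is not code from Have I Been Pwned? or from this article: it implements the k-anonymity range query used by the Pwned Passwords API, where only the first five hex characters of the password’s SHA-1 are sent, the server returns the suffix and breach count of every hash sharing that prefix, and the match is made on the client. The range response here is constructed so the example runs offline (the count shown for "password" is made up); the real endpoint is https://api.pwnedpasswords.com/range/{prefix} and expects a User-Agent header.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed offline stand-in for the range endpoint. Each line is
# "<35-hex-char SHA-1 suffix>:<count>" for every known hash that shares the
# requested 5-char prefix. The suffixes are made up, except the one for
# "password" (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8), whose count
# here is also a constructed number rather than the live figure.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix). Only the 5-char prefix leaves the client, so the
    server learns one of 16**5 buckets, never the password or its full hash."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>
    (the real endpoint; deliberately not called here)."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the corpus, 0 if unseen.
    The suffix comparison happens client-side."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "abc"):
        n = breach_count(candidate)
        print(f"{candidate!r}: {('seen %d times' % n) if n else 'not in corpus'}")
```

    Swapping `offline_fetch_range` for a function that performs the HTTP GET is the only change needed to query the live service; the prefix/suffix split and the local comparison stay exactly as written.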
    Businesses need to be more careful with your data
    There are a number of ways criminals can steal data. 
    One classic example of this is point-of-sale (PoS) malware, which is malicious software that gets installed by gangs onto the PoS terminals that shops, restaurants, bars and other retailers use to take payments by card – a key part of almost any retail business.
    And it’s because they’re part of the furniture that many of these systems are so vulnerable: organisations forget they are computers that contain vulnerabilities and need to be updated. A business can go years without being aware that customer payment data was being copied and stolen every time a card was used.
    It’s possible to install malware onto PoS terminals physically but such systems can also be compromised across the corporate network itself as the result of a hacking campaign. 
    The attack might start with a phishing email aimed at unwary employees, or with a more technical approach targeting the network’s internet-facing remote access services, as a way to get onto the network and then move laterally to the PoS units to install the malware.
    This is possible because most PoS systems run on a version of Windows (typically an embedded or point-of-service edition), meaning the terminal is exposed to the same classes of attack as any other Windows device. And while most Windows systems on a network should be receiving regular security patches, it’s all too easy for the PoS terminal to be forgotten about.
    That was the case with the retailer Dixons Carphone, which had PoS malware installed on over 5,000 terminals between July 2017 and April 2018 and card information of more than five million customers being accessed by hackers. 
    A report by the Information Commissioner’s Office pointed to “systematic failures” in how the retailer safeguarded personal data and managed the security of its networks – including the failure to patch systems against known vulnerabilities.

    There are expectations that larger businesses will, for the most part, budget for IT security and upgrade the network when needed, but for smaller businesses that approach might not be as simple – yet they’re going to be targeted by hackers too, especially if they’re viewed as an easy target.
    “Change is hard for everybody, especially for small businesses. If that credit card terminal is working, do you want to spend hundreds to upgrade to a new system you have to learn to use? Businesses just want to be paid as normal,” says Kevin Lee, digital trust and safety architect at Sift, a payment-fraud prevention company.
    That’s why PoS malware remains so common – and potentially how my card details got stolen. But it’s far from the only way it could’ve occurred.
    Another common way card information is stolen is directly at ATMs. While it’s possible to install malware on cash machines remotely (after all, they’re mostly Windows PCs, and often running old versions of Windows at that), physically tampering with the device gives attackers an even simpler way to steal card details.
    In these skimming attacks criminals fit their own card-reading hardware over the real slot, letting them read the account data on the magnetic stripe, while a hidden camera or a fake keypad overlay captures the PIN. That gives them everything they need to make payments and withdrawals, or to collect the data and sell it on.
    “It’s entirely possible that you’ve used your card at an ATM and there’s been a skimmer that’s read your card and someone has figured out how to clone your card and sold it online. That’s entirely feasible – your card might not have been involved in a breach at all, but a skim,” says Leigh-Anne Galloway, head of commercial security research at Cyber R&D Lab.
    “There’s still a large amount of skimmers in circulation. They’re still pretty popular because they work.”
    Your data could be on an underground market
    In some cases, criminals will use stolen card information for themselves, simply using the details either to clone the card, or to make purchases online. But tying purchases made on a stolen card directly to their own identity is likely to risk getting them caught sooner rather than later.
    That’s why selling stolen card details online is the lower risk choice for crooks with large numbers of credit card details to sell. And with large scale data breaches so common, the cyber-criminal underground markets specialising in trading stolen information are extremely busy.
    “Cyber criminals are just looking for a way to monetise the data that they get and often it’s a lot more complicated than people realise. If you’re good at writing malware, but you don’t know what to do with credit card information, that’s why you’d turn to the underground,” says Liv Rowley, threat intelligence analyst at Blueliv. “Sometimes it’s clear following big-data breaches and they’re handed off,” she says.
    There are dozens of different card shops operating at any one time as criminals try to trade stolen details while staying out of sight of the law. Some stay in business for a long time, while others get shut down, either by law enforcement or by the operators themselves in an effort to avoid getting caught. One of the largest and most successful is Joker’s Stash, which at any one time lists millions of stolen card numbers and other personal details for sale.

    This particular shop also has ties to Fin7, a prolific hacking group that has stolen details of millions of cards from retailers, restaurants, casinos and others over the years. If Fin7 is behind a data breach, the details often turn up for sale on Joker’s Stash.
    Earlier this year, US authorities directly linked Fin7 to Joker’s Stash, among other carding forums, in an indictment following the arrest of Ukrainian nationals accused of being members of the hacking group.
    However, it doesn’t appear as if my details being stolen was related to any of these breaches – at least any that are in the public light – so what are the other options if it was stolen in a data breach?
    There are smaller carding forums where users turn up to sell data they’ve stolen, and potential buyers can barter to buy as many or as few as they’d like – sometimes details on a single stolen card can cost under a dollar. 
    In many cases, the process is completely automated and users can establish who can be trusted via the reviews that have been left by previous buyers – much like any other peer-to-peer online retail environment.
    “You don’t really need to interact with anyone, you just go there, search what you’re looking for and just buy it. It’s nice for cyber criminals because it’s a pain-free process,” says Rowley. The pain is felt, of course, by the victims instead.
    Two seconds that make all the difference
    It could be that my card details passed through a few different hands before ending up in South America, but why, of all places, was it a small supermarket where it looks as though a copy of the card was tried?
    Printing cards is a relatively simple process for criminals, and the physical tools they need to do it aren’t actually illegal. After all, plastic identity cards exist in many workplaces, and they need to be able to print them out, while it’s also possible to buy and use an embosser to punch raised bank details and personal information onto cards so they look like the real thing.
    “You’re a cyber criminal and you’ve bought this data, and it’s just raw numbers. You take that data, you take a plastic card and print out the correct bank information, you pop up the letters for the name and numbers that should be on it,” Rowley explains. “Then you write the information on the magnetic stripe and that should work,” she adds.
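    The “raw numbers” Rowley describes, and the data that PoS malware (see “Businesses need to be more careful with your data” above) copies out of a terminal’s memory on every swipe, are the two magnetic-stripe tracks. The following is an added example, not code from this article or from any of the companies quoted: it scans a byte buffer for ISO/IEC 7813 track 1 and track 2 records, the same pattern a RAM scraper hunts for and an analyst searches a memory dump for, masks the PAN and applies the Luhn check to drop false positives. The memory dump is constructed and the PAN is the standard test number 4111111111111111; the junk bytes and cardholder name are made up.

```python
import re
from typing import Dict, List

# Track 1 (ISO/IEC 7813): %B<PAN>^<SURNAME/FIRST>^<YY><MM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YY><MM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed stand-in for a PoS process memory dump: track data for the
# standard test PAN 4111111111111111 surrounded by junk, plus a near-miss
# that fails the Luhn check (the kind of false positive a scraper must skip).
SAMPLE_MEMORY = (
    b"\x00\x00POSApp.exe\x00approved\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?"
    b"\x00\x7f\xff\xfejunk\x00"
    b";4111111111111111=2512101123456789?"
    b"\x00;4111111111111112=2512101000000000?"
    b"\x00receipt printed\x00"
)


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first six) and last four, the PCI DSS display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_from_service_code(code: str) -> str:
    """First digit 2/6 means a chip is present, 1/5 means stripe only. A card
    known to carry a chip whose stripe now says '1' has had its track rewritten."""
    return {"1": "no chip", "2": "chip", "5": "no chip (national)",
            "6": "chip (national)"}.get(code[0], "unknown")


def scan_for_track_data(buf: bytes) -> List[Dict]:
    """Find track 1 and track 2 records in a buffer, PAN masked, Luhn checked."""
    hits: List[Dict] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "offset": m.start(), "track": 1, "pan_masked": mask_pan(pan),
            "name": m.group(2).decode(errors="replace"),
            "expiry": m.group(4).decode() + "/" + m.group(3).decode(),  # MM/YY
            "service_code": m.group(5).decode(),
            "chip": chip_from_service_code(m.group(5).decode()),
            "luhn_valid": luhn_ok(pan),
        })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({
            "offset": m.start(), "track": 2, "pan_masked": mask_pan(pan),
            "name": None,
            "expiry": m.group(3).decode() + "/" + m.group(2).decode(),  # MM/YY
            "service_code": m.group(4).decode(),
            "chip": chip_from_service_code(m.group(4).decode()),
            "luhn_valid": luhn_ok(pan),
        })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in scan_for_track_data(SAMPLE_MEMORY):
        flag = "" if h["luhn_valid"] else "  <- fails Luhn, probably not a real PAN"
        print(f"@{h['offset']:4d} track{h['track']} {h['pan_masked']} exp {h['expiry']} "
              f"svc {h['service_code']} ({h['chip']}){flag}")
```

    Run against a real memory image the same scan is a quick way to confirm that a terminal is holding clear-text track data at all (it should not be, once a transaction has completed), which is exactly what a scraper relies on.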
    For cyber criminals, the perfect place to test if these cards – and the bank details they’ve stolen – work is small retailers as they often don’t have sophisticated security in place.
    “Gas stations are a great place to test credit card numbers because you don’t have to deal with the gas attendant – you slide the card in and if it works you get a free tank of gas and keep going. If it doesn’t work, there’s no harm in trying. If it works at a gas station, it’s a green light to make larger transactions,” says Kevin Lee.
    There’s no way to find out what the person using my details was attempting to buy, but it’s likely if the transaction had gone through, they would have attempted to milk my bank account for much more than the £108. Fortunately, the attempt at using my card was almost immediately detected and stopped by the bank.
    “We have two seconds to make the decision. We would’ve decided in the first two seconds to decline that,” says Paul Davis, retail fraud director at the UK’s Lloyds Bank. 
    Lloyds Banking Group has 12 different systems to analyse transactions for unusual payments, and it works with external companies and Visa to examine the vast amount of payments which are made every single day. These systems need to find a balance between flagging potentially suspicious activity, while also not standing in the way of regular transactions.
    “The fraud engine will look at things like who you’re trying to pay, how much you’re paying them, have you ever made a payment like that before,” Davis explains – pointing out how the unexpected location of my payment that was attempted using my card likely played a role in identifying it as potentially suspicious.
    “I don’t know how many of our customers make transactions in Suriname – probably not many – so that’s more likely to flag an alert,” he says. 

    The location, combined with the merchant, the history of other transactions there – and whether they’re fraudulent or not – and the amount being paid all helps the bank come to a decision. And in this case, it correctly decided that the transaction was fraudulent – but these decisions have to be made quickly and without blocking genuine attempts at purchases.
    “The more data we have, the better this system is and the more likely we’ll stop more fraud and interrupt fewer genuine cases,” says Davis.
    In some cases, it’s easier to spot that attempts at fraud are happening, such as if criminals make lots of requests at once using sequential card numbers – indicating that they’re working their way down a list. In that case, attempted transactions for card numbers yet to be tested can be preemptively blocked.
    “If there’s a merchant we’ve never seen before and all of a sudden we get 10,000 payments with almost sequential numbers, or with a pattern, they stand out as being suspicious. We block those payments before it even gets to the fraud-detection engine,” Davis explains.
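    The pattern Davis describes, a burst of attempts with near-sequential card numbers at an unfamiliar merchant, can be caught by a simple pre-filter in front of the fraud engine. The following is an added example, not Lloyds’ system or any vendor’s code: it runs a sliding window over a constructed authorisation log, per merchant, and flags any window in which the distinct PANs step through a numeric range or the decline rate is extreme, returning the range so that further attempts inside it can be declined pre-emptively. The thresholds, merchant IDs and card numbers are assumptions (no real PANs are used, and the "burst" PANs are generated without a Luhn check purely to show the stepping pattern).

```python
from collections import defaultdict
from typing import Dict, List

MAX_GAP = 100  # PANs this close in numeric order count as "walking down a list"


def build_auth_log() -> List[Dict]:
    """Constructed authorisation attempts: ts (seconds), merchant, PAN, amount, approved."""
    log: List[Dict] = []
    # Card-testing burst: 12 attempts in 22 s at a merchant never seen before,
    # PANs stepping through one BIN range, tiny amounts, mostly declined.
    base = 4111110000001000
    for i in range(12):
        log.append({"ts": 1000 + 2 * i, "merchant": "M-NEW-7781",
                    "pan": str(base + 10 * i), "amount": 1.00, "approved": i % 4 == 0})
    # Normal traffic: unrelated customers at an established merchant.
    regulars = ["4929123456780012", "5555444433331111", "4111999988880004", "5105105105105100"]
    for i, pan in enumerate(regulars):
        log.append({"ts": 1005 + 30 * i, "merchant": "M-OLD-0042",
                    "pan": pan, "amount": 20.0 + 5 * i, "approved": True})
    return log


def sequential_fraction(pans: List[str]) -> float:
    """Share of adjacent (sorted, distinct) PANs that sit within MAX_GAP of each other."""
    nums = sorted({int(p) for p in pans})
    if len(nums) < 2:
        return 0.0
    close = sum(1 for a, b in zip(nums, nums[1:]) if b - a <= MAX_GAP)
    return close / (len(nums) - 1)


def detect_card_testing(log: List[Dict], window_s: int = 60, min_attempts: int = 10,
                        seq_threshold: float = 0.6,
                        decline_threshold: float = 0.8) -> Dict[str, Dict]:
    """Return one alert per merchant whose busiest suspicious window trips a rule."""
    by_merchant: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(log, key=lambda e: e["ts"]):
        by_merchant[e["merchant"]].append(e)

    alerts: Dict[str, Dict] = {}
    for merchant, events in by_merchant.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most window_s
            while events[end]["ts"] - events[start]["ts"] > window_s:
                start += 1
            window = events[start:end + 1]
            if len(window) < min_attempts:
                continue
            pans = [e["pan"] for e in window]
            seq = sequential_fraction(pans)
            decline = sum(not e["approved"] for e in window) / len(window)
            if seq < seq_threshold and decline < decline_threshold:
                continue
            if merchant not in alerts or len(window) > alerts[merchant]["attempts"]:
                alerts[merchant] = {
                    "attempts": len(window),
                    "sequential_fraction": seq,
                    "decline_ratio": decline,
                    # PANs in this range from this merchant can be declined before
                    # they reach the scoring engine (all PANs here are 16 digits,
                    # so string min/max equals numeric min/max)
                    "block_range": (min(pans), max(pans)),
                }
    return alerts


if __name__ == "__main__":
    for merchant, a in detect_card_testing(build_auth_log()).items():
        print(f"{merchant}: {a['attempts']} attempts, sequential {a['sequential_fraction']:.2f}, "
              f"declined {a['decline_ratio']:.2f}, block {a['block_range'][0]}..{a['block_range'][1]}")
```

    The two rules are deliberately independent: an attacker who shuffles the list defeats the sequential test but not the decline ratio, and one who only submits numbers already known to be live keeps the decline ratio low but still walks a visible range.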
    Cyber criminals have got away with this type of trick in the past, which is how attackers were able to steal over £2 million from 9,000 Tesco Bank customers in November 2016, but advances in fraud detection mean such attacks are now more easily blocked.
    In some cases companies may not even realise that they’ve been breached.
    “Breaches aren’t always reported. In our experience, the number of merchants who’ve potentially had a breach, but haven’t yet noticed it, is a lot higher,” says Davis. “A lot of people’s card data is being traded on the web and so to keep the systems secure we’re reliant on systems we run in banks.”
    Credit card fraud is far from unusual
    But it isn’t only by directly stealing card information that cyber criminals get what they need to abuse personal data and commit fraud. Names, social media accounts, addresses, birthdays and all sorts of other information are potentially out there and can be used to build false profiles or to socially engineer victims. It has even happened to high-profile politicians.
    “Oftentimes, you can gather enough from social media to log in to their accounts or answer security questions,” says Charity Wright, cyber threat intelligence advisor at IntSights.
    Information from stolen accounts can be put up for sale on underground forums and, if the victim has reused their email password on other important accounts, it could easily provide a means of attackers getting hold of much more information, potentially even online bank accounts.
    Wright’s role involves searching the open and underground web for information about CEOs, executives and other high-profile individuals to see what is out there, and, crucially, to help stop cyber criminals from using and abusing it. She also looked at what information about me was out there and, perhaps surprisingly given my job, there’s not much to find based on my name.
    “Your digital footprint is limited to professional and social media from what I can tell, which is excellent given your public profile in the media,” she said.

    Nonetheless, via skimming, PoS malware or something else, cyber criminals were able to get hold of my card details, despite the fact that I write about cybersecurity every day and know how to take precautions to protect myself.
    However, I’m certainly not the only person I know who’s had their bank information or other personal details stolen over the years, and I won’t be the last; a lot of people have fallen victim to similar fraud, and even many of the security researchers I spoke to while trying to find out what happened to my card details have fallen foul of cyber criminals at one point or another.
    “I don’t think there’s as much of a stigma of being caught out by credit card fraud; I don’t think as many people would feel it now. It’s just one of these things that happens and a lot of the time it’s completely out of your hands as you’re finding now – you have no idea where or how it happens,” says Chris Boyd, lead malware intelligence analyst at Malwarebytes.
    “And when PoS malware can lurk on networks for a year or more, how are you going to know?”
    I was fortunate that an attempt at using my bank account was spotted; many haven’t been so lucky – and they’ve had criminals use card details to make very large purchases. Boyd found himself a victim of one of these schemes.
    “The short version is I got contacted and told there was fraud on my card,” he explains. “Usually you hear about small amounts claimed, people will get hold of card details and take a little bit here and there – but this was about £14,000!”
    As with my case, it wasn’t possible to pin down how exactly the card details got stolen, but in this instance, the scale of the purchase was unusual.
    “Somehow, someone had got my credit card details and they’d gone to a specialist wine supplier, an organisation that sells huge quantities of wine to shops, and put in a baffling order for £14,000 of wine,” says Boyd.
    “The Great Wine Heist,” as he describes it just goes to show that even those who are deeply knowledgeable about security can fall victim to cybercrime – and in most cases, they’re unlikely to find out how it happened, either.
    “You realise there’s only a small amount of places you buy from regularly and an even smaller amount of outliers, so it’s easy to figure out your day-to-day movements and what you spend,” Boyd explains.
    “But then you still hit a brick wall because none of it comes in handy for finding out what happened to your information,” he adds.
    Some people seemingly haven’t actively fallen victim to fraud, yet it still feels as if it’s only a matter of time before something happens.
    “For me, as an American, I have a social security number and I have no doubt that my social security number is somewhere out there on the dark web, it’s just a matter of luck I haven’t had my identity stolen yet. That’s the point we’re at, it’s so easy to lose control of your data,” says Liv Rowley.
    Take precautions to keep data safe and secure
    It might feel as if getting your card details stolen is inevitable due to the sheer number of organisations that fall victim to hacking and malware campaigns. Nonetheless, it is possible to take precautions against credit card fraud.
    “Don’t let your card out of your sight. Keep in control of your card because if you give it up, you don’t know if it’ll be skimmed or have the details written down,” says Paul Davis.
    While it’s impossible to know whether any given organisation is about to suffer a data breach, on the whole it’s recommended that people buy from trusted vendors, so that in the worst case, even if details do get leaked, information about the leak eventually emerges. That might not happen with online (or other) stores set up specifically to steal personal data.
    However, the individual can only do so much to stay safe online, when it ultimately falls to the organisations that are handling personal data to keep it from going missing. 
    Legislation like the General Data Protection Regulation (GDPR) provides an extra incentive for organisations to keep personal data of customers and consumers safe, because if the company falls victim to a breach and is judged to have managed security irresponsibly, they could face a huge financial penalty. 

    British Airways, for example, was served with a notice of intent to fine it £183 million after personal data, including card details, of over 500,000 customers was stolen, with “poor security arrangements” blamed.
    But even if your personal information is stolen in a big batch alongside hundreds of thousands, maybe even millions of others – and it isn’t your fault – it’s still hard not to feel as if your bank account being used, or your password being used, is a personal attack.
    “Most of the time, it’s not personal, the same with things like account takeovers and credential stuffing – you’re one of a million people on a list and that’s the criteria as to why it’s happened, that’s literally it,” says Troy Hunt.
    And it does indeed look as if some of my information was up for sale, with several cards at least partially matching my card number advertised on an underground forum for the price of $25, according to one researcher I asked to dig around.  
    No information about my address was listed, which appears to suggest that my details are potentially more likely to have been stolen via the use of a skimmer or PoS malware, rather than an online retailer that would also need my address to send out an item. 
    That’s all educated guesswork on my part. I’m unlikely to ever find out how exactly my card details got stolen, how they ended up in South America and who was attempting to use them. I, however, was fortunate that the bank managed to pick up suspicious activity and blocked anything from happening – many others aren’t so lucky.
    But as long as there’s bank information and other personal data out there for cyber criminals to keep grabbing, exchanging and exploiting, it’ll keep happening. For victims, while it may be frustrating, even upsetting, perhaps knowing they haven’t been individually targeted could provide some comfort, even if they too never really work out how it happened.

    US charges five hackers part of Chinese state-sponsored group APT41

    The US government has filed charges today against five Chinese nationals for hacking into more than 100 companies across the world, part of a state-sponsored hacking group known as APT41.
    According to court documents unsealed today, US officials said the group has hacked software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, healthcare, non-profit organizations, universities, think tanks, from where they stole proprietary source code, code-signing certificates, customer data, and valuable business information.
    Victim companies resided in countries such as the US, Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.
    US officials said APT41 members also compromised foreign government computer networks in India and Vietnam, as well as pro-democracy politicians and activists in Hong Kong. Attacks against the UK government were also attempted, but were not successful.
    The APT41 group is one of today’s most infamous and most active state-sponsored hacking groups. APT41’s operations were first detailed in their full breadth in a FireEye report published in August 2019, which linked the group to some of the biggest supply-chain attacks of recent years and to older hacks going back as far as 2012.

    Some of APT41’s largest supply-chain attacks (image: FireEye)
    At the time the report was also ground-breaking, as FireEye researchers revealed how the group conducted both cyber-espionage for the Chinese regime and intrusions for personal financial gain, usually executed outside normal working hours. Most of these side-hacks targeted gaming companies, from which the hackers stole source code or in-game digital currency.
    In some cases, APT41 was also spotted deploying ransomware and installed malware that mined cryptocurrency for the group’s members. While it’s unknown how many of these incidents have occurred, the DOJ named one victim of a ransomware attack as “a non-profit organization dedicated to combating global poverty.”
    Five Chinese nationals indicted
    According to court documents obtained by ZDNet, the indictments came in two waves, but were unsealed today. The first two APT41 members were identified and charged in August 2019, following the FireEye report. According to a copy of the 2019 indictment, these charges stemmed from allegedly hacking high technology and video gaming companies, and a United Kingdom citizen. The two suspects were identified as:
    Zhang Haoran (张浩然), 35
    Tan Dailin (谭戴林), 35
    Three more APT41 members were charged in a separate indictment filed last month, in August 2020. These three were charged with most of the APT41 intrusions.
    Jiang Lizhi (蒋立志), 35
    Qian Chuan (钱川), 39
    Fu Qiang (付强), 37
    US officials said the three were employees of Chengdu 404 Network Technology, a front company that operated under the close supervision of PRC officials. Court documents also revealed that US officials intercepted online chats between Jiang and another Chinese hacker in which Jiang boasted of knowing, and operating under the protection of, a high-ranking official in the Chinese Ministry of Public Security (the “Gong An”).

    In a really interesting reveal, US government had intercepted communications where operators bragged about their close relationship with Ministry of State Security (MSS) 4/
    — Dmitri Alperovitch (@DAlperovitch) September 16, 2020

    All five APT41 members remain at large, and their names have been added to the FBI’s Cyber Most Wanted List.

    In addition, two Malaysian businessmen were also charged for conspiring with two of the APT41 members to profit from intrusions at video game companies. The two were arrested on Monday, September 14, by Malaysian authorities in the Malaysian city of Sitiawan.
    According to court documents, the two have been identified as Wong Ong Hua, 46, and Ling Yang Ching, 32, owners of Sea Gamer Mall, a website that sold digital currency for various online games — currency that US officials believe was sometimes provided by APT41 members illegally, following intrusions at gaming companies.
    In a live-streamed press conference today, FBI Deputy Director David L. Bowdich said the Bureau is currently seeking the extradition of the two Malaysian businessmen to the US to face the charges.
    The FBI, which spearheaded the investigation, also obtained a court warrant earlier this month and seized “hundreds of accounts, servers, domain names, and command-and-control (C2) ‘dead drop’ web pages” used by APT41 in past operations.
    Third Chinese state hacking group disrupted by US officials since 2017
    Today’s charges are part of a larger US crackdown against Chinese cyber-espionage and theft of intellectual property from US companies. US authorities previously charged three other Chinese hackers in November 2017 (believed to be part of the group APT3) and two more in December 2018 (believed to be part of APT10).
    Earlier this year, the FBI said it was investigating more than 1,000 cases of Chinese theft of US technology.
    “Today’s charges, the related arrests, seizures of malware and other infrastructure used to conduct intrusions, and coordinated private sector protective actions reveal yet again the Department’s determination to use all of the tools at its disposal and to collaborate with the private sector and nations who support the rule of law in cyberspace,” said Assistant Attorney General John C. Demers.
    “Regrettably, the Chinese communist party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China,” added Deputy Attorney General Jeffrey A. Rosen.


    Cerberus banking Trojan source code released for free to cyberattackers

    The source code of the Cerberus banking Trojan has been released as free malware on underground hacking forums following a failed auction. 

    Speaking at Kaspersky NEXT 2020 on Wednesday, Kaspersky cybersecurity researcher Dmitry Galov said that the leaked code, distributed under the name Cerberus v2, presents an increased threat for smartphone users and the banking sector at large.  
    Cerberus is a mobile banking Trojan designed for the Google Android operating system. In circulation since at least July 2019, the Remote Access Trojan (RAT) is able to conduct covert surveillance, intercept communication, tamper with device functionality, and steal data including banking credentials by creating overlays on existing banking, retail, and social networking apps. 
    The malware is able to read text messages that may contain one-time passcodes (OTP) and two-factor authentication (2FA) codes, thereby bypassing typical 2FA account protections. OTPs generated through Google Authenticator may also be stolen. 
    In early July, Avast researchers discovered Cerberus in Google Play, wrapped up and disguised as a legitimate currency converter. It is thought that when the application was submitted to Google for approval, the functions were innocent and legitimate — but once a large user base was established, an update package deployed the Trojan on victim devices. 
    Later in the same month, Hudson Rock spotted Cerberus going to auction. An advert was posted by the maintainer of the malware, revealing that the development team was breaking up, and so a new owner was being sought. 
    The operator set a starting price of $50,000 — with the aim of generating up to $100,000 — for the malware’s .APK source code, client list, servers, and code for administrator panels. The auctioneer claimed that Cerberus generated $10,000 in revenue per month. 
    However, it seems there were no takers. 
    “Despite Cerberus’ Russian speaking developers earmarking a new vision for the project in April this year, auctions for the source code began in late July due to the breakup of the development team,” Kaspersky says. “Due to an unclear culmination of factors, the author later decided to publish the project source code for premium users on a popular Russian-speaking underground forum.”
    The cybersecurity firm says that following the free release of Cerberus source code in the underground, there was an “immediate rise” in mobile app infections across Europe and Russia. Of particular note, Galov says, is that previous clients were not encouraged to strike Russian mobile device users — but the moment the code was released, the attack landscape changed.
    When Cerberus was offered as Malware-as-a-Service (MaaS), the scope of the threat was contained to attack groups able to pay for the code, on subscription from $4,000 for one month to $12,000 for a year. Now that the developer has washed their hands of the project and released the source code for free, we may not only see rising adoption of Cerberus, but also potentially new variants based on the leaked code in the future. 
    “We continue to investigate all found artifacts associated with the code, and will track related activity,” Galov commented. “But, in the meantime, the best form of defense that users can adopt involves aspects of security hygiene that they should be practicing already across their mobile devices and banking security.”

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • in

    Coffee machines, cuddly toys and cars: The Internet of Things devices which could put you at risk from hackers

    Connected teddy bears, connected coffee machines and connected cars are just some of the unusual Internet of Things (IoT) devices being insecurely connected to corporate networks which could leave whole organisations open to cyber attacks.
    A research paper by Palo Alto Networks details the surge in IoT devices being connected to corporate networks and their wide variety.
    Some of the most common irregular devices being connected to organisations’ networks include connected vehicles, connected toys and connected medical devices, with connected sports equipment such as fitness trackers, gaming devices and connected cars also being deployed.
    These devices are being connected because they can often help people through the working day or help manage aspects of their personal life, but they’re also creating additional problems for the corporate network.
    In many cases, these ‘shadow IoT’ devices are being added to the network without the knowledge of the security team.
    This could leave the corporate network vulnerable in two ways: some IoT devices have such poor security that they can easily be discovered and exploited, and because some workplaces still run flat networks, an attacker who compromises one of these devices can move from the IoT product to other systems.
    “If a device has an IP address it can be found. Sadly all too often they fail to have the most basic or complete lack of cyber security controls, using standard passwords, having no patching process and no basic firewall controls,” Greg Day, VP and CSO for EMEA at Palo Alto Networks told ZDNet.
    “Considering some are so cheap, the cost of adding security simply isn’t considered viable.”
    Even IoT devices which have been connected to the network by the organisation itself can contain security vulnerabilities which can allow hackers to gain full access to the network. One famous example of this saw cyber criminals exploit a connected fish tank to hack into the network of a casino and steal information about customers.
    Many organisations need to get a better hold of the IoT devices that are connected to the corporate network and only then can they look to secure them from being exploited if they’re discovered by cyber attackers.
    The key to this is being able to see the devices on the network and ensuring that IoT products are segmented so they can’t serve as a gateway to a bigger, more extensive attack.
    “We live in a business world where IoT rightly opens up new business opportunities which should be embraced. However, businesses need to know what and why something is connected into their digital processes,” said Day.
    “Businesses need to be able to identify new IoT devices, outline what normal looks like to define what it should connect with – the segmentation part – and of course also monitor to check it does as it is predicted, to recognise any threats or risk,” he added.

  • in

    Half of US citizens would share medical data beyond COVID-19 despite surveillance state worries

    Over half of US citizens are estimated to be willing to share their medical data and records due to COVID-19, and beyond, but fears of a surveillance state remain. 

    As the number of confirmed novel coronavirus cases edges close to 30 million worldwide, governments are seeking ways, if not to eradicate infections, then at least to mitigate their impact on existing medical systems and reduce the pressure on hospitals dealing with the most severe cases. 
    One of the methods proposed is contact tracing, a concept based on individuals providing their details to places they visit — such as pubs or restaurants — as well as downloading mobile apps that automatically alert users if they have been in contact with a confirmed COVID-19 case. 
    Mobile-app based track-and-trace systems are at varying levels of development; Protect Scotland has recently rolled out and EU states have begun testing a region-wide interoperability gateway, whereas the UK’s promised “world-beating” system is a shambles.
    These types of apps may be able to track the spread of COVID-19 throughout a population, but privacy remains a concern, especially if user mobile and location data end up in centralized servers able to be accessed by government agencies for purposes other than curbing the pandemic. 
    However, in the United States, at least, many are willing to try them out for the common good. 
    On Wednesday, Virtru published the results of a study exploring US attitudes on contact tracing and the release of their medical records in the fight against COVID-19.  
    The research is based on a survey conducted by The Harris Poll for Virtru in July and contains the responses of over 2,000 US citizens aged 18 and over. 
    In total, just over half of US citizens — 52% — said they were willing to share their medical records, even beyond COVID-19, with government agencies if this would help the pandemic response and healthcare in general. If they are given control over access to their own information and are able to block access or delete data at any time, 61% would be willing to do so. 
    However, when it comes to the information harvested from contact tracing apps, such as location and user data, 42% of survey respondents were confident in their privacy being respected. 
    In total, the most confidence is felt in tracing apps provided by healthcare providers and technology companies, with 34% and 28% of respondents saying they would trust them, respectively. 
    However, 58% are not confident when it comes to state and technology vendor-based app security and privacy. The idea of a “surveillance state” is in the mind of many, too, due to the US’ well-known mass surveillance programs, FISA, bulk data collection, and attempts to force technology providers to deliberately install backdoors into encrypted services. 
    In total, 62% of participants cited these issues as a potential barrier to their willingness to share health records beyond COVID-19 test results with government agencies. Overall, 31% of respondents said the government’s attitude on surveillance has a “major impact” on their willingness to share sensitive medical information. 
    “As we continue to battle the pandemic, and at a time when trust in each other and institutions is most critical, we’re living in a massive trust deficit,” said Virtru CEO John Ackerly. “While we all love the convenience and access technology has afforded us, our personal information has become an economic engine and even a weapon, and as a result, we have very little control over it. So when we’re asked to give our most sensitive health information over to someone else, it’s understandable to fear that the data may be used and shared beyond what is asked.”

  • in

    Grab must review data policies following security breaches

    Grab must reassess its cybersecurity framework, especially after the mobile app platform reported a series of breaches that compromised its customers’ data. The latest security incident has prompted Singapore’s Personal Data Protection Commission (PDPC) to impose a fine of SG$10,000 ($7,325) and order a review of the company’s data protection policies within 120 days. 
    The August 30, 2019, breach came to light when Grab informed the PDPC that changes it made to its mobile app had resulted in unauthorised access to the data of its drivers. Further investigations later revealed that personal information of 21,541 GrabHitch drivers and passengers was exposed to the risk of unauthorised access, including vehicle numbers, passenger names, and e-wallet balances comprising a history of ride payments. 
    Grab had deployed an update to plug a potential vulnerability in its API (application programming interface), but this resulted in the data breach. 

    In its report, the PDPC noted that Grab had made changes to its systems without ensuring “reasonable security arrangements” were put in place to prevent any compromise of personal datasets. The lack of sufficiently robust processes to manage changes to its IT systems was a “particularly grave error” since it was the second time the vendor had made a similar mistake, with the first affecting a different system. 
    The commission noted that Grab had made changes to its app without understanding how such modifications would operate with existing features of its app and its broader IT system. 
    It also did not conduct proper scoping tests before deploying updates to its app, the PDPC said, noting that organisations were obliged to do so before introducing new IT features or changes to their systems. “These tests need to mimic real-world usage, including foreseeable scenarios in a normal operating environment when the changes are introduced. Such tests prior to deployment are critical to enable organisations to detect and rectify errors in the new IT features and/or be alerted to any unintended effects from changes that may put personal data at risk,” the commission said. 
    It added that Grab had admitted it did not conduct tests to simulate multiple users accessing its app or specific tests to verify how the caching mechanism — which was the component that resulted in the breach — would work in tandem with the update.
    Underscoring the fact that the company had now breached Section 24 of Singapore’s PDPA four times, the PDPC said this was “significant cause for concern”, especially given that Grab’s business involved processing large volumes of personal data on a daily basis. Section 24 outlines the need for organisations to protect personal data in their possession or under their control by making “reasonable security arrangements” to prevent unauthorised access, collection, use, disclosure, copying, modification, or similar risks.
    Singapore-based Grab, which started out as a ride-sharing operator, now offers a service portfolio that includes food delivery, digital payments, and insurance. It also announced its bid for a digital bank licence, alongside partner Singtel, in Singapore, where both companies would target “digital-first” consumers and small and midsize businesses. The partnership would lead to a joint entity, in which Grab would own a 60% stake. Grab has operations across eight Asia-Pacific markets including Indonesia, Malaysia, Thailand, and Vietnam.
    In addition to the fine, the PDPC also instructed Grab to put in place a “data protection by design policy” for its mobile applications within 120 days, in order to reduce the risk of another data breach.
    ZDNet asked Grab several questions including specific areas the company planned to review, security policies it put in place following the initial breach, and steps it had taken to ensure security was built into its various processes as the company introduced new services in recent years.
    It did not respond to any of these questions and, instead, replied with a statement it had previously released: “The security of data and the privacy of our users is of utmost importance to us and we are sorry for disappointing them. When the incident was discovered on August 30, 2019, we took immediate actions to safeguard our users’ data and self-reported it to the PDPC. To prevent a recurrence, we have since introduced more robust processes, especially pertaining to our IT environment testing, along with updated governance procedures and an architecture review of our legacy application and source codes.”
    Data policy in need of “serious review”
    That it had violated the PDPA four times since 2018 seemed to indicate Grab was in need of a “serious review”, noted Ian Hall, Synopsys Software Integrity Group’s Asia-Pacific manager of client services. In particular, the company should assess its release processes, where required testing and checkpoints must be passed before the release of its app.
    Citing a study by Enterprise Strategy Group, he noted that it was common for vulnerable code to be moved to production, typically due to a company’s need to meet deadlines. 

    Aaron Bugal, Sophos’ global solutions engineer, concurred, noting that Grab’s brushes with security were “a classic example” of an organisation that was rapidly expanding, but not scaling its security policies and technical controls proportionately. “Given this is another issue with its application on mobile devices, it would be wise to look at a third-party service that evaluates the security of the app before its release,” Bugal told ZDNet in an email interview.
    Asked if it was challenging for companies such as Grab, which had rapidly expanded their service portfolio, to ensure security remained robust, Hall said it certainly would be more difficult to maintain increasingly complex apps that covered a wide range of functionalities. 
    He explained that certain legacy code sections might not be updated as frequently as newer code and, at the same time, newer code also might introduce new vulnerabilities. 
    “Developers may tend to focus their efforts on newer codes and going back to fix a vulnerability in the legacy code portions may be more difficult,” he said. “This is why it is always better to find and fix issues earlier in the development lifecycle and for security tools to be well integrated to development processes.”
    Bugal noted that more customer data would be captured as organisations grew their business, and security measures should scale alongside the app and data collected. 
    He added that any changes to a company’s operational model should incorporate a security architecture from the conceptual stages. “This is not something that’s retrospectively bolted on, or thought of, once the changes are released,” he said.
    According to Hall, developers often inadvertently introduced vulnerabilities because they were not security experts. He noted that some of the most common vulnerabilities emerged from improper use of Google’s Android or Apple’s iOS mobile platforms, insecure data storage, and insecure communication. 
    Bugal added that several organisations also used outdated development tools and would not implement services that evaluated the libraries and shared code that many applications used as a base. “These can sometimes introduce vulnerabilities into an application through no fault of the application developer,” he explained. “Using modernised development environments and including security designs and evaluations of applications during the formative and release phases are integral to better security.”
    He noted that changes to mobile apps typically were automatically accepted by app store fronts and applied to mobile devices upon their release, leaving mobile consumers “at the mercy of the developer to do the right thing” with regards to application design and overall security. 
    “As consumers, we should understand what data an organisation is collecting, how they store it, and understand the risk if that data was to ever leak,” he said. 
    Hall added: “I would recommend users of mobile and other devices keep both their apps and operating systems updated. Also, use apps and provide personal details only to companies and apps that you trust. On the Android platform, we can disable particular permissions on apps that should not have access to them.”

  • in

    Adobe out-of-band patch released to tackle Media Encoder vulnerabilities

    Adobe has released an out-of-band patch to resolve a trio of vulnerabilities discovered in Media Encoder.

    Adobe Media Encoder, software used to encode audio and video in different formats, is the sole subject of the security update issued outside of the company’s usual monthly release.
    On Tuesday, Adobe said that three vulnerabilities — CVE-2020-9739, CVE-2020-9744, and CVE-2020-9745 — are out-of-bounds read security flaws “that could lead to information disclosure in the context of the current user.”
    Reported to Adobe by cybersecurity researcher Radu Motspan, the bugs are deemed “important” and impact Adobe Media Encoder version 14.4 on Windows and Mac machines. 
    However, each vulnerability has only been awarded a priority rating of 3, which Adobe says means the software at hand has “historically not been a target for attackers.”
    As always, it is recommended that users accept automatic software updates to patch their builds to stay protected. 
    Last week, the software giant released its September security patch update, tackling vulnerabilities in Adobe Experience Manager, InDesign, and Framemaker.
    Critical and important vulnerabilities in the products were resolved, including cross-site scripting (XSS) issues, memory corruption bugs, and security issues leading to arbitrary code execution, including those within a browser session.
    In related news, on Tuesday, Adobe reported third-quarter financial results that beat analyst expectations. Adobe reported profits of $955 million, or $1.97 a share, and non-GAAP EPS of $2.41 on revenue of $3.16 billion.  

  • in

    New MrbMiner malware has infected thousands of MSSQL databases


    A new malware gang has made a name for itself over the past few months by hacking into Microsoft SQL Servers (MSSQL) and installing a crypto-miner.
    Thousands of MSSQL databases have been infected so far, according to the cybersecurity arm of Chinese tech giant Tencent.
    In a report published earlier this month, Tencent Security has named this new malware gang MrbMiner, after one of the domains used by the group to host their malware.
    The Chinese company says the botnet has exclusively spread by scanning the internet for MSSQL servers and then performing brute-force attacks by repeatedly trying the admin account with various weak passwords.
    Once the attackers gained a foothold on a system, they downloaded an initial assm.exe file, which they used to establish a (re)boot persistence mechanism and to add a backdoor account for future access. Tencent says this account uses the username “Default” and a password of “@fg125kjnhn987.”
    The last step of the infection process was to connect to the command and control server and download an app that mines the Monero (XMR) cryptocurrency by abusing local server resources and generating XMR coins into accounts controlled by the attackers.
    Linux and ARM variants also discovered
    Tencent Security says that while they saw only infections on MSSQL servers, the MrbMiner C&C server also contained versions of the group’s malware written to target Linux servers and ARM-based systems.
    After analyzing the Linux version of the MrbMiner malware, Tencent experts said they identified a Monero wallet where the malware generated funds.
    The address contained 3.38 XMR (~$300), suggesting that the Linux versions were also being actively distributed, although details about these attacks remain unknown for now.
    The Monero wallet used for the MrbMiner version deployed on MSSQL servers stored 7 XMR (~$630). While the two sums are small, crypto-mining gangs are known to use multiple wallets for their operations, and the group has most likely generated much larger profits.
    For now, what system administrators need to do is to scan their MSSQL servers for the presence of the Default/@fg125kjnhn987 backdoor account. In case they find systems with this account configured, full network audits are recommended.
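    A T-SQL hunt query for the indicators named above, added here as an example and not taken from Tencent’s report: it looks for the reported backdoor login, checks whether any SQL login still matches the reported password even if the account was renamed, lists recently created sysadmin logins, and counts failed logins against the sa account in the current error log, which is where the brute-force activity described earlier would surface. It assumes SQL Server 2012 or later, that failed-login auditing is enabled (the default), and that the account running it holds CONTROL SERVER, which is needed to read password hashes.

```sql
-- Added hunt query (not Tencent's code). Indicators come from the report above:
-- backdoor login "Default", password "@fg125kjnhn987", brute force against the admin account.
-- Requires CONTROL SERVER to read password_hash; run on each MSSQL instance.

-- 1. Backdoor login by name, plus any SQL login whose password still matches the
--    reported value even if the attacker renamed the account. PWDCOMPARE is built in.
SELECT l.name,
       l.create_date,
       l.modify_date,
       l.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', l.name)                 AS is_sysadmin,
       PWDCOMPARE(N'@fg125kjnhn987', l.password_hash)      AS matches_backdoor_pw
FROM sys.sql_logins AS l
WHERE l.name = N'Default'
   OR PWDCOMPARE(N'@fg125kjnhn987', l.password_hash) = 1;

-- 2. Any login granted sysadmin in the last 90 days: each hit needs a justification
--    from change records even when the name is not "Default".
SELECT p.name, p.type_desc, p.create_date
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G')              -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER('sysadmin', p.name) = 1
  AND p.create_date >= DATEADD(DAY, -90, SYSDATETIME())
ORDER BY p.create_date DESC;

-- 3. Failed logins against "sa" in the current error log (file 0, SQL Server log 1).
--    "Login failed" lines appear only if login auditing includes failures (the default).
DECLARE @failed TABLE (LogDate datetime, ProcessInfo nvarchar(50), LogText nvarchar(max));
INSERT INTO @failed (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', N'sa';

SELECT COUNT(*)                AS failed_sa_logins,
       MIN(LogDate)            AS first_seen,
       MAX(LogDate)            AS last_seen,
       COUNT(DISTINCT LogText) AS distinct_messages   -- message text ends with [CLIENT: <ip>]
FROM @failed;
```

    A non-empty result from the first query, or a sustained burst in the third, is the trigger for the full network audit the article recommends; a single instance is rarely the only one the scanner found.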