Cybercriminals Preferring Audio Skimmers Over Flash Skimmers






There has been a rapid increase in the number of web skimming attacks since the advancements in the technological sector; it also resulted in excessive activity in the black market of physical card skimming tools.
Web skimming attacks are designed to capture critical financial data and card details like the name of the holder and sensitive numbers. It is when attackers connect their spying tool to a point-of-sale system (PoS) or an ATM in order to get access to the data that is processed from credit/debit cards via these machines.
The ever evolving ways of web skimming are one of the reasons why it is thriving and remains undetected,  professionals skimmers have formed closed communities which are organized to coordinate during skimming processes and assist the cashers, decoders, engineers, extractors, and vendors with whatever they need.
Advanced Intelligence, a New York based fraud prevention company reported that the usual targets are gas stations, ATMs or PoS terminals. Skimming includes unauthorized access to sensitive financial information for which the cybercriminals mainly rely on upgrades and advancements in technology to produce and circulate products which are unassailable and undetectable.
Another variant includes Audio Skimmers, which have been known to exist since 2010 and the technique employed in Audio Skimming is said to be existing since 1992. The devices involved store the data and encrypt it to capture it in MP3 format. The threat rate of Audio Skimmers multiplies with the camera attached to capture the PIN number and acting as a video skimmer.
Commenting on the matter, Yelisey Boguslaskiy, director of security research at AdvIntel, said, "They use timing-calculating algorithms to “reed” the audio when the card is been scanned by the ATM, which allows them to decode a track in 1-2 seconds and immediately convert it into text format,"
"Russian-speaking real carding communities have traditionally been exclusive and tight-lipped regarding their skimming operations. Skimming developers form exclusive trusted underground criminal networks thereby connecting talented engineers, their trusted sellers, and wealthy carder buyers of such tools,” further added.







GetCrypt Ransomware: Modus Operandi and Solutions




A new ransomware is in the dark market which encrypts all the files on the device and redirects victims to the RIG exploit kit. It’s being installed via “Malvertising” campaigns.


Securoty researchers found it while it was being installed by way of a RIG exploit kit in the “Popcash malvertising" campaigns.

First the victim is redirected to a page hosting the exploit kit, and then the malicious scripts on it would try to exploit vulnerabilities on the device.

If all goes well it will download and install GetCrypt into Windows.

How GetCrypt Works
Reportedly, when the exploit kit executes the ransomware, GetCrypt checks if the Windows language is set to Russian, Ukranian, Kazakh or Belarusian.

If so the ransomware immediately terminates and no encryption happens. If not, the ransomware examines the CPUID of the computer.

The Id is used to create a 4 character string which is used as an extension for encrypted files.

The four character extension that was created is appended while the files are encrypted. The files’ names are changed after they are encrypted

Later on the Shadow Volume Copies are cleared by running the vssadmin.exedeleteshadows/all/quiet command.

Then, the ransomware starts to scan the computer for the files to encrypt. No particular files types are targeted, except for files located under the following folders:
·       :\$Recycle.Bin
·       :\ProgramData
·       :\Users\All Users
·       :\Program Files
·       :\Local Settings
·       :\Windows
·       :\Boot
·       :\System Volume Information
·       :\Recovery
·       AppData

According to the sources, GetCrypt makes use of the Salsa20 and RSA-4096 algorithms for encryptions.

GetCrypt also creates a ransom note in each folder while it encrypts the files, named #decrypt my files#.txt

The aforementioned ransom note commands the victim to contact getcrypt@cook.li for payment instructions.

GetCrypt would also change the victim’s desktop background to an image with the ransom note written all over it which is stored at %LocalAppData%\Tempdesk.bmp

In addition to all the other things GetCrypt does, it will also try to encrypt files on network shares. When encrypting, it would also attempt to brute force the network account credentials.

It would use an embedded list of usernames and passwords to connect to the network shares using the WNetEnumResourceW function.

It could also try to brute force the credentials and mount them using the WNetAddConnection2W function.

Solution
All you need to get your files decrypted for free is an unencrypted copy of your encrypted file.

Simply download the decrypt_GetCrypt.exe program from the following link and save it on your desktop:

Once downloaded, run the decryptor and select an encrypted file you wish to decrypt and its unencrypted version.

Click on the start button. The decyptor will now brute force your decryption key and VOILA! Your files will get decrypted.


The Russian State Duma will be engaged in the protection of personal data on the Internet



This week at a meeting of the State Duma deputies the State Duma Deputy Pyotr Tolstoy recalled the global leak of personal data, which became known in early May. In particular, passport data of the Vice-speaker of the lower chamber Alexander Zhukov appeared in the Network. In this regard, the parliamentarians decided to create a working group that will deal with data protection issues in the implementation of the national project Digital Economy.

According to Pyotr, just recently, personal data of 2 million Russian citizens including passport data of members of the Government were publicly available. “First, personal data of people is leaked, then their property, then money from Bank accounts. We need to take measures to protect personal data”, said Tolstoy.

It is worth noting that the experts called the cause of the leak in the errors in the legislation and illiteracy of website developers. The problem arose because of two requirements in the law – on the publication of decisions on the approval of large transactions, which often include passport details of the founders and on the use of electronic signature in the documents of customers and suppliers, which contains the name, e-mail and insurance certificate.

Tolstoy stressed that the reason for the incident was the lack of data protection, which is almost completely publicly available.

Peter Tolstoy reminded that in Russia there is a project Digital economy, which implies adequate protection of the rights of citizens. He believes that the collection of all information about a person under one file is against the law on personal data and is an extremely dangerous idea. In addition, he recalled the problem of availability of modern technologies for residents of certain areas, in some Russian villages there is no Internet and cellular communication.

According to him, now it is important to find an answer to the question of how to protect the rights of citizens and their interests in the implementation of a project on a Digital Economy.

"Any data processing of a citizen should be carried out only with his consent – voluntary and informed," said the Deputy.

As a result, at the suggestion of State Duma Speaker Vyacheslav Volodin, it was decided to create a working group that should deal with security issues within the framework of the national project. Deputies intend to listen to the first offers from colleagues in a month.


Google stored G Suite passwords in plaintext, apologises


Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

If you have a Google account, Google's core sign-in system is designed not to know your password.
The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

The company said that only G Suite enterprise customers were impacted, but not regular Gmail accounts.

The tech giant said it had notified G Suite administrators to change the impacted passwords.

Google on Wednesday extended an apology to its G Suite customers.

"We apologise to our users and will do better," she added.

Most G Suite customers are companies that signed-up for enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and Google's various other services.

No consumer Gmail accounts were affected by the security lapse, said Frey.

Storing passwords without cryptographic hashes expose them to hacking risk as they become readable.

Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

Google said the bug at the heart of this security breach was an old tool it developed back in the 2000s.

"The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company's users," the company said today.


US Government Issues Alert Warning against China Made Drones




As the Chinese-made drones pose a "cyber-espionage” threat to the American organizations and different businesses that utilize them the US government issued an alert cautioning against them.

The said warning does not allude to a particular organization or company but rather the notice included that those utilizing the flying aircraft for assignments identified with national security or critical infrastructure were at high risk.

Market-leader DJI, which represents over 70% of the US market in drones costing more than $500 said that it had found a way to keep its customers' information secure and gave a statement for the same, 

“We give customers full and complete control over how their data is collected, stored, and transmitted, for government and critical infrastructure customers that require additional assurances, we provide drones that do not transfer data to DJI or via the internet, and our customers can enable all the precautions DHS [Department of Homeland Security] recommends."

Chris Huhn, the Vice-President of business development of Yuneec - the second bestselling Chinese manufacturer - has additionally said that it gives users full control of their information.
"All our UAV [unmanned aerial vehicles] do not share telemetry or visual data with internal or external parties,"

As per CNN, which was the first to report the development, the notice was issued on Monday by the US's Cybersecurity and Infrastructure Security Agency. This cited the notice as saying,

"The United States government has strong concerns about any technology product that takes American data into the territory of an authoritarian state that permits its intelligence services to have unfettered access to that data or otherwise abuses that access,"

"China imposes unusually stringent obligations on its citizens to support national intelligence activities."