Ahead of the Labor Day Holiday, the FBI and CISA Warn of Ransomware Risk Over Weekends and Holidays



Ahead of the Labor Day holiday this weekend, CISA and the FBI have released a joint advisory warning organizations of an increased risk of ransomware attacks on weekends and holidays.

Over the past few months, the government agencies have noticed a relative increase in 'highly destructive' ransomware attacks launched on long weekends and holidays. Reportedly, cybercriminals view these periods, especially long weekends, as attractive times to deploy ransomware because defenses are weaker, which maximizes the impact of an intrusion. The physical absence of personnel while offices are closed plays a significant role.

The FBI and CISA noted that the recent cyberattacks that crippled high-profile US entities were all scheduled by hackers over weekends. The cited case studies include recent attacks against JBS, Kaseya, and Colonial Pipeline. 

In May 2021, the DarkSide ransomware operators launched the Colonial Pipeline attack, around Mother's Day weekend. The data was stolen on May 06, 2021, and the malware attack occurred on May 07, 2021. 

In May 2021, the world's largest meat processing organization, JBS, experienced a cyberattack by the REvil ransomware group that disabled its beef and pork slaughterhouses. This attack took place on May 30, 2021 – leading into the Memorial Day public holiday. 

In July 2021, building on the weekend attack trend, Kaseya, a leading software provider to over 40,000 organizations, suffered a sophisticated cyberattack, once again by the REvil ransomware group. The attack was carried out on July 2nd, 2021, ahead of the Independence Day holiday in the United States on July 4th.

"The FBI's Internet Crime Complaint Center, which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints about all types of internet crime -- a record number -- from the American public in 2020, with reported losses exceeding $4.1 billion," the advisory read.

The two agencies clarify that there are currently no clear indications that a cyberattack will take place around the upcoming Labor Day holiday. However, the alert warns that threat actors have carried out increasingly damaging cyberattacks around holidays and weekends over the past several months. The FBI and CISA therefore urge organizations not to lower their defenses, and provide information on how to combat the worsening threat of cyberattacks. They advised organizations to strengthen their security, minimize their exposure, and potentially "engage in preemptive threat hunting on their networks to search for signs of threat actors."

“Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements of understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems,” the joint advisory further said.

Experts discussed how to fight cyberbullying of children at Cyber Polygon 2021

At the international online cybersecurity training Cyber Polygon 2021, organized by BI.ZONE, Stanislav Kuznetsov, Deputy Chairman of Sberbank, and Henrietta Faure, Executive Director of UNICEF, discussed the important issue "Cyberbullying and more: how to protect children from the threats of the digital world?"

Stanislav Kuznetsov cited UN statistics, according to which more than 70% of children in the world are Internet users (30% of all Internet users on the planet). 95% of teenagers have smartphones, and 45% are online most of the time. While the Internet offers huge educational opportunities for children, the World Wide Web is also a dangerous place full of cyberbullying, social engineering, violence and phishing. Children are the most vulnerable to digital threats because they trust each other more, and it is more difficult for them than for adults to distinguish good from evil.

Henrietta Faure agreed that cyberbullying is a very big risk. She thinks authorities should control it because they have laws and a justice system. They can restrict illegal activities on the Internet.

Moreover, she considers it very important to always be in touch with your children and to know what is going on.

"You need to hear and listen to your children. Take your time: ask them what they are doing online. Often parents think that children will always come to them for advice, but this does not always happen. That's why we need to tell our kids that they need to let us know all these things. If the criminals successfully attacked one victim, they will attack millions of others. And if one teenager knows which service to contact in case of a problem, he will tell his friend," said Henrietta Faure.

"Children are our future, and it is obvious that we need to expand international cooperation to protect them," concluded Mr. Kuznetsov.

Henrietta Faure agreed that UNICEF's cooperation with large companies and ecosystems, such as Sberbank, can be very fruitful.


Security experts listed who is responsible for leaking your data to scammers

"There are three most common types of data leakage," said Vseslav Solenik, Director of the R-Vision Center of Expertise.

Personal data of Russians become available to fraudsters due to the negligence of employees and partners of companies, hacking of IT structures of organizations, or due to the carelessness of the citizens themselves.

Mr. Solenik stressed that in most cases, data leakage is illegal. Often, scammers find out personal data from the people themselves, promising them profitable bonus programs.

"Fraudsters attract them with various bonus programs, favorable offers and other things. And in exchange, the attackers receive a full set of personal data," the expert added.

A peculiarity of Russian legislation is that even when transferring only a full name and phone number to a company, the data subject is obliged to fill out the consent form prescribed by law, in which they are forced to specify their passport data, registration address and other information that can later be used by fraudsters.

"At the same time, it is impossible to fully protect your personal data from fraudsters today. You can only observe the hygiene of information security, raise your awareness to resist phishing and attacks, be vigilant and refuse to transfer personal data in exchange for minor services from dubious companies," the expert stressed.

Solenik added that it is equally important to know the current legislation. He called on the Russians to defend their rights in the field of personal data processing: to report incidents of leakage to the regulator and to seek the responsibility of companies for this.

Earlier, the majority of Russians supported the introduction of amendments to the law on personal data. Thus, 62 percent consider it necessary to be able to withdraw consent to the use of their personal information. In this case, Internet services will have to delete it within three days.

Every fifth child has faced malware and adult content

Experts analyzed how often children encounter cyber incidents in the online space. It turned out that every fifth child has encountered malware and viruses at least once. Children also come across unwanted "adult" content (in 19% of cases). In 18% of cases, children's social media accounts were hacked or an attempt was made to hack them, and 15% of parents also reported that suspicious strangers had written to their child.

Parents also noted that children make unwitting or unapproved purchases on the Internet: they subscribe to paid services or buy access to online games. Parents whose children bought something on the Internet said that in most cases (81%) the purchase amount was up to 1 thousand rubles ($14).

“Parents need to abandon online wallets and cash and make a separate bank card for the child in order to protect the family from unwanted spending. This can be a virtual account or an additional card to your own. The fact is that openly criminal websites and services on the Internet do not accept bank cards for payment. In addition, adults have access to the limits and settings of the children's card, and they can always challenge unwanted spending in the bank and save the family budget,” said Alexey Govyadov, head of analytics and automation at ESET in Russia.

Cyber threats that children most often face online: malware (viruses, etc.); unwanted 18+ content; hacking or attempted hacking of a social network page; suspicious strangers writing to the child; unwitting or unapproved spending; the child joining suspicious groups or communities.

Speaking about child safety on the Internet, half of the parents surveyed say that their child knows that in the event of a cyber incident, they should immediately contact adults. More than a third of the respondents also noted that their child knows safe sites and applications, and also makes online payments only on trusted resources.

Cyber criminals scam bank customers pretending to be from bank security

Attackers call a potential victim and offer to install an app on their phone that "reliably protects money from theft." Then, with the help of this app, they steal the money from the card or take out a loan on behalf of the victim.

According to Sergey Sherstobitov, head of the Angara information security integrator, fraud is committed using a malicious program that can intercept passwords when they are activated in banking applications. Then, with their help, the attackers can easily transfer funds to another account.

Dmitry Kuznetsov, head of methodology and standardization at Positive Technologies, warns that bank employees never ask customers for card or account details.

The police do not exclude that such fraud may be widespread and ask Russians to remain vigilant.

According to the Central Bank, the activity of telephone scammers increased four times in the first six months of this year. In total, the regulator recorded more than 360 thousand unauthorized transactions with funds of Russians for a total of about 4 billion rubles ($51.8 million). Banks returned about 485 million rubles ($6 million) of stolen money to their clients.

The low percentage of refunds from the Bank is due to the fact that people, in fact, become victims of their own free will. After all, the client signs an agreement with the Bank that prohibits the transfer of confidential information about the Bank card to third parties, said lawyer Yakovlev.

However, it should be noted that the data of clients of Russian banks has risen in price on DarkNet. Ashot Hovhannisyan, the founder of the DLBI DarkNet search and monitoring service, explains that the increase in the cost of such services indicates a decrease in the number of offers on the market. This, in turn, means that credit institutions reduce the chances of hackers to steal data and increase security.

Russian Cyber Criminals started using bots to deceive victims

Fraudulent call centers have started using bots to filter out distrustful victims and to prompt the rest to call back on their own

According to experts, this approach makes it possible to reduce the cost of attacks on victims and increase conversion.

"The robot says: 'Your card in this bank is blocked, call us back at this number'. When the victim calls back, allegedly the bank's security officers answer," explained Artem Gavrichenkov, technical director of Qrator Labs. He added that scammers make up to hundreds of calls a day using such robots.

Fraudsters also use fake IP telephony service numbers, bulk SMS sending services and messages in Messengers on behalf of the Bank, said Sergei Nikitin, deputy head of the Group-IB computer forensics laboratory.

The fraudsters in this case used "reverse social engineering", said Alexey Drozd, head of the information security department at SearchInform. In such cases, the victim calls the attackers.

Andrey Zaikin, Head of Information Security at CROC, explained that people are not used to scammers using robots, which increases the attackers' credibility.

The technology also makes the attack cheaper, adds Mikhail Kondrashin, technical director of Trend Micro in Russia and the CIS. A robot is simple auto-calling software, notes Mr. Zaikin. Developers of voice platforms usually do not charge a fee for creating such a bot, and the average cost of a call is 2.5–3.5 rubles ($0.3-$0.4) per minute.

Previously, many fake call centers operated from prisons, but recently, according to Group-IB, most are organized outside and sometimes even abroad. According to experts, international cooperation at the state level is necessary to neutralize them.

Numerous fraudulent sites disguised as well-known brands have appeared on the Runet


In autumn, experts recorded mass registration of domain names with the names of well-known brands in the .RU zone

Specialists at Infosecurity, a Softline company, recorded the mass registration of Runet domains that combine the names of well-known brands with the ending -off, which can be used for sales.

As an example, the company cited the domain names familiya-off.ru, detskiy-mir-off.ru, tele2-off.ru, rosneft-off.ru and citilink-off.ru. According to the head of the Infosecurity special server Sergey Trukhachev, on October 20, the Ethic threat detection service detected the registration of 192 such domains. All of them are registered through the same Russian structure with servers at ISPIRIA Networks Ltd, located in Belize (Central America). As Trukhachev noted, the company is often used for hosting malicious sites.

At the end of September, the appearance of hundreds of similar domains in Runet was noticed by SearchInform. According to Alexey Drozd, head of the company's information security department, the domains involve very diverse brands (furniture companies, clothing stores, jewelry stores, mobile retail).

According to Kirill Kirillov, co-founder of BrandMonitor, domains with the names of major brands are registered every day, and the earnings of scammers depend on the method of monetization. For example, according to Kirillov, counterfeit dealers can earn 3-10 million rubles ($39,000 - $117,000) annually.

Such a site can be blocked in a day if it is obvious that it is phishing or distributes malicious software. There are also cases when it is technically impossible to block access to a resource: if their servers are located in a country where hosting providers do not block sites (for example, in Belize).

The companies surveyed said they monitor domain registrations with similar names and fight them when signs of fraud appear.
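The monitoring the surveyed companies describe can be sketched as follows. This is an added example, not code from Infosecurity or any company named in the post: it flags newly registered .ru domains that append "off" to a watched brand and groups them by day, registrar and hoster to surface mass registration. The watchlist, the feed format and the `DAY-`, `REGISTRAR-` and `HOSTER-` values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed watchlist: brand labels taken from the example domains in the article.
WATCHLIST = ("familiya", "detskiy-mir", "tele2", "rosneft", "citilink")

# <brand> followed by "off" (with or without a hyphen), directly under .ru
BRAND_OFF = re.compile(r"^(?P<stem>[a-z0-9-]+?)-?off\.ru$")

# Constructed registration feed: day,domain,registrar,hoster (placeholder values).
SAMPLE_FEED = """\
DAY-1,familiya-off.ru,REGISTRAR-A,HOSTER-X
DAY-1,detskiy-mir-off.ru,REGISTRAR-A,HOSTER-X
DAY-1,Tele2-OFF.ru.,REGISTRAR-A,HOSTER-X
DAY-1,day-off.ru,REGISTRAR-A,HOSTER-X
DAY-1,rosneft.ru,REGISTRAR-B,HOSTER-Y
DAY-2,citilinkoff.ru,REGISTRAR-C,HOSTER-Z
"""


def squash(label):
    """Drop hyphens so 'detskiy-mir' and 'detskiymir' compare equal."""
    return label.replace("-", "")


def match_brand(domain):
    """Return the watched brand a '<brand>-off.ru' style domain imitates, else None."""
    found = BRAND_OFF.match(domain.strip().lower().rstrip("."))
    if not found:
        return None
    stem = squash(found.group("stem"))
    for brand in WATCHLIST:
        if squash(brand) == stem:
            return brand
    return None


def find_campaigns(feed, threshold=3):
    """Group flagged domains by (day, registrar, hoster); keep groups of at least `threshold`."""
    groups = defaultdict(list)
    for line in feed.splitlines():
        if not line.strip():
            continue
        day, domain, registrar, hoster = (field.strip() for field in line.split(","))
        if match_brand(domain):
            groups[(day, registrar, hoster)].append(domain.lower().rstrip("."))
    return {key: sorted(names) for key, names in groups.items() if len(names) >= threshold}


if __name__ == "__main__":
    for key, names in find_campaigns(SAMPLE_FEED).items():
        print(key, names)
```

A single hit such as `citilinkoff.ru` is still returned by `match_brand`; only the clustering step requires several registrations sharing the same day, registrar and hoster.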

Russian experts gave tips on protecting a mobile Bank from fraudsters


Two-factor authentication and compliance with digital hygiene rules can protect a user's mobile banking app on a smartphone from being hacked

According to experts, mobile banking programs are quite secure, so most often funds are stolen due to user errors.

“More often, cybercriminals call customers of financial institutions or use malware,” said Sergei Golovanov, a leading expert at Kaspersky Lab. In this case, users may accidentally give fraudsters the card details and login passwords.

Andrey Arsentiev, head of Analytics and Special Projects at InfoWatch Group, believes that any applications are vulnerable to hacking if malware is installed.

Vladimir Ulyanov, head of the Zecurion analytical center, is sure that users need to configure two-factor authentication to get an additional one-time code. At the same time, the specialist believes that spyware installed on the smartphone can intercept the SMS code from the bank. "It is more secure to perform operations and receive confirmation codes on different devices," Ulyanov said.

"Install the software on your phone only from authorized, approved sources (App Store and Google Play)," said Ruslan Suleymanov, Director of information technology at ESET Russia. In his opinion, customers of credit organizations need to have a separate card for online purchases, set daily limits for transfers, and regularly change passwords.

"You can't tell anyone your card details or login details to the customer Bank by telephone. Not a single bank makes such official requests on its behalf," concluded Suleymanov.

According to the founder of DeviceLock Ashot Hovhannisyan, it is best not to use a mobile bank, but to log in to your personal account on a computer protected by antivirus. If mobile banking is important, then you should stop using a jailbreak and installing dubious programs through alternative stores.

In addition, Roskachestvo experts have recommended that users should regularly update the software on their devices, even if they do not see a particular need for it. Otherwise, it can lead to unpleasant consequences.

A gift for a hacker: experts name the easiest passwords to hack



Experts have conducted research and found an algorithm that can be used to work out the password for another user's account on the Internet if the combination that user came up with is too simple, and therefore unreliable.

According to the head of the research group of the information security Analytics Department of Positive Technologies, Ekaterina Kilyusheva, it is not difficult for hackers to crack passwords with simple words such as password or qwerty, as well as with personal data of users - name, date of birth and phone numbers. This became clear after the company's experts analyzed the passwords of users of 96% of large companies.

“The results showed that one of the most popular was the password of the format ‘Month, Year’ (in Russian) using English keyboard layout, for example, Ltrf,hm2019 or Fduecn2019. Such passwords were found in every third company, and in one organization they were selected for more than 600 users,” said Kilyusheva.

The experts unanimously recommended not using default passwords or weak combinations that cybercriminals will try first. These include sequences of numbers (12345), dates of birth (01.01.1990), phone numbers, and simple words like password or qwerty.

Passwords in the format "name + year of birth" and the names of loved ones are also at risk: such data is easy to find in the public domain, for example, in social networks, said Anton Ponomarev, Director of corporate sales at ESET Russia.
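
A password-policy check for the patterns described above, as an added example that is not Positive Technologies' tooling. It maps the Russian ЙЦУКЕН layout onto the same physical QWERTY keys, so it recognises any Russian month plus year typed on an English layout (a generalisation of the two samples quoted), alongside the simple words and digit-only strings the experts list. The function names and the two-word denylist are assumptions.

```python
import re

# Physical key positions: Russian ЙЦУКЕН and US QWERTY layouts in the same key order.
RU_LOWER = "йцукенгшщзхъфывапролджэячсмитьбюё"
EN_LOWER = "qwertyuiop[]asdfghjkl;'zxcvbnm,.`"
RU_UPPER = RU_LOWER.upper()
EN_UPPER = 'QWERTYUIOP{}ASDFGHJKL:"ZXCVBNM<>~'

RU_TO_EN = str.maketrans(RU_LOWER + RU_UPPER, EN_LOWER + EN_UPPER)
EN_TO_RU = str.maketrans(EN_LOWER + EN_UPPER, RU_LOWER + RU_UPPER)

MONTHS_RU = ("январь", "февраль", "март", "апрель", "май", "июнь",
             "июль", "август", "сентябрь", "октябрь", "ноябрь", "декабрь")
WEAK_WORDS = {"password", "qwerty"}  # the simple words named in the article

# Non-digit text followed by a 2- or 4-digit year.
STEM_YEAR = re.compile(r"^(\D+?)((?:19|20)\d{2}|\d{2})$")
# Digits with optional separators: sequences, dates of birth, phone numbers.
DIGITS_ONLY = re.compile(r"^(?=.*\d)[\d.\-/+() ]+$")


def layout_shift(text):
    """Return what Russian `text` becomes when typed with the English layout active."""
    return text.translate(RU_TO_EN)


def audit_password(password):
    """Return the reason a password is easy to guess, or None if no rule matches."""
    if password.lower() in WEAK_WORDS:
        return "common word"
    if DIGITS_ONLY.match(password):
        return "digits only (sequence, date or phone number)"
    found = STEM_YEAR.match(password)
    if found:
        stem = found.group(1)
        if stem.lower() in MONTHS_RU:
            return "Russian month + year"
        if stem.translate(EN_TO_RU).lower() in MONTHS_RU:
            return "Russian month + year typed on English layout"
    return None


def build_denylist(years):
    """All layout-shifted month + year strings (lower case and capitalised) for `years`."""
    entries = set()
    for month in MONTHS_RU:
        for form in (month, month.capitalize()):
            for year in years:
                entries.add(layout_shift(form) + str(year))
    return entries


if __name__ == "__main__":
    # Constructed candidates: the two samples quoted above plus other listed patterns.
    for candidate in ("Ltrf,hm2019", "Fduecn2019", "qwerty", "01.01.1990", "x9$Lq!vT2r#8"):
        print(f"{candidate!r:18} -> {audit_password(candidate)}")
```

`build_denylist` produces entries suitable for a password filter that only accepts exact-match lists, while `audit_password` can be called at password-change time.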

"Passwords consisting of a random set of letters, numbers and signs are the most difficult to crack, but, of course, much depends on their length," added the founder of DeviceLock Ashot Hovhannisyan.

The Russian quality system (Roskachestvo) gave recommendations on protecting data in social networks

Scammers in social networks use social engineering techniques to hack a user account. In this regard, Roskachestvo experts recommend setting the most stringent privacy settings for the personal page. According to experts, cybercriminals tend to get into the friend list in social networks in order to use this opportunity for fraud in the future, so users of social networks should monitor their privacy and be vigilant.

"Set the most strict privacy settings. For example, hide your contact information, published posts, and information about relatives and friends from everyone except your friends. This will make it more difficult for attackers to get your data and use it in fraud using social engineering," said experts.

Cybercriminals use fake phone numbers, fake names, and other people's photos to get into the friend's list. In addition, there is a high risk that when you click on a postcard, petition, or unknown link, the user is redirected to a site that requests access data to social networks and passes them to the fraudster.

"Everyone knows for sure that a request for financial assistance from a hacked page is a fraudulent technique," reminded Roskachestvo.

Experts advise adding only really familiar people to friends, and also beware of those who ask or offer money, and if a friend makes such a request, ask him personally by phone.

"Do not send payment or other confidential information in social networks and messengers. If you have already sent your card data, find and delete these messages," said experts.

Roskachestvo advises not to follow suspicious links sent in messages, not to use public Wi-Fi networks, set up two-factor authentication in social networks, and use complex passwords for each service, using special software generators to compile them.

"At the same time, it is extremely important to use different passwords for accounts on different resources," said Anton Kukanov, head of the Center for Digital Expertise of Roskachestvo.

Russian Bank reminds about the danger of transferring personal data to someone


If you hand over personal data (card and account details, passport data) to someone, you can become a victim of cyber fraud, so you should never do this, Deputy Chairman of the Board of Sberbank Stanislav Kuznetsov reminded.

"Even if you take a picture of your card and send it to someone — this is basically already a leak. You might as well throw your wallet with your salary in the trash," he said.

He also said that in the second half of 2019, Russian companies faced large-scale phishing. "Last year, several organized criminal groups working in this direction became more active. One of them has made a big step forward in expanding its criminal activities. This is the RTM hacking group, it is Russian-speaking and operates in Eastern Europe, including Russia".

According to him, using modern software, RTM sends phishing emails to tens of thousands of companies in the country 10-15 times a month. Mr. Kuznetsov added that many companies open emails infected with viruses. "In this way, criminals get access to the company's accounting documents — with the help of a virus, they send the company's funds to their Bank accounts and gradually withdraw them," he said.

According to Mr. Kuznetsov, Sberbank has already given law enforcement agencies materials about almost 20 criminals from the group. There are at least five such groups, he said.

"This is not a new type of crime, but in the second half of last year, Russia faced it for the first time on this scale. As a result, some institutions of the financial system, as well as small and medium-sized companies in various industries were affected," said Stanislav Kuznetsov.

According to a study by TAdviser and Microsoft, 76% of Russian small and medium-sized businesses faced cybersecurity incidents in 2019. Businesses named e-mail and external Internet resources as the main sources of threats.

Russian experts warn of the danger of charging a phone in public places


The number of charging stations at airports, bus stops, metro stations and other public places in Russia has been growing rapidly in recent years. However, using such USB-inputs is not safe because attackers can access data stored in the phone or download malware through them. Today in Moscow you can charge your gadgets at airports and train stations, in metro trains, buses, at public transport stops, and in shopping and entertainment centers.

According to Sergey Nikitin, Deputy head of Group-IB, standard USB cables contain four wires: two for data transfer and two for charging. The problem is that hackers embed a special device in the charging wire, or add a small computer to the charger itself. When people connect a gadget to charge, they connect it to some other device.

"Attackers can thus gain access to your device," said the expert. Nikitin gave an example of one of these attacks: a small computer sends malicious code to the gadget, runs it, and so the hacker gains access to the data of the smartphone. An expert at Jet Infosystems Georgy Starostin noted that cybercriminals can download photos from victim's phones for blackmail or infect the device with a virus.

According to him, charging stations in public places carry other risks as well: the company providing the service can also install additional equipment in order to collect user data for further analysis and sale to advertisers.

The Avast press service said that information is transferred via USB ports in the same way as to the computer. If there are any vulnerabilities in the USB phone software, hackers can gain full control of the connected phone.

Experts advised users to try to avoid charging stations in public places. Avast offered to buy a portable power supply for charging the gadget or USB cables in which the data wires are removed.

Russian quality system made recommendations for the safe use of IP cameras


The Russian Quality System study says that wireless IP cameras that are used at home, in cafes and other public places can be hacked by attackers to obtain confidential data.

The organization found that cameras have many vulnerabilities, as well as other devices that connect to the Network, for example, smart refrigerators, coffee makers. Specialists of the Russian quality system reported numerous cases in which personal data fall into the hands of hackers due to the hacked Wi-Fi cameras. Hackers can connect to the cameras of a cafe or restaurant and see the victim’s keyboard and their passwords.

In addition, there was a case of hacking the casino’s Wi-Fi cameras when any person with sufficient technical skills could connect to them and observe the casino’s work from the inside, seeing people’s cards.

The vulnerability of wireless cameras is associated with the quality of software that manufacturers save on and the lack of data encryption. In addition, cameras are often managed from accounts for developers who use standard logins and passwords.

Often, the owners of the cameras themselves do not change the data for connecting to the camera, leaving the default passwords and thereby simplifying access to it.

"The cameras are often not thought out in terms of security, so it’s unlikely that they can completely protect themselves from hacking," said the hacker, who wished to remain incognito.

To reduce the risk of IP cameras being hacked, the Russian Quality System advises not skimping on them and buying cameras with data encryption. It is worth checking the manufacturer's website, as it is important that the camera model is still supported. The page to which the recording from the camera is broadcast must be protected by the HTTPS protocol.

Experts also advise changing standard passwords, making them complex and limiting the number of devices from which you can connect to the camera.

November 30 Computer Security Day by Cyber Security and Privacy Foundation


International Computer Security Day takes place annually on November 30 and is celebrated to raise awareness of computer security and to help people avoid falling prey to malware attacks, scams, and the loss of personal and company data.

The Cyber Security and Privacy Foundation (CSPF) and the Anna University CSE Department celebrated Computer Security Day on November 30, 2019 at Anna University, Chennai, India.


Michael Costa, Deputy Consulate General of Australia for South India, was the chief guest of the event. The event started with a welcome address by R. RamaMurthy, chairman of CSPF.

The speakers:
  • Dr. R.K. RAGHAVAN – Former High Commissioner of India, Republic of Cyprus
  • Dr. R. SADAKATHULLAH – Former Regional Director, RBI, Chennai
  • Dr. S. SATHIK – Former Vice Chancellor, University of Madras
  • SUGATA ROY – Specialist for Communication, Advocacy & Partnerships of UNICEF
  • R. RAM KUMAR – CEO, Amvion Labs Pvt Ltd
  • SURIYA – Head, Reeja Vajra APT Scan, CSPF Pte Ltd., Singapore

Security Experts warn about threats before Black Friday


Experts of the antivirus company Kaspersky Lab reported that in the discount season, also known as Black Friday, the number of threats from cyber fraudsters has grown significantly.

"According to Kaspersky Lab, the number of phishing threats related to Black Friday has increased significantly over the past two weeks. On the eve of big sales and the upcoming holiday shopping season, cybercriminals are increasingly trying to attack users who prefer to shop online," said the antivirus company.

So, in the period from 18 to 24 November, the company recorded almost twice as many fraudulent resources, compared to the previous week.

The number of phishing attacks on online stores has also increased. “This growth is especially noticeable in Russia: if approximately every 20th phishing attack was sent to the e-commerce section in Runet two weeks ago, last week phishers tried to attack Russian online stores in every 11th case,” the company concluded.

As Kaspersky Lab content analyst Tatyana Sidorina noted, an increase in the percentage of phishing attacks is also expected in the upcoming New Year's sales. In addition, there are about 12% more such attacks in the fourth quarter than at other times of the year.

It is interesting to note that Roskomnadzor had earlier warned that fraudulent sites illegally collecting personal data under the guise of sales were appearing on the eve of Black Friday.

"Roskomnadzor experts note that the main purpose of collecting such data (name, phone number, email address, bank details, etc.) is to use them later as spammer databases and to steal bank card data," stated the regulator.

To avoid identity theft, Roskomnadzor recommends checking the authenticity of the online store's domain and the presence of an SSL certificate. If the site address begins with http:// rather than https://, this is a reason to doubt the authenticity of the page.

Pavel Durov, the founder of Telegram advised users to remove WhatsApp from smartphones


Pavel Durov, the creator of the Telegram messenger, called the WhatsApp application unsafe. He recalled a recently discovered vulnerability that allowed hackers and government intelligence agencies to access user data.

"WhatsApp not only does not protect your messages, but this app is also constantly being used as a Trojan to track photos and messages unrelated to Messenger," he wrote on the Telegram channel.

According to Durov, the problem lies in the policy of Facebook, which owns WhatsApp. Durov noted that his Telegram messenger has not encountered such vulnerabilities in six years of existence. At the same time, he doubted that WhatsApp's security mistakes are the result of system imperfections.

"It is very unlikely that someone can accidentally allow serious security failures, so convenient for surveillance, on a regular basis," he said. Therefore, Durov urged users to delete WhatsApp.

In addition, Durov claimed that WhatsApp, like Facebook, shared user information with almost everyone who claimed to be working for the government.

Experts commented on the words of the Telegram creator. Arseny Shcheltsin, CEO of Digital Platforms, noted that any messenger, including Telegram, has access to the files on the smartphone.

"Does the messenger use this data for its work? It's hard to say," he said. According to Shcheltsin, WhatsApp is trying to demonstrate its usefulness to investors and recoup millions of dollars in costs. Mark Zuckerberg may consider data collection an excellent format for better advertising targeting.

Arseniy Poyarkov, a member of the State Duma’s expert council on the digital economy, advised users of Messengers to prepare in advance for the fact that their personal data can become available to anyone.

According to him, data leaks are almost always associated with careless actions of the user himself.

"Observing information hygiene: using VPN, foreign secure messengers, regularly deleting correspondence and unnecessary photos - you can feel safe with a high degree of confidence," concluded Poyarkov.

Security forces are frequent victims of fraudulent lotteries, says Central Bank of Russia


In the past 1.5 years, financial fraudsters have switched from the elderly to the economically active population. The Central Bank of Russia reported that most of the victims are middle-aged men with experience in the power structures. This was announced at the conference on information security of the financial sector by Artem Sychev, the first deputy director of the Information Security Department of the Central Bank of the Russian Federation.

Sychev explained that he was referring to participation in a fictitious lottery. Most often its victims are people over the age of 50 years or middle-aged men.

"This trick is very simple: participate in the lottery — get a prize. You will not believe it, but men, especially those who are somehow related to power structures, become victims much more often than anyone else."

According to Natalia Ratinova, the Candidate of Psychological Sciences, the leading researcher of the University of Prosecutor's Office of the Russian Federation, an excessive share of self-confidence can fail people in uniform. A false sense of self-protection plays a cruel joke, because for scammers everyone is equal.

According to Sychev, now the target category of fraudsters is citizens aged 32 to 48 years. Only an economically active citizen can have a large amount on the card, which is important for criminals. Elderly people usually keep funds on deposits, leaving a small amount on the card, which is not interesting to fraudsters.

According to him, women of economically active age, 65%, also often become victims. At the time the scammers call, they are usually "busy with business."

Earlier it was reported that a new type of fraud is gaining momentum on the Web. Internet users are encouraged to participate in a "win-win lottery" or survey with guaranteed rewards. Users need to pay a commission and enter credit card information to participate. According to intelligent sources, attackers use a server simulating the site of one of the mobile operators to withdraw funds.

According to media reports, the turnover of the fraudulent scheme could amount to hundreds of millions of rubles. Now it’s becoming more difficult to investigate such crimes, because attackers do not just call from fake numbers, but use the bank’s official phone number.

Image credit: rbc.ru

A new type of fraud was discovered in WhatsApp


The Russian edition Cnews reported that ESET experts warned users of WhatsApp messenger about a new type of fraud.

At this time, users began to receive a message with a special offer on the occasion of the tenth anniversary of the messenger. The attackers promise 1 TB of free Internet traffic; moreover, this traffic can supposedly be used without Wi-Fi.

To get the huge amount of free traffic, users must follow simple steps: follow a special link, answer a number of questions, and send the same survey to 30 of their contacts.

ESET experts believe that the ultimate goal of the attackers is to distribute intrusive advertising without the consent of users. It turned out that this scheme really works: users who want to get a gift play into the scammers' hands.

Analysts of the anti-virus company conducted an investigation, during which they managed to find the cybercriminals' site, which was used for several phishing campaigns. Phishing is a type of fraud aimed at obtaining users' personal data. The fraudsters launched more than 66 phishing services from the same domain. All fake promotions were sent to subscribers under the guise of well-known brands – Adidas, Rolex, etc.

Notably, the scammers have already used such schemes to deceive WhatsApp users. In early May, it became known that victims received a letter with an offer to get a premium account in the Spotify service. The attached link led to a phishing site similar to the official music platform portal.

It should be noted that WhatsApp posted on its website a publication in which it announced that WhatsApp will sue the organizers of mass mailings starting from December 7, 2019. Also, WhatsApp prohibits the use of the application for non-personal purposes. The messenger warns that it will collect evidence of illegal activity not only on its own platform. Moreover, technical means will be used in the fight against violators.

Group-IB: Hackers hit hard SEA and Singapore in 2018




Singapore, 19.03.2019 – Group-IB, an international company that specializes in preventing cyberattacks, presented its analysis of the hi-tech crime landscape in Asia in 2018 at Money2020 Asia and concluded that cybercriminals show an increased interest in Asia in general and Singapore in particular. The Group-IB team discovered a new tool used by the Lazarus gang and analyzed the North Korean threat actor’s recent attacks in Asia. Group-IB specialists discovered 19,928 Singaporean banks’ cards that showed up for sale on the dark web in 2018 and found hundreds of compromised government portals’ credentials stolen by hackers throughout the past 2 years. The number of leaked cards increased in 2018 by 56%. The total underground market value of Singaporean banks’ cards compromised in 2018 is estimated at nearly $640,000.

Lazarus go rogue in Asia. New malware in gang’s arsenal

According to the Group-IB Hi-Tech Crime Trends 2018 report, Southeast Asia, and Singapore in particular, is one of the most actively attacked regions in the world. In just one year, 21 state-sponsored groups, which is more than in the United States and Europe combined, were detected in this area, among them Lazarus, a notorious North Korean state-sponsored threat actor.

Group-IB established that Lazarus is responsible for a number of the latest targeted attacks on financial organizations in Asia. The Group-IB Threat Intelligence team detected and analyzed the gang’s most recent attack on one of the Asian banks.

In January 2019, Group-IB specialists obtained information about a previously unknown malware sample used in this attack, dubbed RATv3.ps by Group-IB (RAT - remote administration tool). The new Trojan was presumably downloaded to a victim’s computer as part of the second phase of a so-called watering hole attack, which, according to the Group-IB report on Lazarus, the group has been actively using since 2016. During the first stage, cybercriminals supposedly infected a website visited by the victim with the Ratankba Trojan, a unique tool used by Lazarus. Group-IB specialists note that the new RATv3.ps might have been used by North Korean hackers in other recent attacks at the end of 2018. At least one of the RATs was available via a legitimate Vietnamese resource, which might have been involved in other attacks.

“The newly discovered Lazarus’ malware is multifunctional: it is capable of data exfiltration from the victim’s computer, downloading and executing programs and commands via shell, acting as a keylogger to retrieve victim’s passwords, moving, creating and deleting files, injecting code into other processes and screencasting,” – comments Dmitry Volkov, Group-IB CTO and Head of Threat Intelligence. “So in case of Lazarus a stitch in time saves nine. It is very hard to contain their attacks as they happen. You have to be well prepared and know their tactics and tools. In particular, it is extremely important to have most up-to date indicators of compromise, unavailable publicly, that can only be gathered through automated machine learning-powered threat hunting solutions. Given the group’s increased activity in the region in 2018, we believe that Lazarus will continue to carry out attacks against banks, which will result in illicit SWIFT payments, and will likely experiment with attacks on card processing, primarily focusing on Asia and the Pacific.”

Several cybersecurity researchers note that in 2018 Lazarus also carried out a global campaign known as “Rising sun”. The malicious campaign affected close to 100 organizations around the world, including Singapore. The gang’s new endeavor took its name from the implant downloaded to victims’ computers. It was found that Rising Sun was created on the basis of the Trojan Duuzer family, which also belongs to cybercriminals from the Lazarus group. The malware spread as part of this campaign was primarily aimed at collecting information from the victim’s computer according to various commands.

According to the Group-IB Hi-Tech Crime Trends 2018 report, Lazarus, unlike most other state-sponsored threat actors, does not shy away from attacking crypto. “Singapore, being one of the most crypto-friendly countries in the world, attracts not only thousands of crypto and blockchain entrepreneurs every year, but also threat actors willing to grab a piece of the pie. We expect that other APTs like Silence, MoneyTaker, and Cobalt will stage multiple attacks on cryptocurrency exchanges in the near future,” – says Dmitry Volkov.

Have you been pwned?

Group-IB Threat Intelligence team identified hundreds of compromised credentials from Singaporean government agencies and educational institutions over the course of 2017 and 2018. Users’ logins and passwords from the Government Technology Agency (https://www.tech[.]gov.sg/), Ministry of Education (https://www.moe[.]gov.sg/), Ministry of Health (https://www.moh[.]gov.sg/), Singapore Police Force website (https://polwel[.]org.sg/about/), National University of Singapore learning management system (ivle.nus[.]edu.sg) and many other resources were stolen by cybercriminals. CERT-GIB (Computer Emergency Response Team) reached out to Singaporean CERT upon identification of this information. “Users’ accounts from government resources are either sold on underground forums or used in targeted attacks on government agencies for the purpose of espionage or sabotage. Even one compromised account, unless detected at the right time, can lead to the disruption of internal operations or leak of government secrets,” – comments Dmitry Volkov. Cybercriminals steal user accounts’ data using special spyware aimed at obtaining users' authentication data. According to Group-IB data, PONY FORMGRABBER, QBot and AZORult became the TOP 3 most popular Trojan-stealers among cybercriminals.

Pony Formgrabber retrieves login credentials from configuration files, databases, secret storages of more than 70 programs on the victim’s computer and then sends stolen information to cyber criminals’ C&C server. Another Trojan-stealer — AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallets data. Qbot worm gathers login credentials through use of keylogger, steals cookie files and certificates, active internet sessions, and forwards users to fake websites. All these Trojans are capable of compromising the credentials of crypto wallets and crypto exchanges users. More information on the most actively used Trojans and their targets can be accessed through Group-IB Threat Intelligence.

Public data leaks are another huge source of compromised user credentials from government websites. The Group-IB team analyzed recent massive public data breaches and discovered 3689 unique records (email & passwords) related to Singaporean government websites accounts.

Underground market economy. Number of compromised cards of Singaporean banks on sale increases

In 2018, Group-IB detected a total of 19,928 compromised payment cards related to Singaporean banks on darknet cardshops. Singapore, as one of the major financial hubs in Southeast Asia, is drawing more and more attention from financially motivated hackers every year. According to Group-IB data, compared to 2017, the number of leaked cards increased in 2018 by 56%. The total underground market value of Singaporean banks’ cards compromised in 2018 is estimated at nearly $640,000.

The Group-IB Threat Intelligence team observed two abnormal spikes in Singaporean banks’ dumps (unauthorized digital copies of the information contained in the magnetic stripe of a payment card) offered for sale on the dark web in 2018. The first one occurred on July 20th, when almost 500 dumps related to top Singaporean banks surfaced on one of the most popular underground hubs of stolen card data, Joker’s Stash. On average, the price per dump in this leak was relatively high and kept at $45. The high price is due to the fact that most of the cards were premium (e.g. Platinum, Signature etc.).

Another significant breach happened on November 23rd, when the details of 1147 Singaporean banks’ dumps were put up for sale on cardshops. The seller wanted $50 per item; 50% of the stolen cards in the batch were also marked as Premium.

Group-IB Threat Intelligence continuously detects and analyses data uploaded to cardshops all over the world. According to Group-IB’s annual Hi-Tech Crime Trends 2018 report, on average, from June 2017 to August 2018, the details of 1.8 million payment cards were uploaded to card shops monthly.

Be careful with whom you share your Jio Hotspot!

If you are sharing your Jio internet with others via mobile hotspot, you should know the risk that you are taking. Our research shows that sharing your Jio connection with others puts your sensitive information in their hands.

The person who is using your Jio Internet can easily log into your Jio account. All they have to do is download the MyJio app and click "SIGN IN WITH SIM". 

Steps to replicate:
Step 1:
    You should have two phones - one with a Jio SIM and another one with a non-Jio SIM (make sure you have not installed the Jio app on the second phone yet).

Step 2:
    Turn on the Wi-Fi hotspot on the Jio phone and connect to it from your non-Jio phone.

Step 3:
    Install the Jio app from the Play Store and open it. When it asks for authentication, click "SIGN IN WITH SIM". Now you will be able to access the Jio account from your non-Jio mobile.

View/Modify Details:
After logging in, it is possible to view sensitive information including name, date of birth, mobile number, alternate contact work, address, photo, usage details.  Also, some of the details can be edited.



Once you are logged in, the session is maintained even if you are disconnected from the Jio network.

Account lockout:
If you mistakenly log out on the Jio phone while the account is logged in on the non-Jio phone, you won't be able to log in to your Jio app unless the other person logs out from the app.

If the victim has installed the Jio Security app, it is possible for an attacker to track the current location or see the last location details.

Let's say that you are in a public place and a stranger (the attacker) asks for an Internet connection to check his email. If you share the Internet, that is enough for the attacker to steal your sensitive information.

The issue can be resolved by adding an OTP check during authentication.
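The OTP fix proposed above, sketched as an added example (not code from this post or from Jio). How the MyJio backend actually identifies the subscriber is not stated here; the model assumes it maps the carrier-side source address of the request to an account, and all names and addresses are hypothetical.

```python
import hmac
import secrets
import time

# Constructed sample data (assumption): carrier-side address -> subscriber.
SUBSCRIBER_BY_CARRIER_IP = {"10.20.30.40": "subscriber-A"}
OTP_TTL_SECONDS = 120


def sim_login_network_only(carrier_ip):
    """Weak form: identity comes only from the network path.

    Every device tethered to the subscriber's hotspot reaches the server
    from the same carrier-side address, so each one is treated as the
    subscriber.
    """
    return SUBSCRIBER_BY_CARRIER_IP.get(carrier_ip)


class OtpSimLogin:
    """Hardened form: the network path only selects the account; a one-time
    code sent by SMS to the SIM must be returned to finish the login."""

    def __init__(self, send_sms, clock=time.monotonic):
        self._send_sms = send_sms   # callable(subscriber, code), hypothetical
        self._clock = clock
        self._pending = {}          # challenge_id -> (subscriber, code, expiry)

    def start(self, carrier_ip):
        subscriber = SUBSCRIBER_BY_CARRIER_IP.get(carrier_ip)
        if subscriber is None:
            return None
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        expiry = self._clock() + OTP_TTL_SECONDS
        self._pending[challenge_id] = (subscriber, code, expiry)
        self._send_sms(subscriber, code)  # reaches the SIM phone only
        return challenge_id

    def finish(self, challenge_id, submitted_code):
        # pop() makes each challenge single-use: a wrong guess burns it.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return None
        subscriber, code, expiry = entry
        if self._clock() > expiry:
            return None
        if not hmac.compare_digest(code.encode(), submitted_code.encode()):
            return None
        return subscriber
```

With the OTP step, a tethered device can still start a login but cannot complete it without reading the SMS on the phone that holds the SIM.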

We thank Suriya Prakash from Cyber Security & Privacy Foundation(CSPF) for helping us with this research.