Hackers Steal Your Data – By Pretending They Are Cops

Hackers are creative if nothing else.

Normally when police want data, they need to provide a subpoena or warrant, but that is not required in all cases.

If there is a risk of imminent harm – life or death – the police can just ask a company for their data and they have to comply. They could say no, but if it turns out that it was a matter of life or death, they might be liable. And, from a PR standpoint, that would be really bad, too.

But there is really no way to verify that the documents are real or the claims are real.

Big ISPs get bombarded by these requests.

So what do the hackers do?

They hack a mailbox of some (usually smaller) law enforcement agency. Done right, there are no visible signs that this one mailbox has been hacked. Then they send an emergency data request (EDR) to the phone company or ISP.

Given that there are tens of thousands of police agencies around the country and the phone and Internet providers really don’t want to spend money to fund an overhead department, the companies just hand over the data. Besides, they don’t really care about protecting your information; the warrant thing is just to cover their posteriors.

Lapsus$, the group that hacked Okta and many others, offered fake warrant and subpoena service for between $100 and $250 per request. The head of Lapsus$ is a 14 year old kid. That probably gives you some idea that this is not that hard.

And there really is no easy fix. Credit: Brian Krebs

Cybersecurity News for the Week Ending March 25, 2022

FCC Publishes Notice of Inquiry on Digital Redlining

The recently passed jobs act gave the FCC two years to adopt rules that will “facilitate equal access to broadband internet access service.” Congress says that these rules should prevent “digital discrimination … based on income level, race, ethnicity, color, religion, or national origin”. The FCC is asking, publicly, an awful lot of questions. Stay tuned for what happens next. Comments are due by May 16th. Credit: Wiley Law

EU and US Sign New Data Transfer Deal

The EU and US signed a deal to replace Privacy Shield today, in Brussels. We have not seen the details of the deal and Max Shrems, who killed the last two versions of the deal in court says his group will review it in detail for compliance with EU law, so this is not over yet, but it is a good sign for US businesses who are looking for some certainty when it comes to data transfers. Credit: Security Week

Hackers Unlock and Remote Start Honda Civics for $300 in Parts

Nobody told Honda that sending security information from the fob to the car unencrypted or sending the same information each and every time to unlock or start the car is a problem. If you are worried about your Honda being stolen, the only thing you can do is, well, not much. The article says you can put your key fob in Faraday bag, but reality is, that doesn’t help at all. Credit: The Register

Google Trains Employees to CC: Attorneys to Claim Privilege

In the face of the massive anti-trust lawsuit between the feds, 14 attorneys general and Google, the government is asking the judge to sanction Google for arbitrarily CC:ing lawyers on sketchy emails and ask for an opinion. Google’s attorneys understand this is a scam and don’t respond. Google even trains its employees to do this. We shall see what the judge decides. Credit: Ars Technica

FBI Releases 2021 Internet Crime Report

The FBI runs something called the IC3 or the Internet Crime Complaint Center. While they do occasionally catch bad guys, their main objective (they might argue with this) is to understand how big the problem is and share information with a lot of other law enforcement agencies. The bad news is that the problem is huge.

Last year people reported almost $7 billion in Internet crime – specifically…

Note that business email compromise attacks and email account compromises represents a third of the total.

But look at the growth curve. Between 2017 and 2021, the dollar value of crimes reported grew by 500%.

Now look at crimes REPORTED by age. This doesn’t necessarily map to actual crime numbers, but it could. It may just mean that older people are more likely to report crimes or it could mean that older people are better targets. Still it is a very interesting set of facts.

The report has more detailed information, but the big takeaways should be the dollar value of the crime and the shape of the curve. Neither of those is terribly comforting.

That means that it is up to you and me to educate ourselves and our families, add layers of security and think before we act.


IC3 report: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

The Record and the FBI

EU Proposes Major New Rules for Big Tech

The Digital Markets Act is designed to reign in big companies like Amazon, Facebook and Apple. Alternatively, those companies could choose not to do business in Europe, fearing the requirements could be too expensive or too risky. My guess is that none of the platforms will have the guts to do that, but who knows.

Fines could be up to 10% of a company’s annual revenue or 20% for repeat offenders.

The EU thinks the law could be passed and in effect by the fall. Companies would have from three months to four years to interoperate with smaller platforms, depending on the complexity.

Right now the bill is only targeting messaging apps like Whatsapp and iMessage and the EU would like those to be able to talk to each other and other apps.

Some vendors, like Apple, choose to not allow their apps to interoperate because they think it sells more hardware.

It will be interesting to see who is smarter – the tech companies or the lawyers. I could see a situation where an iMessage user could talk to a Whatsapp user, but using the least common denominator – no security. While that technically works, that is probably not what either community wants. Will that meet the requirements of the bill? No one knows because the sausage is not done being made.

Apple commented about the bill saying that it will create unnecessary privacy and security holes and will stop us from being able to charge for our intellectual property. We believe in competition, they say (as long as they win, I say). Credit: The Verge

Russia is Eating its Young

Russian con artist Pavel Vrublevsky, the founder of the dark web payment firm (credit card processor) ChronoPay and the antagonist in Brian Krebs’ 2014 book Spam Nation, was arrested in Moscow this month for fraud.

In Brian’s book, he talks about the fraudulent money laundering and SMS payment schemes that Vrublevsky operated.

ChronoPay “specializes” in providing access to the global credit card network to “high risk” (AKA criminal) merchants.

Krebs started writing about Vrublevsky in 2009 when Brian was still a writer at the Washington Post.

In 2013 he was sentenced to two and a half years in prison for convincing one of his associates to launch a denial of service attack against a competitor. Unfortunately, it also took Russia’s state-owned airline Aeroflot’s ticketing system down.

After he got out of jail he started a new payment platform, based in Hong Kong.

Likely what got him in trouble is this.

He had a habit of documenting everything. Unfortunately, it was on a Confluence server.

Not only did his “autobiography” document all of his shell companies and scams, but it also documented all of the bribes that he made to corrupt FSB officers. It also named other Russian hackers. The guy who gave Brian the stolen autobiography was Vladislav Horohorin, who served four years in a U.S. prison for his part in a 2009 very public breach of millions from global credit card processor Worldpay.

Turns out Horohorin is Ukrainian (surprise), but also, he told Brian, that Vrublevsky threatened a family member. Not a good plan. My guess is that he not only gave the info to Krebs, but also to the FSB. Payback, no doubt. Do not threaten my family. Does this sound like the plot for a soap opera?

At that point, the Russians were trying to do damage control. They probably had no way of knowing how many other people Horohorin “shared” that information with. Or, who the source was.

Interestingly, these guys and other Russian criminals are all willing to talk to Krebs and give him a lot of dirt.

Given all of the crap that is going on in Russia right now, it seems like even the FSB has better things to do, but clearly, he ticked off the wrong person. Or persons.

Check out the rest of the saga at Brian’s blog, here.

Why Passwords Don’t Hack It Anymore

Security folks (like me) have been telling people for years that passwords are just not secure enough anymore.

Now we have another reason that is true.

Companies have been promoting single sign on as a way around the insecurity of passwords, but now, even that is not secure anymore.

Multifactor authentication helps, but even that isn’t perfect and people grump about it a lot.

Lets pick this apart.

First we told people to look for the padlock in the browser address bar. That worked until hackers started buying doppleganger domains. Is GOOGLE.COM different than G00GLE.COM? What about TIME.COM vs. T1ME.COM? Or DISNEY.COM vs DlSNEY.COM? You get the idea.

When the web went truly international, the browsers had to support different character sets and the hackers added homograph attacks. These are attacks that abuse those different character sets in a way that looks visually identical to the real domain.

Now attackers are figuring out how to compromise single signon attacks. Examples that consumers see are “signon with Google” or “signon with Facebook”, but the business world uses Microsoft single signon or Ping or Okta.

Here is an example of a real and fake “signon with Facebook” screen:

real and fake single signon page

There is a difference between these two, but even I can’t see what it is.

They still have to lure you to the bad website, but if they do and you fall for the sign on with xxx bait, they have you.

But you say, what about multifactor authentication? It definitely helps, but does EVERY site you log into use MFA? I didn’t think so.

And users LOVE having to enter a number from a text message (ignore the SIM swapping attack for the moment). If EVERY SINGLE WEBSITE that you care about uses MFA and you use a more secure MFA method like an authenticator app, that is probably still pretty good.

But if you reuse passwords or if you don’t use MFA EVERYWHERE, you have a problem.

According to researcher mr.d0x, it is pretty simple to concoct the fake popup login with basic HTML and stylesheets. Using Javascript, you can make the window pop up anywhere on the screen – on a button click or a page load or whatever.

This attack, called a Browser-in-the-browser attack, can also fake out the hover over the URL trick. Go to the link for details on how that works.

One tool that reduces the effectiveness of this attack is a password manager. Why? Because the password manager doesn’t rely on the visual URL. It is looking at the code underlying that and it isn’t as easily fooled.

But most companies don’t use – or at least force the use – of password managers and most consumers have no clue what a password manager is.

Client-side encryption certificates are also great, as is IP whitelisting. Most companies don’t even know what that is. Consumers certainly don’t. And, many systems don’t even support this technology.

None of this is bullet proof, but it makes things a lot more secure.

FIDO keys work well too, but how many people have FIDO keys?

Bottom line is that IT teams need to up their game before it is too late.

You can find the rest of the story at Threatpost.