Tag Archives: Gnosticplayers

Hacker Well On His Way to Publishing ONE BILLION User Records

While some people say that you can’t prove that people have been harmed by lax cybersecurity practices, the laws are making it more expensive for companies to believe this.  Fines in the hundreds of thousands, millions and even billions of dollars are happening.  So whether companies believe cybersecurity is an issue or not, their wallets are suggesting that they need to make improvements.

To encourage that, one hacker who goes by the handle GnosticPlayer is making it a one-man mission to make life miserable for businesses with weak security.

Until this week he had made four dumps of data:

  • round one contained 620 million records
  • round two contained 127 million records
  • round three contained 93 million records and
  • round four contained 26.5 million records.

This brought the total to over 850 million records.

Until this week.

Round five contains 65 million records from 6 companies, bringing the total to over 900 million records.

In case you are questioning whether this is a business, apparently the data is available, sorted by category.  For a “fee”.  In Bitcoin.

Stolen email addresses are sold to spam networks.

Financial details are sold to groups that specialize in tax fraud and online fraud.

Usernames and passwords are sold to groups that specialize in credential stuffing (the technique of taking a million userids and passwords, throwing them at a web site and seeing which ones work).
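The credential stuffing pattern just described has a recognizable footprint in authentication logs: one source tries many different usernames, each only once or twice, and most attempts fail. The following is an added example (not code from the original post) that runs a minimal detector over constructed sample log lines; the log format, the `login ok|fail` fields and the thresholds are assumptions for illustration, and the same logic also distinguishes stuffing from a single-account brute-force run.

```python
# Added example, not from the original post: a minimal credential-stuffing
# detector over constructed authentication log lines.
# Stuffing: one source, MANY distinct usernames, mostly failures.
# Brute force: one source, ONE username, many attempts (not flagged here).
# Thresholds are illustrative assumptions, not an industry standard.
from collections import defaultdict
import re

# Constructed sample lines: "<time> <source_ip> login <username> <ok|fail>"
SAMPLE_LOG = """\
10:00:01 203.0.113.7 login alice fail
10:00:01 203.0.113.7 login bob fail
10:00:02 203.0.113.7 login carol fail
10:00:02 203.0.113.7 login dave ok
10:00:03 203.0.113.7 login erin fail
10:00:03 203.0.113.7 login frank fail
10:00:09 198.51.100.4 login alice fail
10:00:15 198.51.100.4 login alice fail
10:00:20 198.51.100.4 login alice ok
10:01:00 192.0.2.9 login carol ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (\S+) (ok|fail)$")


def summarize_sources(log_text):
    """Return {source_ip: (distinct_usernames, attempts, failures)}."""
    stats = defaultdict(lambda: [set(), 0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not login events
        _ts, ip, user, result = m.groups()
        stats[ip][0].add(user)
        stats[ip][1] += 1
        stats[ip][2] += 1 if result == "fail" else 0
    return {ip: (len(s[0]), s[1], s[2]) for ip, s in stats.items()}


def detect_stuffing(log_text, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag sources spreading attempts across many usernames, mostly failing."""
    flagged = []
    for ip, (distinct, attempts, failures) in summarize_sources(log_text).items():
        if distinct >= min_distinct_users and failures / attempts >= min_fail_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))  # ['203.0.113.7']
```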

The hacker is selling his data on Dream Market, a pretty public dark web marketplace.  He does not appear to be very shy about publicity, so my guess is that he is not in a country friendly to the U.S.

For businesses and consumers, this means that your information is being used against you.

Credential stuffing allows hackers to attempt to hack your bank account and empty it.  Is that important to you?

Tax fraud means that your tax return will be rejected by the IRS and you will not get the refund that you are owed.

Other attacks might mean that you will lose access to your email account or other accounts.

So unless you think that the issues above are not important to you or your customers, you need to work hard to improve your business’s and your personal cybersecurity hygiene.

Source: ZDNet.


Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on.  Privacy.  That’s iPhone”.

Since Apple’s business model is based on selling phones and apps, they do not need to sell your data.  I saw a stat yesterday that one app (Kimoji) claimed to be downloaded 9,000 times a second at $1.99 after it was launched.  One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of the industry that makes money by selling your data.  Source: The Hill.


Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn, and my email address and information were located by a low level person at the CIA.  See the first screen shot below (click to expand the images).

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to the country of Gabon in south west Africa.

Next comes the scam – see the second screen shot below.

First, she knows that I am wealthy (I wish!).  This nice person is warning me that arrests will commence on April 8th and if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who already released details on 890 million hacked accounts and who previously said he was done, released yet another round of hacked accounts for sale.  This round contains 27 million hacked accounts originating from some obscure (to me) web sites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic.  This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts – that translates to way less than a penny per account.

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts.  HOW MANY compromised accounts are out there?  Source: The Hacker News.


Airline Seatbacks Have … Cameras?!

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video with each other while travelling – likely at some exorbitant cost.  If you allow people to use their phones, they can FaceTime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether big brother is watching you while you sit there.  Maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras are dormant.  For now at least.  Source: CNN.


Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a challenge in getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most Congresspeople are clueless when it comes to cyber, and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some Congresspeople understand the risk that IoT represents and after watering down the current IoT bill under consideration, it may actually get passed.  So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples.  The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement them.  That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us.  Source: Dark Reading.