Ransomware – Extortion by any other name, would be as bad!

Ransomware is not new, but how many of you actually know when it first appeared?

Believe it or not, the very first Ransomware appeared in 1989; yes you read that right! Want to know more, then read on, and I’ll explain the history and major changes that have occurred since that very first Ransomware way back in 1989…

Back in Time

The very first Ransomware was the so-called AIDS Trojan, which was supplied on a 5.25″ floppy disc to thousands of attendees of the World Health Organisation’s AIDS Conference and also mailed out to over 20,000 individuals across Europe.

The disc was created by PC Cyborg, the company run by Dr. Joseph Popp, and it contained a program that claimed to work out your risk/chance of contracting HIV/AIDS. If you inserted the disc into your IBM (or compatible) PC and ran the program, it would indeed do what it claimed; however, after 90 boots/reboots the malicious payload (the encryption) would trigger and you would see the following:

AIDS Trojan Ransomware

Ironically, if you actually read the EULA that came with the disc, it clearly explained that you needed to pay a licence fee to use it and that it would encrypt your system if you didn’t pay, sound familiar?

Here is part of the text of the supplied EULA:

"If you install [this] on a microcomputer...
then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs...
In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use...
These program mechanisms will adversely affect other program applications...
You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life...
and your [PC] will stop functioning normally...
You are strictly prohibited from sharing [this product] with others..."

Here is the full version:

EULA from the AIDS information diskette

Luckily the program used trivial encryption (a simple symmetric substitution applied to the file names on the C: drive, with the directories hidden; the file contents themselves were not touched), and a decryption tool was soon written by Jim Bates and given away for free. He also wrote up his analysis of the Trojan (the term Ransomware didn’t exist in 1989).

An arrest warrant was issued by New Scotland Yard and Popp was eventually arrested at Schiphol airport in Amsterdam during a routine baggage inspection.

From that date his behaviour became very erratic; he was held in Brixton prison until he was due to appear in court. There have been reports that he was known to wear a cardboard box whilst in prison, and that when he finally appeared in court he had curlers in his beard and a condom (prophylactic) on his nose, allegedly “to ward off radiation”. Whatever the real state of his appearance in court, he was declared “mentally unfit to stand trial” and returned to the United States without charge.

Other researchers (Adam Young and Moti Yung) analysed the Trojan in more detail and wrote a paper on it (in 1996, coining the term “cryptovirology”) pointing out its many flaws. The major one was that it used symmetric (single key) encryption rather than asymmetric (public key) cryptography, which uses two keys, a public key and a private key. With symmetric encryption the key has to be present on the victim’s machine for the malware to work, so it can simply be pulled out of the code. Most modern Ransomware uses a hybrid of the two: a random symmetric key encrypts the data, and that key is then wrapped with the attacker’s public key, so unless you have access to the matching private key you can’t decrypt the encrypted data (unless the encryption methodology used is not properly implemented).

The Rebirth…

Not surprisingly, the Bad Guys n Girls were taking notes, and in the early Noughties we saw the re-birth of (or birth of modern) Ransomware. Of course it used public key cryptography (RSA), and some of the early new families were even named after PGP, such as PGPCoder (also known as Gpcode). However, the problem was how to get the money from a victim without being caught or unmasked (always a tricky issue for any extortionist or blackmailer in the days before cryptocurrencies existed).

We saw a small (compared to the explosion that was to follow) number of these new Ransomware, but all was about to change in 2009 with the first launch of a little cryptocurrency called Bitcoin (invented in 2008).

It took a few years for the cyber-criminals (the Bad Guys n Girls) to catch on to the value of Bitcoin as a method of payment for Ransomware and other crimes, but by around the start of 2013 they had started to embrace Bitcoin, and Ransomware exploded over the next 4-5 years. The first modern Ransomware to take full advantage of not only public key cryptography but also Bitcoin was CryptoLocker (September 2013). Many saw the success of this malware, and promptly developed their own Ransomware strains.

The Business

Once CryptoLocker had arrived, Ransomware quickly became a thriving way to make money for the Bad Guys n Girls. Estimates appeared claiming that in 2015 Ransomware netted (according to the FBI) over $24 Million USD, and that in the first three months of 2016 alone this had grown to over $209 Million USD; Kaspersky claimed that Ransomware attacks tripled in 2016. Things got worse in 2017 as we saw the first widespread worm-enabled Ransomware (malware that can move from system to system without human help). 2017 is remembered for two major Ransomware attacks, WannaCry in May and NotPetya in June (both worms, both using the leaked EternalBlue SMBv1 exploit to spread; NotPetya also harvested credentials and used legitimate admin tools to move laterally). The problem with NotPetya was that although it acted like Ransomware, it was in reality a wiper, with no working recovery path behind the ransom screen, so even if you paid up you wouldn’t get your data back!

Cybersecurity Ventures predict that cybercrime as a whole (not Ransomware alone) will cost $6 Trillion USD annually by 2021, with Ransomware one of the fastest-growing parts of that figure.

But read on dear reader, things are about to change, in 2018!

The Future?

As mentioned previously things were about to change in 2018 (actually from the last quarter of 2017)…

During 2018 we saw the number of Ransomware attacks shrink, but the average Ransom being charged increased (significantly), why?

  • The Bad Guys n Girls moved to a more targeted approach, often manually hacking an organisation’s infrastructure, mapping out its network, and then encrypting the organisation’s “crown jewels”. Often part of this mapping would identify where the backups were, and these would either be erased (securely) or encrypted too, removing the victim’s alternative to paying. They started to look for high-value targets, rather than use the previous scatter-gun (mass-mailing) approach they had used during 2015-2017.
  • Writing Ransomware is not trivial (if done properly), so the Bad Guys n Girls were also looking for other ways to monetise vulnerable systems (ones they can hack, either manually or via an automated script). They decided to steal the processing power of compromised systems to “mine” cryptocurrency. Less work, less risk and more profit; it was a match made in heaven!

I blogged about the “Curse of Cryptojacking” recently.

However, I don’t think we have seen the back of Ransomware. The Bad Guys n Girls may have moved on to Cryptojacking and Sextortion scams, but they will continue to hold data and systems to ransom where the payout is worth the effort. Increasingly this means Public Services (Government), Healthcare, Education, Law Enforcement and the legal sector (law firms), as well as the more traditional targets (Retail, Travel, Finance, etc.)

Update March 20th: Ironically, less than 24 hours after I posted this blog, Norsk Hydro was hit by manually deployed Ransomware (in this case LockerGoga), which uses the same approach as other manually deployed Ransomware (such as SamSam): the victim’s infrastructure is penetrated via a vulnerability or an insecure open port, the Bad Guys n Girls map out the network (typically picking up domain administrator credentials along the way), and then deploy their Ransomware by hand across as many systems as those credentials reach.

Protection?

  • Harden and patch all systems, applications and Cloud infrastructure.
  • Use unique passwords for all access; even better use two or multi-factor authentication (not SMS based).
  • Install and run anti-malware, end-point/server protection, and on servers enable and configure the firewall and if it is a web server protect it via a Web Application Firewall too.
  • Remove all default accounts and sample content on web and database servers, etc.
  • Close off ports for remote administration, or put them behind a VPN (itself protected by MFA). That includes RDP (Terminal Services), Telnet, SSH, VNC and others; Internet-exposed RDP with weak or re-used credentials is a favourite way in for the manually deployed Ransomware gangs.
  • Stay aware of new threats and countermeasures, both specific and generic.
  • Train and test your staff; they are often the first and last line of defence.
  • Take BACKUPS, keep at least one copy physically off-site and offline (not just in the Cloud, and not reachable with the network access or credentials that a compromised domain admin would have), and test that they work (do a RESTORE). That way you have the option to recover your systems and data without having to pay the Bad Guys n Girls.
  • If you are using O365 or G Suite, enable 2FA/MFA and do NOT allow the services to be accessed via IMAP, POP3 or other legacy (“basic”) authentication protocols, as these bypass Multi-Factor Authentication entirely; a password alone is enough to read the mailbox (you have been warned!)
  • If you have cyber or crime insurance, check that Ransomware is covered by the policy (most cyber insurance policies currently do cover this, but Property and Casualty policies usually don’t)…

Until next time, stay safe out there!

The Curse of CryptoJacking!

Since around the end of 2017 there arose a new threat to organisations and individuals alike, cryptojacking; with Ransomware starting to become less favoured as a mass-attack method, the Bad Guys n Girls were looking at new ways to make money with the least amount of work and risk as possible.

So, in 2018 we saw a huge jump in a new tactic; this was the use of scripts and malware to “mine” cryptocurrency using your or your organisations systems (usually without your knowledge, or approval). We also saw the move towards targeted Ransomware attacks, often asking for huge ransoms to be paid to get access to your data, on your systems, or hosted/cloud based servers.

So, what is CryptoJacking, what is cryptocurrency “mining”, and what does it mean to you and your systems or organisation, do you need to be worried, and what can you do to help reduce the risk from this new threat?

Let me explain:

Hopefully you all know about cryptocurrencies, at least at a basic level? If not, here is a slightly more in-depth (but not too deep) look at them; it should also fill in the gaps for those of you that only know the basics.

Cryptocurrencies

When most people are asked what they know about cryptocurrencies, they will usually reply that they know of, or have heard of, Bitcoin (and possibly they may also mention Blockchain, which is not a cryptocurrency at all; it is the distributed ledger [transaction log] used by Bitcoin and most other cryptocurrencies, and it can be used for lots of other things too, but that’s another story).

In simplest terms a cryptocurrency (like Bitcoin) is a digital currency that, unlike real “physical” currencies (British Pound, US Dollar, Euro, etc.), is decentralised (no single person or entity has control over it). It is also, for most purposes, pseudonymous rather than truly anonymous: every transaction is public on the ledger, but addresses are not tied to a real-world identity unless something else links them (that’s why the cyber criminals like to use them, and also why law enforcement can sometimes still follow the money). Instead of a central bank it relies on Blockchain and what you might call a democratic method of recording and approving all transactions.

Cryptocurrency Mining

“Mining” in the world of cryptocurrencies is the act of validating transactions and adding them to the blockchain as a new block. In proof-of-work currencies such as Bitcoin, or Monero (the one cryptojackers prefer, because it can be mined on ordinary CPUs and is harder to trace), this means racing to find a hash below a target value; the miner that wins the race earns newly minted coins plus the transaction fees in that block.

Doing this takes huge amounts of processing power; unlike “physical” mining, where you have to expend manual effort, cryptocurrency mining is all done on a computer. There are many crypto-mining groups and individuals, often with dedicated “rigs” to carry out this activity. One of the real-world concerns with crypto-mining is that because the systems used are “maxed-out”, they require lots of power and as a by-product produce lots of heat, requiring extra power to cool the room they are housed in. This, it is suggested, may also contribute to global warming!

Cryptojacking

Cryptojacking is when your site, server or application has been compromised (hacked), either via a vulnerability (bug), weak or default credentials (maybe re-used credentials), poor security controls such as open ports (that shouldn’t be), or social engineering (phishing, vishing or smishing, etc.). Once compromised, an unauthorised script, binary or other file is uploaded and executed (run); this then starts to crypto-mine, using your system’s processor to carry out the intensive hashing needed to validate transactions (mine cryptocurrency). The browser-based variant simply plants mining JavaScript in a web page, so every visitor’s browser mines for as long as the tab is open.

So what, I hear you say?

Well, for one thing, if it is an end point (laptop, workstation, etc.) it will slow to a crawl; now imagine this happening on a web server, database server, etc. Then throw in the Cloud scenario (where you pay for compute by the hour or the second, and auto-scaling will happily add instances to absorb the “load”) and imagine what your next bill from them will look like; it can be many times your “normal” bill. All the while the Bad Guys n Girls are making money and slowing (and possibly damaging) your business…

Now there are Worms that perform cryptojacking! Worms are automated malicious code that can move from system to system without human help.

No real surprise there, as the technique is the same as we saw with the Ransomware worms of 2017 (WannaCry and NotPetya). It is an obvious evolutionary step. In fact the same exploit code is being used (EternalBlue, the NSA exploit released by the Shadow Brokers in April 2017, for which Microsoft had already issued the MS17-010 patch a month earlier); a patched SMB stack, or SMBv1 disabled, stops this whole family of worms dead.

What do you need to do?

  • Harden and patch all systems, applications and cloud infrastructure.
  • Use unique passwords for all access; even better use two or multi-factor authentication (not SMS based).
  • Regularly check your systems for high or unusual CPU usage (beyond the normal range), alerting on sustained load rather than short spikes; in the Cloud, set billing alerts as well.
  • Install and run anti-malware, end-point/server protection, and on servers enable and configure the firewall and if it is a web server protect it via a Web Application Firewall too.
  • Remove all default accounts and sample content on web and database servers, etc.
  • Close off ports for remote administration, or put them behind a VPN.
  • Stay aware of new threats and countermeasures, both specific and generic.
  • Train and test your staff; they are often the first and last line of defence.
  • If you have cyber or crime insurance, check that cryptojacking is covered by the policy (most cyber insurance policies currently do NOT cover this)…
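As an added example (not code from the original post), here is the kind of check the CPU-usage bullet above describes: a detector that learns a baseline from a known-good period of CPU-busy percentages and flags only sustained runs above it, so that a build or a backup spike does not page anyone but a miner pegging the cores for minutes on end does. The sample values are constructed; the /proc/stat sampler is an optional extra that only works on Linux hosts.

```python
"""Flag sustained, abnormal CPU load (added example; sample data is constructed)."""
import statistics
import time
from typing import List, Optional, Tuple

# Constructed 'known good' samples: percent CPU busy, one sample per minute.
NORMAL = [12.0, 15.0, 9.0, 20.0, 11.0, 14.0, 18.0, 10.0, 13.0, 16.0]

# Constructed observation window: a two-minute build spike, then eight minutes
# of every core pegged, which is what a cryptominer looks like from outside.
OBSERVED = [14.0, 12.0, 95.0, 98.0, 16.0, 11.0, 13.0,
            97.0, 99.0, 100.0, 98.0, 97.0, 99.0, 100.0, 98.0,
            15.0, 12.0]


def baseline(samples: List[float]) -> Tuple[float, float]:
    """Mean and population standard deviation of a known-good period."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def sustained_high_cpu(samples: List[float], mean: float, stdev: float,
                       z: float = 3.0, floor: float = 80.0,
                       min_run: int = 6) -> Optional[Tuple[int, int]]:
    """Return (first, last) indices of the first run of at least `min_run`
    consecutive samples that are both above `floor` percent and more than
    `z` standard deviations above the baseline, or None if there is none.
    Requiring a run, not a single sample, is what keeps short spikes quiet."""
    threshold = max(floor, mean + z * stdev)
    i, n = 0, len(samples)
    while i < n:
        if samples[i] < threshold:
            i += 1
            continue
        j = i
        while j < n and samples[j] >= threshold:
            j += 1
        if j - i >= min_run:
            return i, j - 1
        i = j
    return None


def _cpu_times() -> Tuple[int, int]:
    """(total, idle) jiffies from the aggregate 'cpu' line of /proc/stat (Linux only)."""
    with open("/proc/stat") as fh:
        fields = [int(x) for x in fh.readline().split()[1:]]
    idle = fields[3] + fields[4]          # idle + iowait columns
    return sum(fields), idle


def sample_proc_stat(interval: float = 1.0) -> float:
    """Percent CPU busy over `interval` seconds, measured from /proc/stat."""
    total1, idle1 = _cpu_times()
    time.sleep(interval)
    total2, idle2 = _cpu_times()
    delta = total2 - total1
    return 100.0 * (1.0 - (idle2 - idle1) / delta) if delta else 0.0


if __name__ == "__main__":
    mean, stdev = baseline(NORMAL)
    run = sustained_high_cpu(OBSERVED, mean, stdev)
    if run:
        print(f"ALERT: CPU pegged from sample {run[0]} to {run[1]} "
              f"(baseline {mean:.1f}% +/- {stdev:.1f}%)")
    else:
        print("CPU within normal range")
```

On a real host you would feed sample_proc_stat() into a rolling list from cron or your monitoring agent, run sustained_high_cpu() over it, and pair any alert with a look at which process owns the load and where it is connecting to.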

Until next time, stay safe out there!

Have the Spammers Become Lazy?

Is it just me or are spammers getting lazy?

I ask as the latest trick being used by them, that I’ve seen recently, seems to be to get the recipient <victim> to click on one of two buttons in the spam email. Nothing odd about that right? Normal tactics to get victims to go to a fake or booby-trapped website.

However, this is not the case, and there appears to be no malicious code or links in these, so what does it do when you click on one of the buttons in the email?

If you hover over the button, you will see that it is a mailto: link (which opens a new message in your own mail client, addressed to the recipients specified), and in this case it includes not just one address but usually between 10 and 30! So if you clicked on one of the buttons, your mail client would open a new message, from your address, to a bunch of other email addresses; press send and you have just forwarded their spam for them, from a legitimate account…

Furthermore, It makes no difference which button you select as they both do the same thing!
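To see what the buttons actually do, here is an added example (not from the original post) that pulls every mailto: target out of a message and lists the recipients each button would put on the new message, including any cc= or bcc= parameters hiding in the query string. The HTML is a constructed stand-in for the spoofed Facebook message described below; all the addresses in it are made up.

```python
"""List the recipients hidden behind each mailto: 'button' in a spam e-mail.
Added example; the HTML and addresses are constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for the spoofed message: two buttons, same recipient list.
SAMPLE_HTML = """
<html><body>
<p>Someone tried to log in to your account.</p>
<a href="mailto:alice@example.net,bob@example.org,carol@example.com?subject=Security%20alert&amp;cc=dave@example.net,erin@example.org">This was me</a>
<a href="mailto:alice@example.net,bob@example.org,carol@example.com?subject=Security%20alert&amp;cc=dave@example.net,erin@example.org">This wasn't me</a>
<a href="https://www.facebook.com/">Facebook</a>
</body></html>
"""


def mailto_recipients(href: str) -> List[str]:
    """Every address a mailto: URL will put on the message: the comma-separated
    'to' part before the '?', plus any to=, cc= and bcc= query parameters."""
    parts = urlsplit(href)           # path='a@x,b@y'  query='cc=c@z'
    addresses = [unquote(a).strip() for a in parts.path.split(",") if a.strip()]
    query = parse_qs(parts.query)    # values are already percent-decoded
    for key in ("to", "cc", "bcc"):
        for value in query.get(key, []):
            addresses.extend(a.strip() for a in value.split(",") if a.strip())
    return addresses


class MailtoCollector(HTMLParser):
    """Collect recipients of every mailto: anchor, keyed by the anchor's visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, List[str]] = {}
        self._current: Optional[Tuple[str, List[str]]] = None  # (href, text chunks)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith("mailto:"):
                self._current = (href, [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, chunks = self._current
            label = " ".join(c for c in chunks if c) or "(no text)"
            self.links.setdefault(label, []).extend(mailto_recipients(href))
            self._current = None


def analyse(html: str) -> Dict[str, List[str]]:
    """Map button text -> recipients for every mailto: link in the message."""
    parser = MailtoCollector()
    parser.feed(html)
    parser.close()
    return parser.links


if __name__ == "__main__":
    for label, recipients in analyse(SAMPLE_HTML).items():
        print(f"{label!r}: {len(recipients)} recipient(s) -> {', '.join(recipients)}")
```

Run against a saved .eml (the HTML part) and the two buttons come out with identical recipient lists, which is the oddity described below; the same parser makes a cheap mail-gateway rule, flagging any inbound message whose mailto: links carry more than a handful of addresses.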

Here’s an example using Facebook as the spoofed sender, but I’ve also seen ones that use FedEx, Google and a whole load of other well known brands….

And here’s one claiming to be from Google:

Most odd!

Please be careful out there…

Anyone out there have any idea why they are using this technique?

What Cyber Threats and Trends Might We See in 2019?

‘Tis the season to get out the crystal ball and play at being the cyber equivalent of “Mystic Meg” (no that’s not me in the picture).

For 2018 I predicted a number of things that were spot on, these included the following:

  • The change from mass ransomware campaigns to more targeted ones asking for higher ransom payments.
  • The move from ransomware to cryptomining/cryptojacking as the primary monetisation payload/method.
  • GDPR being used for extortion/blackmail attempts.
  • Organisations still not focussing on the basics and best practice for their industry/vertical and wondering why they suffered security breaches/incidents.

So what will 2019 bring, according to OMG?

  • More targeted extortion attempts; Ransomware, GDPR, DDoS, etc. All with higher ransom being demanded.
  • Organisations will still be mainly focussed on the latest, must have “shiny toys/technologies” rather than dealing with the basics and best practice for their industry/vertical.
  • A mainstream move towards two or multi-factor authentication, as password theft is increasingly seen as the main way that bad guys and girls get in; other than social engineering (phishing) or via the supply-chain/business-partner. This move will be required due to massive Credential Stuffing attacks in 2018 fuelled by the many data breaches where user ids and passwords were stolen.
  • More supply-chain breaches as a method to gain access to the intended victim organisation.
  • Cloud service breaches and/or take-downs and mis-use by the Bad Guys n Girls.
  • The skills-gap and staff shortage will increase, again. And those of us in the industry will be in demand and frequently head-hunted or just pestered by desperate recruiters that don’t read your LinkedIn profile and still approach you with roles that you are not interested in or have the skills/background for.
  • More Business Email Compromise attacks (aka Fake CEO/CFO, etc.); these will rake in far more money in 2019
  • Artificial Intelligence and Machine Learning will continue be touted as “The” solution to deal with cyber threats and breaches; they are useful but generally too prone to false positives (detect things that are not an issue) and more worryingly false negatives (don’t detect what they should do).
  • The Internet of Things will start to “grow-up” as manufacturers start to bake in security and offer it as a differentiator to competing products/services.
  • However, despite this we will continue to see IoT devices/infrastructure used as an attack platform and I suspect that we will start to see volumetric DDoS attacks exceed 2Tbps (largest so far was 1.35Tbps against Github in 2018). 
  • We may well see some critical infrastructure attacks (outside of Ukraine) that are successful, and that cause major outages and/or physical damage/loss of life.
  • Too many organisations thinking that using a single Cloud provider will give them a fully resilient infrastructure; it won’t. Just like having multiple data-centres, you need multiple Cloud providers (this should be part of your Business Continuity and Disaster Recovery Plan); no single points of failure!
  • GDPR will finally start to bite (hard) and organisations that should have already been following industry best practice for data/privacy will finally do something about it (well, most of them)!
  • Blockchain will be finally recognised as not being the solution to everything!
  • Increase in use of Sextortion, Bomb and other extortion/blackmail emails/calls, despite the fact that most Sextortion campaigns did not net piles of bitcoin as those behind them expected.
  • More social-media scams mainly focussed around crypto-currency giveaways; like the many Elon Musk themed ones we saw in 2018.
  • People will still mainly fail to learn from history; we will see yet more old techniques/technologies dusted off and re-used by the Bad Guys n Girls, for victims that weren’t around (or paying attention) the last time it was successfully used…

Don’t have nightmares; remember that 80-90% of all security breaches/incidents I have dealt with could have been avoided by just following best practice and doing the basics… This includes taking (and testing) backups, educating (and testing) your staff, patching your systems and applications, writing secure code, good Identity and Access Management, and so on…

Effective End-User Training, Compliance and Testing

What do most staff think when they hear the words “end-user security training” or “security awareness training“?

They think, “Oh no, is it really that time of the year again? What a waste of my time; it is so boring and doesn’t teach me anything that is useful to me. Security is the IT department’s problem/job, not mine!”

In many organisations security awareness training is dull, impersonal and does not use “real life or real world” stories to add colour and flavour and help explain the problem, the risks, and the impact of security breaches/incidents. In most cases the training is to read a policy document (Internet Usage Policy/Security Policy, etc.) or to watch a video or attend a webinar where they are preached to rather than being allowed to participate in an interactive or interesting session.

Staff need to understand that in today’s world, security is everyone’s job, because if your staff are not part of the solution, they are part (if not most*) of the problem!

[*] 95% of successful cyber attacks are the result of a phishing scam.
Source: (2017) Ironscales,Email Security Report.

Add to this that many staff treat end-point protection (anti-malware, personal firewall and related security tooling) as an “authentication” method; “if I can open this link/file in the email, go to this site, etc. and my system gets hacked/infected, it is not my fault, it is the security/IT departments fault!” This is captured very nicely in this cartoon.

Given the above perceptions of many staff/end-users, what can we do to try and reverse this situation, so that staff see security as part of their job/responsibility and become part of the extended security team?

What do you need to make end-user security training successful, rather than something that is hated/despised/loathed and avoided at all costs for as long as possible by most staff in almost every organisation?

Here are some top tips:

  1. Make it fun; use gamification, where they are engaged, entertained, involved and tested throughout each module.
  2. Keep it short and punchy; no longer than 20 minutes, backed up with bite-size (5 minute) modules to reinforce an individual topic/threat. Don’t try and do the whole organisation at the same time; do it in groups and stagger the roll-out to be more effective.
  3. If you can make it a competition; who can report the most spam/scams/phishing emails, etc. Give prizes, or at least recognition!
  4. Make it personal; teach them skills that they can use in everyday life, including at home.
  5. Phish your own staff (after training them, and before) so that you can gauge the effectiveness of the training, but do it wisely and sparingly as otherwise they will quickly become fatigued and disinterested.
  6. Don’t penalise those that fall for the phishing test emails; use this instead as a “teachable (not preachable) moment“, rather than shame or blame them, try to understand why they fell for it, and explain how they could have recognised it for what it was.
  7. Make sure you set up an email address such as “[email protected]” which can be used by employees when they suspect they have received a phishing email. Explain what steps they should take in order to report the email and give them the necessary tools/guidance to report a suspected phishing email, such as a “report-phish” button in their email program.
  8. Training is not a one-time or once a year thing; good awareness training is part of the culture of an organisation and needs to be topped-up and refreshed all the time to stay effective. Make sure all staff, from the C-Suite down to the most junior staff in the organisation are included, not just techies.
  9. Ask for feedback, especially ask them about what they are worried about, e.g. Ransomware, Scams, Sextortion, Social Networks, Privacy, Passwords, GDPR, Data Breaches and how it impacts them personally and the company/organisation/industry, etc.
  10. You could always bring in a real-life “hacker” (an ethical one, also known as a Penetration Tester or White Hat Hacker) and let them talk to your staff and answer their questions; they will have lots of real-world stories and good advice. There are some that are good at talking to non-techies without resorting to acronyms and technical jargon. These rare individuals will use humour, analogies and stories to help illustrate and bring the subject to life; they will often be very passionate about security, and this will keep the audience engaged.

However, you will find that 10-20% of your staff will just not be trainable (from a security awareness perspective), and you need to identify them and work on ways to reduce the risk that they pose to your organisation (tighter filtering of what reaches their mailbox and tighter limits on what their account can do, for example).

As the old saying goes:

“The Bad Guys n Girls only have to get lucky once;
the Good Guys n Girls have to be lucky all the time.”

So, what is a good solution that isn’t going to break your budget, but will still allow you to deliver most of the above as a managed service and tie in to your Active Directory, so that you can assign training to groups or individuals and see the results (metadata) from the training and testing?

One vendor that I have found to be very effective in this space is Techguard Security, this is what they say about their offering:

“Empowering your workforce to recognize and respond to sophisticated threats is only a click away. TechGuard S.H.I.E.L.D is a cutting-edge and comprehensive training solution for businesses of all sizes.”

You can use the following link to find out more about Techguard and their offerings, including the end-user training and phishing testing offerings, and what’s more, if you decide you like what you see and sign-up with them, you will get 10% off the price!

To find out more and claim your 10% discount when you sign up, use this unique web link: https://www.techguard.com/omg-cyber-security/

If you don’t use that link to register your interest, you won’t get the discount when you sign up.

Don’t just take my word for the effectiveness of good Security Awareness training, here are some statistics:

  • According to research by Ponemon, even the least effective training programmes have a 7-fold return on investment.
  • Most cybersecurity training programmes result in a 37-fold return on investment.
    Source: (2015) Maria Korolov, Does security awareness training even work?

If you don’t train your staff and carry out phishing tests, the Bad Guys n Girls will, and the results won’t be pretty…

I have been doing security for over 30 years and I often state “The day I stop learning will be the day they bury me“, in other-words, I’m still learning and will continue to do so until I die.

Helping the Hackers – Password Re-Use is Widespread!

Some interesting, but not surprising findings from F-Secure:

They found that many users were re-using passwords even though they knew the risk of doing so, and I quote:

“59% reuse passwords across multiple accounts, even though 91% say they understand the risks of doing so.”

You can read the full article from F-Secure here: https://blog.f-secure.com/how-to-keep-your-passwords-from-being-an-attackers-key-to-your-account/

Please, please do not make a hackers job easier by using the same password on multiple sites; if you must use the same password at least enable 2FA (Two Factor Authentication)/MFA (Multi-Factor Authentication)* on the sites where you do this, as this will make it harder for the hackers to compromise (take-over) your account(s).

The problem is, if you use the same password on multiple sites, it allows the bad guys and girls to carry out what is known as “Credential Stuffing” attacks….once they have found a valid set of credentials for one site that you use, they will try the same ones on other sites…

It is better if you use not only 2FA/MFA, but also a Password Manager to store and create strong unique passwords for you (belt and braces, folks!)

You can even enable 2FA/MFA on the Password Manager, so if that is stolen, the bad guys and girls can’t gain access to that either… Belt, Braces and Super-glue 😉

* Single-factor authentication is something you know (user id and password). Two- or multi-factor authentication adds something you have or something you are (such as a one-time password/key/token, biometrics, smart card, hardware or software token, certificate, etc.). Unless the Bad Guys and Girls can also gain access to the second factor, they can’t sign in as you (SMS codes are the weakest second factor, as they can be intercepted or the phone number ported, which is why I say “not SMS based” above).

Question of the Day: Are Passwords the New Exploit?

The quick answer is NO, they are not, however as with most things it isn’t quite as simple as that, let me walk you through how things have changed over the last 10+ years and how passwords have NOW become the main exploit technique (other than unpatched systems/application, config/coding errors and end-users). To start we need to go back into cyber history…

Back in Time…

Let’s go back to the 80’s, 90’s and early 00’s and look how passwords were captured and misused:

As an ethical hacker (penetration tester and web application tester), I have over 15 years of experience and “hacks” to call on to cover this.

In the years prior to 2005, most passwords were stolen via Social Engineering (Phishing, etc.) or via hacking a system/application and using that as a pivot point (beach-head) to scour an organisations network for the password file (usually imaginatively called password.txt, password.doc or password.xls, yes really!) or to find other vulnerable or insecure systems (including ones with default or weak credentials).

This file usually would contain either personal passwords for the user of that system, or if I was really lucky it would be the password file for the system administrator, IT manager, help-desk, or other technical resource that had the much sought after “root”, “admin” or other privileged account credentials to allow me to escalate my privileges (upgrade them from user or other restricted account access level).

In the best cases this could then be used to become “Domain Admin”; which means that I would have unrestricted access to ALL systems on the Domain (Microsoft Active Directory)… Once I had that level of access, it was “Game Over”, as I could do anything; access ALL the systems and ALL the data on them!

There were other ways for me to get passwords; the most common was to dump the password hashes from Windows or Linux (other UNIX flavours are available) and then “crack” them. This means running either a so-called “dictionary” attack (hashing each entry in a list of known words/passwords until a match is found), a “brute-force” attack (trying every combination of letters, numbers and other characters until a match is found), or using “rainbow tables” (pre-computed password hashes in a database; the stolen hash is simply compared to those in the tables until a match is found). The rainbow-table shortcut is harder to use nowadays because hashes are often protected by salting: a random per-account value is mixed into the hash, so the hash for “P4ssW0rd123” on one system will not be the same on another server/system/site (as long as the salt is not the same on both), and a table built in advance is useless. Note that salting does not stop dictionary or brute-force attacks; it only forces the attacker to redo the work for every account. What slows those down is a deliberately slow hashing function (bcrypt, scrypt, Argon2) rather than a fast one like MD5 or SHA-1, and on Windows the NTLM hash is still unsalted.
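The difference between a pre-computed table lookup and a dictionary attack, and what salting does to each, is easier to see in code. This is an added example, not from the original post: the word list and salts are constructed, and SHA-256 is used only because it is in the standard library; a real password store should use a slow, salted, memory-hard function (Argon2id, scrypt or bcrypt).

```python
"""Unsalted vs salted hashes against a pre-computed table and a dictionary attack.
Added example; word list and salts are constructed."""
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed word list; a real one is millions of entries from past breaches.
WORDLIST = ["123456", "password", "letmein", "P4ssW0rd123", "qwerty", "dragon"]

# Fixed salts so the demo is repeatable; in production use new_salt() per account.
SALT_SYSTEM_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_SYSTEM_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def unsalted_hash(password: str) -> str:
    """The 1990s way (and still the NTLM way): the hash depends on the password alone,
    so the same password hashes identically on every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-account random salt mixed in before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def new_salt() -> bytes:
    """What a real system generates for each account, stored next to the hash."""
    return os.urandom(16)


def build_precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """hash -> password, computed once and reusable against every unsalted store
    (a rainbow table is a space-optimised version of this idea)."""
    return {unsalted_hash(w): w for w in words}


def crack_with_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup per stolen hash: no hashing at attack time."""
    return table.get(stored_hash)


def crack_with_dictionary(stored_hash: str, salt: bytes,
                          words: Iterable[str]) -> Optional[str]:
    """The salt is known (it sits beside the hash), but the whole word list must be
    re-hashed for every account; that repeated work is the cost salting imposes."""
    for w in words:
        if salted_hash(w, salt) == stored_hash:
            return w
    return None


if __name__ == "__main__":
    pw = "P4ssW0rd123"
    table = build_precomputed_table(WORDLIST)
    print("unsalted, system A == system B:", unsalted_hash(pw) == unsalted_hash(pw))
    print("salted,   system A == system B:",
          salted_hash(pw, SALT_SYSTEM_A) == salted_hash(pw, SALT_SYSTEM_B))
    print("table vs unsalted hash:   ", crack_with_table(unsalted_hash(pw), table))
    print("table vs salted hash:     ", crack_with_table(salted_hash(pw, SALT_SYSTEM_A), table))
    print("dictionary vs salted hash:",
          crack_with_dictionary(salted_hash(pw, SALT_SYSTEM_A), SALT_SYSTEM_A, WORDLIST))
```

The last line is the point: the salted hash still falls to a dictionary attack, just one account at a time; only a slow hash function (or a password that is not in any list) changes that.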

Back to the Future…

So, what about password misuse since 2005 until today?

Over the last 10+ years we have seen numerous mega-breaches (as well as loads of smaller data breaches), this has meant that over 7 Billion sets of credentials (current best estimate) have now been stolen (user IDs and password combinations).

These data/credential dumps are widely used by cyber criminals (and other hackers) to carry out attacks using “credential stuffing”. You can see if your email address and credentials have been seen in one of these dumps on Have I Been Pwned (haveibeenpwned.com, run by well-respected security researcher Troy Hunt); this site has indexed over 5 Billion accounts that have turned up in data dumps from hacked/compromised sites/servers.

In summary, yes, nowadays passwords are the new exploit and we need to move beyond them, or at least make them less of an exploit…

What’s Credential Stuffing and Why Should I Care?

Credential Stuffing is a type of automated attack which is very similar to a “dictionary attack”, where a list (often huge) of passwords is tried one after another until the list runs out, the account gets locked out, or the hacker finds the correct (valid) password for the account.

The way that Credential Stuffing differs is that the hacker has a list of user IDs (often email addresses) and passwords dumped from a breach. They simply run these against each web site that they think you may have an account on.

I hear you say “so what!”; well, the problem is that if you use the same user ID and password on multiple sites, and that user ID and password is compromised (stolen in a hack), the bad guys and girls now have your credentials for the other sites where you have re-used the same password!
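From the defender’s side, credential stuffing has a distinctive shape in login logs: one source trying many different accounts in a short window, mostly failing. This added example (mine, not from the post) parses a constructed sample of login events and flags that pattern; the log line format and the thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-app login events (not real data). The line format is an
# assumption for this demo: <ISO timestamp> ip=<source> user=<id> result=<OK|FAIL>
SAMPLE_LOG = """\
2018-10-11T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2018-10-11T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2018-10-11T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2018-10-11T10:00:03Z ip=203.0.113.7 user=dave@example.com result=OK
2018-10-11T10:00:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2018-10-11T10:00:05Z ip=203.0.113.7 user=frank@example.com result=FAIL
2018-10-11T10:01:00Z ip=198.51.100.5 user=grace@example.com result=FAIL
2018-10-11T10:01:20Z ip=198.51.100.5 user=grace@example.com result=FAIL
2018-10-11T10:01:45Z ip=198.51.100.5 user=grace@example.com result=OK
2018-10-11T10:02:00Z ip=192.0.2.9 user=heidi@example.com result=OK
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success=0.5):
    """Flag sources that hit many *different* accounts in one window with few successes."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):  # sliding window from each event
            span = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, u, _ in span}
            hits = [u for _, u, ok in span if ok]  # accounts the stuffing run got into
            if len(users) >= min_users and len(hits) / len(span) <= max_success:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(span),
                               "compromised": sorted(hits)}
                break
    return flagged
```

In the sample, 198.51.100.5 is a user mistyping their own password (one account, then success) and is not flagged; 203.0.113.7 walks six accounts and gets into one, which is exactly the account that needs a forced reset.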

What Else are the Bad Guys and Girls Doing With Stolen Credentials?

As covered in a previous blog entry on “Sextortion”, stolen credentials (user IDs and passwords) are being used to add credibility to email extortion scams. We will see this technique used for other scams, again to give “proof” that they have your data/access to your account or system, etc.

How do I Protect Myself?

There are a number of ways to reduce the risk of Credential Stuffing and related attacks (including Phishing and Social Engineering), these include:

  1. Never use the same password on multiple sites (known as password re-use), as you make it easier for the bad guys and girls to take over your accounts.
  2. Use strong, long, unique passwords for each and every site and store these in a Password Safe (an encrypted database); you can find out more about these in one of my other blog postings, here.
  3. Even better, enable what is known as 2FA (Two Factor Authentication), sometimes called MFA (Multi-Factor Authentication). I hear you ask “what the hell is that?” Let me explain: when you use a user ID and password, that is a single factor (something you know); the second factor, often a token or one-time code, is something you have (or something you are). This can include solutions such as Google Authenticator, Authy, Duo, RSA, YubiKey or even biometric controls such as face recognition, fingerprint, voice, etc. Using 2FA means that it doesn’t matter if your user ID and password are compromised (as long as the site you are using supports 2FA, you have enabled it, and the site has implemented it properly so that it can’t be bypassed easily).

    Most large sites, including Google, Microsoft, Dropbox, Facebook, etc. have 2FA support. BUT, don’t use a 2FA method that sends you the one-time code via SMS (text message), as this can easily be captured, either via the network or via what is known as “SIM Porting” or “SIM Swapping”. This is becoming a major threat and has cost some victims the contents of their bank accounts, or their bitcoin (or other digital currency) wallet contents… Also, Reddit were compromised via SMS-based 2FA!

    This extra protection means that even if they have your valid user ID and password for that site, they can’t access your account, as they don’t have the second factor (only you do)… In theory this makes it impossible for anyone but you to gain access to your account on that site… However, as usual there are still (non-trivial) ways for the Bad Guys and Girls to get you to give them the second factor, but that’s another story!

Stay safe out there, and don’t make the “Bad Guys and Girls” job easier!

Sextortion – Your Money, or Your Pride!

I have been hearing about the recent wave of sextortion emails (these are not a new phenomenon) that many are receiving, and I was feeling a little left out, as I haven’t received a single one of the new campaign… until the other day!

Here’s an edited screen shot of the sextortion email I finally received on the 11th of October, 2018:

It included what it claims is not only my email address, but also my user ID and password for the site they claim I accessed.

Let’s look at this in a bit more detail…

Should I be worried, panic, and pay up?

Of course not, why?

  1. The credentials (user id and password) are ancient and lifted during one of the many data breaches over the last 10 years.
  2. I don’t visit porn sites (yes, really!)
  3. There is NO video, it is all a bluff to get you to panic and pay up, just in case…
  4. I stopped using Facebook a while ago, in fact I closed my account and requested all my data to be deleted weeks ago (well before I got the sextortion email).
  5. I have been working in anti-malware and malware analysis for over 30 years, and I’m used to catching and analysing new malware; guess what, there is no malware on my systems (unless I put it there to analyse it, in a safe environment).
  6. There is NO unique pixel in the email (it is just pure plain ASCII text, no graphics, no HTML, no scripting, no risk). They do not know if you have received or read the email (there isn’t even a receipt request in the email).
  7. The Bitcoin address is not unique, it is used for the whole sextortion email campaign, so they have no way to see if you have paid or not. This is how many modern ransomware attacks and DDoS extortion attempts work; they have no intent in giving you back your data or actually carrying out any DDoS attack. It is all about getting you to believe in what they are telling you, so that they can make lots of money by frightening you into paying up…
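Points 6 and 7 above are checks anyone can repeat on a suspicious email. This added example (mine, not the author’s analysis) uses Python’s standard email parser on two constructed messages to report the ways a message could tell its sender it was opened: an HTML part, remote images (the “unique pixel”), script, or a read-receipt header.

```python
import email
import re
from email import policy

# Two constructed messages (not the scam email from the post). The first is plain text
# only; the second carries an HTML part with a remote 1x1 image and a read-receipt
# request, the kinds of "beacon" that points 6 and 7 above rule out.
PLAIN_TEXT_MSG = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: your account
Content-Type: text/plain; charset=utf-8

I have your password [redacted]; pay [placeholder] BTC to wallet [placeholder] within 5 days.
"""
HTML_MSG = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: your account
Disposition-Notification-To: sender@example.invalid
Content-Type: text/html; charset=utf-8

<html><body><p>Pay up.</p>
<img src="https://tracker.example.invalid/open?id=abc123" width="1" height="1">
</body></html>
"""
IMG_SRC_RE = re.compile(r"<img[^>]*\ssrc=[\"']?(https?://[^\"'\s>]+)", re.I)
SCRIPT_RE = re.compile(r"<script\b", re.I)


def beacon_report(raw: str) -> dict:
    """List the ways a message could tell its sender it was opened or read."""
    msg = email.message_from_string(raw, policy=policy.default)
    has_html, has_script, remote_images = False, False, []
    for part in msg.walk():  # a single-part message yields itself once
        if part.get_content_type() == "text/html":
            has_html = True
            body = part.get_content()
            remote_images += IMG_SRC_RE.findall(body)
            has_script = has_script or bool(SCRIPT_RE.search(body))
    receipt = any(h in msg for h in ("Disposition-Notification-To", "Return-Receipt-To"))
    return {"has_html": has_html, "remote_images": remote_images,
            "has_script": has_script, "receipt_requested": receipt}
```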

At the time of publishing this article, over 5 days had elapsed (so my pay up deadline had expired) and guess what happened?

NOTHING, NADA, ZILCH, etc.

Update 1st November, 2018: Well I checked out the Bitcoin Wallet this scammer was using, this wasn’t a very profitable scam as they had only two victims pay up, which is around 1,600 USD. A later variant of the scam I received managed to get thirteen victims to part with 700 USD each, netting around 9,100 USD.

I was at a conference last week and one of the delegates there approached me after my talk and showed me yet another variant of this scam; he was really concerned that his phone and system had been hacked (it hadn’t). I analysed the email and found no trace of any beacon, malware or any active content. This new scammer was more successful as he/she was asking for 803 USD per victim and eighteen paid up, netting the scammer almost 14,500 USD.

Update 8th December, 2018:

More new campaigns, and a few of them are starting to get more bitcoin payments, but others are getting almost nothing. Hopefully the word is getting out and fewer people are falling for this?

A new twist (but not unexpected), the Sextortion scammers are now including links to booby-trapped sites/files that contain Malware (mainly Ransomware, at the moment, but this will change). This means that clicking on ANY links in these Sextortion emails is now far more dangerous; just delete the email or report it, don’t click on any links in them, not even on how to buy Bitcoin!

Here is a screen shot of the activity for a number of Bitcoin wallets that were involved in Sextortion scams:

I will continue to monitor these Bitcoin Wallets and investigate new versions of this scam; stay tuned!

Update 18th March, 2019

A new version has just started to circulate, this time claiming to be from the CIA accusing you of accessing child pornography, I’m naming this new variant “pextortion”, see the screen shot below of the version I received overnight:

Where you see (victim-email-address) that will be your email address that you received the pextortion for.

You might want to add the following IP address to your blacklist: 51.68.91.127

Again, I am tracking the Bitcoin Wallet(s) linked to this new campaign. I’ll post updates if anything interesting happens.

However, this is a growing crime wave and victims do fall for it; look at the statistics below to see how bad it can be, and what you should do if you receive such a threat:

  • What is sextortion?
    – Being blackmailed by cyber-criminals that claim they have got hold of explicit material of you or one of your children, including: Photos, Video, Chat, Text messages, etc.
  • How common is it and who are the main victims?
    – Over 1,304 reported cases in 2017, up from 428 in 2015, although the number is likely to be significantly higher as many of these crimes go unreported. This is just in the UK (not globally, and it is a global scam).
    – The target is usually male, in their teens or twenties. Although some girls have also been targeted.
  • How do they work?
    – Victims are usually groomed for weeks/months before the blackmail attempt.
    – Often this happens via fake social media accounts or via targeted phishing emails.
    – Occasionally this may start with a video call, such as via Skype.
    – Many are just scams, they have no data/video of you or a family member.
  • What should you do?
    – Don’t Panic.
    – Don’t Pay.
    – Call the Police (sextortion is a criminal act). It is a form of blackmail.
    – Don’t contact the blackmailers (stop all communication).
  • What are the costs?
    – Amounts requested vary, but typically between £300 and £3,000 is asked for.
    – At least 5 males have taken their own lives due to being a victim of this type of blackmail/extortion.

Stay safe and educate yourself about the risks and ways to reduce your own attack surface; that will make it harder for the Bad Guys n Girls to succeed.

IoT Malware Detections Soar 273% Since 2017

A new report shows that the risks from IoT (Internet of Things) devices are increasing, with the bad guys and girls using bots, worms and other malware (including scripts) to trawl the Internet looking for IoT devices that are insecure: un-patched and therefore vulnerable, using weak, known and often hard-coded passwords that can’t be changed, with weak crypto implementations, etc., and are therefore easy to compromise and re-purpose for their nefarious purposes.

This doesn’t surprise me, and in fact I expect it to accelerate until suitable standards, backed up by legislation, come into force…

IoT vendors need to take responsibility for the (mainly) poor security (or complete lack of security) in their products…

There are a few vendors out there that have baked good security in at the design phase and continue to secure/patch/harden their products and back-end infrastructure; the rest need to catch up, fast!

More details can be found here: https://www.infosecurity-magazine.com/news/iot-malware-detections-soar-273/

First GDPR Extortion Attempt?

Interesting news, I predicted at the start of 2018 that we may see GDPR extortion…

Superdrug (a large high-street pharmacy chain in the UK) has warned online customers… in what could be the first GDPR-related extortion attempt computerweekly.com/news/252447313…

Here’s what I said:

I suspect that this will be the first of many. I have also predicted that we will see another type of GDPR attack, this being down to competitors using GDPR as a way to attack their competition in a specific sector. I see it working like this:

Competitor (company A) pays black-hat hackers to hack in and steal personal/financial data and they then leak the data and report the breach to the ICO (or other local enforcement body). The victim (company B) gets investigated and fined for the breach; six months later the Competitor (company A) pays for another round of hacking, etc.

Rinse and repeat until the victim goes out of business…