Cisco Talos believes it has tied a recent wave of emailed bomb threats to the same group that was conducting a sextortion campaign earlier this year, and revealed that the most recent campaign was a financial bust for the malicious actors.

A nationwide wave of bomb threat emails demanding a bitcoin payment to halt the explosion was received yesterday by schools, government agencies and private organizations. In no case was an explosive device found or detonated. Talos believes the campaign was conducted by the same group that has been running sextortion scams over the last three months.

Jaeson Schultz, Cisco Talos technical leader, noted there are many similarities between the bomb threat emails and the sextortion/extortion attacks Cisco Talos has monitored previously. Some of the subject headers used in the bomb threats, including “You’re my victim” and “Your life in your hands”, were previously used in the sextortion emails. Additionally, the text of the two sets of emails is similar, and a study of the IP addresses behind the bomb threats turned up sextortion messages sent from those addresses in early October.

“For that reason, we believe that these bomb threats likely come from a group that has also conducted sextortion attacks. The group does not have a specific name to our knowledge,” he told SC Media.

One of the bomb threat emails.

The entire effort also appears to have been a financial bust: Talos found 17 distinct bitcoin addresses used in the bomb threats, and only two had a positive balance, from deposits made on December 13, with the amount in each case less than a dollar.

Talos researchers also believe the attackers compromised credentials for a specific website from which they launched the emails.

“So far, all of the samples Talos have found to be associated with the bomb threat attack were sent from IP addresses belonging to the domain registrar and hosting company, suggesting that the attackers, in this case, may have compromised credentials for domains that are hosted at this particular domain registrar,” the Talos report said.

Although Talos uncovered the details behind the campaign, its amateurish delivery marked it from the start as nothing more than a poor attempt at extortion.

AppRiver researchers first saw these emails on December 13. “In these emails, the senders inform recipients that their ‘recruited mercenary’ has placed an explosive device inside their building which they plan to detonate unless a Bitcoin payment in the amount of $20,000 is made to the BTC address provided in the message,” AppRiver told SC Media in an email.

“This spam campaign is pure extortion, plain and simple. It’s not very advanced and doesn’t require much social engineering or any hacking whatsoever,” said Paul Bischoff, privacy advocate. “In fact, it seems very poorly thought out if the aim was actually to make someone pay up. Even though bomb threats are scary, this is amateur scamming.”

The emails caused evacuations and searches by local law enforcement, which have not turned up any explosive devices. The FBI and local police agencies are reporting that they do not consider the threats credible.

The post Sextortion gang found to be behind email bomb threat spree appeared first on SC Media.

Author: Doug Olenick

Malicious document builder LCG Kit a key component in recent phishing campaigns

Researchers at Proofpoint have uncovered a sophisticated tool commonly used by malicious actors to build weaponized…

Online retailers should be on high alert for attacks carried out by a Magecart-style credit card sniffing tool similar to the one used to carry out the British Airways and Ticketmaster hacks.

Armor researchers are warning retailers after spotting the tool for sale in a Russian forum on the dark web for $1,300, according to a report by Armor Threat Intelligence.  

Russian ad for the Magecart-style tool.

The tool is advertised to contain two components: a standard universal payment card sniffer and a control panel. The tool’s control panel is capable of generating a custom credit card sniffer in a JavaScript file that will work on any e-commerce site that employs Magento, OpenCart or OsCommerce payment forms.

In addition, researchers noted the tool uses the Secure Sockets Layer (SSL) protocol to encrypt the outbound payment card data it collects, which makes it harder for security teams to spot the data being exfiltrated from the e-commerce site.

Armor’s Threat Resistance Unit senior security researcher Corey Milligan believes the tool represents the first step in the commoditization of the Magecart-style attack that will create a new line of revenue for the original Magecart threat groups while also saturating the threat landscape with attempts by low-level threat actors.

“We expect to see a mass of ‘Hail Mary’ attacks, with the cybercriminals intent on hitting as many sites as possible, hoping that some of them will succeed and be fruitful,” Milligan said. “Unfortunately, the threat actors only have to be right once, and in this case, being right once could result in a haul of credit card data that is profitable and easy to sell on the Dark Web.”

In addition, the TRU team believes that low-level threat actors will plug this tool into processes that involve automated scanning for, and indiscriminate attacks on, vulnerable e-commerce sites, even ones that don’t use the applicable payment forms.

The post Magecart-style credit card sniffer spotted for sale, online retailers beware appeared first on SC Media.

Author: Robert Abel

The developers of make-your-own-avatar app Boomoji reportedly neglected to password-protect two of their internet-connected databases, thus publicly exposing the personal data of roughly 5.3 million users.

The wide-open Elasticsearch databases stored users’ names, genders, countries and phone types, all in plain text, TechCrunch reported yesterday. Moreover, the databases also contained unique user IDs, each of which was linked to additional, highly sensitive information that the user either provided or allowed the app to access.

For instance, some IDs were linked to tables listing the school the user attends, geolocation data and phone book entries. Because phone book contacts were included, the information of non-users was collected and exposed as well.

“Boomoji’s data leak is an example of how one breach resulting in a number of users’ data exposure is not as straightforward as it seems,” said George Wrenn, CEO and Founder at CyberSaint Security, in emailed comments. “Exposed records compromising [millions of] contacts who might have had perhaps no knowledge of the app is just one example of an unforeseen consequence of the data leak.”

The databases – one in the U.S. containing information on international users and one in Hong Kong reserved primarily for Chinese users – could be easily found using the Shodan search engine.

“It does not take much effort for outsiders to find unsecured databases and access sensitive information,” said Anurag Kahol, CTO at Bitglass, in emailed comments. “In fact, there are now tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases. Because of these tools, and the continued carelessness of companies when it comes to cybersecurity, abusing misconfigurations has grown in popularity as an attack vector across all industries.”

TechCrunch said Boomoji took the databases offline after the publication contacted the developers, who dubiously claimed the accounts had been created for testing purposes.

Boomoji’s app store description encourages would-be users to create 3D avatars, customize them with outfits, and turn them into animated stickers.

The last few months have seen a spate of data exposures involving unprotected Elasticsearch servers, including ones affecting FitMetrix, Sky Brasil, Urban Massage and Voxox.

“Boomoji’s breach joins the likes of… companies that have exposed massive amounts of user data due to leaving Elasticsearch databases unsecure,” said Stephan Chenette, co-founder and CTO at AttackIQ. “By allowing the data of global users to be exposed, Boomoji could potentially face sanctions under several international data privacy laws, such as GDPR.”

The post Report: Boomoji app developer leaves customer data exposed on open database appeared first on SC Media.

Author: Bradley Barth

Google is boosting Android key security for mobile apps with new Keystore features intended to improve the safety of devices running Android Pie.

The Android Keystore provides application developers with cryptographic tools designed to secure user data. Android Pie introduces new Keystore capabilities that restrict when a key may be used, and that secure key use while protecting key material from the application and the operating system, according to a Dec. 12 blog post.

Android Pie introduces keyguard-bound keys, which tie the availability of a key directly to the screen lock state (whereas the existing authentication binding relies on a fixed timeout): the keys become unavailable as soon as the device is locked and are made available again only when the user unlocks it.

Because the secure hardware has no way of knowing when the screen is locked, this feature is enforced by the operating system rather than by the secure hardware, and it is therefore available on any device running Android Pie.

Google will also add secure key import to facilitate secure key use while protecting key material from the application or operating system. Keys will be encrypted in transit and remain opaque to the application and operating system, meaning they’re only available inside the secure hardware into which they are imported.

This feature helps prevent interception of the key in transit in the case where a remote party, such as an application’s backend, intends to share a secret key with an Android device.
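As an added example (not code from the Google blog post or from SC Media), the Java below shows how an app would use the two features described above on Android 9 (API 28): an AES key made keyguard-bound with `setUnlockedDeviceRequired(true)`, and the device side of secure key import through `WrappedKeyEntry`. The server that produces the wrapped key blob is assumed to exist and is not shown; the key aliases, the attestation challenge and the "treat any failure as key-unavailable" policy in `encryptIfUnlocked` are this example's own choices.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.WrappedKeyEntry;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Added example of the Android 9 Keystore features; aliases below are placeholders. */
public final class PieKeystoreExample {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    // ---- Keyguard-bound keys ------------------------------------------------

    /** Generates an AES-GCM key that Keystore refuses to use while the screen is locked. */
    public static SecretKey generateKeyguardBoundKey(String alias) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // Keyguard binding: availability follows the lock-screen state, no timeout involved.
            // Enforced by the OS, so it works on any Android 9 device regardless of hardware.
            spec.setUnlockedDeviceRequired(true);
        }
        kg.init(spec.build());
        return kg.generateKey();
    }

    /** Returns IV || ciphertext, or null when Keystore rejects the key (e.g. device locked). */
    public static byte[] encryptIfUnlocked(SecretKey key, byte[] plaintext) {
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key);   // Keystore chooses a fresh random IV
            byte[] iv = c.getIV();
            byte[] ct = c.doFinal(plaintext);
            byte[] out = new byte[iv.length + ct.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return out;
        } catch (GeneralSecurityException e) {
            // The exact exception type for "device locked" varies by Android version, so this
            // example (by its own choice) treats any failure as "key not available right now".
            return null;
        }
    }

    // ---- Secure key import --------------------------------------------------

    /** Step 1: create an RSA wrapping key pair in secure hardware; its public half goes to the server. */
    public static PublicKey generateWrappingKeyPair(String wrappingAlias, byte[] attestationChallenge)
            throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, ANDROID_KEYSTORE);
        kpg.initialize(new KeyGenParameterSpec.Builder(wrappingAlias, KeyProperties.PURPOSE_WRAP_KEY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                .setAttestationChallenge(attestationChallenge) // lets the server verify hardware backing
                .build());
        return kpg.generateKeyPair().getPublic();
    }

    /**
     * Step 2: import the blob the server built (Keymaster's SecureKeyWrapper format: key material
     * under an ephemeral AES-GCM key, that key wrapped with RSA-OAEP to our public key).
     * The imported key is never visible to the app or the OS, only usable inside secure hardware.
     */
    public static void importWrappedKey(String wrappedAlias, String wrappingAlias, byte[] secureKeyWrapper)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        // Must match the parameters the wrapping key was generated with.
        AlgorithmParameterSpec wrappingSpec = new KeyGenParameterSpec.Builder(wrappingAlias,
                KeyProperties.PURPOSE_WRAP_KEY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                .build();
        ks.setEntry(wrappedAlias,
                new WrappedKeyEntry(secureKeyWrapper, wrappingAlias, "RSA/ECB/OAEPPadding", wrappingSpec),
                null);
        // From here on, ks.getKey(wrappedAlias, null) returns an opaque handle to the imported key.
    }
}
```

A practitioner checking the second feature should verify the attestation certificate chain server-side before wrapping anything to the returned public key; otherwise the server cannot tell a hardware-backed wrapping key from one produced by a compromised OS.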

The post Google Keystore feature looks to improve Android Pie security appeared first on SC Media.

Author: Robert Abel

YouTube is reading text in users’ videos – Naked Security

Google keeps tabs on much of your activity. Now, it turns out that its YouTube service…

SNDBOX: AI-Powered Online Automated Malware Analysis Platform

Israeli cybersecurity and malware researchers launch SNDBOX, an artificial intelligence-powered free online automated malware analysis platform…
