Cybercriminals are using stolen Apple ID credentials to remotely lock iPads, iPhones, and Macs and then demanding a ransom to release them. The victims are mainly in Australia and New Zealand, but there are also some reports from the United States.
The attackers abuse the Find My iPhone feature in iCloud by enabling Lost Mode on the compromised Apple IDs. Lost Mode is meant to let an owner lock a lost or stolen device and display a message on its screen; in this campaign the message reads, "Hacked by Oleg Pliss." According to Symantec's Satnam Narang, Oleg Pliss is an Oracle software engineer whose name the cybercriminals appear to have picked at random.
Victims are instructed to send 100 USD/EUR through services such as MoneyPack to have their devices unlocked. Paying is unnecessary: if the device already had a passcode, entering that passcode unlocks it. If no passcode was set, the device can be recovered by wiping it and restoring from a backup. In either case the Apple ID password should be changed as well, since the attacker still holds the credentials that made the lock possible.
The Apple IDs were most likely compromised through phishing. Another possibility is credential reuse: usernames and passwords leaked in breaches elsewhere, such as eBay's, work against Apple whenever the user chose the same username/password combination for both accounts.
The eBay breach exposed customers' private information including mailing addresses, email addresses, dates of birth, phone numbers, and possibly more. Any passwords taken in that breach can therefore be tried against sites other than eBay, because online consumers tend to reuse the same password across multiple sites.
Mike Fey, Chief Technology Officer at Intel Security, recommends the following actions to protect yourself from unauthorized access to your online accounts:
Several scanners are available that check whether a website is vulnerable to the Heartbleed bug, but they require you to enter each site by hand. For a more convenient approach, I recommend the Google Chrome extension Chromebleed.
Once installed, Chromebleed notifies you when a website you visit is currently vulnerable to Heartbleed. Note that Chromebleed only works in Google Chrome and is not available for other popular browsers such as Internet Explorer, Firefox, or Opera.
To install Chromebleed, open your Google Chrome Internet browser. Then, perform the following steps:
- Click the menu button (three horizontal bars) in the top right corner, then click "Settings."
- On the upper left corner of the Settings page, click on "Extensions."
- Click on "Get more extensions."
- In the search box, type Chromebleed and press Enter.
- Click the blue "+ Free" button to install Chromebleed, and then click "Add" on the confirmation box.
Chromebleed runs in the background while you use Chrome. Its icon (a bleeding heart) appears directly to the left of the menu button. Right-click the icon, choose "Options," and make sure both "Notifications Activated" and "Show All Notifications" are checked. With these options enabled, Chromebleed reports for each site you visit whether it is vulnerable to Heartbleed. Keep in mind that any such scanner only tells you the server's state right now: a site that has since been patched may still have had keys, session cookies, or passwords exposed before the fix.
The Heartbleed vulnerability has existed for about two years, and it is unknown whether cybercriminals exploited it during that time. Now that it is public, attempts to exploit it against your personal information are very likely.
Consequently, companies are advising their customers to change their passwords in case their accounts have been accessed by cybercriminals. If you still don't know what Heartbleed is: it is a bug in OpenSSL's implementation of the TLS heartbeat extension. An attacker sends a "heartbeat" request that claims a larger payload than it actually carries, and a vulnerable server echoes back that many bytes of its own memory. The leaked memory can contain private keys, session cookies, usernames, passwords, and other data.
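To show why an oversized length claim leaks memory, here is a C model of OpenSSL's heartbeat handler with the 1.0.1f (vulnerable) and 1.0.1g (fixed) behaviour side by side. This is an added example, not code from the original post and not OpenSSL's own source: a heartbeat message is one type byte, a two-byte payload_length, the payload, and at least 16 bytes of padding, and the model mirrors how `tls1_process_heartbeat()` builds its reply. The simulated heap, the made-up secret string, and the `run_heartbeat`/`reply_leaks_secret` helpers are assumptions introduced for the demonstration; the heap is sized so that even the largest 16-bit over-read stays inside it, so the demo itself never reads out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_HDR           3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING       16  /* minimum padding a heartbeat message carries */

/* Simulated process memory (assumption for this demo): the incoming heartbeat
 * message is placed at the front of `heap` and a made-up secret sits right
 * behind it, where the real bug found private keys and session cookies. */
#define HEAP_SIZE (HB_HDR + 65535 + 64)
static uint8_t heap[HEAP_SIZE];
static const char secret[] = "SECRET: session=abc123; RSA private key follows";

static uint8_t reply[HB_HDR + 65535 + HB_PADDING];
static size_t reply_len;

/* OpenSSL's big-endian 16-bit helpers. */
static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, uint8_t *p) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Model of tls1_process_heartbeat(): `rec` is the heartbeat message inside a
 * record of `rec_len` bytes. patched == 0 behaves like 1.0.1f and trusts the
 * peer's payload_length; patched == 1 adds the 1.0.1g bounds checks.
 * Returns the reply length, or 0 if the message was silently discarded. */
static size_t process_heartbeat(const uint8_t *rec, size_t rec_len, int patched)
{
    const uint8_t *p = rec, *pl;
    uint8_t *bp = reply;
    uint8_t hbtype;
    uint16_t payload;

    if (patched && (size_t)(HB_HDR + HB_PADDING) > rec_len)
        return 0;                    /* 1.0.1g: record too short to be valid */

    hbtype = *p++;
    payload = n2s(p);                /* attacker-controlled, never validated in 1.0.1f */
    p += 2;
    pl = p;

    if (patched && (size_t)HB_HDR + payload + HB_PADDING > rec_len)
        return 0;                    /* 1.0.1g: claimed length exceeds the record */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;

    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    bp += 2;
    memcpy(bp, pl, payload);         /* 1.0.1f: copies `payload` bytes past the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);       /* real code fills this with random bytes */
    reply_len = HB_HDR + payload + HB_PADDING;
    return reply_len;
}

/* Build a request claiming `claimed` payload bytes while really carrying
 * `actual` (plus padding), stage it in the simulated heap with the secret
 * directly behind it, and run the chosen handler. Returns the reply length. */
size_t run_heartbeat(int patched, uint16_t claimed, const char *actual)
{
    size_t actual_len = strlen(actual);
    size_t rec_len = HB_HDR + actual_len + HB_PADDING;

    memset(heap, 0, sizeof heap);
    memset(reply, 0, sizeof reply);
    reply_len = 0;
    heap[0] = TLS1_HB_REQUEST;
    s2n(claimed, heap + 1);
    memcpy(heap + HB_HDR, actual, actual_len);     /* padding bytes stay zero */
    memcpy(heap + rec_len, secret, sizeof secret); /* adjacent heap contents */
    return process_heartbeat(heap, rec_len, patched);
}

/* 1 if the last reply carried the secret out of the simulated heap. */
int reply_leaks_secret(void)
{
    size_t n = strlen(secret), i;
    if (reply_len < n)
        return 0;
    for (i = 0; i + n <= reply_len; i++)
        if (memcmp(reply + i, secret, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    size_t n = run_heartbeat(0, 16384, "ping");
    printf("1.0.1f, claimed 16384: reply %zu bytes, secret leaked: %s\n",
           n, reply_leaks_secret() ? "yes" : "no");
    n = run_heartbeat(1, 16384, "ping");
    printf("1.0.1g, claimed 16384: reply %zu bytes (0 = discarded)\n", n);
    return 0;
}
```

The only difference between the two paths is the comparison of the claimed payload length against the record actually received; that check is the whole of the 1.0.1g fix. Scanners such as the ones mentioned above probe for its absence the same way the attack does: they send a request with an oversized length claim and see whether the server answers with a reply longer than what was sent.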
"This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," stated a representative from Tumblr.
On April 8, 2014, a list of the vulnerable sites among the Alexa top 10,000 was published on GitHub. Many of the sites listed may have since fixed the issue.
A Windows Trojan is downloading ransomware that encrypts the victim's files and demands a Bitcoin payment to decrypt them. According to Trend Micro, the Trojan, called Fareit, is an information stealer that also downloads other malware, such as Zeus; it has recently been observed downloading "Cribit" as well.
One Cribit variant uses an English ransom message, and another delivers a multilingual ransom note in 10 different languages. The note directs users to a Deep Web site reachable only through Tor and demands $240 worth of Bitcoin. To avoid infection, do not click embedded links in emails and keep your software up to date.
Three men, believed to be part of an international cybercrime operation, were charged with conspiracy to commit identity theft, access device fraud, and wire fraud. The group targeted financial institutions and major organizations in the United States.
They attempted to steal at least $15 million from US customers and organizations by hacking into bank accounts, brokerage firms, and government agencies. Targeted organizations include:
- Aon Hewitt
- Automatic Data Processing
- Electronic Payments
- Fundtech Holdings
- JP Morgan Chase
- Nordstrom Bank
- US Department of Defense Finance and Accounting Services
- Veracity Payment Solutions
The cybercriminals transferred money from hacked accounts to pre-paid debit cards, then withdrew it from ATMs or used it for fraudulent purchases. Stolen identity information was also used to file fraudulent tax returns with the IRS.
The three individuals charged are Sharapka, Yanovitsky, and Gunderson. The indictment identifies Sharapka as the leader of a criminal enterprise called the "Sharapka Cash Out Organization." Each faces a maximum of 20 years in prison for conspiracy to commit wire fraud, 5 years for access device fraud and identity theft, and 2 years for aggravated identity theft.
ESET researchers warn that the Mac malware OSX/CoinThief is being distributed through torrents. In addition to Angry Birds, cybercriminals have disguised OSX/CoinThief as various popular Mac OS X apps such as BBEdit, Pixelmator, and Delicious Library. "There is clearly strong evidence that the trojan was specifically designed to profit from the current Bitcoin craze and fluctuating exchange rates," security expert Graham Cluley stated on ESET's WeLiveSecurity blog.
Once executed, OSX/CoinThief installs a web browser extension and monitors the victim's web traffic. A second component runs in the background, watches for wallet login credentials, and sends them to the attackers. The malicious browser extension is called "Pop-Up Blocker"; if it is present in your Mac browser, you are probably infected. Another indicator: open Activity Monitor (in the Utilities folder) and look for a process called com.google.softwareUpdateAgent. Despite its Google-like name, this process is created by OSX/CoinThief.
McAfee predicts that virtual currencies will fuel malware attacks globally in 2014. In general, growth in virtual currencies benefits and promotes economic activity. However, it has also given cybercriminals an anonymous payment infrastructure for collecting money from their victims.
Ransomware attacks, such as CryptoLocker, will continue to flourish as long as these attacks remain profitable. Furthermore, we may see new ransomware attacks aimed at enterprises.
The good news is that although each ransomware payload is unique, the methods used to distribute ransomware (spam, drive-by downloads, infected apps) are not. Keeping systems patched and following basic security hygiene will therefore keep you relatively safe from these threats.
Finally, virtual currencies and their anonymous transaction infrastructure have led to a number of "Deep Web" marketplaces that specialize in retail distribution of illegal products and services. The largest of these, Silk Road, was shut down by the FBI in October 2013. Although the closure of Silk Road was a major win for law enforcement, many such marketplaces continue to operate globally, and this issue is not going away anytime soon.
On the first day of 2014, more than 4.5 million Snapchat usernames and phone numbers were leaked online and made available for download. The hacker group responsible claims it had notified Snapchat of the vulnerability but Snapchat never responded.
SnapchatDB.info, the now suspended website, housed the leaked account information. On the site, the hacker group stated they censored the last two phone number digits to minimize spam and abuse but may release the digits under certain circumstances. The group explained their motivation was to raise awareness and stated "companies we trust with our information should be more careful in dealing with it."
Jeff Taylor, McAfee Consumer Operations Project Manager, had this to say about the issue: "The key privacy impact with this break seems to be in the data relationships... The best-kept secret related to privacy relates to PII (personally identifiable information) data relationships, so fundamental advice may include [using] unique user names and secondary email addresses for all social media accounts. Public profiles can be tied together otherwise, and data breaches become more damaging without such steps."
Irfan Asrar, McAfee Mobile Malware Researcher, warns about malicious websites that claim to be able to check whether you are one of the victims of the hack. These sites are set up to harvest information: they ask you to enter your phone number and then try to partially match it against the data the hackers released.
LinkedIn is one of the top social media platforms for job seekers, and cybercriminals are exploiting the site by posing as recruiters. According to the Better Business Bureau (BBB), scammers create fake recruiter profiles and then send messages with links to malicious sites that steal your personal information. These legitimate-looking websites often ask for your bank details, Social Security number, and so on, which the scammers use to access your bank accounts and attempt to steal your identity. Business professionals who use LinkedIn from their corporate network should also be on alert, since cybercriminals use the same methods to infect computer systems with malware.
BBB makes the following recommendations and reminders:
- Legitimate recruiters will never ask for your personal data such as banking information.
- Always research a "recruiter" who contacts you before providing your sensitive information.
- Most employers won't ask for a Social Security number until they actually provide you with a job offer.
- Don't just add anyone to LinkedIn. Do your due diligence and research their profile and connections prior to adding them.
- You should NEVER be asked to pay for a legitimate job. If a "recruiter" asks you to pay for training, block them immediately.
- Work-at-home jobs are scarce, so be cautious of these postings.
Finally, ask the "recruiter" whether you can call them. If they avoid speaking with you, you should probably block them.