Gannett: Allegedly Manipulating Online Advertising for Gain
March 16, 2022
What? Online advertising subject to manipulation? I thought this was impossible. The players have the highest ethical standards. The online services make the leaders of a half dozen major religions look like moral slackers.
“Domain Spoofing on Gannett Sites” suggests that one of the brightest lights in the galaxy of highly regarded “real news” outfits may have been putting its thumb on the grocer’s scale. The write up asserts:
Domain spoofing — where ad inventory is misrepresented as being from a different site — is often talked about as a solved problem by adtech insiders. Despite this, USA Today and hundreds of local newspapers owned by Gannett were sending spoofed bid requests to multiple ad exchanges for over 9 months.
The write up marshals evidence which will be impenetrable to those who are not familiar with Web coding and advertising mechanisms. Nevertheless, the main point is that Gannett is at the center of something that looks suspicious to the author (braedon.dev).
The write up adds:
This is unlikely to be the only case of this kind of authorized spoofing in the wild. Exchanges, DSPs, and anti-fraud vendors need to take a good look at why it seemingly went undetected for so long, and where else it might be happening.
My goodness, is domain spoofing and digital bait and switch widespread? Of course not. Ad sales are infused with the integrity of the MBA and coders who do what seems like fun.
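The mismatch the write up describes is, at bottom, a bid request whose declared site domain does not agree with the page the ad is actually served on. The following is an added example, not code from the write up or from any exchange, showing the kind of consistency check a DSP or anti-fraud vendor could run over bid requests. It assumes requests in the shape of OpenRTB 2.x (`site.domain`, `site.page`), the sample requests and hostnames are constructed for the example, and the eTLD+1 collapsing is a deliberate simplification noted in the code.

```python
"""Added example: flag OpenRTB-style bid requests whose declared site.domain
disagrees with the page URL (and, if available, the HTTP referrer)."""
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def base_domain(host: str) -> str:
    """Collapse a hostname to its last two labels as an eTLD+1 approximation.

    Assumption for this example only: a production check should consult the
    Public Suffix List so that suffixes such as 'co.uk' are handled correctly.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_bid_request(req: dict, referer: str = "") -> dict:
    """Compare the publisher-declared site.domain with the page/referrer hosts.

    Returns {'id', 'spoofed', 'reasons'}; 'spoofed' is True when the declared
    domain is missing or differs from the page URL, or when the referrer
    disagrees with the page URL.
    """
    site = req.get("site", {})
    declared = base_domain(site.get("domain", "").lower())
    page_dom = base_domain(host_of(site.get("page", "")))
    ref_dom = base_domain(host_of(referer)) if referer else ""

    reasons = []
    if not declared or not page_dom:
        reasons.append("missing site.domain or site.page")
    elif declared != page_dom:
        reasons.append(f"site.domain={declared} but site.page is on {page_dom}")
    if ref_dom and page_dom and ref_dom != page_dom:
        reasons.append(f"referrer {ref_dom} disagrees with site.page {page_dom}")
    return {"id": req.get("id"), "spoofed": bool(reasons), "reasons": reasons}


# Constructed sample bid requests (not real traffic) in OpenRTB 2.x shape.
SAMPLE_REQUESTS = [
    {"id": "honest", "site": {"domain": "localpaper.example",
                              "page": "https://www.localpaper.example/story/1"}},
    {"id": "spoofed", "site": {"domain": "bigpaper.example",
                               "page": "https://www.localpaper.example/story/1"}},
    {"id": "no-page", "site": {"domain": "bigpaper.example"}},
]


def audit(requests: list, referers: dict = None) -> list:
    """Run check_bid_request over a batch; referers maps request id -> Referer."""
    referers = referers or {}
    return [check_bid_request(r, referers.get(r.get("id"), "")) for r in requests]


if __name__ == "__main__":
    for verdict in audit(SAMPLE_REQUESTS):
        print(verdict)
```

Because `site.page` is itself publisher-supplied, an exchange would also want to compare it against the HTTP Referer seen on the ad request and against the ads.txt of the declared domain; the check above is the cheapest of those three and catches the plain mismatch case.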
Stephen E Arnold, March 16, 2022
Google: Defines Excellence for Android Users
March 3, 2022
I read a hoot of a story: “Data Stealing App Found in Google Play Downloaded Thousands of Times.” The idea of a branded store is consistency, compatibility, and trust. No one wants to buy an air fryer that explodes and maims an influencer. Why would one want to download a mobile app which allows a bad actor to seize data or take control of one’s mobile device?
The write up reports:
A notorious Android banking trojan designed to steal user data, like passwords and text messages, has been discovered in Google Play and downloaded thousands of times. The TeaBot banking trojan, also known as Anatsa and Toddler, was first observed in May 2021 targeting European banks by stealing two-factor authentication codes sent by text message.
Yep, malware direct from the Google. Let’s run down those qualities of a branded store:
- Consistency
- Compatibility
- Trust
Check, check, and check.
Ah, Google, are you entering a security drag race against the Softies?
Stephen E Arnold, March 3, 2022
Microsoft and Security: A Probably Trivial Item
March 2, 2022
An online publication called Venture Beat published “Russia May Use SolarWinds-Like Hacks in Cyberwar over Ukraine.” The article contained a paragraph I found suggestive. Here’s the passage:
…the attackers are believed to have gained access for as much as nine months to numerous companies and government agencies, including FireEye, Microsoft and the Departments of Defense, State and Treasury.
The point for me is that the extent of the breaches is not fully known. It is easier to issue news releases and make high-profile marketing moves than come to grips with the allegedly accurate information in the Venture Beat article.
Stephen E Arnold, March 2, 2022
Insider Threat: A Tricky Risk for Everyone
February 28, 2022
I spotted two reports. One is from Recorded Future, the outfit once backed by Google and In-Q-Tel. The company published “Conti Ransomware Gang Chats Leaked by Pro-Ukraine Member”. Another version (maybe not a verification of the Recorded Future story) appeared in “Backing Russia Backfires as Conti Ransomware Gang Internal Chats Leak.” I am never sure if stories are spot on, recycled rumors, or “real” news.
The main point of both stories is thought provoking.
A group of bad actors named “Conti” wanted to support a specific regime. One of the members of this group was not on board with the concept. This individual obtained confidential messages from members of the Conti outfit. With the information in hand, the “insider” made the content available to people outside of the gang.
From my point of view, the two stories make one point clear: If true, insider threats are often more of a threat than other types of attack. If false, the two stories still provide a road map for anyone who wants to pay off, pressure, or otherwise induce an insider into spilling the beans.
Net net: Insider threats are a vulnerability which warrants attention, not just a Fancy Dan automated email list of new exploits. Plus, this is a useful anecdote to share with those who tell me, “It can’t happen in my group.”
Stephen E Arnold, February 28, 2022
Australia: A Harbinger of Investigative Capability
February 11, 2022
Australia is a country which has been a pioneer in some investigative methods. Another innovation has been described in “Home Affairs Says Online Account Takeover Powers Now in Use.” The write up states:
…the Australian Federal Police and Australian Criminal Intelligence Commission have access to three new warrants to tackle serious crime enabled by anonymising technology. The warrants allow the agencies to take control of a person’s online account, as well as add, copy, delete or alter material to disrupt criminal activity and collect intelligence from online networks.
Australia is a participant in the Five Eyes’ group. Others in that federation are likely to monitor how Australia’s innovation works in the real world. Worth watching.
Stephen E Arnold, February 11, 2022
Insider Threats: Still a Useful Mechanism for Bad Actors
January 27, 2022
I read “Ransomware Gangs Increase Efforts to Enlist Insiders for Attacks.” I am not down with the notion of “increase efforts.” Identifying individuals who will provide user names, passwords, or facile fingers to slip a malware-loaded USB key into a computer connected to an organization’s network has been a go-to method for a long, long time.
The write up states:
The survey was conducted by Hitachi ID, which performed a similar study in November 2021. Compared to the previous survey, there has been a 17% rise in the number of employees offered money to aid in ransomware attacks against their employer. Most specifically, 65% of the survey respondents say that they or their employees were approached between December 7, 2021, and January 4, 2022, to help hackers establish initial access.
The factoid in the magic-with-statistics write up is that a lot of individuals report brushes with the insider ploy. What’s important to remember is that an insider can come from several different pools of people:
- There are disaffected employees who can be identified and then interviewed for a bogus news service or for a consulting job. A skilled contact working with an annoyed employee can often extract what might be termed a mother lode of useful information, including details about security, access, and other disaffected employees who want to put it to the “man” or “woman” who ruined a perfectly good morning of reading online news.
- Clueless former employees who respond to a LinkedIn-type job posting or an engaging individual in what sure looks like a chance encounter. Some individuals need or love money, and the engaging individual can buy or solicit security information from the CFE (clueless former employee).
- Happy current employees who find themselves confronted with a person who has information about a past indiscretion memorialized on Instagram, Meta, or TikTok. Maybe the current happy employee has forgotten text and images sent to an individual with some interesting preferences or behaviors. Blackmail? Well, more like leveraging TikTok-type data to identify and screen potential targets.
- Contractors, those faceless, often nameless individuals who have to eat in their cubes instead of the two-star real-employee cafeteria. Contractors can be hired, and one can interact with these professionals. It is possible that these individuals can provide the keys to the kingdom, so to speak, without knowing what treasures are unlocked by what seems to be casual conversation.
- Children of employees can be asked to give mom or dad a USB key. The unwitting employee slams the key into the slot unaware that it has been weaponized. Who asks kids? A skilled operative can present herself as a colleague at the front door, explain that this was your mom or dad’s memory stick, and ask the young person to hand it over to the parent. (If this method works, bingo. If it fails, another approach can be made. Wearing a Covid mask and dressing in normcore gray with a worn ball cap can help too.)
Why am I identifying pools of insiders? Most of the cyber security firms do not have systems which cover these points of insider vulnerability. Do some of the firms purport to have these bases covered?
Of course.
That’s the point. The customer won’t know until it is too late. Predictive analytics and cyber threat intelligence struggle in certain situations. Insiders are one such example.
Stephen E Arnold, January 27, 2022
Excited about Microsoft and Games? What about Other Issues? Like, Uh, Security?
January 25, 2022
We learn of a recent complaint against SolarWinds from GitHub contributor jaybobo, who helpfully shares both the full filing and key highlights. The case was filed in Delaware’s Court of Chancery by shareholders, including the Construction Industry Laborers Pension Fund and the Central Laborers’ Pension Fund. In light of the Sunburst hack, the plaintiffs assert the company failed to appropriately secure their investments against cybersecurity risks. The complaint alleges:
“SolarWinds: (i) used weak passwords for its software download webpages such as ‘solarwinds123;’ (ii) did not properly segment its IT network; (iii) directed its clients to disable antivirus scanning and firewall protection on its Orion software; (iv) cut investments in cybersecurity; and (v) listed its sensitive and high-value clients on its webpage for anyone to see.”
Oof—these are indeed the opposite of security best practices. The plaintiffs insist this alleged negligence allowed the Sunburst attack to succeed, tanking their investments. The filing describes the impact:
“In the days following the Company’s initial public disclosure of SUNBURST in December 2020, SolarWinds’ stock lost nearly 40% of its value. As of today, the stock trades at more than a 30% discount to its pre-revelation trading price. For the six months ended June 30, 2021, the Company incurred $34 million in direct expenses related to SUNBURST, stemming from, inter alia, costs to investigate and remediate the cyber attack; legal, consulting, and other professional service expenses; and public relations costs. In the first six months ended June 30, 2021, the Company also experienced a 27% decline in its license revenue relative to the previous year. SolarWinds explained that this decline was ‘primarily due to decreased sales of our licensed products as a result of the Cyber Incident [i.e., SUNBURST]’ (among other factors). The Company’s net increase in cash and cash equivalents for the same period was down over 74% relative to the previous year, which the Company also attributed, in part, to SUNBURST.”
The plaintiffs go on to note several ongoing investigations and lawsuits now facing SolarWinds as a result of the debacle. Then there are the related insurance rate hikes, finance charges, and compliance activities. They estimate these factors add another $20 million a year in expenses that will also diminish their investments. The filing requests several measures from the court, like requiring the company to implement better security and, of course, awarding damages.
We want to point out the information in “Microsoft Discovers Undisclosed Bug in SolarWinds Server.” That write up which we spotted on January 22, 2022 (a Saturday by the way) states:
During the sustained monitoring of threats taking advantage of the ‘Log4j2’ vulnerabilities, the Microsoft Threat Intelligence Centre (MSTIC) team observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds ‘Serv-U’ software. “We discovered that the vulnerability is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation,” Microsoft said in its security update. SolarWinds said the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized.
Security is worth monitoring, but the metaverse is more zippy.
Cynthia Murrell, January 25, 2022
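The Serv-U flaw described above is the classic LDAP filter injection pattern: characters typed into a login form are concatenated into a search filter and sent to the directory unescaped. The following is an added example, not Serv-U code or Microsoft’s analysis, that shows the vulnerable construction beside two fixes (RFC 4515 escaping and an allowlist on the username). The `sAMAccountName` filter shape, the sample username, and the `wildcard_assertions` heuristic are assumptions made for the example.

```python
"""Added example: LDAP filter injection, the vulnerable build and the hardened one."""
import re


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Backslash, '*', '(', ')' and NUL become a backslash plus two hex digits;
    everything else passes through unchanged.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_filter_unsafe(username: str) -> str:
    """Vulnerable: the user-controlled name is pasted straight into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def login_filter_safe(username: str) -> str:
    """Hardened: the name is escaped, so it can never add or close assertions."""
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


# Second layer of defence: reject anything that is not a plausible account name
# before it ever reaches the filter builder (assumed character set for the example).
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_valid_username(username: str) -> bool:
    return _USERNAME_RE.fullmatch(username) is not None


# Leaf assertions look like "(attr=value)". Counting leaves whose value is a bare
# '*' is a cheap way to see whether the filter has turned into "match anyone".
_LEAF_RE = re.compile(r"\(([A-Za-z0-9.;-]+)=([^()]*)\)")


def wildcard_assertions(ldap_filter: str) -> int:
    return sum(1 for _attr, value in _LEAF_RE.findall(ldap_filter) if value == "*")


if __name__ == "__main__":
    # Constructed attacker input: closes the sAMAccountName assertion and opens a wildcard one.
    evil = "*)(sAMAccountName=*"
    print("unsafe:", login_filter_unsafe(evil), "wildcards:", wildcard_assertions(login_filter_unsafe(evil)))
    print("safe:  ", login_filter_safe(evil), "wildcards:", wildcard_assertions(login_filter_safe(evil)))
    print("allowlist accepts evil input?", is_valid_username(evil))
```

Escaping alone is sufficient for correctness, but the allowlist is what turns a malformed login into a rejected request with a log line instead of a directory query, which is the behaviour a defender would rather see.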
A Sporty Cyber Centric Write Up with Key Information Left Out
January 10, 2022
I read “Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers.” The main point of the write up is that some clever cyber people have been working to figure out how a particular tool works. The tool is DanderSpritz, a full featured post-exploitation framework for obtaining useful information from a target system. The Shadow Brokers leaked the software in 2017. It took the folks writing the article four years to figure out the method. Non-US outfits figured it out more quickly. What’s left out of the write up?
I noted these omissions:
- Details of the DanderSpritz methods incorporated into other exploit tools
- Explanation of who and what the Equation Group is. The Web site link does not provide substantive information.
- Why so long between the release of the tool and a public analysis?
Personally I would not get too frisky when it comes to the Equation Group. I apply this type of thinking to any outfit conveniently located near an NSA facility. In the case of Shadow Brokers, my recollection is that this outfit found a way to obtain Equation Group code. My hunch is that this is a sore point for the Equation Group, and the embarrassment of the DanderSpritz dump may still cause some red faces.
Stephen E Arnold, January 7, 2022
The Price of a Super Secure Mobile for Questionable People
December 29, 2021
Criminals are sometimes the smartest people in the world, but other times they are the dumbest. The Sydney Morning Herald reported a story on some of the latter in “‘Invulnerable To Law Enforcement’: More Alleged Drug Criminals Outed By Encrypted App.” Australian criminals Duax Ngakuru and Hakan Ayik used an encrypted phone platform that was surreptitiously created by law enforcement.
Australian and New Zealand law enforcement teamed up on Operation Ironside and infiltrated the encrypted AN0M phone network. Authorities monitored Ngakuru’s and Ayik’s drug activity for three years:
“The work of Australian and New Zealand authorities has – especially since Operation Ironside was unveiled publicly in June with sweeping arrests and raids across the globe – made the Ngakurus and Ayik among the most wanted men on the planet, crippling the drug syndicates the trio helped operate.
The police files also reveal how the AFP’s infiltration of the encrypted AN0M phone network suggest the Ngakurus and Ayik successfully imported many drug shipments into Australia and New Zealand over many years. On May 17, Shane Ngakuru was covertly recorded using his AN0M phone device to describe sending “methamphetamine to New Zealand, Melbourne, and Perth” from his base in Thailand.”
The bad actors believed they were invulnerable and the most powerful men in Turkey, if not Oceania. While their drug operations were cleverly planned, the stupidity surfaced when they did not research their communication network. Their so-called invulnerability rested on the belief that AN0M could not be hacked. They did not check for updates or look in other bad-actor communities for hints of police crackdowns.
The US FBI, CIA, and other law enforcement organizations never shared information in the past, but they discovered it was mutually beneficial to do so. Criminals often do the same. Unfortunately, Ayik’s and the Ngakurus’ egos got the best of them.
Whitney Grace, December 29, 2021
DarkCyber for December 28, 2021, Now Available
December 28, 2021
This is the 26th program in the third series of DarkCyber video news programs produced by Stephen E Arnold and Beyond Search. You can view the ad-free show at this url. This program includes news of changes to the DarkCyber video series. Starting in January 2022, DarkCyber will focus on smart software and its impact on intelware and policeware. In addition, DarkCyber will appear once each month and expand to a 15 to 20 minute format.
What will we do with the production time? We begin a new video series called “OSINT Radar.” OSINT is an acronym for open source intelligence. In a December 2021 presentation to cyber investigators, the idea surfaced of a 60 second profile of a high value OSINT site. We have developed this idea and will publish what we hope will be a weekly video “infodeck” about an OSINT resource currently in use by law enforcement and intelligence professionals. Watch Beyond Search for details of how to view these short, made-for-mobile video infodecks. Now when you swipe left, you will learn how to perform free reverse phone number look ups, obtain a list of a social media user’s friends, and carry out other helpful data collection actions from completely open source data pools.
Also in this DarkCyber program are: [a] the blame for government agencies and specialized software vendors using Facebook to crank out false identities. Hint: It’s not the vendors’ fault. [b] why 2022 will be a banner year for bad actors. No, it’s not just passwords, insiders, and corner-cutting software developers. There is a bigger problem. [c] Microsoft has its very own Death Star. Does Microsoft know that the original Death Star was a fiction and that it did not survive an attack by the rebels? And [d] a smart drone with kinetic weapons causes the UN to have a meeting and decide to have another meeting.
Kenny Toth, December 28, 2021