Cyber Crime and Automation: Bots, Bots, and More Bots

September 23, 2022

With tools now available at the cybercrime boutique Genesis Market, online theft, fraud, and extortion have become user-friendly. It is no wonder the problem is growing faster than ever. Insider spoke with someone who knows a thing or two about the topic and reports, “A Former Cybercriminal Who Once Worked with—and Betrayed—the Secret Service Says the Easy Access to Bots Is One of the Biggest Threats on the Internet Right Now.” Now rehabilitated, ex-hacker Brett Shannon Johnson now works at a fraud prevention company. Writer Samantha Delouya tells us:

“[Johnson] told Insider he worries that shady corners of the web, like bot marketplace The Genesis Market, have made it easier for inexperienced criminals to commit complicated financial crimes. ‘You’ve got sophisticated tools that 98% of cybercriminals simply don’t use, and what scares me right now is we’re seeing that change [to more use],’ Johnson said. Johnson says these bot marketplaces can deliver everything a low-level hacker would need to commit complicated financial crimes. ‘When you visit a Genesis Market, you can search for the target that you’re wanting to get. Chase, Bank of America, Google, Walmart …. you can search for the target. It will deliver the bots that are accessing credentials for that target… So I buy the bot, and the bot delivers everything that I need,’ Johnson added.”

Delouya notes cryptocurrencies have been an especially juicy target recently. With these tools at the ready, Johnson suspects, the challenging economy will motivate many otherwise law-abiding folks to try their hand at financial crimes. For the rest of us, let this be a reminder to stay on top of security best-practices. Have you changed your important passwords lately?

Cynthia Murrell, September 23, 2022

Is Fresh Thinking about ISPs and Network Providers Needed?

September 14, 2022

Today (September 14, 2022) I reviewed some of our research related to what I call the “new” Dark Web. Specifically, I called attention to Internet Service Providers and Network Providers who operate mostly as background services. What gets the attention are the amazing failures of high profile systems like Microsoft and Google Cloud, among others. When I hear talk about “service providers”, the comments fall into two categories:

  1. The giant regulated outfits some of which are government controlled and owned and others which are commercial enterprises with stakeholders and high profiles. The question, “Does cloud provider X allow its platform to deliver CSAM or phishing attacks?” is not top of mind.
  2. Local Internet operations which resell connectivity provided by outfits in Category 1 above or who operate servers or lease “virtual” servers on Category 1’s equipment. Most of these outfits have visibility in a specific geographic area; for example, Louisville, not far from my hovel in a hollow.

Are these two categories sufficient? Do bad actors actually do bad things on systems owned, operated and managed by Category 1 companies? Is that local company really hosting CSAM or delivering malware for a client in Hazard County, Kentucky?

The answer to these questions is, “Yes.” However, technology is available, often as open source or purpose built by some ISP/network providers to make it difficult to determine who is operating a specific “service” on third party equipment. Encryption is only part of the challenge. Basic security methods play a role. Plus, there are some specialized open source software designed to make it difficult for government authorities to track down bad actors. (I identified some of these tools in my lecture today, but I will not include that information in this free blog post. Hey, life is cruel sometimes.)

I mention the ISP/Network Provider issue because the stakes are rising and the likelihood of speeding up some investigative processes is decreasing. In this post, I want to point you to one article, which I think is important to read and think about.

Navigate to “Naver Z Teams Up with Thai Telecom Giant to Build Global Metaverse Hub.” Naver is in South Korea. True is in Thailand. South Korea has some interesting approaches to law enforcement. Thailand is one of the countries with a bureaucratic method that can make French procedures look like an SR 71 flying over a Cessna 172. (Yes, this actually happened when the SR 71 was moving at about three times the speed of sound and the Cessna 172 was zipping along at a more leisurely 120 knots.)

The write up states:

Naver Z, the metaverse unit of South Korean internet giant Naver, has partnered with Thai telecom conglomerate True to build a global metaverse hub for creators.

The new service will build on the Zepeto metaverse platform. Never heard of it? The service has 20 million monthly active users.

Here’s a key point:

The platform is particularly attractive for K-pop fans. Zepeto recently collaborated with Lisa, a member of the popular South Korean girl group Blackpink, to host a virtual event where her fans could take selfies with her avatar on Zepeto.

So what?

What if a CSAM vendor uses the platform to distribute objectionable materials? What if the bad actor operates from the US?

What type of training and expertise are required to identify the offending content, track the source of the data, and pursue the bad actor?

Keep in mind that these are two big outfits. The metaverse is a digital datasphere. Much of that environment will be virtualized and make use of distributed services. Obfuscation adds some friction to the investigative processes.

For those charged with enforcing the law, the ISPs/and Network Providers — whether large or small — will become more important factors in some types of investigations.

Is CSAM going to find its way into the “metaverse”?

I think you know the answer to the question. Now do you know what information is needed to investigate an allegation about possibly illegal behavior in Zepeto or another metaverse?

Think about your answer, please.

Stephen E Arnold, September 14, 2022

Is Digital Piracy Is Similar to the US Anti-Drug Campaign

September 9, 2022

From the 1980s-2000s. American kids were subjugated to the DARE. The DARE program was a federal drug prevention program that was supposed to educate kids about the dangers of drugs and alcohol. It failed miserably. Instead, kids were exposed to more knowledge about drugs and alcohol. The same thing happened with anti-piracy ads: “Why Piracy PSAs Often Fail Spectacularly” says The Hustle.

Ever since the Internet allowed people to pirate everything from music to movies to software, screens were flooded with anti-piracy PSAs. The anti-piracy ads compared digital theft to stealing a car, bike, etc. The PSAs did more harm than good, like DARE, but they are entertaining as eye-rolling memes. Why did they fail?

“Many don’t see it as theft. It’s called file sharing.

Messaging is too extreme. It’s reasonable to compare downloading a movie to stealing a DVD — not to grand theft auto.

They’re not relatable. People might be deterred by malware warnings, but an Indian PSA featuring Bollywood stars — who are worth up to 200k times the nation’s annual per capita income — failed to garner sympathy.

Declaring piracy a widespread issue implies everyone’s doing it. So, why not you?”

In the United States, pirates aka file sharers are not bothered by the idea of stealing a few bucks from Hollywood. Piracy is also a white-collar crime. While there are fines and stiff penalties, the risks are minor compared to hacking, identity theft, murder, sex trafficking, and the list goes on.

No one cares unless it allows law enforcement to issue a warrant to prevent worse crimes or the moguls lose a lot of money, then they get the talking political heads involved.

Digital piracy is not new and we can thank the 1990s for the legendary rap, “Don’t Copy That Floppy.”

Whitney Grace, September 9, 2022

Open Source: Everyone Uses It. Now Bad Actors Know Where to Aim

September 2, 2022

Peace of mind is a valuable thing, a commodity one might think worth allocating some funds to ensure, particularly when one is engaged in permanent cyber warfare. Yet, according to BetaNews, “80 Percent of Enterprises Use Open Source Software and Nearly All Worry About Security.” A recent report from Synopsys and based on research by Enterprise Strategy Group found 80% of enterprises use open source software (OSS), and 99% of those are concerned about related security issues. Apparently one percent is not paying attention—such worry is justified because few in the IT department know what’s in the open source libraries or know how to find manipulated or rogue instructions. Reporter Ian Barker tells us:

“In response to high profile supply chain attacks 73 percent of respondents say they have increased their efforts significantly to secure their organizations’ software supply chain. Steps taken include the adoption of some form of multi-factor authentication technology (33 percent), investment in application security testing controls (32 percent), and improved asset discovery to update their organization’s attack surface inventory (30 percent). Despite those efforts, 34 percent of organizations report that their applications have been exploited due to a known vulnerability in open source software within the last 12 months, with 28 percent having suffered a previously unknown zero-day exploit found in open source software.

Pressure to improve software supply chain risk management has shone a spotlight on software Bills of Materials (SBOMs). But exploding OSS usage and lackluster OSS management has made the compilation of SBOMs complex — the ESG research shows that 39 percent of survey respondents marked this task as a challenge of using OSS. … [The study also found] 97 percent of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.”

All this, and the use of open source software is expected to jump to 99% next year. It seems those who hold organizational purse strings care more about saving a few bucks than about their cybersecurity teams’ sleepless nights. If they suffer a breach, however, they may find that metaphoric purse has acquired a large hole. Just a thought, but an ounce of prevention may be warranted here.

Cheap and easy? Yep.

Cynthia Murrell, September 2, 2022

Star Power and Crypto: Fading Magnetism

September 2, 2022

Cryptocurrencies are a mystery to most people. One would think they would have gone by the wayside, however, faithful followers are still chugging along mining coins. Unfortunately social media influencers who are experts in digital currencies were paid to promote them and they lied to their views. The guilt has now set in says NBC News in “Some Social Media Influencers Are Being Paid Thousands To Enforce Cryptocurrency Projects.”

Ben Armstrong of the BitBoy Crypto YouTube channel was paid to promote DistX as his “coin of choice.” DistX turned out to be a scam and investors were left high and dry. The currency is now worth less than a penny. Armstrong and other influencers are paid tens of thousands of dollars to promote cryptocurrencies.

Armstrong stated he was upfront about products he was paid to promote. Unfortunately many YouTubers are not as honest as him. He also refunded investors of DistX with his promotion fees. Years ago YouTubers did not have to disclose they were paid to promote products, but now they are supposed to state when content is sponsored. Some bad-acting YouTubers fail to follow guidelines.

Politicians are even getting involved:

“But state regulators warn that there are still influencers who lack transparency. Joe Rotunda, the director of the enforcement division of the Texas State Securities Board, said he’s seen paid promotions that are not only undisclosed but are pushing fraudulent ventures.

Rotunda and a team of regulators recently filed enforcement actions against two casinos in the metaverse, the new digital frontier where users can attend virtual concerts, purchase digital assets or even gamble at a casino.”

Cryptocurrencies are predicted to fail even more in the coming years. Why not stick to better forms of investment than risking it all on “get rich quick schemes?” Will the endorsers find their actions a future legal issue?

Whitney Grace, August September 2, 2022

Australia: Harbinger for Tech Giants and Their Exposed Quite Weak Spot?

August 31, 2022

The US technology giants color many discussions. Facebook seems to want everyone to live and work in a computer graphics generated world. Google allegedly wants to improve search. Yada yada yada.

The weak spot for most of these outfits is the perception that online provides a haven for bad actors. Among bad actors, one of the least salubrious niches is CSAM, jargon for child sexual abuse material. For some bad actors, the last couple of decades have been the digital equivalent of a Burning Man devoted to the heavy metal life of shadows.

True or false?

It depends on whom one asks. If you ask me and my team, the big technology outfits as well as the feeder modules like shadow Internet Service Providers have not taken enough positive steps to address the CSAM issue.

Australia Orders Tech Giants Apple, Microsoft, Snap and Meta to Step up Actions against Child Abuse Material” may be a harbinger of what’s coming from other countries in 2023. The article from the estimable Epoch Times reports:

Australian authorities have ordered global tech giants to report on the actions they have taken to stop the spread of child sexual exploitation materials on their platforms and will impose penalties on non-compliant companies.

What happens if New Zealand, the UK, Canada, the US, and other like minded companies follow in Australia’s footsteps?

CSAM is a problematic and troublesome issue. Why is Australia taking this action? The Wild West, “I apologize, senator” approach has worn thin.

CSAM is a weak spot, and big tech and its fellow travelers will have to do some fancy dancing in 2023 in my opinion. It’s time for the night club to close.

Stephen E Arnold, August 31, 2022

Favorite Phishing Holes of 2022

August 16, 2022

Cybercriminals can always rely on user gullibility, which is why the phishing tactic is not going away any time soon. Cybersecurity firm AtlasVPN presents us with what their researchers found to be the “Top 5 Phishing Statistics of 2022.” Think of it as a how-to for phishers, if you will, but we can also consider it a list of things to watch out for. The first item, for example, is easy to spot right there in the subject line:

“If there is a tell-tale sign that the email one received is a phishing attempt is an empty subject line. Research finds that 67% of cybercriminals leave the subject line blank when sending malicious emails. Other subject lines attackers use, although less frequently, include ‘Fax Delivery Report’ (9%), ‘Business Proposal Request’ (6%), ‘Request’ (4%), ‘Meeting’ (4%), ‘You have (1*) New Voice Message’ (3.5%), ‘Re: Request’ (2%), ‘Urgent request’ (2%), and ‘Order Confirmation’ (2%).”

It is also good to know which companies are most often spoofed and exercise extra caution when something supposedly from them hits the inbox. This year LinkedIn was impersonated in just over half of all attacks, giving it the dubious honor of being the first social media platform to surpass Apple, Google, and Microsoft. Crypto currencies are also a hot scam right now, with Blockchain, Luno, and Cardano the most-spoofed projects. Then there is Amazon, especially targeted on the much-hyped Prime Day. We learn:

“Amazon’s Prime Day is a long-awaited sales event for shoppers. However, while consumers enjoy great deals, criminals are working hard to lure them into fake websites. Amazon was the most frequently impersonated of all the retail brands, with over 1,633 suspicious sites detected in the last 90 days (till July 12, 2022). While the websites are being continuously taken down, as of July 12, the Amazon Prime Day, as many as 897 websites were still live.”

The write-up reports that 54% of phishing attacks that manage to hook a victim result in a data breach while a staggering 83% of organizations have suffered successful attacks so far in 2022. Stay vigilant, dear reader.

Cynthia Murrell, August 16, 2022

TikTok: Is It a Helpful Service for Bad Actors?

August 9, 2022

Do you remember the Silicon Valley cheerleaders who said, “TikTok is no big deal. Not to worry.” Well, worry.

TikTok: Suspected Gangs Tout English Channel Migrant Crossings on Platform” states:

The Home Office [TikTok] said posts which “promote lethal crossings” were unacceptable, but there are calls for more to be done to stop people-smuggling being advertised online.

TikTok is allegedly taking the position that such criminal promotions “have no place” on the China-linked service. The BBC report includes this statement:

A spokesman for TikTok said: “This content has no place on TikTok. We do not allow content that depicts or promotes people smuggling…and have permanently banned these accounts. “We work closely with UK law enforcement and industry partners to find and remove content of this nature, and participate in the joint action plan with the National Crime Agency to help combat organized immigration crime online.”

I am skeptical about TikTok for these reasons:

  1. Data collection
  2. Analyses which permit psychological profiling so that potential “insiders” can be identified
  3. Injection of content which undermines certain social concepts; that is, weaponized information.

Net net: Delete the app and restrict access to the system. Harsh? Maybe too little too late, cheerleaders.

Stephen E Arnold, August 9, 2022

Commercializing Cyber Crime with Search and Retrieval

July 14, 2022

I read “Ransomware Gangs Offer Ability to Search Stolen Data.” The write up reports:

Bleeping Computer reported today that the ALPHV/BlackCat ransomware gang was the first to offer the feature, announcing that they have created a searchable database with leaks from nonpaying victims. The hackers said that their stolen data had been fully indexed and that the search feature included support for finding information by filename or by content available in documents and images. The BlackCat ransomware gang claims it is offering the search service to make it easier for cybercriminals to find passwords or other confidential information.

Other alleged bad actors are offering a search function as well. These are Lockbit and Karakurt.

Several observations:

  1. Commercialization of cyber crime has been a characteristic of some of the more forward-leaning bad actors
  2. The availability of open source search makes it easy to add functionality
  3. More productization is inevitable; for example, subscriptions to Crime as a Service.

Net net: The focus of crime analysts and investigators may have to embrace enablers like Internet Service Providers, cloud services, and open source code repositories.

Stephen E Arnold, July 14, 2022

Indonesia: Good Actors and Bad Actors May Be Interested

June 30, 2022

I am not sure how the “new” visa described in “Indonesia Is Offering A Special Visa To Remote Workers, Allowing Them To Stay There For 5 Years Tax-Free, Including The Dream Destination, Bali.” The write up reports:

Freelancers and remote workers will soon be able to work tax-free in Indonesia, including the island of Bali, as the country’s tourism minister Sandiaga Uno announced the five-year ‘digital nomad visa’…

I did not know that Indonesia had a slogan; namely, “sun, sea and sand.” The proposed visa will shift the emphasis about 180 degrees to “serenity, spirituality and sustainability.” Got it? Sure.

The write up notes:

Living tax-free isn’t always a guarantee if you’re granted a digital nomad visa. For example, Americans will still have to file taxes if they’re granted one, because the US taxes citizens based on citizenship itself, rather than their residence.

The write up points out “there are snakes in Indonesia. If the visa plan becomes a reality, a few digital snakes may enliven daily life. Bad actors with a laptop may appear to be Silicon Valley wizards eager to avoid the rigors of work elsewhere. No Zooms when the surfs up.

Stephen E Arnold, June 30, 2022

Next Page »

  • Archives

  • Recent Posts

  • Meta