The Sting 01/23/2023
Security Alert: Recent Data Breaches and Cyberattacks
01/23/2023
Riot Games Hacked, League Of Legends, VALORANT, And Other Titles Affected
Riot Games, the developer of popular titles such as League of Legends, Wild Rift, VALORANT, Teamfight Tactics, and Legends of Runeterra, announced on Jan. 20 that their ‘development environment had been compromised via a social engineering attack’. Riot said in a tweet that there was 'no indication' that player information such as passwords, user names, and personal information was taken. However, since it was the development environment that had been hacked, this may affect upcoming patch releases across several of Riot’s titles. It’s unknown to what extent the development teams of the rest of Riot Games’ titles were affected, with the company admitting that they “don’t have all the answers right now.” Riot, founded in 2007, is headquartered in Los Angeles, Calif., and has 4,500+ employees in 20+ offices worldwide. Full Story
Source: Yahoo! News
01/21/2023
Costa Rica’s Ministry Of Public Works And Transport Crippled By Ransomware Attack
Costa Rica’s government has suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by hackers using the Conti ransomware. On Jan. 17, Costa Rica’s Ministry of Public Works and Transport (MOPT) said in a statement that 12 of its servers were encrypted. Cybersecurity experts from the National Security Directorate and the Ministry of Science, Innovation, Technology and Telecommunications were called in to address the situation and all of MOPT’s computer systems were knocked offline. The government did not respond to requests for comment but released a follow-up statement on Jan. 18 saying international organizations were brought in for support. The MOPT warned citizens to watch out for scammers, noting that no one is being contacted by the ministry over email or phone to process any of its services. Full Story
Source: The Record
01/20/2023
T-Mobile Says Hackers Stole Data On About 37 Million Customers
T-Mobile US Inc. said hackers accessed data, including birth dates and billing addresses, for about 37 million of its customers, the second major security lapse at the wireless company in two years. The company said in a regulatory filing yesterday that it discovered the problem on Jan. 5 and was working with law-enforcement officials and cybersecurity consultants. T-Mobile said it believes the hackers had access to its data since Nov. 25 but that it has since been able to stop the malicious activity. The cellphone carrier said it is currently notifying affected customers and that it believes the most sensitive types of records—such as credit card numbers, Social Security numbers and account passwords—weren’t compromised. T-Mobile has more than 110 million customers. The Federal Communications Commission said it had opened an investigation. “This incident is the latest in a string of data breaches at the company, and the FCC is investigating.” Full Story
Source: The Wall Street Journal
01/19/2023
Intuit's Mailchimp Comes Forward On A Recent Social Engineering Attack
"On Jan. 11, the Mailchimp Security team identified an unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration," reads a Jan. 13 post (updated Jan. 18) on the Mailchimp website. "The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack. Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts. After we identified evidence of an unauthorized actor, we temporarily suspended account access for Mailchimp accounts where we detected suspicious activity to protect our users’ data." Founded in 2001 and headquartered in Atlanta with additional offices in Brooklyn, N.Y., Oakland, Calif., and Vancouver, Canada, Mailchimp (acquired by Intuit in Sep. 2021) is used by millions of customers around the world. Full Post
Source: Mailchimp
Ransomware at Large: Current and Recent Incidents
01/21/2023
Costa Rica’s Ministry Of Public Works And Transport Crippled By Ransomware Attack
Costa Rica’s government has suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by hackers using the Conti ransomware. On Jan. 17, Costa Rica’s Ministry of Public Works and Transport (MOPT) said in a statement that 12 of its servers were encrypted. Cybersecurity experts from the National Security Directorate and the Ministry of Science, Innovation, Technology and Telecommunications were called in to address the situation and all of MOPT’s computer systems were knocked offline. The government did not respond to requests for comment but released a follow-up statement on Jan. 18 saying international organizations were brought in for support. The MOPT warned citizens to watch out for scammers, noting that no one is being contacted by the ministry over email or phone to process any of its services. Full Story
Source: The Record
01/20/2023
Yum Brands Says Nearly 300 Restaurants In UK Impacted Due To Cyber Attack
Yum Brands Inc said on Jan. 18 a ransomware attack impacted certain information technology systems of the company, which led to the closure of nearly 300 restaurants in the UK for a day. The company added that all the stores were now operational and that it had initiated response protocols upon detection of the incident. It added that an investigation had also been initiated and that federal law enforcement was notified. Yum, which also owns the Pizza Hut chain and Taco Bell, did not specify which restaurants were impacted by the attack. The KFC parent said there was no evidence customer databases were stolen even though data was taken from the company's network. The company said the event was not expected to have a material adverse impact on its business, operations or financial results. Full Story
Source: Reuters
01/18/2023
Vice Society Ransomware Gang Claims Attack On One Of Germany’s Largest Universities
The Vice Society ransomware group said it was responsible for a Nov. 2022 attack against one of Germany’s largest universities. The University of Duisburg-Essen in the country’s North Rhine-Westphalia region was forced to shut down its entire IT infrastructure and disconnect it from the network following the incident. The university has 12 departments and about 43,000 students. Hackers managed to obtain some of the university’s data and put it on the dark web, according to a statement released by the university on Jan. 16. The leaked data allegedly contains financial documents, student information and research papers. At the time of publication, the university had not responded to The Record’s request for comment. The University of Duisburg-Essen did not name Vice Society as the perpetrator of the cyberattack, but the group itself listed the university as one of its victims. Full Story
Source: The Record
The Cryptocrime Scene: A Summary of recent incidents and developments
01/19/2023
U.S. Arrests Russian Founder Of China-Based Crypto Exchange
U.S. law enforcement officials said yesterday that they've arrested the Russian founder of a China-based cryptocurrency exchange, disrupting an online platform used by criminals on the darknet. Anatoly Legkodymov, 40, the majority owner of Hong Kong-registered Bitzlato, was taken into custody in Miami, Florida, on Tuesday evening and charged with conducting an unlicensed money transmitting business, officials said at a press conference at the Justice Department. Meanwhile, French authorities working with Europol and other European law enforcement agencies took down Bitzlato’s digital infrastructure and seized its cryptocurrency, officials said. Full Story
Source: VOA
01/19/2023
South Korea Indicts 20 People For Illegal $170M Crypto Profiteering
South Korean prosecutors indicted 20 people on Jan. 18 for illegally remitting roughly 4 trillion won (roughly $3.2 billion) overseas to profit from the kimchi premium, according to a local news report. Cryptocurrencies are generally sold at a higher price on South Korean exchanges compared to foreign counterparts and the difference is referred to as the kimchi premium. The accused individuals used 256 South Korean bank accounts to transfer funds disguised as foreign trade payments to Hong Kong and other countries to buy cryptocurrencies from abroad. The individuals then sold the cryptocurrencies in South Korea for a premium, the prosecutors alleged, according to the report. The illegal transactions allegedly took place between Jan. 2021 and Aug. 2022. Prosecutors estimate that the accused individuals earned as much as 210 billion won (roughly $170 million) from the illegal trades. Full Story
Source: CryptoSlate
01/18/2023
FTX Says $415M In Crypto Was Hacked Since It Filed For Bankruptcy
Bankrupt crypto exchange FTX said in a report to creditors on Tuesday that about $415 million in cryptocurrency had been stolen as a result of hacks. Some $323 million in crypto had been hacked from FTX’s international exchange and $90 million had been hacked from its US exchange since it filed for bankruptcy on Nov. 11, CEO John Ray said in a separate statement on Tuesday. “We are making progress in our efforts to maximize recoveries, and it has taken a Herculean investigative effort from our team to uncover this preliminary information,” Ray said in the statement. During FTX’s initial investigation into hacks of its system, it uncovered a November asset seizure by the Securities Commission of the Bahamas, which led to a dispute between FTX’s US-based bankruptcy team and Bahamian regulators. Full Story
Source: New York Post
01/17/2023
North Korean Hacking Group Tied To $100M Harmony Hack Moves 41,000 Ether
Blockchain sleuth ZachXBT said yesterday that part of the funds tied to last year’s $100 million attack on the Harmony network were moved over the weekend. “North Korea’s Lazarus Group had a very busy weekend, moving $63.5 million (~41,000 ETH) from the Harmony bridge hack through Railgun before consolidating funds and depositing on three different exchanges.” The Lazarus Group, a North Korean hacking group believed to be supported by the regime of dictator Kim Jong Un, is likely behind last year’s hack of Harmony Bridge. The attack drained the service of $100 million worth of crypto, including ether (ETH), tether (USDT) and wrapped bitcoin (wBTC) on Jun. 24, 2022. Binance founder Changpeng Zhao said yesterday on Twitter that addresses connected to the hack moved the stolen stash to crypto exchange Huobi, which blocked the transfers and froze the accounts. Over 124 bitcoin were recovered, Zhao said. Full Story
Source: CoinDesk
Cybercriminals Brought to Justice: Current and Recent Arrests and Convictions
01/19/2023
U.S. Arrests Russian Founder Of China-Based Crypto Exchange
U.S. law enforcement officials said yesterday that they've arrested the Russian founder of a China-based cryptocurrency exchange, disrupting an online platform used by criminals on the darknet. Anatoly Legkodymov, 40, the majority owner of Hong Kong-registered Bitzlato, was taken into custody in Miami, Florida, on Tuesday evening and charged with conducting an unlicensed money transmitting business, officials said at a press conference at the Justice Department. Meanwhile, French authorities working with Europol and other European law enforcement agencies took down Bitzlato’s digital infrastructure and seized its cryptocurrency, officials said. Full Story
Source: VOA
01/19/2023
South Korea Indicts 20 People For Illegal $170M Crypto Profiteering
South Korean prosecutors indicted 20 people on Jan. 18 for illegally remitting roughly 4 trillion won (roughly $3.2 billion) overseas to profit from the kimchi premium, according to a local news report. Cryptocurrencies are generally sold at a higher price on South Korean exchanges compared to foreign counterparts and the difference is referred to as the kimchi premium. The accused individuals used 256 South Korean bank accounts to transfer funds disguised as foreign trade payments to Hong Kong and other countries to buy cryptocurrencies from abroad. The individuals then sold the cryptocurrencies in South Korea for a premium, the prosecutors alleged, according to the report. The illegal transactions allegedly took place between Jan. 2021 and Aug. 2022. Prosecutors estimate that the accused individuals earned as much as 210 billion won (roughly $170 million) from the illegal trades. Full Story
Source: CryptoSlate
01/19/2023
Hackers Stole $1.5 Million Using Credit Card Data Bought On The Dark Web
In what sounds like a movie script, over $1 million was stolen by a group that made use of thousands of credit cards posted for sale on the dark web. Some of the details of this complex cybercrime operation have come to light following an indictment by the U.S. Department of Justice. The defendant, Trevor Osagie of Bronx, N.Y., has pleaded guilty to conspiracy to commit credit card fraud from 2015 to 2018. Osagie worked with a network of thieves and managed to rack up over $1.5 million in damages. At least 4,000 people were affected. Osagie faces up to 30 years in prison and a fine of $1 million. The sentencing is set for May 25. By using the dark web, Osagie was able to recruit and manage other co-conspirators, who played various roles in the fraud. Full Story
Source: Digital Trends
01/17/2023
Kingpin Of Inter-State Cybercrime Gang In India Nailed
The cybercrime police have arrested the kingpin of an inter-state gang involved in creating fake helplines of Punjab State Power Corporation Limited (PSEB) in India and fraudulently withdrawing money from the bank accounts of their victims. A team of the cybercrime police was sent to Jharkhand and Yar Mohammad, alias Guddu Raza, of Deoghar, was arrested on Jan. 10. He was produced before the court that sent him to five-day police remand. During investigation, it came to light that Guddu’s father, Noshad, is the Sarpanch of Mathadangal village and also Pardhan of the Gram Panchayat. The accused is a habitual cybercriminal. When the cybercrime police of his area conducted a raid to nab him, they were attacked by his accomplices. The accused has made about Rs 50 lakh through his cybercrime activities as well as other illegal works all over India. He used the ill-gotten money to fund the election campaign of his father, purchase luxury cars and to build a new house in his village. Full Story
Source: The Tribune
The Cybercrime and Privacy Landscape: A Summary of Recent Developments and News
01/23/2023
Aussie Tourism Island Lord Howe Ravaged By X-Rated Cyber Attack
Anyone checking out the website for Australia’s Lord Howe Island today may have gotten a very rude shock, after the page was flooded with X-rated articles. Lord Howe Island is located off the coast of Port Macquarie in NSW and is one of Australia’s most popular island holiday destinations. However, there appeared to have been some difficulties with the official tourism website for the island this morning, after a number of articles appeared on the page referencing things like dating apps, sex acts and even links to pornographic websites. It appears the articles have since been deleted from the website, but not before they were screenshot and shared to a popular meme Facebook group. A spokeswoman for the website told The Daily Telegraph that IT specialists had now neutralized the hack and were monitoring the site. Full Story
Source: New Zealand Herald
01/23/2023
Cybercrime Blitz Shuts Thousands Of Websites In Thailand
An ongoing anti-cybercrime campaign by the Thailand government has so far resulted in the suspension of over 50,000 fraudulent bank accounts and the shutting down of almost 2,000 gambling websites, deputy government spokeswoman Rachada Dhnadirek said yesterday. Ms Rachada said government agencies such as the Royal Thai Police, the Ministry of Digital Economy and Society (DES), the National Broadcasting and Telecommunication Commission (NBTC), the Anti-Money Laundering Office (Amlo) and the Bank of Thailand are collaborating in the campaign, which began last year. She said 58,463 fraudulent bank accounts had been suspended, and 1,830 gambling websites were taken down in 2022. More than 118,530 phone numbers were also suspended for phishing text messages, she said. Full Story
Source: Bangkok Post
01/23/2023
Meta's WhatsApp Fined 5.5 Mln Euro By Lead EU Privacy Regulator
Meta's WhatsApp subsidiary was fined 5.5 million euros ($5.95 million) on Jan. 19 by Ireland's Data Privacy Commissioner (DPC), its lead EU privacy regulator, for an additional breach of the bloc's privacy laws. The DPC also told WhatsApp to reassess how it uses personal data for service improvements following a similar order it issued this month to Meta's other main platforms, Facebook and Instagram, which stated Meta must reassess the legal basis upon which it targets advertising through the use of personal data. The Irish watchdog, which is the lead EU regulator for many of the world's top technology companies due to the location of their European headquarters in Ireland, directed WhatsApp to bring its processing operations into compliance within six months. Full Story
Source: Reuters
01/23/2023
USPS Tightens Online Security After Fraudsters Steal Employees’ Paychecks
The U.S. Postal Service is tightening its online security measures in response to fraudsters targeting the financial information of its employees. USPS, in a memo to its workforce on Jan. 17, warned that cyber criminals are targeting USPS employees by creating fake websites that closely resemble LiteBlue, the agency’s online employee portal. Postal unions are warning members that fraudsters are using these spoofed websites to obtain USPS employees’ login credentials and reroute direct-deposit paychecks to their own bank accounts. LiteBlue allows employees to view their paycheck information, access their Federal Employee Health Benefits (FEHB), access their Thrift Savings Plan and contact USPS human resources. Full Story
Source: Federal News Network
01/21/2023
Costa Rica’s Ministry Of Public Works And Transport Crippled By Ransomware Attack
Costa Rica’s government has suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by hackers using the Conti ransomware. On Jan. 17, Costa Rica’s Ministry of Public Works and Transport (MOPT) said in a statement that 12 of its servers were encrypted. Cybersecurity experts from the National Security Directorate and the Ministry of Science, Innovation, Technology and Telecommunications were called in to address the situation and all of MOPT’s computer systems were knocked offline. The government did not respond to requests for comment but released a follow-up statement on Jan. 18 saying international organizations were brought in for support. The MOPT warned citizens to watch out for scammers, noting that no one is being contacted by the ministry over email or phone to process any of its services. Full Story
Source: The Record
01/21/2023
University Of Michigan Fires QB Coach After ‘Computer Access Crimes’ Investigation
The University of Michigan has fired co-offensive coordinator and quarterbacks coach Matt Weiss amid an investigation into alleged computer crimes inside the football team's offices. This comes during an investigation by the UM police department of alleged computer crimes involving unauthorized access to email accounts at Schembechler Hall, which houses the football team's offices, including those of coach Jim Harbaugh and Weiss. The allegation involving email accounts was included in daily university police logs Jan. 5, five days before sources told The Detroit News that UM police investigators searched Weiss’ home in Ann Arbor. The sources, including an eyewitness, said law enforcement officers and unmarked vehicles were present at the home. Full Story
Source: The Detroit News
01/21/2023
U.S. Airline Accidentally Exposes ‘No Fly List’ On Unsecured Server
An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government’s Terrorist Screening Database and “No Fly List.” Located by a Swiss hacker, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees. Analysis of the server resulted in the discovery of a text file named “NoFly.csv,” a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations. The list appeared to have more than 1.5 million entries in total, including several notable figures. The data included names as well as birth dates. It also included multiple aliases. Full Story
Source: Daily Dot
01/21/2023
Long Island Resident Sounds Alarm On Facebook Puppy Scam That's Put Her Safety At Risk
A woman from Long Island is sounding the alarm about a lucrative puppy scam that she only discovered after people started showing up at her home to pick up their brand new dog. Northport, N.Y. resident Jayne Dietl described a scam on her Facebook account that has gotten pretty frightening. The account, which she hadn't touched in about three years, was suddenly putting up ads for puppies, Yorkies, suggesting a DM for payment through Zelle. "My friends they're saying, 'Oh, you're selling puppies, they're so beautiful, can I see them?' I'm like, 'puppies? What are you talking about,'" Dietl said. It got worse. People who paid hundreds of dollars for the puppies started showing up at Dietl's door. "One paid $600, one paid $650, one paid $350, another one gave a $150 dollar deposit," she said. "I'm worried about my safety and the children's safety. We can't have people coming here." Full Story
Source: CBS NEW YORK
01/21/2023
B.C. School District Investigating Data Breach Affecting Up To 19,000 People
The Maple Ridge-Pitt Meadows School District is warning its school community about a data breach involving more than 19,000 records. In a bulletin posted Jan. 19, the district said it is investigating how files containing first names, last names, schools/departments, district email addresses and student grades were released. The data likely affects both students and staff, the district said. It warned that the information could be used for “targeted phishing attacks.” The school district in British Columbia, east of Vancouver in Canada, is warning students, families and staff to be extra vigilant if using their district email account for any emails asking for personal information or passwords. “While it is possible this information was obtained because of a compromised student or staff email account, our investigation into how this data was accessed is ongoing,” the district said. Full Story
Source: Global News
01/21/2023
Sophisticated 'VastFlux' Ad Fraud Scheme That Spoofed 1,700 Apps Disrupted
A sophisticated ad fraud scheme that spoofed over 1,700 applications and 120 publishers peaked at 12 billion ad requests per day before being taken down, bot attack prevention firm Human says. Dubbed VastFlux, the scheme relied on JavaScript code injected into digital ad creatives, which resulted in fake ads being stacked behind one another to generate revenue for the fraudsters. More than 11 million devices were impacted in the scheme. The JavaScript code used by the fraudsters allowed them to stack multiple video players on top of one another, generating ad revenue when, in fact, the user was never shown the ads. VastFlux, Human says, was an adaptation of an ad fraud scheme identified in 2020, targeting in-app environments that run ads, especially on iOS, and deploying code that allowed the fraudsters to evade ad verification tags. Full Story
Source: SecurityWeek
01/20/2023
T-Mobile Says Hackers Stole Data On About 37 Million Customers
T-Mobile US Inc. said hackers accessed data, including birth dates and billing addresses, for about 37 million of its customers, the second major security lapse at the wireless company in two years. The company said in a regulatory filing yesterday that it discovered the problem on Jan. 5 and was working with law-enforcement officials and cybersecurity consultants. T-Mobile said it believes the hackers had access to its data since Nov. 25 but that it has since been able to stop the malicious activity. The cellphone carrier said it is currently notifying affected customers and that it believes the most sensitive types of records—such as credit card numbers, Social Security numbers and account passwords—weren’t compromised. T-Mobile has more than 110 million customers. The Federal Communications Commission said it had opened an investigation. “This incident is the latest in a string of data breaches at the company, and the FCC is investigating.” Full Story
Source: The Wall Street Journal
01/20/2023
PayPal Hacker Attack Exposes Customer Names And Social Security Numbers — What To Do Now
PayPal has begun sending out data breach notifications to users of the online payment service whose accounts were accessed by hackers last month. In a Notice of Security Incident sent out to affected customers, PayPal explained that the attack itself took place between December 6-8 of last year. The company detected the attack was taking place and took steps to mitigate it at the time. However, PayPal also launched an internal investigation to find out how the hackers responsible were able to access the accounts of its customers. Although the company claims that the hackers were not able to perform any transactions using the breached accounts, they did manage to steal quite a bit of sensitive information from affected customers including their full names, dates of birth, physical addresses, Social Security numbers and tax identification numbers. Full Story
Source: Tom's Guide
01/20/2023
Yum Brands Says Nearly 300 Restaurants In UK Impacted Due To Cyber Attack
Yum Brands Inc said on Jan. 18 a ransomware attack impacted certain information technology systems of the company, which led to the closure of nearly 300 restaurants in the UK for a day. The company added that all the stores were now operational and that it had initiated response protocols upon detection of the incident. It added that an investigation had also been initiated and that federal law enforcement was notified. Yum, which also owns the Pizza Hut chain and Taco Bell, did not specify which restaurants were impacted by the attack. The KFC parent said there was no evidence customer databases were stolen even though data was taken from the company's network. The company said the event was not expected to have a material adverse impact on its business, operations or financial results. Full Story
Source: Reuters
01/20/2023
Nunavut Power Utility’s Servers Hit By Cyber Attack
The territorial utility that provides power to Nunavut can’t say yet if customer data was copied after a cyberattack earlier this week. Qulliq Energy Corporation was targeted in a cyberattack last weekend, the firm said yesterday. “QEC’s network was breached, and the corporation took immediate actions to contain the situation.” Outside cybersecurity experts are working with IT teams from QEC and the Government of Nunavut’s teams to investigate the cause and scope of the attack. “As soon as we learned there was a possible issue, we activated our crisis response plan to take control of the situation,” utility CEO Rick Hunt said in a statement. The utility delivers electricity to approximately 15,000 electrical customers across 2 million sq. km. of Canada’s far north through stand-alone diesel power plants in 25 communities. Full Story
Source: IT World Canada
01/20/2023
Hundreds Of Vulnerable WordPress Sites Compromised With Different Database Infections
Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels. Sucuri recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines. So far, roughly 270 sites have been impacted by the first injection, while 82 sites have been impacted by the second. Both pieces of malware can be found scattered throughout a WordPress database but they each accomplish different tasks. Full Story
Source: Sucuri
01/20/2023
Get Ready For Netflix's Account Sharing Crackdown This Quarter
If you borrow a Netflix account, don’t be surprised if you lose access in the coming weeks. The streaming service signaled in its latest earnings report that it'll start cracking down on account sharing this quarter. The looming crackdown will no doubt annoy users. Netflix anticipates some paid subscribers will end up canceling their accounts in response. The company saw this in Latin America when it began testing the paid sharing options. But over time, Netflix expects the crackdown to spur revenue growth either through users opting into the paid sharing plan or signing up for their own standalone accounts. Exactly how Netflix will crack down on account sharing remains unclear. But the company will likely examine the IP addresses and device models freeloaders are accessing Netflix from and block ones that don’t match the IP address and devices of the main account holder. Full Story
Source: PCMag