Author: TAFA
Archives: April 2024
Striking a Balance: Singapore May Split Liability For Financial Scams Between Banks & Victims
29/9/2023

The digital age has brought tremendous convenience, but it has also given rise to new forms of crime. Financial scams such as phishing have been a persistent problem, causing substantial losses to both individuals and financial institutions. In response to this growing concern, Singapore is preparing a consultation paper on a split liability scheme, which aims to ensure that the burden of financial losses from scams is shared between consumers and banks. This article looks at the details of this approach, its implications, and why such measures are needed in today's digital landscape.

How Did The Idea of Split Liability Come About?
The catalyst for a shared liability strategy came in February 2022, after cybercriminals stole a combined SG$13.7 million (US$10.2 million) from around 800 customers of a single bank, the Oversea-Chinese Banking Corporation (OCBC), using spoofed text messages. These SMS messages, disguised as coming from OCBC, asked account holders to click a link to resolve account issues; the link redirected them to a fake bank website, which allowed the cybercriminals to collect their logins and passwords. With those credentials, the cybercriminals were able to transfer the digital token to their own devices and drain the victims' accounts. Initially, OCBC offered "goodwill" payments to only 6.4% of victims. Only when the Monetary Authority of Singapore (MAS) threatened action did OCBC change its stance and state that it would issue "full goodwill payouts" to all victims. The sheer size of the required payouts made Singapore rethink its anti-scam measures. The then-minister of finance, now deputy prime minister, Lawrence Wong, stated that any losses would be a shared responsibility of both banks and customers.
This is to prevent customers from having a "weaken[ed] incentive to be vigilant" against phishing scams, in particular social engineering scams.

What About Other Countries?
From 2024, the UK will require banks to reimburse customers who have been scammed into sending money to fraudsters, within 48 hours. This new mandatory reimbursement system, introduced by the Payment Systems Regulator (PSR), is designed to ensure that customers get a refund if they fall victim to authorized push payment (APP) fraud, in which a victim is tricked into making a payment to scammers posing as a legitimate organization such as a bank or the police. The PSR proposed that banks must reimburse payments over 100 pounds up to a maximum of a million pounds, although many banks have lower limits. The reimbursement bill will be shared between the sending and receiving banks. Australia appears to be adopting similar measures: the country's financial services minister, Stephen Jones, has said the government is "going to ensure that the banks are accountable for much more", and that they will "probably look at something which travels in the same direction" as the UK. This follows a recent report which found that Australia's big banks reimburse less than 5% of scam victims. Similarly, the European Commission has proposed refunding victims of authorized payment fraud in certain circumstances.

Why is Singapore Going Forward With the Liability Scheme?
Compared with the positions taken by other countries, Singapore appears to be going in a different direction. As Alvin Tan, Singapore's minister of state, told Parliament, some have the perception that banks can easily absorb losses from these scams. However, making banks fully responsible for these losses without considering culpability "is neither fair nor desirable".
As discussed above, the concern is that if banks become fully responsible for the losses, customers could be de-motivated from staying vigilant against scams and become complacent. Tan also stated that in scam cases, banks have to "consider if they have fulfilled their obligations, and whether the victim had acted responsibly." Elaborating further, Tan stated that victims who practiced good cyber hygiene and did their best, such as "preventing their login information and [one-time passwords] from being divulged to third parties, should not have to bear losses".

What This Means…
Under the new scheme, it seems that consumers are expected to exercise due diligence in their financial transactions, while banks are expected to enhance their security measures and educate consumers on potential risks. Banks are accountable for ensuring a safe banking environment and have to promptly investigate and resolve scam cases. However, they will not be the sole bearers of financial losses. Consumers who follow best practices are less likely to suffer losses and therefore share in the responsibility for any financial setback.

Disagreement with the Scheme
However, there is disagreement within Parliament itself on this stance. Sylvia Lim, a member of parliament, said that "banks should take on an outsized role in preventing [scams]", and that banks in Singapore should be required by law to fully reimburse scam victims. Her underlying argument was that customers are not as well-equipped as banks to combat scams, since customers lack the resources and position that banks have.
Furthermore, she stated that Singapore should adopt the UK system of mandatory reimbursement that will be implemented in 2024, which can be "scoped to protect customers who are consumers, small businesses and charities." Lim also said that more has to be done for scam victims, as some Singapore banks' current goodwill payments are "paltry" compared to the victims' losses. Such goodwill offers are usually tied to non-disclosure agreements, which not only require customers to maintain confidentiality but also to forgo all rights to recover further sums. Lim called these agreements one-sided, and pushed MAS to consider establishing regulatory guidelines for the settlement of consumer disputes. As of today, the consultation paper on the framework of the liability scheme has not yet been published due to the complexity of the issues involved. The government aims to issue the public consultation paper in the 3rd quarter of 2023.

Implications of the Split Liability Scheme
The split liability scheme brings several implications to the fore:
1. Promoting Awareness and Responsiveness: This approach encourages consumers to be vigilant and take precautions when engaging in financial transactions, fostering a safer digital ecosystem.
2. Financial Prudence: Consumers are incentivized to exercise caution and implement security measures, fostering financial prudence and minimizing potential losses.
3. Shared Responsibility: By distributing accountability, both consumers and banks must actively collaborate to mitigate the risks of financial scams. This strengthens the overall security landscape.

Takeaway
The introduction of the split liability scheme in Singapore represents a fundamental shift in how financial losses due to scams are perceived and managed. By distributing accountability, this approach aims to instill responsibility, awareness, and prudence within the financial ecosystem.
Striking a balance between consumer caution and enhanced bank security, the split liability scheme is a step towards a more secure and informed digital future for Singapore. As technology continues to evolve, so do the strategies to combat cyber threats. The split liability scheme is a testament to Singapore's commitment to adapting and innovating in the face of modern challenges. It is a paradigm shift that could set the tone for similar initiatives globally, as societies grapple with the ever-changing landscape of digital risks and financial scams.
In the cybersecurity landscape, two kinds of nefarious software come up most often: malware and ransomware. Both are designed to infiltrate, infect, and wreak havoc on your digital life. In this article, we pull back the curtain on these digital adversaries, exploring what sets them apart and why they are such a significant threat in today's interconnected world.
Unmasking Malware: The Sneaky Saboteur
Malware, a portmanteau of malicious software, is software designed to achieve malicious purposes on an infected computer. It is a broad term encompassing the various types of unwanted software designed to infiltrate or damage your system without your consent, including adware, cryptominers, botnets, ransomware, infostealers, mobile malware, trojans, viruses, worms, wipers, and more. These types of malware are designed differently depending on their goals. For example, malware designed to serve unwanted advertisements is vastly different from ransomware, which encrypts files on infected systems, although these variants do use many of the same techniques to achieve their different goals. Malware can stealthily enter your system through email attachments, infected websites, or software downloads, often exploiting vulnerabilities in outdated software as well as human weaknesses. Its motives range from simply causing chaos to stealing sensitive information such as passwords or financial data. Some malware disguises itself as a legitimate program, lurking in the background and siphoning off your data, while other malware might bombard you with unwanted ads or, like ransomware, encrypt your files.

Ransomware: The Digital Kidnapper
Ransomware is a specific type of malware that takes digital extortion to a whole new level. All ransomware is malware, but not all malware is ransomware. The goal of ransomware is to deny the victim access to their files through encryption, and to demand a ransom in exchange for the decryption key that restores access. Once ransomware gains access to a computer, it works its way through the filesystem, checking the type of each file it finds. If a file matches its built-in list of file extensions, the malware encrypts the file data, replaces the original data with the encrypted version, and wipes any record of the original from the system.
Many ransomware variants also work to spread beyond the initial target. This allows cybercriminals to infect a greater number of systems, reach higher-value systems, and increase their ransom demand. After the ransomware completes the encryption process, a ransom demand is presented to the user: either pay the ransom within a specified time or risk losing the files forever. If the user pays, the cybercriminal gives them the decryption key for their files. This key should allow the victim to decrypt most or all of their files, restoring access. In recent years, there has been an alarming rise in ransomware attacks, impacting individuals, businesses, and even critical infrastructure. Attackers have refined their tactics, often employing phishing emails and social engineering to deceive victims into triggering the ransomware.

Ransomware: Its Evolution With Other Malware
Ransomware has been evolving, with hybrids being created in which ransomware and other types of malware are used together. Examples include:
Ransomware VS Malware: How They Differ
The critical difference between malware and ransomware lies in their intent and impact. Malware has a broader agenda, from data theft to system disruption. It can be covert, stealthily spying on your activities, or overt, bombarding you with pop-ups and ads. Ransomware, on the other hand, has a singular, malicious goal: encrypting your data and demanding a ransom. It is a direct, in-your-face attack that leaves you with a chilling choice: pay or lose your valuable files.

Protecting Your Digital Realm Against Malware
The best way to protect against malware attacks is through prevention.
Takeaway
In the ever-evolving digital landscape, understanding the distinctions between malware and ransomware is crucial for fortifying your defenses. Both are formidable foes, but with the right knowledge and security measures, you can tilt the odds in your favor. Stay vigilant, stay informed, and let your digital fortress stand strong against the relentless tide of cyber threats.
Last week, more data breaches, cyberattacks and ransomware attacks occurred across several industries, from hotels and casinos to the public sector, some with devastating consequences. New malware, vulnerabilities and patches have also been found and released. It is highly recommended not only to be aware of them but also to apply the updates where possible.
Read on for a quick summary of what happened this week in cybersecurity.

Pizza Hut Australia data breach: 193,000 customers' personal information exposed.
Pizza Hut Australia is sending data breach notifications to its customers, warning that attackers gained unauthorised access to the Pizza Hut Australia systems that store the personal information of customers who made online orders, including customer record details and online order transactions. The incident impacted 193,000 customers. The information exposed includes customers' full name, delivery address, delivery instructions, email address, phone number, masked credit card data, and encrypted passwords for online accounts. In the notice, the company recommends that customers consider updating their password even though passwords are "one-way encrypted" in the database. It also urged customers to be aware of phishing attacks and of any suspicious links sent to them via unsolicited communications. Pizza Hut stated that the Office of the Australian Information Commissioner (OAIC) has been fully informed about the situation.

Hong Kong Consumer Council hit by ransomware: warns of suspected data breach.
Hong Kong's consumer watchdog, the Consumer Council, said on Friday that a cyberattack on its computer system had been identified on Wednesday. The attack damaged about 80% of its systems and disrupted its hotline services and price comparison tools. It was also found that a "data transfer volume of 65GB higher than usual was observed". However, the Consumer Council has not yet confirmed whether a data breach occurred, nor determined the scope of any data leak. The incident may potentially affect current and former staff, job applicants, and subscribers to the monthly CHOICE magazine.
The potentially at-risk data includes the HKID numbers of current and former staff and their family members, and credit card information for around 8,000 subscribers of the council's monthly CHOICE magazine. A ransomware note was also left, claiming that employee and client data had been obtained during the attack. The attackers demanded a ransom of US$500,000 to be paid by Saturday night, rising to US$700,000 if the deadline was not met. However, Chan, the Consumer Council chairperson, stated that the council will not pay the ransom and will support police investigations. The incident has also been reported to the Privacy Commissioner's Office.

Greater Manchester Police suffers third-party data breach exposing officers' and staff personal data.
The UK's Greater Manchester Police (GMP) has been affected by a third-party breach at one of its suppliers, which produces GMP's staff ID cards. The breach exposed the personal data of GMP officers and staff. Although financial details and home addresses were not exposed, names, ranks and photographs from warrant badges were. GMP has not yet determined the number of impacted officers and staff, or the full nature of the data, and has not named the third-party supplier. GMP's Assistant Chief Constable did disclose that the breach involved ransomware, although GMP did not disclose the attacker's identity or whether any ransom demands were received. A national investigation into the breach, involving regulatory and law enforcement agencies, has begun. The breach may also impact undercover officers and agents working on special missions, so the National Crime Agency (NCA) has stepped in to prevent this possibility.

Hotel hackers redirect customers to a fake Booking.com payment page, stealing their cards.
Security researchers discovered a multi-step campaign in which hackers breach the systems of hotels, booking sites, and travel agencies, and then use that access to steal customers' financial information. Through this approach and a fake Booking.com payment page, the hackers have a higher chance of success at collecting credit card information. Researchers at Akamai found that the cybercriminals first establish communication with a hotel and, citing a special request or medical condition, send "documents" via a URL. The URL leads to info-stealing malware that collects sensitive information such as credentials or financial details. Once the info-stealer has executed on the original target (the hotel), the cybercriminal can access its messaging with legitimate customers and send phishing messages that look like legitimate requests from the now-compromised hotel, booking service or travel agency. The message typically asks for additional credit card verification and is written to look like a genuine interaction. What makes it more convincing is that these phishing messages are delivered through the booking platform itself. The victim receives a link for the alleged card verification, which leads to a fake Booking.com payment page. Users are strongly advised not to click on unsolicited links, even if they look legitimate. Check URLs for indicators of deception, and be suspicious of urgent or threatening messages that ask for immediate action. It is also recommended to contact the company directly at its official email address or phone number to verify the message.

MGM restores casino operations 10 days after ransomware attack.
MGM Resorts' hotel and casino operations were restored 10 days after the devastating ransomware attack. Some sources say MGM has been losing more than US$8 million per day.
Although MGM hotels and casinos are now operating normally, MGM is still working to restore online hotel booking and some MGM Rewards functionality. Furthermore, some MGM workers beg to differ. An alleged MGM employee wrote that employees are significantly affected, that their entire employment information has been hacked into, and that they have not gotten any answers from MGM. Additionally, they have "no schedule…no vacation (PTO) hours…All info pertaining to my 401…Time card and tokes made…Attendance points". MGM has not yet provided any information about what information was compromised in the attack or how much sensitive data may have been stolen by the attackers.

PhilHealth temporarily shuts down systems to contain cyberattack.
In a statement on Saturday, the Philippine Health Insurance Corporation (PhilHealth) informed the public that it had to temporarily shut down some of its systems to contain a cyberattack. It also stated that it is investigating the incident and implementing containment measures. PhilHealth said it will issue an advisory once the affected systems are online again. As of 23 September, its website is inaccessible. The Department of Information and Communications Technology and other concerned agencies are involved in the investigation.

Clorox Company says cyberattack is still disrupting operations.
The Clorox Company, the manufacturer and marketer of bleach and other household cleaning products, has stated that it does not expect operations to return to normal until the end of the month due to "widescale disruption to operations" caused by last month's cyberattack. In its latest update to the SEC, the company stated that it is operating at a "lower rate of order processing" and has only just "begun to experience an elevated level of consumer product availability issues." Clorox also stated that it believes the cybercriminals' activity has been contained.
However, the attack damaged parts of its IT infrastructure, which Clorox is currently repairing while re-integrating the systems that were taken offline. A return to normal automated order processing is scheduled for 25 September. Production has resumed at the vast majority of its manufacturing sites, and full production is expected to return over time. However, Clorox is unable to estimate how long it will take to resume fully normalised operations.

International Criminal Court experiences cyberattack, with hackers accessing its systems.
The International Criminal Court (ICC), the only permanent war crimes tribunal, said it experienced a cyberattack last week in which hackers managed to access its internal systems. The ICC confirmed on Tuesday that it had detected "anomalous activity affecting its information systems" and immediately put security measures in place to respond to the incident and mitigate its impact. Further assistance was provided by the Host Country (the Netherlands) authorities to put additional response and security measures in place. The nature of the incident remains unclear, and it is not yet known whether any data in the ICC's systems was accessed or exfiltrated.

National Student Clearinghouse data breach affects 890 schools.
National Student Clearinghouse, a US educational non-profit, has disclosed a data breach affecting 890 schools across the United States. In a breach notification letter, Clearinghouse stated that the cybercriminals gained access to its MOVEit managed file transfer server and stole files containing personally identifiable information (PII). The stolen PII includes names, birth dates, contact information, social security numbers, student ID numbers, and school-related records such as enrollment records, degree records and course-level data. According to the notification letters, the exposed data varies for each impacted individual.
The list of educational organisations affected by this breach can be found here. Clearinghouse has stated that after learning of the incident, it immediately started an investigation with cybersecurity experts and coordinated with law enforcement.

City of Dallas says Royal ransomware attack compromised its networks using a stolen account.
The City of Dallas, Texas, said that the Royal ransomware attack gained access to the City's network via a stolen domain service account. The attack forced the City to shut down all IT systems in May. Royal had access to the compromised systems between 7 April and 4 May, which allowed the cybercriminals to collect and exfiltrate 1.169TB of files. Royal then deployed the ransomware payloads on 3 May, using legitimate Microsoft administrative tools to encrypt servers. After the attack was detected, the City took high-priority servers offline to impede Royal's progress and began restoring all servers, a process that took just over 5 weeks. The City reported that the personal information of 26,212 Texas residents, and 30,253 individuals in total, was potentially exposed in the attack. The compromised personal information includes names, addresses, social security information, health information, health insurance information, and other such data. The Dallas City Council has set a budget of US$8.5 million for the ransomware restoration efforts, with the final costs to be shared later.

Air Canada discloses data breach: employee data and "certain records" stolen.
Air Canada has disclosed a data breach that occurred this week, in which hackers obtained limited access to its internal systems. The breach resulted in some employee data and "certain records" being stolen. Fortunately, customer data was not accessed, and the airline's flight operation systems and customer-facing systems were not affected.
The airline has contacted affected parties and relevant law enforcement.

Hackers infect Android devices with malware using fake YouTube clones.
The APT36 hacking group has been observed using at least 3 Android apps that mimic YouTube to infect devices with CapraRAT, its signature remote access trojan (RAT). Once the malware is installed on the victim's device, it can harvest data, record audio and video, or access sensitive communications; essentially, it operates as a spyware tool. Since these malicious apps are distributed outside of Google Play, Android users are strongly advised to only download apps from Google Play, Android's official app store. Note that the interface of these malicious apps attempts to imitate Google's real YouTube app, but it resembles a web browser more than the native app.

New sophisticated Deadglyph backdoor malware used against government agencies.
A new and sophisticated backdoor malware, 'Deadglyph', was seen in an attack against a government agency in the Middle East. The malware is attributed to a state-sponsored hacking group from the UAE, Stealth Falcon APT, which has been known for targeting activists, journalists and dissidents for almost a decade. Deadglyph is modular: the operators can create new modules as needed to tailor attacks and push them down to victims to perform additional malicious functionality. ESET believes there are 9-14 different modules but could only obtain 3: a process creator, an information collector, and a file reader. The information collector gathers information such as the victim's operating system, network adapters, installed software, drives, services, drivers, processes, users, environment variables and security software. The process creator executes specified commands as a new process and returns the result to the Orchestrator.
The file reader module reads the content of files and passes it to the Orchestrator, while also giving the operators the option to delete the file after reading. Although ESET was only able to uncover some of the malware's capabilities, it is evident that Deadglyph is a serious threat.

New info-stealing malware 'LuaDream' used to target telcos.
'Sandman', a previously unknown threat actor, is using a modular info-stealing malware, 'LuaDream', to target telecommunication service providers in the Middle East, Western Europe, and South Asia. Sandman's operational style is to keep a low profile to evade detection while performing lateral movement and maintaining long-term access to breached systems, maximising its cyber-espionage operations. SentinelLabs reports that the targeted workstations were assigned to managerial personnel, which indicates an interest in privileged or confidential information. Sandman joins a growing list of advanced attackers targeting telecom companies for espionage using unique, stealthy backdoors that are challenging to detect and stop.

Update your Apple devices now: patches for zero-day flaws used to plant spyware.
On Thursday, Apple released urgent security updates for all Apple devices (iPhones, iPads, Macs, Apple Watch and Safari users) to patch 3 zero-day vulnerabilities (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) that are being actively exploited. It was found that between May and September 2023, attackers exploited these vulnerabilities using decoy SMS and WhatsApp messages to target former Egyptian MP Ahmed Eltantawy. The 3 vulnerabilities, which were discovered by Maddie Stone, form part of an exploit chain used together to gain access to a target's device. The latest update blocks an exploit that was used to plant the Predator spyware on the phone of the former Egyptian MP.
Once planted, Predator spyware can steal the contents of a person's phone; it is often delivered via spoofed text messages that link to malicious websites. The list of affected devices includes a wide range of older and newer device models:
All Apple users are strongly advised to update their devices now.

GitLab urges users to install security updates to patch a critical pipeline flaw.
GitLab has released security updates to address a critical-severity vulnerability (CVE-2023-5009) that allows attackers to run pipelines (a series of automated tasks) as other users via scheduled security scan policies. This could result in attackers accessing sensitive information or abusing the impersonated user's permissions to run code, modify data, or trigger specific events within the GitLab system. Such a compromise is potentially damaging, as it could result in loss of intellectual property, damaging data leaks, supply chain attacks, and other high-risk scenarios. The flaw impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 to 16.2.7, and versions 16.3 to 16.3.4.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
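For the GitLab advisory above, an added inventory check (not code from GitLab or from the original post) that compares the version string an instance reports against the two affected ranges quoted there. It assumes both ranges are inclusive, that versions outside them (such as 16.2.8 or 16.3.5) carry the fix, and that edition suffixes like "-ee" can be ignored; the hostnames in the sample inventory are constructed.

```python
"""Classify GitLab version strings against the CVE-2023-5009 affected ranges.

Added illustration, not GitLab's own tooling. The ranges below are the ones
quoted in the advisory summary above and are treated as inclusive; anything
outside them (e.g. 16.2.8, 16.3.5, 16.4.x) is assumed to be patched.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected), both ends inclusive.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((13, 12, 0), (16, 2, 7)),
    ((16, 3, 0), (16, 3, 4)),
]


def parse_version(text: str) -> Version:
    """Turn '16.2.7', '16.3' or '16.3.4-ee' into a (major, minor, patch) tuple.

    A missing patch component is read as 0, so '16.3' means 16.3.0, the lower
    bound of the second range. Edition suffixes such as '-ee' are ignored.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected_by_cve_2023_5009(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(instances: Dict[str, str]) -> List[str]:
    """Return the names of instances that still need the update, sorted."""
    return sorted(name for name, ver in instances.items()
                  if is_affected_by_cve_2023_5009(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {
        "gitlab-dev.example": "16.3.4-ee",
        "gitlab-prod.example": "16.3.5-ee",
        "gitlab-legacy.example": "15.11.2",
        "gitlab-old.example": "13.11.9",
    }
    for name in triage(inventory):
        print(f"{name}: affected by CVE-2023-5009, update required")
```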
Healthcare data breaches have become not just a concern but a crisis. They inflict substantial financial damage on healthcare organizations and, more alarmingly, they jeopardize the security and privacy of patients. It is the complexity and volume of the health data that healthcare organizations possess, together with healthcare being a critical infrastructure industry, that makes healthcare data breaches among the costliest in any industry. The healthcare sector has been the most expensive industry for data breaches for the 13th year in a row. The average cost of a healthcare data breach reached nearly US$11 million in 2023, a 53% increase since 2020. In this article, we delve into the intricate web of healthcare data breaches, exploring why they are so expensive and the crucial measures healthcare institutions must take to safeguard sensitive patient information.

The Healthcare Data Breach Landscape
The healthcare industry is in the crosshairs of cybercriminals, and for good reason. Electronic Health Records (EHRs) contain a treasure trove of sensitive patient information, including medical histories, Social Security numbers, and insurance details. This has been exacerbated by the increased reliance on EHRs and the shift of more operations to the cloud in recent years, which makes them an attractive target for cybercriminals seeking financial gain through identity theft and fraud. As Loke stated at a conference, healthcare organizations are prime targets because of the sheer volume of data they handle, which exceeds that of any other industry. There has been an alarming rise in cyber threats in the healthcare industry, with healthcare organizations becoming the top targets for ransomware gangs, because cybercriminals see the healthcare industry as a profitable target.
It has been found that in 2022, healthcare organizations experienced 1,426 attacks PER WEEK, a 60% increase from the previous year. This growing trend raises serious concerns about patient safety, data privacy, and the integrity of critical healthcare systems.

Why Is The Healthcare Industry So Vulnerable?
The healthcare industry is among the most vulnerable to data breaches for several reasons.

1. Expanding Attack Surfaces
Since the pandemic, the use of network- and internet-connected devices has accelerated dramatically. The digitalisation of patient data, processes and services has made them easier to access and communicate. However, it also creates more points from which cybercriminals can attack, expanding the attack surface. This has made the healthcare industry an even more attractive target for cybercriminals and more vulnerable to data breaches.

2. Complex Supply Chains
The healthcare system is a highly complex supply chain that includes a myriad of products and services, such as scanning machines and CRM appointment software. This extensive network of medical devices (a hospital can have thousands of them) and services makes security practices tougher to incorporate. What is so dangerous about this network is that each device or service acts as a potential weak point for cybercriminals to attack. Compromising just one device can be enough to reach the whole network, from which cybercriminals can breach your data and take over your medical devices.

3. Outdated Medical Devices
Many medical devices play a critical role in modern healthcare, but they also increase the entry points for attacks. Medical devices are developed to fulfil specific roles, such as dispensing drugs or scanning the body; cybersecurity and patient data protection are therefore not the primary concern in their design.
Although these devices do not hold patient information, cybercriminals tend to use them as an easy gateway to launch an attack on a server that does hold valuable information, because medical devices tend to lack the security that laptops and computers have. Worse, by completely taking over a medical device and preventing its proper use, cybercriminals can disrupt a healthcare organization's operations and hinder life-saving treatments for patients.

4. Lagging in Cybersecurity

In terms of cybersecurity, the healthcare industry lags behind other critical infrastructure industries such as the financial and manufacturing sectors, both of which are built around securing data and patient information. This is evident in the healthcare sector being ranked lowest in several cybersecurity domains: it had the second-lowest score in identity management security and the lowest in network security and in sensitive data and information management. This is further corroborated by a report which found that not-for-profit healthcare organizations are at a "very high risk" of cyberattacks, and corporate healthcare organizations at a "high risk".

5. Dependency On Third Parties

The healthcare industry has a wide array of third-party partners, including vendors and other agencies, that have access to its systems. As the industry becomes more reliant on these services, it opens up more attack surfaces for cybercriminals to target. This is evident from the fact that 17% of healthcare breaches occurred due to a third party being compromised. Recently, many organizations have been breached through the MOVEit attacks via their third-party vendors.
Examples include 612,000 Medicare beneficiaries exposed when a Medicare contractor was hit by the MOVEit attack, and 4 million Coloradans' medical data exposed when a contracting company was exploited by the MOVEit attack.

6. Overstretched, Overworked Staff

The majority of data breaches are due to human error and unauthorized disclosure. With the workload and stress that hospital workers go through, it is not surprising that for many, cybersecurity is not top of mind. People may also use shortcuts to work more efficiently, which results in sloppy practices such as keeping passwords on a sticky note stuck to their monitor or using easily guessable passwords.

The Expensive Toll of a Data Breach in Healthcare

Healthcare data breaches exact a multifaceted toll on organizations, encompassing financial, reputational, and regulatory consequences:

1. Financial Fallout
2. Reputational Damage
3. Regulatory Scrutiny

Healthcare organizations are subject to strict regulations and compliance standards, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). These regulations mandate the protection of patient data and hold organizations accountable for security breaches. Failure to comply with these regulations can result in severe legal and financial consequences.

Best Practices To Protect Patient Data & Healthcare Systems

1. Implement Robust Security Measures

Healthcare institutions should deploy multi-layered security measures, including:
2. Regular Employee Training

Healthcare personnel must be well-informed about cybersecurity best practices.
3. Incident Response Plans

Healthcare organizations should develop comprehensive incident response and recovery plans to minimize the impact of cyber attacks.
4. Endpoint Security & Backups
5. Compliance

Adhere to your country's and your industry's standards and regulations, such as the General Data Protection Regulation (GDPR) for the former and the Health Insurance Portability and Accountability Act (HIPAA) for the latter. These regulations mandate the protection of patient data and hold organizations accountable for security breaches. Failure to comply with them can result in severe legal and financial consequences. Also ensure that you maintain a culture of compliance within the organization, as this minimizes not only the possibility of a data breach but also the severe legal and financial consequences you might otherwise face.

Takeaway

Healthcare data breaches come at a high cost, both financially and in terms of patient trust. To protect sensitive patient information and the financial health of their institutions, healthcare organizations must make data security a top priority. The proactive measures discussed in this article are not just good practices; they are essential defenses against the costly consequences of data breaches in the healthcare sector. In a world where data is king, safeguarding it is paramount.

Cyber Security For Healthcare with TAFA

Healthcare organizations are top targets for cyber threat actors, and they are facing increasingly sophisticated cyber threats. To protect against these threats, it is necessary to utilize cybersecurity solutions that can prevent zero-day and advanced cyber threats and help ensure regulatory compliance. With our prevention-first and zero-trust approach to security using machine learning (ML) and artificial intelligence (AI), TAFA Shield will strengthen your company's ability to prevent and block cyber attacks and threats. To learn more about TAFA Shield and how we can help your company, do not hesitate to contact us for more information.
Last week, more data breaches, cyberattacks and ransomware attacks occurred across several industries, some with even more devastating consequences. TikTok has been fined by the EU, and a new attack has been discovered that can steal numerical passwords over Wi-Fi. Furthermore, new vulnerabilities have been found and patches released. It is highly recommended not only to be aware of them but also to apply the updates when possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Facebook Messenger phishing campaign targets roughly 100,000 business accounts per week.

Threat actors are using fake and compromised Facebook accounts to send out roughly 100,000 Messenger phishing messages per week to Facebook business accounts, aiming to infect them with password-stealing malware. The targets are tricked into downloading a RAR/ZIP archive containing a stealer that grabs cookies and passwords stored in the victim's browser. Guardio Labs researchers warn that roughly 1 out of 70 targets will ultimately be compromised. The researchers also found that these phishing messages are sent mainly to Facebook users in North America, Europe, Australia, Japan and Southeast Asia. Guardio Labs also reports that approximately 7% of all Facebook business accounts have been targeted, with 0.4% having downloaded the malicious archive.

MGM Resorts hit by cyberattack and forced to shut down IT systems.

MGM Resorts International disclosed on 11 September that they had identified a "cybersecurity issue" affecting some of their systems, including their main website, online reservations, and in-casino services such as ATMs, slot machines, and credit card machines. After detecting the issue, they shut down certain systems to protect their systems and data. The outage appears to have started on Sunday night, when computer systems in the resorts went down. All MGM websites that use the same domain name as the main one (mgmresorts.com) were offline for hours. The MGM Rewards app was also not working, displaying a persistent error message. Furthermore, it was reported that some guests' room keys were not working, and slot machines displayed a "temporarily unavailable" message. MGM has stated that they have begun an investigation and have notified relevant law enforcement.
These issues still persisted on Friday, with booking still unavailable and MGM Resorts offering penalty-free room cancellations through 17 September.

Casino giant Caesars confirms data breach and ransom payment for stolen customer data.

Caesars Entertainment, one of the largest U.S. casino chains, has stated that they paid a ransom to prevent customers' data stolen in a data breach from being leaked online. A Wall Street Journal report says that Caesars paid roughly US$15 million, half of the attackers' initial demand of US$30 million. Caesars stated that the attackers stole their loyalty program database, which stored customers' driver license numbers and Social Security numbers, although they added that there is "no evidence that any member passwords/PINS, bank account information or payment card information (PCI) were acquired by unauthorized actors." The company also highlighted that customers not enrolled in Caesars' loyalty program were not impacted by the data breach, and that they will notify all affected customers over the coming weeks. The company also stated that they have notified relevant law enforcement and begun an investigation into the cyberattack. Although Caesars did not link the attack to a specific cybercrime gang or actor, a Bloomberg report claimed that the attack was conducted by Scattered Spider, a financially motivated threat group that uses a combination of social engineering, multi-factor fatigue, and SMS credential phishing attacks to steal user credentials and breach targets' networks. This is the second casino chain impacted by a cyberattack recently, with MGM Resorts International being impacted earlier this week, as seen above.

Airbus data breached, employees' information stolen.

Airbus, the aerospace giant, has suffered a data breach through a third-party vendor.
Hudson Rock, a cybercrime intelligence company, published evidence that a cybercriminal going by "USDoD" posted the personal information of 3,200 Airbus vendors on a hacking forum. The leak seems to be a simple data dump. USDoD also explained that they had managed to access the information by exploiting a Turkish airline employee's access. From this, the Hudson Rock team managed to trace the intrusion to a Turkish computer infected with information-stealing malware in 2023. They also provided evidence that the infected computer belongs to "an employee of Turkish Airlines, and contains 3rd party login credentials details for Airbus." The computer became infected through an attempt to download an unauthorized version of Microsoft software. Airbus told The Register that they had launched an investigation, stating that an account associated with an Airbus customer had been attacked, but did not confirm the identity of said customer. Furthermore, they have taken follow-up measures to prevent the compromise of their systems.

Dymocks confirms 1.2 million customers' information was shared on the dark web after last week's data breach.

In an email sent to customers on Friday, Dymocks confirmed that 1.24 million customers' information was stolen and made available on the dark web, although investigations are still ongoing. Dymocks also confirmed that the stolen information includes customers' names, birthdates, email addresses, postal addresses, gender, and membership details for Booklovers (such as account status and card ranking). Mark Newman, Dymocks' CEO, also reiterated that no customer passwords, identification, or highly sensitive information such as payment information or credit card details were published on the dark web. The email also stated that the data breach appears to have occurred through the compromise of an external data partner's systems. Dymocks' customers are urged to remain vigilant against potential fraud and scams.
Cyberport data breached: staff and job applicants' data stolen and leaked.

Cyberport, the Hong Kong tech hub, apologized on Thursday after a data breach led to sensitive staff information being offered for sale on the dark web. The files stolen in the mid-August cyberattack included personal data of staff, former employees and job applicants, as well as credit card records. The leaked personal information includes individuals' names, phone numbers or email addresses, identity card numbers, birth dates, social media accounts, academic and bank account details, and health information. Cyberport has begun an investigation into the extent of the data leak and has pledged to invest the resources needed to strengthen network security. Cyberport CEO Peter Yan King said in a media briefing that the data breach was confined to "some information stored in some parts of some servers", maintained that there are no system-wide security loopholes, and said there is no evidence of human error in the data breach. The cybercriminals reportedly demanded that Cyberport pay US$30,000 for the return of the data by Tuesday, or the data would be sold on the dark web.

Shell: Australian BG Group affected by MOVEit breach.

Shell announced on Friday that they had identified a cybersecurity incident involving some employees at Australia's BG Group, the latest company to be affected by the MOVEit breach. Shell identified unauthorized access to some personal information of the affected individuals and has made attempts to notify them. Shell stated that although the compromised data is from 2013 and some of it may be out of date, there is still a risk of identity theft for the impacted individuals, who could also be targeted by phishing campaigns. A person with direct knowledge said that Shell began informing affected employees in early July.

Rollbar discloses data breach: customer access tokens stolen.
Rollbar, a software bug-tracking company, disclosed a data breach after unknown threat actors hacked into their systems in early August and gained access to customer access tokens. Rollbar discovered the breach on 6 September while reviewing their warehouse logs, finding that a service account had been used to log into the cloud-based bug monitoring platform. Once inside Rollbar's systems, the threat actors searched the company's data for cloud credentials and cryptocurrency wallets. Rollbar stated that once they became aware of this access, they disabled the service account and started an investigation. The investigation so far has found that the attackers accessed sensitive customer information, including usernames, email addresses, account names, and project information such as environment names and service link configuration. More importantly, customers' project access tokens were stolen. The company has stated that access tokens allowing access to Rollbar project data have been expired, and those allowing data to be sent to an active project will expire in 30 days.

ORBCOMM ransomware attack causes service outage, disrupting trucking fleet management.

ORBCOMM, a trucking and fleet management solutions provider, confirmed that a ransomware attack caused the recent service outages that have prevented trucking companies from managing their fleets. ORBCOMM customers have reported that since 6 September they have been unable to track their transported inventory or use Blue Tree Electronic Logging Devices (ELD), forcing truckers to switch to paper logs. After being contacted by BleepingComputer, ORBCOMM stated that they have experienced a ransomware attack which has temporarily impacted their FleetManager platform and BT product line. They also said that all other systems and service offerings are fully operational. However, due to the ongoing investigation, no further information could be shared.
On 15 September, the US Federal Motor Carrier Safety Administration issued a waiver allowing truckers to continue using paper logs until the service is restored, and no later than 29 September.

Ransomware attack exposes Manchester Police officers' personal data.

UK Greater Manchester Police (GMP) stated on 14 September that some of their employees' personal information was affected by a ransomware attack on a third-party supplier, which also supplies other organizations across the UK. GMP does not believe that the compromised data includes financial information. However, GMP did not provide details on what types of information might have been compromised in this attack.

Data from the Academy of Medicine, Singapore leaked on the dark web.

The Academy of Medicine, Singapore (AMS) had their servers hit by a ransomware attack, which they discovered on 13 July. Last Sunday (11 September), the personal information of some 50 doctors, including senior figures in the medical fraternity, was put up on the dark web for free. The affected doctors include both locals and foreigners, ranging from the academy's directors to its teachers and students undergoing advanced specialist training in Singapore. The 13.69GB database includes NRIC numbers, home addresses, log-in credentials for AMS' social media accounts, and a list of AMS' staff and their mobile phone numbers. The staff contact list was correct as of May, and there is an earlier version from 2019 in a folder labeled "To be deleted". The folder also contains a 2021 contract listing the recipient's home address, and 5 letters dated 23 March 2022 showing the recipient's home address. Another folder contains letters from Brunei's Public Service Department outlining the allowances that 7 Bruneian doctors would receive as they undergo specialist training in Singapore.
AMS immediately took their servers offline once they discovered the compromise. They also immediately started working with cybersecurity and legal experts to review and strengthen their cybersecurity infrastructure while investigations were ongoing. AMS have also alerted the relevant law authorities, and informed their members and individuals who have had dealings with the academy about the data breach.

EU fines TikTok €345 million over child data breaches.

Ireland's Data Protection Commission (DPC) has hit TikTok with a €345 million fine for child data breaches, and has given TikTok 3 months to bring their processing into compliance with the regulations. The DPC began examining TikTok's compliance with GDPR in relation to platform settings and personal data processing for users under 18. The DPC also looked at TikTok's age verification measures for people under 13 and found no infringement there, although it did find that TikTok did not properly assess the risks to younger people registering on the platform. The DPC emphasized in its ruling that when children sign up on TikTok, their accounts are set to public by default, which allows anyone to view or comment on their content. The DPC also criticized TikTok's "family pairing" mode, in which the parent or guardian status was not verified by the platform. In response to the fine, TikTok "respectfully disagrees" with the verdict and is evaluating how to proceed. A TikTok spokesperson said that the DPC's criticisms focused on settings and features from 3 years ago, and that the company had made changes long before the investigation began, such as setting all under-16 accounts to private by default. TikTok also insists it closely monitors the age of its users and takes action when needed: the platform says it deleted almost 17 million accounts globally in the first 3 months of 2023 on suspicion that they belonged to people under 13.
Associated Press warns that AP Stylebook breach led to phishing attack.

The Associated Press warns that an old third-party AP Stylebook site (no longer in use) was breached, allowing 224 customers' data to be stolen and then used to conduct phishing attacks. The stolen data includes customers' names, email addresses, street addresses, city, state, zip code, phone number and user ID. For customers who entered tax-exempt IDs such as Social Security numbers or employer identification numbers, those have been stolen as well. Once AP learnt of the phishing attack, they took the old site offline to prevent further attacks. At the end of July, the company started alerting AP Stylebook customers to the phishing attacks, warning of emails from 'support@getscore.my[.]id' with a subject similar to "Regarding AP Stylebook Order no. 07/20/2023 06:48:20 am". AP also requires all AP Stylebook customers to reset their passwords.

New WiKI-Eve attack steals numerical passwords over WiFi.

WiKI-Eve, a new attack, can deduce individual numeric keystrokes with an accuracy of up to 90%, enabling the theft of numerical passwords by intercepting the cleartext transmissions of smartphones connected to modern WiFi routers. It does so by exploiting beamforming feedback information (BFI), which allows devices to send feedback about their position to routers so the routers can direct their signals more accurately. Because this data is sent in cleartext, it can be intercepted and readily used without needing to crack an encryption key or carry out hardware hacking. This security gap was discovered by a team of university researchers in China and Singapore. What they found:
CISA: Government agencies are to patch security vulnerabilities to secure iPhones against spyware attacks.

The U.S. CISA has ordered federal government agencies to patch, by 2 October 2023, security vulnerabilities that are being exploited as part of a zero-click iMessage exploit chain that infects iPhones with NSO Group's Pegasus spyware. This warning comes after Citizen Lab disclosed that the 2 flaws (tracked as CVE-2023-41064 and CVE-2023-41061) were used to compromise fully patched iPhones belonging to a Washington DC-based civil society organization. Citizen Lab also warned Apple customers to apply the emergency updates issued on Thursday immediately, and urged individuals who are susceptible to targeted attacks to enable Lockdown Mode. The list of impacted devices is extensive, as the flaws affect both older and newer devices:
Adobe warns of zero-day vulnerability in Acrobat and Reader exploited in attacks.

Adobe has released security updates to patch a zero-day vulnerability (tracked as CVE-2023-26369) in Acrobat and Reader that is being exploited in cyberattacks. The vulnerability affects both Windows and macOS systems. Adobe has classified it with its maximum priority rating and strongly recommends that administrators install the update as soon as possible, ideally within a 72-hour window. The affected products and versions are:
Adobe has also addressed further security flaws in Adobe Connect (tracked as CVE-2023-29306 and CVE-2023-29306) and Adobe Experience Manager (tracked as CVE-2023-38214 and CVE-2023-38215). These flaws can be exploited to access cookies, session tokens or other sensitive information stored in victims' web browsers.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
The Importance of Regular Backups in Enhancing Cybersecurity (In Short: It's Super Important!)

15/9/2023

In today's digital age, our lives are entwined with technology, and our data is the lifeblood of our online existence. From cherished family photos to critical business documents, the data we generate and rely on is vulnerable to a myriad of cyber threats that lurk around every digital corner. One often-overlooked practice stands as a stalwart defender of your digital assets: regular backups. Imagine it as a shield that guards your data, an insurance policy against the unexpected.
In this article, we'll uncover the vital role that regular backups play not only in preserving your digital data but also in bolstering your overall cybersecurity posture.

The Digital Vulnerability Conundrum

The digital era has ushered in unparalleled convenience and connectivity, but it has also birthed a new breed of threats. From ransomware attacks that hold your data hostage to hardware failures that can wipe out years of work in an instant, the digital realm is fraught with dangers. This is especially evident in recent reports on the rise of ransomware: the Cyber Security Agency of Singapore (CSA) released a publication on the increased threat of phishing and ransomware to organizations and individuals, and a Thales report found that 48% of IT professionals reported an increase in ransomware attacks in 2023. It is also evident from the many news stories of companies such as CloudNordic having their servers and customers' data wiped out by cybercriminals, who encrypted it when the ransom was not paid. As you can see, cyber threats are not cooling down; on the contrary, there seems to be a spike. Hence, we not only have to raise awareness of this worrying trajectory but also start acting on it to protect our digital assets.

Every Business Needs A Backup Strategy: Smaller Doesn't Mean You Get Off The Hook

Unfortunately, many small businesses believe they will never be targeted by cybercriminals because they are too small. In reality, this is not the case: cybercriminals actually tend to target small businesses, seeing them as an easy target and an easy payday. Make no mistake, companies of every size are vulnerable to cyberattacks. This is especially true with cybercriminals using phishing and social engineering attacks as entry points, targeting human vulnerabilities with highly sophisticated and personalized messages that trick people into divulging confidential information or granting unauthorized access.
The Backup Paradox: A Simple Solution to Complex Problems

Consider regular backups your digital superhero, silently working in the background to keep your data safe. Regular backups are the digital equivalent of secure vaults that house duplicates of your most cherished digital assets. They are copies of your data stored in a secure location, shielded from the chaos of the digital wilds. Backups protect your data against virus attacks, hardware failure, human error, and even natural disasters.

1. Resilience Against Ransomware

Ransomware, the menacing digital extortionist, encrypts your data and demands a ransom for its release. According to Veeam, organizations attacked in 2021 reported that on average they were only able to recover 69% of their data. With regular backups, you can turn the tables on these cybercriminals. If your data is held hostage, you can simply wipe the affected system clean, restore your data from the backup, and continue without yielding to the extortionists' demands. However, it is important to note that while regular backups are a vital safeguard, they should NOT be your only safeguard. It is also essential to keep backups separate from the main network (some companies fail to do so). Why? Because sophisticated cybercriminals are finding pathways to businesses' backups after breaching their network.

2. Protection From Hardware Failures

Hard drives can fail, and computers can crash. Without backups, this could spell disaster, resulting in the loss of valuable personal or business data. Regular backups create a safety net, allowing you to recover swiftly from hardware failures and continue your digital journey uninterrupted.

3. Defense Against Data Corruption

Data corruption can silently creep in and wreak havoc on your files. Backups ensure that you have clean, uncorrupted copies of your data that can be restored at a moment's notice.

4. Protection From Accidental Deletion

We've all experienced that sinking feeling when we accidentally delete an important file. Regular backups serve as a safety net, enabling you to recover files that you thought were lost forever.

5. Cybersecurity Contingency

In a world where cyber threats evolve continuously, backups are your cybersecurity contingency plan. They provide a safety net, an emergency exit strategy, when faced with digital disasters.

Best Practices For Regular Backups
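Restoring after ransomware and keeping clean, uncorrupted copies, both discussed above, rest on one check that is easy to skip: knowing the backup itself has not been touched before you write it back over live data. As an added example that is not part of the original post, the Python script below records a SHA-256 manifest when a backup is written and refuses to restore if any file no longer matches it; every file name and content in it is constructed for the demonstration.

```python
# Added example, not part of the original post: a minimal backup-integrity check.
# When a backup is written, a SHA-256 manifest of every file is recorded. Before
# a restore, the hashes are recomputed; if ransomware or disk corruption has
# touched the backup copy, the manifest no longer matches and the restore is
# refused, so a damaged copy is never written back over live data.
# All file names and contents below are constructed for the demonstration.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup: Path) -> dict:
    """Copy every file under `source` into `backup` and write a hash manifest."""
    backup.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dst = backup / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        manifest[rel] = sha256_of(dst)  # hash the copy that is actually stored
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup: Path) -> list:
    """Return a list of problems; an empty list means the backup is intact."""
    manifest_path = backup / MANIFEST_NAME
    if not manifest_path.exists():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, expected in manifest.items():
        f = backup / rel
        if not f.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(f) != expected:
            problems.append(f"hash mismatch: {rel}")
    # Files in the backup that the manifest never listed are suspicious too
    # (for example a ransom note dropped next to encrypted copies).
    for f in backup.rglob("*"):
        rel = f.relative_to(backup).as_posix()
        if f.is_file() and f.name != MANIFEST_NAME and rel not in manifest:
            problems.append(f"unexpected file: {rel}")
    return problems


def restore_backup(backup: Path, target: Path) -> bool:
    """Restore only if the backup verifies cleanly; return True on success."""
    if verify_backup(backup):
        return False
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    for rel in manifest:
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dst)
    return True


def run_demo() -> dict:
    """Constructed scenario: back up two files, restore them, then simulate the
    backup copy being hit by ransomware and show the restore is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup = root / "live", root / "backup"
        (source / "notes").mkdir(parents=True)
        (source / "records.csv").write_text("id,name\n1,alice\n")
        (source / "notes" / "todo.txt").write_text("renew certificates\n")

        create_backup(source, backup)
        clean = verify_backup(backup)
        first_ok = restore_backup(backup, root / "restored")
        same = (root / "restored" / "records.csv").read_text() == "id,name\n1,alice\n"

        # Attacker reached the backup copy: overwrite a file and drop a note.
        (backup / "records.csv").write_bytes(b"\x00ENCRYPTED\x00")
        (backup / "README_RESTORE.txt").write_text("pay us\n")
        tampered = sorted(verify_backup(backup))
        second_ok = restore_backup(backup, root / "restored2")
        return {"clean_problems": clean, "first_restore_ok": first_ok,
                "restored_matches": same, "tampered_problems": tampered,
                "tampered_restore_ok": second_ok}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest only has value if it is stored where the attacker who reached the backup cannot rewrite it, which is the same reason the text above insists on keeping backups off the main network.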
Takeaway

In an increasingly digital world where data is the new currency, regular backups are the guardians of your digital fortress, no matter the size of your business or whether you are just an individual. They offer a lifeline in the face of cyber threats and hardware disasters. Making backups a routine part of your digital hygiene is not just good practice; it's an essential pillar of modern cybersecurity. So remember to back up regularly, back up wisely, and safeguard your digital world from the uncertainties of the digital frontier. Your data, and your peace of mind, will thank you for it.
What is Ransomware as a Service (RaaS)? Unmasking The Dark Side Of Cybercrime-as-a-Business

13/9/2023

In the world of cybercrime, malicious actors are always on the lookout for new ways to profit from their nefarious activities. One such innovation is Ransomware as a Service (RaaS), a chilling concept that has transformed ransomware attacks into a sinister form of cybercrime business. In this article, we will delve into the intricate web of RaaS, unraveling what it is, how it operates, and the implications it holds for the digital world.

What is Ransomware as a Service (RaaS)?

Ransomware as a Service (RaaS) is a malicious business model that allows cybercriminals to distribute ransomware through a subscription-based service. Basically, it allows buyers, called affiliates, to pay to launch ransomware attacks. Rather than developing their own ransomware strains and infrastructure, affiliates can rent or purchase ready-made ransomware kits from darknet marketplaces. This ominous innovation has lowered the entry barriers into the world of cyber extortion, allowing even those with limited technical expertise to become ransomware operators. Hence, RaaS is one of the prominent reasons for the rapid growth of ransomware attacks worldwide. The RaaS operations model makes it much easier for anyone to carry out a ransom campaign, as it provides affiliates with expert-level software to encrypt files and 24/7 software support.

How Dangerous is RaaS?

Ransomware as a cyber threat continues to grow rapidly in 2023. Ransomware attacks have continuously increased, with one report showing that 1 in 31 organizations worldwide experienced a ransomware attack weekly over the first quarter of 2023. According to Corvus research, the number of ransomware attacks increased by roughly 180% in June 2023 compared to the same month last year. Furthermore, Cyberint reported a 67% increase in ransomware cases in Q2 2023 compared to Q1.
Compared to Q2 2022, there was a 97% increase in ransomware cases.

How Does RaaS Work?

The mechanics of RaaS are as unsettling as they are efficient.
Below are the 4 common RaaS revenue models:

While payment details vary depending on the RaaS revenue model, affiliates tend to take a significant cut of the ransom (typically 70-80%). Below are the 4 common ways profits can be split.
Implications & Challenges

RaaS presents several concerning implications:
Best Practices To Defend Against Ransomware & RaaS
Takeaway
Ransomware as a Service (RaaS) represents a disturbing evolution of cybercrime, democratizing the ability to conduct ransomware attacks. As individuals and organizations grapple with this growing threat, staying informed and implementing robust cybersecurity measures is paramount. By understanding the insidious nature of RaaS, we can collectively work toward a safer digital landscape, one that is less susceptible to the dark designs of cybercriminals operating in the shadows of the web.

Securing Your Organization With TAFA
With the current cyber environment, organizations are facing increasingly sophisticated cyber threats such as the MOVEit theft-attack. To protect against these threats, it is necessary to utilize cybersecurity solutions that can prevent zero-day and advanced cyber threats, and help ensure regulatory compliance. With our prevention-first and zero-trust approach to security using Machine Learning (ML) and Artificial Intelligence (AI), TAFA Shield will strengthen your company's ability to prevent and block cyber attacks and threats. Not only do we protect your endpoints, but we also proactively detect and respond to cyber threats, provide managed SOC services to further improve your security posture, and lastly provide you with professional cybersecurity services that deliver guidance, support and expertise in designing, implementing and managing cybersecurity solutions tailored to your specific needs. Furthermore, with our comprehensive customized vulnerability assessment and penetration testing (VAPT) service, not only do we ensure the safety and security of your organization’s operations and data, but we also ensure that you will meet the required industry and regulatory compliance requirements. To learn more about TAFA Shield and our VAPT service, and how we can help your company, do not hesitate to contact us for more information.
Last week, more cyberattacks and data breaches occurred across several industries, with some having even more devastating consequences. Members of the TrickBot/Conti ransomware group were sanctioned by the US and UK, and a hacking device has been found to be capable of launching iOS Bluetooth spam attacks. Furthermore, new malware variants, vulnerabilities and patches have also been found, and it is highly recommended not only to be aware of them but also to apply the patches when possible.
Read on to receive a quick summary of what happened this week in the space of cybersecurity.

Johnson & Johnson patients compromised by IBM data breach.
Johnson & Johnson Health Care Systems (“Janssen”) has informed its Carepath customers that a 3rd-party data breach involving IBM has compromised their sensitive information. IBM, a technology service provider, manages the Carepath application and database. Janssen stated they became aware of a security gap that could give unauthorized access to the Carepath database. Upon investigation, it was found that unauthorized users accessed sensitive information such as Carepath users’ full names, contact information, birth dates, health insurance information, medication information, and medical condition information. Luckily, social security numbers and financial account data were not compromised, as they were not kept in the breached database. Impacted Carepath users include those who enrolled in Janssen’s online services before 2 July 2023. The compromised data can be used for highly effective phishing and scamming attacks. Furthermore, this data could be sold on dark web markets due to the high value of medical data. IBM also published a statement that there are no indications that the stolen data has been misused. IBM is offering 1 year of credit monitoring free of charge to all impacted individuals to protect them from fraud. It is highly recommended for impacted customers to remain vigilant, closely monitor their account statements for suspicious activity, and stay alert to phishing and scamming attacks.

Chipmaker NXP confirms data breach: Customers’ information compromised.
NXP Semiconductors, a Dutch chipmaker, has alerted customers via email to a data breach involving their personal information. Customers affected appear to be individuals with an online NXP account, which provides access to technical content and community support. An NXP spokesperson confirmed in a statement that an unauthorized party had acquired “basic personal information” from a system connected to NXP’s online portal. Data compromised included customers’ full names, email addresses, postal addresses, business phone numbers, mobile phone numbers, company names, job titles and descriptions, and communication preferences. However, NXP declined to state how many customers were impacted or to elaborate on the nature of the breach. In the email sent to affected customers, NXP recommends users be wary of unsolicited communications requesting personal information or containing links.

Researchers fear hackers may be breaking into keys stolen in LastPass breach.
Some researchers believe that hackers may have cracked the LastPass vaults compromised in a data breach last year. An investigation showed that longtime cryptocurrency investors and security-minded individuals (about 150 in total) were collectively robbed of more than $35 million worth of cryptocurrency. Interestingly, none appeared to suffer the attacks that tend to precede a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone. Researchers found that the common factor among these victims was that nearly every victim had previously used LastPass to store the private key needed to unlock access to their cryptocurrency investments.

Traderie, in-game trading marketplace, alerts users to data breach.
Traderie, a website owned by Akrew that allows users to trade and sell in-game items from a range of games, has alerted users to a data breach that has compromised their personal information. In an email sent to affected users, the company stated that an unauthorized party had acquired “some data from your account”. The incident also affected Akrew’s Nookazon website, which allows gamers to trade and sell in-game items from Animal Crossing: New Horizons. In the email, Traderie did not state which user data had been accessed or how many individuals were impacted by the breach. A post on BreachForums, a hacking forum, claims to have more details about the breach. In a post published in early August, a user called “victim” claims that as many as 2.6 million Traderie users are impacted by the breach, and said the compromised information includes email addresses, IP addresses and online identifiers for various services such as Discord, TikTok, Roblox, Xbox Live, Apple, Google and more. The user also claims that the compromised information includes some Stripe information, which Traderie uses for processing payments, including customers’ IDs and subscription statuses. However, a statement from Traderie did note that they do not “directly store passwords and any financial information handled by payment platform Stripe.”

Dymocks, Australian bookstore chain, warns customers of possible data breach.
Dymocks, an Australian bookstore chain, has warned customers of a possible data breach that might lead to the exposure of their personal information on the dark web. In an email sent to members on Friday, Mark Newman, the managing director, stated that an unauthorized party was detected on Wednesday and may have had access to some of their customers’ records. Troy Hunt reports that Dymocks’ customer data has been circulating in various Telegram channels and hacking forums since at least June 2023. Customers were warned that leaked information could include their email addresses, phone numbers, postal addresses, gender, birth dates, and membership details. Newman stated that an investigation was launched as soon as the breach was detected; however, cybersecurity experts have found evidence of discussions pertaining to customer records being available on the dark web. Fortunately, initial indications from their investigation show that passwords and financial information have not been compromised. Dymocks apologized, stated they are unsure how many customers were impacted, and promised to update those affected. However, Have I Been Pwned has confirmed that the data leaked online consists of 1.2 million user records for 836,120 unique Dymocks accounts.

W3LL phishing kit that can bypass MFA compromised more than 8,000 Microsoft 365 corporate accounts.
Security researchers found that W3LL’s custom phishing kit, which consists of 16 tools that allow attackers to carry out phishing attacks, was used to conduct about 850 phishing campaigns between October 2022 and July alone, targeting credentials for more than 56,000 Microsoft 365 accounts. Via this phishing kit, which can bypass MFA (multi-factor authentication), more than 8,000 Microsoft 365 corporate accounts were compromised. Some have deemed the W3LL Panel one of the most advanced phishing kits, not only in its technicality but also because its service covers almost the entire BEC (business email compromise) chain of operations. This means that they offer solutions for BEC attacks from the initial stage of selecting victims and phishing baits to the delivery of phishing emails to the victims’ inboxes.

The Coffee Meets Bagel cyberattack caused a recent worldwide outage.
Coffee Meets Bagel, a dating platform, confirmed that last week’s worldwide outage was because cybercriminals breached the company’s systems and deleted the company’s data. This left their production servers no longer able to operate correctly. The outage resulted in users being unable to coordinate planned dates or continue communication with their matches. The service has been back online since 3 September, with the company extending chats by 7 days and subscriptions by 14 days. They have also notified relevant law enforcement about this cyberattack. The company has asked all users to log back into the system, as it had automatically logged all users out at the time of the attack.

Sabre data breach: Dunghill Leak group claims responsibility.
Sabre, a travel booking giant, stated they are aware of the data exfiltration claims made, and are currently investigating to determine their validity. The Dunghill Leak group claimed responsibility for the apparent cyberattack by listing it on their data leak site, and claimed to have taken about 1.3 terabytes of data, which includes databases on ticket sales, passenger turnover, employees’ personal data and corporate financial information. The group also posted some of the files they allegedly stole, and claimed that the full cache will be made “available soon”. From some of the screenshots seen by TechCrunch, there were several database names relating to booking details and billing which contain tens of millions of records. Furthermore, there were screenshots containing records of employees, which include email addresses and their work locations. One screenshot contained employee names, nationalities, passport numbers, and visa numbers. Other screenshots also show several US I-9 forms of employees.

US and UK sanction 11 members of TrickBot and Conti ransomware group.
The US and UK sanctioned 11 Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations. The group’s cybercrime activities led to the theft of $180 million globally, and targeted hospitals, schools, local authorities and businesses. These sanctions are in addition to the 7 TrickBot/Conti members sanctioned in February. As part of these sanctions, all US and UK organizations are banned from conducting financial transactions with these individuals. This includes paying ransom demands.

New Mirai variant spotted infecting low-cost Android TV set-top boxes.
A new Mirai malware botnet variant has been discovered infecting inexpensive Android TV set-top boxes used by millions for media streaming. Primary targets are low-cost Android TV boxes such as the Tanix TX6 TV Box, M10 Pro 6K and H96 MAX X3, which are capable of launching powerful DDoS attacks even in small swarm sizes. Dr.Web reports that the malware is introduced on the devices either via a malicious firmware update signed with publicly available test keys or via malicious apps on domains targeting users interested in pirated content. They also report that the malware can perform DDoS attacks, open a reverse shell, mount system partitions for modification, and more.

Google: State hackers targeting security researchers using zero-day flaw.
Google’s Threat Analysis Group (TAG) states that North Korean state hackers are targeting security researchers using at least 1 zero-day flaw in an undisclosed popular software product. It is currently undisclosed as the vendor is likely still in the process of patching the vulnerability. Researchers attacked in this campaign are involved in vulnerability research and development. Attackers utilize Mastodon and Twitter to contact targets, and after establishing a relationship and moving to secure communications (such as Signal, Wire or WhatsApp), the attackers send them malicious files designed to exploit the zero-day. This leads to the sending of collected information (including screenshots) to the attackers’ command and control servers.

Flipper Zero, a hacking device, can be utilized to launch iOS Bluetooth spam attacks.
Flipper Zero is a small device that can perform wireless attacks on devices in its range, such as iPhones, car key fobs, contactless and RFID cards. This attack is essentially a denial of service, whereby hackers can use the device to spam your iPhone with annoying pop-ups to connect to a nearby AirTag, Apple TV, AirPods or other Apple devices, which can make an iPhone nearly unusable. The exploit worked on iPhones whether Bluetooth was enabled or switched off in the Control Center, but did not work when Bluetooth was fully switched off from the Settings.

Apple fixes zero-day bugs used to plant Pegasus spyware.
Apple released security patches on Thursday for 2 zero-day vulnerabilities exploited in attacks where victims don't have to tap or click anything for the malware to be introduced to their devices. Citizen Lab, an internet watchdog group that investigates government malware, found that the vulnerabilities were used to deliver NSO Group’s malware (known as Pegasus). They stated that the exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim. It is highly recommended for all iPhone users to update their phones.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
In the ever-evolving landscape of cyber threats, ransomware stands out as one of the most insidious and damaging forms of malware. Ransomware has quickly become one of the most prominent types of malware, and it has become a growing problem for both individuals and organisations. A ransomware attack can cripple organizations, disrupt lives, and leave victims in a state of turmoil. Understanding what ransomware is, how it operates, and how to defend against it is crucial in our digitally connected world.

What is a Ransomware Attack?
Ransomware is malware designed to prevent users or organizations from accessing files, databases or applications on their computer. Ransomware is often designed to spread across a network and target database and file servers, and this can quickly paralyze an entire organization. At its core, a ransomware attack is a form of digital extortion. By encrypting these files, databases or applications and demanding a ransom payment for the decryption key, cybercriminals place organizations in a position where paying the ransom will be the cheapest and easiest way to regain access to their files, databases or applications. Some may add additional functionality, such as data theft, to further push ransomware victims to pay the ransom.

Why Is Ransomware Worrying?
Ransomware attacks pose a serious risk not only to your company assets and reputation, but also to individual privacy, and even national security. The consequences of ransomware attacks are devastating: not only is individuals’ personal data compromised, but organizations also suffer huge financial losses and operational difficulties. Ransomware attacks have continuously increased, with a report showing that 1 in 31 organizations worldwide experienced a ransomware attack weekly over the first quarter of 2023. From Corvus research, the number of ransomware attacks increased by roughly 180% in June 2023 as compared to the same month last year. This was fueled by the MOVEit attack by the Clop ransomware group, whereby nearly 20% of the alleged June victims were associated with the MOVEit breach. As of 6 September 2023, the number of known impacted victims of this ransomware attack is 1129 organizations and 53.8-58.6 million individuals. What’s shocking is that the number of individual victims is actually much higher than that, as only a fifth of the affected organizations have publicly released the total number of individuals who had their personal information exposed. Not to mention, a Chainalysis report revealed a startling reality: ransomware payments are reaching record-breaking levels in 2023. In fact, they state that ransomware attackers are on their way to their second-biggest year ever, having extorted at least $449.1 million through June. It was even revealed that the cumulative yearly ransomware revenue for 2023 reached 90% of the 2022 total figure in the first half of the year.

How Does Ransomware Work?
Step 1: Infection
Ransomware usually enters a system through malicious email attachments, compromised websites, or software vulnerabilities. Once the ransomware is downloaded, it begins to execute its code. Another popular mode of infection is via Remote Desktop Protocol (RDP). Cybercriminals who have stolen or guessed an employee’s login credentials can utilize them to remotely access a computer within the organization. Following this, the cybercriminal can directly download the malware and execute it.
Step 2: Encryption
The ransomware encrypts files and data on the victim's system using a strong encryption algorithm, replacing the originals with the encrypted versions. This process can happen quickly and can affect a wide range of file types, from documents to images and databases. Some ransomware variants will even delete the backups and shadow copies of files to make recovery without the decryption key even more difficult.
Step 3: Ransom Note
After encrypting the victim's data, a ransom note is typically displayed on the victim's screen. This note includes instructions on how to pay the ransom and a deadline for payment. It may also include threats of permanent data loss or public data exposure. Usually, the cybercriminal demands payment in cryptocurrency, making it difficult to trace. Victims are instructed to make the payment and, in return, receive the decryption key.
Step 4: Decryption (Sometimes)
If the victim complies with the ransom demand, they receive the decryption key to unlock their files. However, there are no guarantees that paying the ransom will result in the safe return of data.

Best Practices To Prevent Ransomware Attacks
Prevention is the absolute key. Once ransomware has infected your system, it can be incredibly difficult to remove. Furthermore, the effects of ransomware, not only on your operations but also on your reputation, will be devastating. Here are a few best practices to prevent ransomware attacks:
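Prevention aside, the encryption stage (Step 2) and the ransom note (Step 3) described under "How Does Ransomware Work?" leave observable traces on an endpoint: backup and shadow-copy deletion commands, many files renamed to a new extension in a short window, and the same note file dropped into many directories. The Python detector below applies those three heuristics to a stream of endpoint events; it is an added example, not code from TAFA or the original post, and the event schema, thresholds and sample events are constructed assumptions.

```python
"""Detection heuristics for the encryption and ransom-note stages of a
ransomware attack (Steps 2 and 3 in the article). Added example; the event
schema, thresholds and sample events below are constructed assumptions."""
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime

# Commands ransomware commonly runs to destroy backups and shadow copies (Step 2).
BACKUP_DELETION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
# Typical ransom-note file names (Step 3), e.g. RESTORE_FILES.txt, HOW_TO_DECRYPT.html.
RANSOM_NOTE_RE = re.compile(r"^(readme|restore|recover|decrypt|how_to)[\w-]*\.(txt|html|hta)$", re.I)

RENAME_THRESHOLD = 20    # renames to one new extension by one process ...
RENAME_WINDOW_SEC = 60   # ... within this many seconds
NOTE_DIR_THRESHOLD = 3   # same note file name dropped into this many directories


def detect_ransomware_activity(events):
    """Return a list of alerts for a time-ordered stream of endpoint events (dicts).

    Event kinds: "process" (cmdline), "file_rename" (path, new_path),
    "file_create" (path). Every event carries ts (ISO 8601) and pid.
    """
    alerts = []
    rename_times = defaultdict(deque)  # (pid, new_ext) -> rename timestamps inside the window
    note_dirs = defaultdict(set)       # (pid, note name) -> directories the note was dropped in
    fired = set()                      # alert once per (rule, key)

    for ev in events:
        kind, pid = ev["event"], ev["pid"]
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if any(p.search(cmd) for p in BACKUP_DELETION_PATTERNS):
                alerts.append({"rule": "backup_deletion", "pid": pid, "evidence": cmd})
        elif kind == "file_rename":
            # Only count renames that change the extension (originals replaced by encrypted copies).
            old_ext = ntpath.splitext(ev["path"])[1].lower()
            new_ext = ntpath.splitext(ev["new_path"])[1].lower()
            if new_ext == old_ext:
                continue
            key = (pid, new_ext)
            window = rename_times[key]
            now = datetime.fromisoformat(ev["ts"])
            window.append(now)
            while (now - window[0]).total_seconds() > RENAME_WINDOW_SEC:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and ("rename", key) not in fired:
                fired.add(("rename", key))
                alerts.append({"rule": "bulk_rename", "pid": pid,
                               "evidence": f"{len(window)} files renamed to {new_ext} "
                                           f"within {RENAME_WINDOW_SEC}s"})
        elif kind == "file_create":
            name = ntpath.basename(ev["path"])
            if RANSOM_NOTE_RE.match(name):
                key = (pid, name.lower())
                note_dirs[key].add(ntpath.dirname(ev["path"]).lower())
                if len(note_dirs[key]) >= NOTE_DIR_THRESHOLD and ("note", key) not in fired:
                    fired.add(("note", key))
                    alerts.append({"rule": "ransom_note", "pid": pid,
                                   "evidence": f"{name} dropped in {len(note_dirs[key])} directories"})
    return alerts


def sample_events():
    """Constructed events: a benign admin session (pids 100, 300) followed by a
    simulated encryptor process (pid 4242). Not real telemetry."""
    evs = [
        {"ts": "2023-09-06T10:00:00", "pid": 100, "event": "process",
         "cmdline": "vssadmin.exe list shadows"},          # listing, not deleting
        {"ts": "2023-09-06T10:00:01", "pid": 300, "event": "file_rename",
         "path": r"C:\Users\alice\draft.tmp", "new_path": r"C:\Users\alice\draft.docx"},
        {"ts": "2023-09-06T10:00:02", "pid": 300, "event": "file_create",
         "path": r"C:\Projects\tool\README.txt"},          # one README in one directory
        {"ts": "2023-09-06T10:01:00", "pid": 4242, "event": "process",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    ]
    for i in range(25):  # 25 documents rewritten with a new extension within 25 seconds
        evs.append({"ts": f"2023-09-06T10:01:{i + 1:02d}", "pid": 4242, "event": "file_rename",
                    "path": rf"C:\Users\alice\Documents\report{i}.docx",
                    "new_path": rf"C:\Users\alice\Documents\report{i}.docx.locked"})
    for d in (r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop", r"C:\Users\alice\Pictures"):
        evs.append({"ts": "2023-09-06T10:01:30", "pid": 4242, "event": "file_create",
                    "path": d + r"\RESTORE_FILES.txt"})
    return evs


if __name__ == "__main__":
    for alert in detect_ransomware_activity(sample_events()):
        print(alert)
```

The benign listing command, the single rename and the lone README produce no alerts; the simulated encryptor trips all three rules, which is the kind of correlation an EDR or SIEM rule would raise before a ransom note is ever displayed.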
How To Respond To A Ransomware Attack?
Takeaway
Ransomware attacks continue to pose a significant threat in today's digital age. Understanding how these attacks work and implementing robust prevention measures is crucial for individuals and organizations alike. By staying informed and adopting a proactive stance, we can collectively defend against this relentless and damaging form of cybercrime, protecting our data and digital lives from the clutches of ransomware attackers.
Last week, more data breaches occurred across several industries, with some having even more devastating consequences. Furthermore, a scam-as-a-service operation has been spreading its reach globally, and new research has found that Chrome extensions can steal plaintext passwords from websites.
Read on to receive a quick summary of what happened this week in the space of cybersecurity. Paramount Pictures suffered a data breach that exposed personal data. In a data breach notification letter written to impacted customers, Paramount Pictures, a production company, revealed that a data breach has led to the exposure of personal information. The cybercriminal gained access to their systems between May and June 2023, which allowed them to access the victims’ personal data. The personal information accessed includes name, birth date, social security number or other government-issued identification number (e.g. drivers license number or passport number), and information related to victims’ relationship with Paramount. A Paramount spokesperson has stated that the number of individuals that had their personal information accessed were less than 100, and the impacted individuals and relevant authorities had been notified. However, they did not reveal if the data accessed were of Paramount’s customers or employees. Paramount also reassured that the breached systems have been secured, and that there is no evidence that the breached personal data has been misused. Enhanced measurements were also put into place to prevent this incident from occurring again, and Paramount are offering free credit protection and identity theft monitoring service to those affected for 2 years. University of Sydney data breach: Applicants’ personal data accessed. The University of Sydney has put out a statement that their third-party provider suffered a data breach causing a “limited number of recently applied and enrolled international applicants’ personal data being accessed”. Although the accessed personal data has not been specified. From what they found so far, no domestic students, staff, alumni or donors’ data has been affected. This cyber incident was isolated on a single platform, and had no impact on other University systems. 
As of current, the University is determining the scope of the impact of this data breach, and is in the process of contacting the affected students and applicants. As of now, there is no evidence that any of the accessed personal data has been misused. University of Michigan cuts off Internet for 2 days. The University of Michigan shut down internet access for 2 days due to a “significant cybersecurity issue”. This decision was made as the cybersecurity incident caused IT outrages and disrupted access to vital online services such as Google, Canvas, Wolverine Access, and email. For safety precaution, the university has taken all of its systems and services offline, causing a widespread impact on online services the night before classes started. This decision affected roughly 120,000 individuals across the Ann Arbor, Flint and Dearborn campuses. On Wednesday, the university stated that internet service had been restored although they did warn their students that there could be some issues with selected U-M systems and services in the meantime, as their remediation efforts are not fully complete. Forever 21 data breach affects 539,207 people. A data breach notice filed with Maine’s attorney general stated that Forever 21 was hacked for 3-months beginning early January 2023, during which cybercriminals managed to access and obtain files from its system. The data accessed included the personal information of 549,207 current and former employees. Personal information access includes their name, birth date, social security number, bank account number and information on employees’ Forever21 health plan (enrollment and premiums paid). Forever 21 also stated they had taken steps to ensure that the unauthorized 3rd party no longer has access to the data. Based on their ambiguous wording, Techcrunch said it could imply that the company paid the ransomware group in exchange for deleting the data. 
Callaway, a golf gear giant, suffered a data breach that exposed the information of 1.1 million. Topgolf Callaway, an American golf gear equipment maker and seller, suffered a data breach in the beginning of August, which exposed the sensitive personal and account data of 1,114,954 of their customers. In a letter sent to impacted individuals on 29 August, the company stated that an IT system incident occurred on 1 August which has affected the availability of their e-commerce services and also exposed certain customer information to the cybercriminal. The compromised customer data includes full names, shipping addresses, email addresses, phone numbers, order histories, account passwords, and answers to security questions. This data breach not only impacts customers of Callaway but also their sub-brands Odyssey, Ogio, and Callaway Gold Preowned sites. Due to the exposure of customers’ passwords and security questions, Calllaway has forced a password reset for all customer accounts to prevent unauthorized access. The notice clarified that no payment card information, government ID or social security numbers were exposed during this incident. It is highly recommended for impacted customers that use the same credentials for other sites or online services, to change their passwords to a stronger and more unique password. This will help in reducing the risk of credential stuffing attacks. Also it is highly recommended for impacted customers to be suspicious of any communications that ask you to share additional data, and treat messages from unknown senders as potentially malicious. LogicMonitor customers hacked due to default passwords. Some customers of LogicMonitor, a network security company, have been hacked due to the use of default passwords. 
A LogicMonitor spokesperson stated that they are currently addressing a security incident that affected a small number of customers, and they are working closely with the affected customers to mitigate the impact of this breach. According to an anonymous source, the incident occurred due to LogicMonitor assigning customers default passwords that were weak. The anonymous source also stated that LogicMonitor did not require the changes, nor were these passwords temporary until this week (whereby the setup passwords last 30 days, and must be changed on first login). Byju’s server misconfiguration exposed sensitive data of their students. Byju’s, an Indian edtech giant and startup, has fixed a server misconfiguration that exposed the sensitive data of their students. The exposed data includes students’ names, phone numbers, addresses, email IDs, loan details such as payouts, links to scanned documents and transactional information. Bob Diachenko, a security researcher, found that this was due to a misconfigured Apache Kafka server used by Byju’s to send and receive data in real time. Furthermore, there were several IP addresses with the misconfigured server, which allows anyone to access to read the records without a password. Although the exact number of students impacted is unclear, Diachenko did say that 1-2 million records were accessible due to this issue. Byju’s confirmed with TechCrunch that they had fixed the security lapse but also stated that “no data or information was exposed or compromised” during the week that the servers were exposed. However, they also did not answer if they had the technical means to determine what data, if any, was accessed during this exposure incident, and by whom. Purfood suffered a data breach: Health & payment information of 1.2 million customers affected. 
Purfood has notified more than 1.2 million people that their personal and medical data, which includes payment card, bank account numbers, security codes, and some protected health information, may have been stolen from their servers during a data breach earlier this year. Purfood, a health-focused food delivery company, works with more than 500 health providers to deliver meals to people covered under Medicare and Medicaid. Cybercriminals managed to access Purfoods’ network on 16 January, and encrypted some files containing customer information, and may have exfiltrated some data (this was due to the found presence of tools that could be utilized for data exfiltration. Purfood had hired a 3rd party incident response firm to help investigate this breach and the review concluded on 10 July. It was found that the potentially exfiltrated information includes names, birth dates, social security numbers, driver’s license/state identification numbers, financial account and/or payment card information in combination with security code, access code, PIN or password for the account, medical information and health information. Purfood has notified the relevant authorities, and are providing free credit monitoring to all affected individuals for 12 months. Furthermore, they are currently putting more security measures in place and employee training. Chrome extensions can steal plaintext passwords from websites. Researchers from the University of Wisconsin-Madison have uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website’s source code. Researchers found that numerous websites that have millions of visitors, which included Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages. This allows extensions to retrieve them. More specifically, they found from the 10,000 websites, roughly 1,100 are storing user passwords in plain text form. 
A further 7,300 websites were found vulnerable to DOM API access, where an extension can read the user's input value directly from the field. The researchers explain that the root of the problem is that browser extensions are given unrestricted access to the DOM tree of the sites they load on, including potentially sensitive elements such as password fields. They also found that approximately 17,300 extensions (12.5%) in the Chrome Web Store held the permissions needed to extract sensitive information from web pages; these include widely used ad blockers and shopping extensions with millions of installations. Well-known websites found to lack protection against these attacks include gmail.com, cloudflare.com, facebook.com, citibank.com, irs.gov, capitalone.com, usenix.org and amazon.com.

Classiscam, a scam-as-a-service operation, spreads its reach globally, targeting 251 brands.
Classiscam, a scam-as-a-service operation, has expanded its reach globally, targeting many more brands, countries and industries, and causing more financial damage than before. This Telegram-based operation recruits affiliates who use the service's phishing kits to build fake ads and pages that steal payment card and banking credentials, as well as money, from victims. The platform continues to grow: Group-IB reports that Classiscam has made $64.5 million from stealing money and payment card details. The number of targeted brands has grown to 251 this year, and 393 criminal gangs now target users in 79 countries. Group-IB found 1,366 Classiscam groups on Telegram, with at least 38,000 participants. The key industries targeted are logistics companies, bank transfer services, classified sites and carpooling. Group-IB also reports that Classiscam has become more automated: affiliates use Telegram bots to create phishing and scam ad pages in seconds.
The phishing sites themselves have also been greatly enhanced. They can mimic the login pages of 63 banks in 14 countries, including financial institutions in Singapore, Spain and France, and they can perform balance checks to assess the maximum amount that can be charged to a victim, alongside fake bank login pages that harvest e-banking credentials.

That is all! Enjoy the rest of the week and don't forget to update your devices and systems to the latest patches!
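The Byju's item above turned on a Kafka broker that answered anyone without a password. As an added example that is not code from the original post, from Byju's or from the Apache Kafka project, the following Node.js script audits a broker's server.properties for the three settings that decide whether an anonymous client can read topics: a listener using PLAINTEXT (no authentication, no TLS), no authorizer, and the allow.everyone.if.no.acl.found fallback. The weak and hardened configurations embedded in it are constructed for illustration; the hostname, paths and the admin user are placeholders.

```javascript
// Added example, not code from the original post, from Byju's or from Apache
// Kafka: audit the broker settings that decide whether an anonymous client can
// read topics. Both configs below are constructed for illustration.

// Parse a Java .properties-style text into an object; comments and blanks are skipped.
function parseProperties(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith('!')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

// Resolve each entry of `listeners` to its security protocol. Custom listener
// names (CLIENT, INTERNAL, ...) are mapped through listener.security.protocol.map;
// otherwise the listener name is itself the protocol (PLAINTEXT, SASL_SSL, ...).
function resolveListeners(props) {
  const map = {};
  for (const entry of (props['listener.security.protocol.map'] || '').split(',')) {
    const [name, proto] = entry.split(':');
    if (name && proto) map[name.trim().toUpperCase()] = proto.trim().toUpperCase();
  }
  const listeners = [];
  for (const entry of (props['listeners'] || '').split(',')) {
    const m = entry.trim().match(/^([A-Za-z0-9_-]+):\/\/([^:]*):(\d+)$/);
    if (!m) continue;
    const name = m[1].toUpperCase();
    listeners.push({ name, host: m[2], port: Number(m[3]), protocol: map[name] || name });
  }
  return listeners;
}

// Return a list of findings; an empty list means none of the checked weaknesses is present.
function auditKafkaConfig(text) {
  const props = parseProperties(text);
  const findings = [];
  for (const l of resolveListeners(props)) {
    // An empty host or 0.0.0.0 binds every interface; only loopback counts as not exposed.
    const exposed = !/^(127\.|localhost$)/.test(l.host);
    if (!exposed) continue;
    if (l.protocol === 'PLAINTEXT') {
      findings.push(`NO_AUTH_LISTENER: ${l.name} on port ${l.port} accepts unauthenticated, unencrypted clients`);
    } else if (l.protocol === 'SASL_PLAINTEXT') {
      findings.push(`NO_TLS_LISTENER: ${l.name} on port ${l.port} authenticates but carries credentials and data in the clear`);
    }
  }
  if (!props['authorizer.class.name']) {
    findings.push('NO_AUTHORIZER: no authorizer configured, so any client that can connect may read or write every topic');
  }
  if ((props['allow.everyone.if.no.acl.found'] || 'false').toLowerCase() === 'true') {
    findings.push('OPEN_ACL_FALLBACK: allow.everyone.if.no.acl.found=true grants access to any topic without an ACL');
  }
  return findings;
}

// Constructed: a broker reachable by anyone on the network, no password required.
const WEAK_CONFIG = `
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://kafka.example.internal:9092
log.dirs=/var/lib/kafka
`;

// Constructed: the same broker with SASL/SCRAM over TLS on every listener and ACLs
// enforced (AclAuthorizer is the ZooKeeper-mode class; KRaft clusters use
// org.apache.kafka.metadata.authorizer.StandardAuthorizer instead).
const HARDENED_CONFIG = `
broker.id=0
listeners=CLIENT://0.0.0.0:9093,BROKER://0.0.0.0:9094
listener.security.protocol.map=CLIENT:SASL_SSL,BROKER:SASL_SSL
inter.broker.listener.name=BROKER
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/broker.keystore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:admin
log.dirs=/var/lib/kafka
`;

for (const [label, cfg] of [['weak', WEAK_CONFIG], ['hardened', HARDENED_CONFIG]]) {
  const findings = auditKafkaConfig(cfg);
  console.log(`${label}: ${findings.length ? '\n  ' + findings.join('\n  ') : 'no findings'}`);
}
```

Run it with node against a copy of a real server.properties by replacing the constructed strings; the loopback exemption exists because a PLAINTEXT listener bound to 127.0.0.1 for local tooling is a different risk from one bound to every interface, which is the exposure described in the Byju's report.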
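The Chrome extension item above describes two ways an extension gets at a password: reading the live value of an input through the DOM API, and reading a value that is already sitting in the page's HTML. As an added example that is not code from the original post or from the University of Wisconsin-Madison study, the following script shows both sides in Node.js: harvestPasswordFields is what a content script with DOM access runs inside a page (it needs a browser document, so the script only defines it), and findExposedCredentials is a static scan a site owner can run over served HTML to find credentials present in the markup. The sample page and its field names are constructed; the credential-name pattern is a heuristic, not the study's method.

```javascript
// Added example, not code from the original post or from the University of
// Wisconsin-Madison study. The sample HTML is constructed; field names are placeholders.

// Content-script view: every password field's current value, read through the same
// DOM API the page's own scripts use. Needs a browser document; not run here in Node.
function harvestPasswordFields(doc) {
  return Array.from(doc.querySelectorAll('input[type="password"]'))
    .filter(el => el.value !== '')
    .map(el => ({ field: el.name || el.id || '(unnamed)', value: el.value }));
}

// Static view: parse each <input ...> tag's attributes from HTML text
// (regex-based audit heuristic, not a full HTML parser).
function extractInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4] ?? '';
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Field names that usually mean "credential". CSRF tokens are deliberately not
// matched: a per-form anti-forgery token in a hidden field is expected.
const CREDENTIAL_NAME = /passw|pwd|secret|api[_-]?key/i;

// Report fields whose value is already present in the markup and that are either
// password inputs or credential-looking inputs (hidden ones included).
function findExposedCredentials(html) {
  const findings = [];
  for (const attrs of extractInputs(html)) {
    const type = (attrs.type || 'text').toLowerCase();
    const field = attrs.name || attrs.id || '(unnamed)';
    if (!attrs.value) continue;
    if (type === 'password') {
      findings.push({ field, type, reason: 'password field pre-filled with a value in the HTML' });
    } else if (CREDENTIAL_NAME.test(field)) {
      findings.push({ field, type, reason: 'credential-looking field carries its value in the HTML' });
    }
  }
  return findings;
}

// Constructed sample page: a login form that pre-fills the password, a hidden field
// carrying an API secret, a CSRF token (expected) and a clean password field.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="email" name="email" value="alice@example.com">
  <input type="password" name="password" value="hunter2">
  <input type="hidden" name="csrf_token" value="7c1e9f">
  <input type="hidden" name="api_secret" value='sk_live_placeholder'>
  <input type="submit" value="Sign in">
</form>
<form action="/settings/password" method="post">
  <input type="password" name="new_password" autocomplete="new-password">
</form>
`;

for (const f of findExposedCredentials(SAMPLE_HTML)) {
  console.log(`${f.type} field "${f.field}": ${f.reason}`);
}
```

The static scan catches the first category in the item (credentials in the source), which any extension, proxy or "view source" can read; the content-script function illustrates the second (the 7,300 sites exposed through the DOM API), which no amount of server-side care fixes, because the browser hands every extension with host permissions the same document the page's own scripts see.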
