Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, November 25th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here with commentary on events. But first a review of some of what happened in the last seven days:
A fantasy sports betting website called DraftKings is blaming its users for re-using their passwords as the cause of the theft of US$300,000 from their accounts. Terry and I will discuss if there’s more to it than that.
We’ll also look at a couple of recent ransomware attacks. And we’ll offer advice on safe online holiday shopping.
Also this week, an international police effort has closed the criminal iSpoof website, a service that allowed crooks to make calls that spoofed the phone numbers of business and government officials, as well as to intercept passcodes for two-factor authentication. The site’s main administrator was arrested in the U.K. in an operation that also saw the arrests of over 140 people. Authorities estimate victims around the world lost about $160 million from iSpoof’s operations.
Separately, police around the world also arrested almost 1,000 suspects believed to have been committing online scams. And they seized $130 million as well. It was done in a combined operation under Interpol, the international police co-operative. While most of the suspects ran voice phishing, romance scams, sextortion and investment frauds, one group was more imaginative: They impersonated Interpol officers, tricking victims into transferring almost $150,000 to them through banks and cryptocurrency exchanges.
Ten people were charged in the U.S. with allegedly being involved in a multi-million dollar Medicare and Medicaid email scam. The con involved sending emails to public and private health insurance programs that looked like they came from real hospitals. The insurers were told to send payments to the hospitals’ new bank accounts — accounts that were set up by crooks.
Microsoft warned that a long-discontinued web server called Boa filled with vulnerabilities is still being used in industrial products around the world. That means it poses dangers to millions of organizations. The Boa web server can be found in internet-of-things devices. It’s also tucked away in some software development kits. The problem: Microsoft continues to see attackers attempting to exploit Boa vulnerabilities.
Researchers at Palo Alto Networks warned that employees are being tricked into downloading remote management tools under the guise of legitimate software. Using those tools a threat actor finds and copies sensitive data. They send an extortion note to the organization, demanding money or the copied data will be publicly released.
Thirty-four Russian-speaking threat groups are distributing malware capable of stealing passwords and other data. That’s according to researchers at Group-IB. In the first seven months of this year alone the gangs infected almost 900,000 devices and stole over 50 million passwords. The malware they use can also steal cookie files, credit card numbers, data from cryptocurrency wallets and passwords for gaming services like Steam, Epic Games and Roblox.
Finally, if you have an internet-connected video camera in or outside your home, Canada’s privacy commissioner just published advice on how to keep it secure.
(The following transcript has been edited for clarity)
Howard: I want to start with news of the theft of money from subscribers to the DraftKings fantasy sports betting site. DraftKings is an American-based sport and casino betting site that is available in a number of countries. On Monday there were news reports of users noticing funds had been withdrawn from their accounts. One person told a reporter that around the same time his email was filled with spam.
The company told reporters some US$300,000 was withdrawn without permission from user accounts. An official said the company’s IT systems weren’t compromised. So it believes victims weren’t careful creating separate usernames and passwords for DraftKings. Their credentials were used elsewhere, stolen by crooks who then successfully used them on the DraftKings site.
Terry, if true this is another example of people being careless.
Terry Cutler: This is a case of people who don’t want to deal with cyber security until it’s too late. If this was really a problem with the DraftKings site it would have affected all users. I think we’re dealing with about five per cent of their entire user base [affected] because they’re worth $6.5 billion. This is a classic password reuse [problem]. If these folks were cyber-educated they would have turned on two-step verification. Ironically, [competing site] FanDuel put out a tweet around the same time saying, ‘Make sure you change your passwords and then set up two-step verification,’ because someone was trying to hack their accounts as well. What’s interesting is that this is the perfect example of an unrelated third party advising there’s a problem. Obviously, if you’re dealing with money turn on your two-step verification.
Howard: I wonder if DraftKings also wasn’t careful, if one news site reporting on this is accurate, because it quotes a privacy advocate saying that while DraftKings offers two-factor authentication to protect logins from compromise, it doesn’t force its subscribers to use it.
Terry: DraftKings says they’re going to make victims right [for their losses], but should they really need to reimburse those people that lost US$300,000? Because they should have turned on two-step verification themselves. It’s a 60-second fix, but people feel it’s inconvenient. My company gets a lot of calls because people’s Instagram accounts were hacked. Instagram offers two-step verification as well. But nobody turns it on until they get hacked and try to get their accounts back. All their information’s been changed in their profile, all the recovery passwords and all the recovery phone numbers.
Howard: Another news site that interviewed victims that used DraftKings suggests the attackers were able to compromise the smartphones of users who actually did enable two-factor authentication. Somehow their two-factor authentication code went to a different phone. Presumably these were phones that were controlled by the hackers, who were then able to get into the accounts of the players once they had their usernames and passwords and they had the two-factor authentication code. So it seems this was a really sophisticated and targeted attack: First, the attackers researched DraftKings players and they got hold of their passwords — or they got the passwords and then researched the players — and then they compromised the two-factor authentication process in some way. Either they stole the user’s token, or they convinced the user’s cellphone company to switch their SIM card to a different phone, or perhaps they convinced the DraftKings help desk to change the target’s registered cell phone number so that the two-factor authentication code went to a phone that was controlled by the hacker.
Terry: There’s a lot of stuff going on here. There’s a high probability that the attackers bought a list of basic information, including the security questions, that users may have revealed in a phishing attack. This way they could call up your phone provider and possibly switch your phone from one carrier to another. That’s one plausible way. That’s why it’s very, very important that you activate what’s called port protection from your wireless provider … With port protection you have to show up in person to the provider with identification to transfer your account to another phone. There’s also the possibility of token stealing. There are so many ways to bypass 2FA. One of the main tactics used right now is a victim receives an email with a phishing link. It goes to a real website, but because of a man-in-the-middle attack your password and possibly two-step verification goes to a bad guy. With one double click the guy can get access to your account. That’s why we need to start moving away from SMS text one-time passwords over to an authenticator app for delivering codes.
Howard: This incident involves crooks getting hold of victims’ passwords. There was a related story that came out this week from a Singapore-based threat analyst firm called Group-IB. Through their research they found that there are 34 Russian-speaking threat groups distributing malware capable of stealing passwords and other data. They figure that in the first seven months of this year alone gangs infected almost 900,000 devices around the world and stole over 50 million passwords. The malware that they use can also steal cookies, credit card numbers, data from cryptocurrency wallets and passwords for gaming services. This again reinforces the point that for your security every place that you create an account has to have a separate password so you don’t get screwed if a hacker steals a password from your email and then tries to use it on your bank site — or use it on your DraftKings site.
Terry: Let’s talk quickly about passwords. Your password can be decoded if you chose a really crappy one like John123. Some people have a mindset, ‘Who’s gonna want to hack me? I have nothing of value.’ You need to start creating an unbreakable password — there has to be a combination of uppercase, lowercase and symbols that’s between 16 and 25 characters long. I know what you’re thinking: How do you remember a password this long? But if you can think of song lyrics or phrases, that will help you. For example a simple phrase like, ‘Ihadagreatdayatwork!!’, that could take 10 years to break. If you replace the ‘o’s in a password with a zero and the ‘a’ with an @ symbol that password will take 39 centuries to crack. But if an attacker can access your password hash they can do a pass-the-hash attack where they can log in as you without ever knowing your password. That’s why two-step verification is key here to stopping password theft attacks.
Howard: So in this DraftKings incident what are the lessons for companies?
Terry: That nothing is foolproof. If we look at how a phishing attack works, hackers are going to try and target a company like DraftKings and use social media networks and other data points to look at who the employees are, or maybe some of their players. Then they’re going to try and follow them on social media to learn more about their identity, figure out their email address and send a fake message with a link. Perhaps they’re going to try and impersonate a colleague or a boss or another player. Once the target opens the message they’re at risk because they think they know who the sender is, right? Once the link’s been clicked on the attacker has two choices: Steal the victim’s credentials or install malware on the PC or their smartphone. Once the hacker has compromised access they’re going to use the back door to steal that information. That’s usually how it’s going to work.
Howard: I also think a lesson for all companies is don’t make two-factor authentication optional. Make it mandatory for all of your users.
Terry: I’m actually surprised it’s not mandatory now. We’ve been talking about data breaches and enabling two-step verification for at least 10 years.
Howard: And what lessons are there for individuals out of the DraftKings incident?
Terry: They need to get cyber-aware. There are so many ways you can get hacked, and a lot of times it starts with your password. There are sites you can check to see if your password has been stolen. One is ‘Have I Been Pwned.’ It collects lists of stolen email and password combinations. You enter your email address and it tells you if your password has been part of a data breach. Another thing is Google your name to see what personal information about you is on the internet. Type in your first and last name with quotation marks at both ends. You might learn that personal things about you are listed on the internet — say, your favourite Disney character, your favourite colour, the street you used to live on — that you use in your password. That’s how hackers can guess your password. If you wonder how you can keep up with security that’s one of the reasons why I launched the Fraudster app to help you stay current.
Howard: Let’s move on to news item number two: The wave of ransomware attacks continues. This week the city of Westmount, Quebec — which is in your neck of the woods — said it was hit with ransomware last weekend. On Monday the city said it was still assessing the damage but that its email system was offline. It hasn’t said anything since. Separately the union that represents Ontario’s public high school teachers and teaching assistants has started to notify past and present members that their personal data was stolen in a ransomware attack in May. Several new strains of ransomware were discovered and given names like AXLocker, Octocrypt and Alice. Terry, we know that not all attacks can be prevented but what can you say when once a week we hear about a successful ransomware attack in Canada or the U.S.?
Terry: A lot of the companies we investigate are being misled by the IT department — and I’m saying this based on our experience after doing incident response. After interviewing the upper management it’s always, ‘My IT guys said we don’t need antivirus on our Exchange servers because it slows us down,’ or ‘My IT guy has it covered.’ But when we ask who’s monitoring your system at 2 a.m. on a Saturday morning … They need to understand that cybersecurity folks are always going to complement IT departments and vice versa. We [cybersecurity] are going to find things that need to be fixed up, and the IT department is going to get it done faster than us because they’re in there day-to-day. They need to better understand the threat surface. Remember that saying from GI Joe, ‘Knowing is half the battle’? It’s true. Understanding and managing your threat surface are fundamental steps toward a better cybersecurity program. Attacks are coming to and from your network, at your endpoint and in your cloud. So how are you keeping track of all these attacks and how are you stopping them if you’re one IT guy, or have an undertrained and overworked staff? It’s very, very difficult.
Howard: The goal of IT and security administrators should be to minimize the damage of a successful attack. Do you sense that organizations in Canada and the U.S. are getting better at this?
Terry: I find that they’re not doing enough partnering or outsourcing. IT guys are telling management they don’t need cyber security experts, or my cyber insurance will cover me. I think the biggest challenge in IT — and the cyber guys are also facing — is there’s too many tools to manage that were never made to work together. It leaves so many gaps. For example, when we do investigations with healthcare institutions we have to engage four different departments because they all have access to their own software tools. A lot of times they don’t have the proper logs. They’re missing information. It’s a horror show. You need to find a way to holistically manage all of the threat surfaces in your network, your cloud and your endpoints. There’s still a lot of old-school thinking that ‘I just need to have antivirus and a firewall and I’m safe.’ But with traditional technologies all an attacker has to do is send a crafted email to one of your employees and once he clicks on the link the attacker becomes an insider and bypasses the firewall. If an attacker has bypassed your firewall you need to have a good system, like EDR (endpoint detection and remediation) that will detect someone misbehaving. A lot of times IT guys are overworked so they don’t have enough time to stay on top of threats. That’s why they need to partner with cybersecurity folks that can help complement them.
Make sure you have good content filtering, including a good email spam filter … We’ve spoken in previous podcasts about how hackers get into companies and use them as a jump point to email other firms with malware. That email won’t be spotted because it’s from a legit domain. The last thing I would mention is to make sure you have a good incident response plan in place. You may be down for a minimum of 100 hours if you get hit with a ransomware attack.
Howard: Finally, because Cyber Friday officially starts today, kicking off the Christmas holiday shopping period, listeners need to be encouraged to practice safe online buying. What should they not be doing?
Terry: Don’t trust any links or attachments with sales offers that you receive by email, especially from someone you don’t know. Scams these days are getting really more sophisticated. It’s really hard to make a blanket statement like that because a scam can look really legit, like it came from someone you know. Just be wary about always opening up attachments. Always double-check shopping websites before filling out any personal information — is the URL correct? Are there spelling or grammar errors on the site? Do you want to buy something from an unknown company? Make sure to check the reviews before making a decision. There can be fake five-star reviews. Look for really stupid product reviews like, ‘Great job,’ or ‘Keep it up.’ That’s a sign the site may be buying these fake reviews to con you into spending money.
Despite all these warnings there’s a chance that you may still fall victim to fraud. So always check your credit or debit card account for unusual or unexpected charges.
Finally, don’t use public Wi-Fi, especially at a mall, because a bad guy can set up a fake hotspot that says, ‘Shopping Mall’s Fastest Wi-Fi.’ If you connect to it the guy can start intercepting your data and he might get access to your passcodes.
Howard: Think about the product that you’re buying online and whether you can afford to get scammed by a fake product from a website you don’t know. You don’t want to buy an expensive watch from a website you’ve never heard of. But it also applies to buying a pair of Nike running shoes or something as inexpensive as a memory card for a camera if it’s easy for someone to substitute a fake or a used item. That’s all the more reason to be shopping at a brand name online store, or one that you’re familiar with.
Terry: And if you see prices that are so low for a really high end brand, be wary. We’ve seen expensive Canada Goose jackets advertised for 60 bucks, and a phone book arrives in the box.
For more on safe online shopping see the government of Canada’s Get Cyber Safe website and the U.S. Cybersecurity and Infrastructure Security Agency’s online shopping tips.