Plus, a BEC bust leads to 281 arrests, a new phishing scam cleverly uses captcha, and will the next trend of IoT hacking involve your local gas pump?
Last Friday, the Wikimedia Foundation issued a statement that a malicious attack had forced its popular information site Wikipedia to go offline for intermittent periods in several countries. The foundation confirmed to Forbes that it had been hit by a massive DDoS (Distributed Denial of Service) attack – an onslaught of access requests meant to overwhelm a system so it malfunctions or shuts down. DDoS attacks, typically carried out by botnets, can involve hundreds of thousands, sometimes millions, of hijacked servers commanded to issue concurrent and nonstop access requests. Forbes reported that Wikipedia went offline in the U.K., France, Germany, Italy, The Netherlands, Poland, and parts of the Middle East.
In an effort to help the Wikimedia Foundation recover, Craig Newmark Philanthropies – the nonprofit run by Craigslist founder Craig Newmark – has pledged a gift of $2.5 million. The foundation says the money will help grow capabilities in application security, risk management, incident response, and more. “DDoS attacks are easy to perform in a cheap way,” commented Avast Security Evangelist Luis Corrons. “Anyone with a grudge against Wikipedia could have launched it with no effort. Sadly, defending against them is not as cheap, so it is really good news that Craig Newmark has stepped up, so we can all keep benefiting from Wikipedia.”
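As an added illustration (not code from the article or from Avast), the detector below shows why the "distributed" part of a DDoS matters to defenders: a per-source request limit catches one noisy client, but a flood spread across hundreds of thousands of hijacked hosts can stay under any per-IP threshold and only shows up in the aggregate rate. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format line; only the source address and timestamp are needed here.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def constructed_log():
    """Return constructed sample lines (not real traffic).

    Second :01 - one client sends 40 requests (a single noisy source).
    Second :02 - 300 distinct addresses send one request each, the shape of
    a botnet-driven flood where no single source looks abnormal.
    """
    base = ('{src} - - [10/Sep/2019:14:05:{sec:02d} +0000] '
            '"GET /wiki/Main_Page HTTP/1.1" 200 512')
    lines = [base.format(src="203.0.113.7", sec=1) for _ in range(40)]
    lines += [base.format(src=f"198.51.{100 + i // 250}.{i % 250 + 1}", sec=2)
              for i in range(300)]
    return lines


def detect_floods(lines, window_s=1, per_ip_limit=30, total_limit=200):
    """Bucket requests into fixed windows and flag two flood shapes."""
    per_window = defaultdict(lambda: defaultdict(int))  # window -> src -> count
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of crashing on odd input
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        window = int(ts.timestamp()) // window_s * window_s
        per_window[window][m.group("src")] += 1

    noisy_sources, distributed = [], []
    for window, counts in sorted(per_window.items()):
        total = sum(counts.values())
        loud = [src for src, n in counts.items() if n > per_ip_limit]
        noisy_sources += [(window, src, counts[src]) for src in loud]
        # High aggregate volume with no single loud source is invisible to
        # per-IP limits; this is the case that needs upstream/CDN mitigation.
        if total > total_limit and not loud:
            distributed.append((window, total, len(counts)))
    return {"noisy_sources": noisy_sources, "distributed": distributed}


if __name__ == "__main__":
    print(detect_floods(constructed_log()))
```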
This week’s stat
Avast researchers have found that Android flashlight applications request an average of 25 permissions to access data or features on mobile devices, potentially exposing users in unnecessary ways.
International BEC bust leads to 281 arrests
In a coordinated effort between U.S. government agencies and law enforcement, a four-month operation tracking perpetrators of business email compromise (BEC) scams led to the arrest of 281 individuals around the world. Operation reWired, as the effort was called, launched in May 2019 as a special project between the Department of Justice, Department of Homeland Security, Department of the Treasury, Postal Inspection Service, and Department of State, reported DarkReading. BEC scams often target employees who have access to company finances, starting with a phishing email pretending to be from an associated company or fellow employee requesting a wire transfer or other rerouting of funds for seemingly legitimate reasons, such as payment for a late invoice or the setup of a new bank account for direct deposit paychecks. Throughout the operation, investigators found that the BEC scammers also may have stolen more than 250,000 identities and filed more than 10,000 fraudulent tax returns, which would have generated over $91 million. The international bust involved 167 suspects in Nigeria, 74 in the U.S., 18 in Turkey, 15 in Ghana, and suspects in France, Italy, Japan, Kenya, Malaysia, and the U.K. The FBI reported that since 2013, BEC scams have cost business owners over $10 billion in losses. Avast Evangelist Corrons lauds the operation but reminds users to stay vigilant. “BEC attacks are dangerous and put companies all around the world at serious risk. It is fantastic that U.S. law enforcement agencies have been able to coordinate this global bust. Still, BEC is a profitable ‘business’ and precautions need to be taken as new players will eventually appear.”
This week’s quote
“AI security still relies on security through obscurity, meaning the only way to protect AI is by hiding it from the adversary. An adversary can fool an AI program as soon as they have access to the algorithm.” – Rajarshi Gupta, Avast’s head of artificial intelligence, on adversarial AI, a topic at the upcoming CyberSec AI Prague conference.
New phishing scam uses captcha to fool security
Bleeping Computer reported that a new phishing scam uses a captcha “I am not a robot” page to trick the victim’s secure email gateway. According to cybersecurity researchers, the scam is delivered as an email from an account called “avis.ne.jp.” The email claims to have a voicemail for the targeted victim and includes a “Play” button. Clicking the button takes the victim to the captcha page. After getting through that human verification step, the victim is presented with a spoofed Microsoft login page. Any credentials entered are then sent to the attacker. If the voicemail button in the email linked directly to the phony Microsoft page instead, certain secure email gateways would have detected the malicious link. By linking to the captcha page, the scam avoids triggering security mechanisms.
Can you hack a gas pump?
The answer is yes, and it’s being discussed in the underground forums of dark web marketplaces, ZDNet reported. In a deep investigation on the cybercrime underground, cybersecurity experts monitored dark web marketplaces in several languages. They reported that in both the Russian and Portuguese underground forums, users have been sharing step-by-step tutorials on how to hack internet-connected commercial gas pumps. Possible criminal uses for hacked gas pumps can include adjusting the internal settings to get a cheaper price, locking up the pump in order to demand a ransom from the owner, and adding the pump to a botnet for a DDoS attack. Researchers note that physically dangerous scenarios exist as well, such as adjusting the internal settings so that the gasoline will overflow a car’s tank.
This week’s ‘must-read’ on The Avast Blog
Everything we’ve commercially connected to the Internet – desktop PCs, laptops, browsers, smartphones, mobile apps, virtual servers and cloud services – got introduced with convenience as a top priority. Now cybersecurity must catch up. Veteran journalist Byron Acohido explains how we got here, and what lies ahead.