Security News

Security roundup: Hackers love healthcare, voters fall prey to the dark web

Avast Security News Team, 2 November 2018

Data breached at Tomorrowland, new trojan mass harvests emails and Fortnite cyber scams run rampant

Emotet malware becomes more versatile; mass harvests emails

Emotet malware, which is usually identified as a banking trojan, is now becoming more versatile and has created a new means for stealing victims’ emails, going back as far as six months. This takes place via a new Emotet module that blindly harvests all emails sent or received from infected hosts from the past 180 days. As far as we know, it only works with Microsoft Outlook installations – for now.

While the trojan has been around for a while – since 2014 – it’s never been considered a significant threat, until recently, when Emotet revamped its code and created a malware family that continues to grow, In fact, it’s become so pervasive that the US Department of Homeland Security issued a security advisory over the summer, warning companies about the threat that Emotet poses to their networks. 

Researchers at Kryptos Logic pointed out that Emotet's mass email harvesting module is very out of the ordinary. Most malware that has engaged in anything similar has only collected email addresses, which it later used to power new spam campaigns.

In an interview with ZDNet, Jamie Hankins of Kryptos Logic said, "We believe the module is currently being widely deployed, but it is too early to confirm if it is geographically specific. Emotet is not limited to any geography, but it tends to focus on US victims."

“Stealing full emails from organizations enables the cybercriminal group using Emotet to launch highly targeted attacks against those businesses,” adds Luis Corrons, Avast security evangelist. “It can also give them access to sensitive information that could be sold on the dark web.”

SamSam ransomware targets the U.S., with its focus on healthcare

A new report says the notorious, highly targeted virus is hitting hard across the U.S., with its primary focus on the healthcare industry, where hackers believe organizations are more likely to shell out money.  

According to the report, the attacker’s impression is that healthcare targets may more readily pay ransom than other targets, showing that SamSam has a preference for low hanging fruit – i.e. companies that are more likely to fork over the ransom.

Although the majority of organizations hit by SamSam have been in the healthcare space, it has also struck down cities, public sector organizations and municipalities. Manufacturing, utilities/energy, construction, insurance firms, banking and financial institutions have also been hit.

According to the report, the SamSam hacking group has targeted at least 67 organizations this year, with 56 attacks in the United States. Just a small number of attacks were reported in France, Portugal, Ireland, Israel and Australia.

Since the ransomware began escalating attacks early this year (Allscripts and several health systems fell victim), the SamSam hacking group has banked more than $6 million from its victims. In August, a report showed that 223 of the SamSam victims paid the ransom.

The speculation for SamSam heavily targeting healthcare organizations is that they are particularly vulnerable to these types of attacks, as many fail to monitor abnormal or multiple login attempts and still use weak or reused passwords. Those that fail to limit admin credentials also are incredibly vulnerable.

Ahead of mid-terms, voter records go up for sale on the dark web

New data suggests nation-state politically motivated cyberattacks are on the rise, with China and Russia responsible for 41.4% of all reported attacks, according to the quarterly incident response threat report from Carbon Black.

The report also says that voter databases from Alabama to Washington (and 18 other states) are now for sale on the dark web.  These databases hold records from more than 80 million voters, including their IDs, names, addresses, phone numbers and citizenship status.

Two-thirds of IR professionals interviewed believe this and other related cyberattacks will influence the upcoming U.S. elections. 

The dark web makes it easy for freelance hackers to sell stolen or illegal wares. Some of them “offer to target government entities for the purposes of database manipulation, economic/corporate espionage, DDoS attacks and botnet rentals,” the report said. But their services are costly – in the “hundreds to thousands of dollars per target” range.

While the outcome remains to be seen, the real concern from a security perspective is how this information can and will be used.

More than 60,000 Tomorrowland concert goers from 2014 concert get their data hacked

Attendees of the 2014 Tomorrowland event, one of the world’s largest and most notable music festivals, have fallen prey to hackers due to a breakdown of the concert’s primary ticketing partner Paylogic.

The cyberattack exposed the personal information of an untold number of ticket holders, thought to be in the range of 60,000 plus.

An email from Tomorrowland to its customers promised “the data accessed was linked to your account and included limited personal information (name, email address, gender, age, and postal code). Other personal data like your bank details, credit card information, passwords, and other sensitive data have NOT been affected."

The email went on to inform 2014 ticket buyers that Tomorrowland's organizers had requested that Paylogic conduct an investigation in order to prevent a similar breach from happening in the future. "We are currently not aware of any malicious use of your data but would encourage you to be extra careful when receiving emails about ticket sales and promotions that do not originate from the official Paylogic or Tomorrowland communication channels," it said.

According to a Tomorrowland spokesperson, the server in question was immediately taken offline and Tomorrowland has informed the privacy commission of the incident. Anyone affected by the incident will be informed by email and are advised to change their passwords for the platform immediately.

Fortnite V-Bucks scams target millions of players online

Millions of players of the massively popular online game Fortnite, from Epic Games, are being targeted by V-Bucks scams across social media and malicious web domains, according to a report released by ZeroFOX Monday.

Over a one month period - from early September to early October -- more than 53,000 alerts were generated by Fortnite scams, the majority of which (86%) were found on social media, the report said.

While Fortnite Battle Royale is completely free to play, players can purchase cosmetic items in-game with V-Bucks, which are bought using real-world money. The standard rate is $1 USD to 100 V-bucks. While individual transactions cost only a few dollars, in aggregate, Fortnite is making an estimated $300 million per month on these in-game purchases.

“As one of the most popular free to play games available today, with more than 40 million players and hundreds of millions in monthly revenues, cybercriminals are attracted to it in different ways, from creating scams to performing money laundering,” says Corrons.

The average age range for Fornite players is between 12 and 17-years old. Considering the scope and reach of these scams and the average age of Fortnite players, understanding what these scams are, where they occur and how users can protect themselves is critical.