Support • (786) 621-8600 Contact us
Demo

Recent Posts

Sextortion Scam Uses Recipient’s Hacked Passwords

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers also may begin latching onto this method as well.

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
-Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
-Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).

Source: KREBS ON SECURITY

Notorious ‘Hijack Factory’ Shunned from Web

Score one for the good guys: Bitcanal, a Portuguese Web hosting firm long accused of helping spammers hijack large swaths of dormant Internet address space over the years, was summarily kicked off the Internet this week after a half-dozen of the company’s bandwidth providers chose to sever ties with the company.

Spammers and Internet service providers (ISPs) that facilitate such activity often hijack Internet address ranges that have gone unused for periods of time. Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.

For years, security researchers have tracked the suspected theft of millions of IPv4 Internet addresses back to Bitcanal, which was also doing business under the name “Ebony Horizon.” Experts say shortly after obtaining a chunk of IP addresses, Bitcanal would apparently sell or lease the space to spammers, who would then begin sending junk email from those addresses — taking full advantage of the good or at least neutral Internet reputation of the previous owner to evade anti-spam blacklists.

Much of the hijacked address space routed by Bitcanal was once assigned to business entities that no longer exist. But some of the more brazen hijacks attributed to Bitcanal and its customers involved thousands of Internet addresses assigned to active organizations, such as the company’s well-documented acquisition of address space assigned to the Texas State Attorney General’s office, as well as addresses managed by the U.S. Department of Defense.

Bitcanal’s reputation finally caught up with the company late last month, when anti-spam activist and researcher Ron Guilmette documented yet another new major IP address hijack at the company and challenged Bitcanal’s upstream Internet providers to stop routing traffic for it (KrebsOnSecurity has published several stories about previous high-profile IP address hijacks involving spammers who were flagged by Guilmette).

Guilmette said Bitcanal and its proprietor — Portuguese businessman Joao Silveira — have a well-documented history of “behaving badly and coloring outside the lines for literally years.”

“His actions in absconding with other people’s IP address space, over the years, are those of either a spoiled child or else those of a sociopath, depending on one’s personal point of view,” Guilmette said. “In either case the Internet will, by and large, be glad to see his backside, and will be better off without him.”

Doug Madory, a researcher for Internet performance management firm Dyn (now owned by Oracle), published a blog post chronicling Bitcanal’s history as an address “hijack factory.” That post also documents the gradual ostracization of Bitcanal over the past week, as one major Internet exchange after another pulled the plug on the company.

Dyn’s depiction of Bitcanal’s final remaining upstream Internet provider pulling the plug on the company on July 10, effectively severing it from existence on the Web. Source: Dyn.

Reached for comment just days before Bitcanal was shunned by all of its peering providers, Mr. Silveira expressed shock and surprise over what he called unfair attacks against his company’s reputation. He blamed the besmirchment on one or two “bad” customers who abused his service over the years.

“My thought is that one or two customer in my network maybe [imitated] people acting like a client and force the errors or injecting bad network space,” Silveira said in an emailed response to KrebsOnSecurity. “I am not the problem and this public trial and conviction will not solve the prefix hijacking matter. If these questions remain without solution, those actors will keep doing it.”

Another business tied to Mr. Silveira suggests that Bitcanal/Ebony Horizon has long been actively involved in obtaining sizable chunks of Internet address space on behalf of its clients. The same contact phone number that once existed on the (now unreachable) home page of Bitcanal.com also appears on the homepage of ip4transfer.net, a company that advertises the ability to lease large chunks of Internet address space.

Bitcanal owner Joao Silveira.

The current WHOIS registration records for ip4transfer.net are mostly redacted by domain registrar GoDaddy, but the name Ebony Horizon appears as the current business name, and Mr. Silveira’s name is on the original domain registration records from 2016, according to historic WHOIS records maintained by DomainTools [full disclosure: DomainTools is an advertiser on this blog].

Much of the content on ipv4transfer.net seeks to answer questions about what customers should expect when leasing address space from the company, including the possibility that some leased address ranges could be flagged as malicious or spammy by Spamhaus.org, an anti-spam group whose spam blacklists are relied upon by many ISPs to block large-scale spam campaigns. Prior to Bitcanal’s final disconnection this week, Spamhaus had blacklisted virtually all of Bitcanal’s address ranges as sources of spam and/or malicious email.

“Legitimate IP address space brokers don’t need to spend a lot of ink telling their customers how to avoid getting their shiny new IP address blocks listed by Spamhaus, or how to get them unlisted by Spamhaus, or what to do about it if the shiny new block they just purchased is already listed by Spamhaus,” Guilmette said.

Because the global routing of Internet address space is largely based on trust relationships between and among network operators, those operators have an obligation to ensure they’re not inadvertently facilitating the hijacking of Internet address space.

Perhaps coincidentally to the disconnection of Bitcanal, the RIPE Network Coordination Centre — one of the five global Regional Internet Registries (RIRs) providing Internet address allocations — on July 10 published an analysis of route hijacking activity across the Internet. The analysis includes a set of tips for network operators to help avoid contributing to the overall problem.

Source: KREBS ON SECURITY

Patch Tuesday, July 2018 Edition

Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat.

According to security firm Qualys, all but two of the “critical” fixes in this round of updates apply to vulnerabilities in Microsoft’s browsers — Internet Explorer and Edge. Critical patches mend software flaws that can be exploited remotely by malicious software or bad guys with little to no help from the user, save for perhaps visiting a Web site or opening a booby-trapped link.

Microsoft also patched dangerous vulnerabilities in its .NET Framework (a Windows development platform required by many third-party programs and commonly found on most versions of Windows), as well as Microsoft Office. With both of these weaknesses, an attacker could trick a victim into opening an email that contained a specially crafted Office document which loads malicious code, says Allan Liska, a threat intelligence analyst at Recorded Future.

One of the more nettlesome features of Windows 10 is the operating system by default decides on its own when to install updates, very often shutting down open programs and restarting your PC in the middle of the night to do so unless you change the defaults.

Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle and an added piece of mind while you’re sitting there praying for the machine to reboot successfully after patching.

As per usual on Microsoft’s Patch Tuesday, Adobe issued an update to its Flash Player browser plugin. The latest update brings Flash to version 30.0.0.134, and patches at least two security vulnerabilities in the program. Microsoft’s patch bundle includes the Flash update as well.

Adobe says the Flash update addresses “critical” security holes, meaning they could be exploited by malware or miscreants to take complete, remote control over vulnerable systems. My standard advice is for readers to kick Flash to the curb, as it’s a buggy program that is a perennial favorite target of malware purveyors.

For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.

Another, perhaps less elegant, alternative to wholesale junking Flash is keeping it installed in a browser that you don’t normally use, and then only using that browser on sites that require Flash.

If you use Adobe Reader or Acrobat to manage PDF documents, you’re probably going to want to update these products soon: Adobe released updates for both today that fix more than 100 security vulnerabilities in the software titles.

Some folks may be unaware that there are other free PDF readers which aren’t quite as bloated as Adobe’s. Whether these alternative readers are more secure is another question; they certainly seem to be updated less frequently, but that may have something to do with the fact that they include far fewer features and likely less overall attack surface area.

I can’t recall the last time I had Adobe Reader installed on anything I own. My preferred PDF reader for Windows is Sumatra PDF, which is comparatively lightweight and very fast. Unfortunately, no matter how many times you change Sumatra to the default PDF reader on Windows 10, the operating system keeps defaulting to opening PDFs in Microsoft Edge.

For a detailed rundown of the individual vulnerabilities patched by Microsoft today, check out the SANS Internet Storm Center, which indexes the fixes by severity, how likely it is that each vulnerability will be exploited anytime soon, and whether specific flaws were publicly disclosed prior to today’s patch release.

According to SANS, at least three of the flaws — CVE-2018-8278, CVE-2018-8313, and CVE-2018-8314 — were previously disclosed publicly, meaning that attackers may have had a head start figuring out how to exploit these flaws for criminal gain.

As always, if you experience any problems installing or downloading these updates, please don’t hesitate to leave a comment. If past Patch Tuesday posts are any indicator, you may even find helpful responses or solutions from other readers experiencing the same issues.

Source: KREBS ON SECURITY