Cybersecurity News of the Week, November 27, 2022

A weekly aggregation of important cybersecurity and privacy news designed to educate, support, and advocate, helping you meet your data care challenges and responsibilities.

Stan’s Top of the News

Be careful out there. It’s the holiday season and the scammers are out in force. Don’t trust emails claiming to be from the government. Don’t trust text messages claiming to be from a charity. Don’t trust voice calls claiming to be from your bank. Don’t trust. Period.

  • Preparing for the Holidays? So Are Criminals: Report Warns of Spike in Scam Attempts During the Holidays. … A new AARP Fraud Watch Network™ report highlights the ways criminals may target U.S. consumers this year and underscores the importance of knowing how to spot a scam during the holiday season. AARP, November 2022

How Hackable Are You? Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz, as your answers will help you and guide us to improve community safety.

Cyber Humor

Cybersecurity Nonprofit of the Week … US Valor

Kudos again this week to US Valor, a nonprofit with two intertwined objectives: (1) helping veterans transition back into civilian life and (2) helping America meet our cybersecurity workforce challenge. US Valor does this through an innovative Department of Labor approved Apprenticeship Program. The US Valor Cybersecurity Apprenticeship Program (CAP) is all about helping transitioning military personnel and U.S. Veterans experience a smooth transition from military life to the civilian world through its Department of Labor Registered Apprenticeship Program (RAP). I’m a proud member of US Valor’s Advisory Board and I encourage you to support them during this season of giving.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn

Live on Cyber with Dr. Stan Stahl: Julie and I both took the week off to be with family. Here’s last week’s discussion with my friend and colleague Kelly Kendall. Kelly’s the founder / CEO of US Valor, this week’s Cybersecurity Nonprofit. Join Kelly and me as we discuss US Valor’s innovative program to meet the twin challenges of (i) helping veterans transition back into civilian life and (ii) meeting our cybersecurity workforce challenge. 

Section 2 – Personal Data Care – Security and Privacy

Important data care stories for protecting yourself and your family.

In case you need more reasons not to trust online.

  • Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware: A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware. … Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name DEV-0569. … The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom. The Hacker News, November 19, 2022
  • Thinking about taking your computer to the repair shop? Be very afraid: If you’ve ever worried about the privacy of your sensitive data when seeking a computer or phone repair, a new study suggests you have good reason. It found that privacy violations occurred at least 50 percent of the time, not surprisingly with female customers bearing the brunt. … Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information. ars technica, November 22, 2022
  • Scammers are targeting Californians’ Middle Class Tax Refund payments. Here’s what to know: LOS ANGELES (KABC) — Scammers are using text messages in an effort to steal Californians’ Middle Class Tax Relief payments, prompting Los Angeles City Attorney Mike Feuer to issue a warning to the public. ABC7, KABC Los Angeles, November 21, 2022
  • 42,000 phishing domains discovered masquerading as popular brands: According to researchers, this scam is highly sophisticated and large-scale, targeting brands like McDonald’s, Unilever, Emirates, Knorr, Coca-Cola, etc. … Security researchers at Cyjax have uncovered a highly sophisticated and large scale phishing campaign in which the threat actors used as many as 42,000 phishing domains to distribute malware and gain ad revenue. … Cyjax researchers noted that the threat actors have links to China and have been active since 2017. So far, the attackers, identified as the Fangxiao group, have spoofed over 400 brands from the banking, retail, travel, transport, pharmaceutical, energy, and finance sectors. … The group operates an extensive network comprising 42,000 domains used for impersonating famous brands. Their latest campaign aims to generate revenue from users who pay for traffic. At least 24,000 survey/landing domains have been used by the attackers to promote this scam since March 2022. … Fangxiao lures unsuspecting users to the malicious domains through WhatsApp messaging, informing them that they have won a prize. The users are redirected to fake dating sites, Amazon via affiliate links, adware, and giveaway sites. These sites appear convincing enough to the user. This brand impersonation campaign spoofs well-reputed names like McDonald’s, Unilever, Emirates, Knorr, and Coca-Cola. Hackread, November 21, 2022
  • Instagram Impersonators Target Thousands, Slipping by Microsoft’s Cybersecurity: The socially engineered campaign used a legitimate domain to send phishing emails to large swaths of university targets. … Cyberattackers have targeted students at national educational institutions in the US with a sophisticated phishing campaign that impersonated Instagram. The unusual aspect of the gambit is that they used a valid domain in an effort to steal credentials, bypassing both Microsoft 365 and Exchange email protections in the process. … The socially engineered attack, which has targeted nearly 22,000 mailboxes, used the personalized handles of Instagram users in messages informing would-be victims that there was an “unusual login” on their account, according to a blog post published on Nov. 17 by Armorblox Research Team. … The login lure is nothing new for phishers. But attackers also sent the messages from a valid email domain, making it much harder for both users and email-scanning technology to flag messages as fraudulent, the researchers said. … “Traditional security training advises looking at email domains before responding for any clear signs of fraud,” they explained in the post. “However, in this case, a quick scan of the domain address would not have alerted the end user of fraudulent activity because of the domain’s validity.” DARK Reading, November 17, 2022
  • ‘Patch Lag’ Leaves Millions of Android Devices Vulnerable: Months after a fix was issued by a vendor, downstream Android device manufacturers still haven’t patched, highlighting a troubling trend. … It’s called a “patch gap” and describes the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers. And the latest casualties are the millions of Pixel, Samsung, Xiaomi, and other Android device brands. … According to Google’s Project Zero, after its team discovered five separate bugs in the ARM Mali GPU driver, ARM “promptly” issued a patch in July and August. Yet, Project Zero reported that every test device they looked at this week remains vulnerable. … There is some light at the end of the tunnel: The Android and Pixel teams said this week, “The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements.” … Until there’s a better solution for tightening up the lag between the time a patch is issued and reaches the wider ecosystem, it’s up to security teams to remain “vigilant,” the Google Project Zero team advised.

A well-written analysis on passwords gives several tips for protecting your online accounts.

  • Microsoft’s latest data on hacks and why you may need new login, passwords fast: If you’ve had a password hacked recently, you aren’t alone. … The volume of password attacks has soared to an estimated 921 attacks every second. That’s a 74% rise in one year, according to the latest Microsoft Digital Defense Report. … “As long as passwords are still part of the equation, they’re vulnerable,” Joy Chik, Microsoft’s vice president of identity, wrote in a September 2021 company blog post. … Here are six ways to stay protected. CNBC, November 21, 2022

Another sad story of failure on the human side of technology.

  • The long, lonely wait to recover a hacked Facebook account: Victims are losing time, money and peace of mind. Facebook is doing next to nothing. … The first time 100 people tuned in for a live stream Lucretia Groce hosted on her Facebook cooking page, she felt a rush. Some viewers, including cancer patients whose appetites had been suppressed by chemo, told Groce that watching her cook made them feel hungry again. “It really touched me,” Groce said, adding that “it felt like I had known these people forever.” … It all abruptly ended a year ago, when Groce got kicked out of her account. Someone had posted abusive content from her page, an email from Facebook said. When she tried to report the action as an error, Facebook showed her the offending post: A video of two children being forced to perform a sex act. … Her account had been hacked. Groce said she cried for hours. … Her frustrating experience is not unique. Help Desk, the personal technology section at The Washington Post, has received hundreds of emails from people locked out of their Facebook accounts with no idea how to get back in. Many lose their accounts to hackers, who take over Facebook pages to resell them or to game search-engine rankings. … In some cases, losing the account is an inconvenience. But in many others, it is a threat to the finances, relationships or well-being of the user. Groce, for instance, estimates she has lost $18,000 in income after waiting for months for her account to be unlocked. The Washington Post, November 21, 2022

Section 3 – A Deeper Look for the Cyber-Concerned Citizen

Data Care, cybersecurity, and privacy stories to keep you informed.

Several stories on the national security front point to increasing action by the US and England in the face of privacy and surveillance risks posed by the use of Chinese technology, particularly cameras.

  • U.S. Bans Chinese Telecom Equipment and Surveillance Cameras Over National Security Risk: The U.S. Federal Communications Commission (FCC) formally announced it will no longer authorize electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua, deeming them an “unacceptable” national security threat. … All these Chinese telecom and video surveillance companies were previously included in the Covered List as of March 12, 2021. … “The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” FCC Chairwoman Jessica Rosenworcel said in a Friday order. The Hacker News, November 26, 2022
  • How the Biden administration wants to tackle foreign commercial spyware: The Biden administration is preparing to roll out policy initiatives to combat commercial foreign spyware, including an executive order to limit whether and how the federal government can use it. … In a letter to Rep. Jim Himes (D-Conn.) and other House Intelligence Committee members last week, Biden officials said the executive order would “prohibit U.S. Government operational use of commercial spyware that poses counterintelligence or security risks to the United States or risks of being used improperly.” The order could come as soon as early next year – and at a time when NSO Group’s Pegasus spyware is at the center of investigations by reporters and researchers, drawing calls for action from the United States. The Washington Post, November 22, 2022
  • British government bans Chinese surveillance cameras from sensitive locations: The British government has banned departments from installing at sensitive locations surveillance cameras manufactured by Chinese companies due to potential information security issues, and is facing calls to ban them entirely from the public sector. … Announcing the findings of a security review on Thursday, the Cabinet Secretary Oliver Dowden said that the restrictions were being introduced “in light of the threat to the UK and the increasing capability and connectivity of these systems.” The Record, November 25, 2022

Russia’s invasion of Ukraine continues to have cybersecurity implications.

  • ‘They grab their lunches and sit alone’: Russians shunned at global cyber confabs: The frosty situation gives the world even less visibility into Russian cyber operations at a time when it is launching repeated digital strikes in Ukraine. … Moscow’s invasion of Ukraine has raised the risk of a global cyber war — and turned Russia into even more of a pariah at summits to secure the world’s digital infrastructure. … Russia’s destabilizing cyberattacks are the elephant in the room as the Kremlin’s diplomats attend international meetings about keeping hackers out of critical computer systems like those powering hospitals and power plants. With Moscow constantly looking for ways to sabotage Ukraine’s power grid and threatening more far-reaching actions, other nations’ cyber diplomats aren’t going out of their way to welcome their Russian colleagues warmly. … “People put an empty chair on either side of the Russians and don’t sit next to them,” Nathaniel Fick, the U.S. ambassador at large for cyberspace and digital policy, said in an interview in his State Department office. … Fick, who is two months into his job as the first Senate-confirmed top U.S. cyber diplomat, spoke to POLITICO about the tenor of international negotiations on cybersecurity, his thoughts on when NATO might invoke the all-members-to-the-defense-of-one Article 5 over a cyberattack, and how the war in Ukraine has strengthened international cyber efforts. Politico, November 23, 2022
  • European Parliament faces cyberattack from pro-Russia group after terrorism declaration: The website for the European Parliament was down for about an hour after a pro-Russian hacking group targeted it with a distributed denial-of-service (DDoS) attack. … The attack came just hours after the European Parliament designated Russia a state sponsor of terrorism. The declaration argued that Russia’s attacks on Ukrainian infrastructure, schools and hospitals violated international laws. Russia has increased its shelling of energy infrastructure in recent weeks, forcing millions of Ukrainians to go without power right as the winter season begins with bitter cold weather. The Record, November 23, 2022

Following the same strategic philosophy as SecureTheVillage, there are at least 15 information-sharing initiatives around the world in the financial services industry. Information sharing and collaboration are the great leverage opportunity in how we fight cybercrime. It’s how we make 1 + 1 = 1,000.

  • Banks Start Using Information-Sharing Tools to Detect Financial Crime: Technology can help banks team up to find money launderers, but the legal basis for information-sharing is murky in many countries. … Banks have long struggled to spot illicit transactions among the multitudes they process daily because criminals move dirty money from one institution to another to cover their tracks, leaving compliance staff with only a partial road map of their actions. … That has started to change, with financial institutions and service providers in several countries creating information-sharing platforms and messaging tools with the potential to vastly improve the detection of money laundering and fraud. … A research project supported by the Royal United Services Institute, a U.K. think tank, has identified at least 15 information-sharing initiatives around the world. Although most countries don’t allow banks to share information, several recent efforts have shown significant success in identifying crime, according to the Future of Financial Intelligence Sharing project. … Countries with information-sharing platforms include the U.S., U.K., the Netherlands and Estonia. The Wall Street Journal, July 25, 2022

Two big data loss stories this week affecting WhatsApp and Twitter users.

  • WhatsApp data leak: 500 million user records for sale: Someone is allegedly selling up-to-date mobile phone numbers of nearly 500 million WhatsApp users. A data sample investigated by Cybernews likely confirms this to be true. … On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers. … The dataset allegedly contains WhatsApp user data from 84 countries. The threat actor claims there are over 32 million US user records included. Cybernews, November 26, 2022
  • 5.4 million Twitter users’ stolen data leaked online — more shared privately: Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum. … Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors. … The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public. … While most of the data consisted of public information, such as Twitter IDs, names, login names, locations, and verified status, it also included private information, such as phone numbers and email addresses. Bleeping Computer, November 27, 2022

Three stories on legal news: the arrest of a cybercriminal gang in England; FCC action against an illegal robocaller; and a privacy settlement between Google and 40 state attorneys general.

  • More than 100 arrested in UK as fraud-as-a-service iSpoof website seized by police: More than 100 people have been arrested in the United Kingdom in what the Metropolitan Police Service described on Thursday as a take down of the country’s “biggest ever fraud operation,” with more international arrests expected to follow. … The suspects — 103 in London and 17 elsewhere in the country — are all connected to the fraud-as-a-service website iSpoof which is believed to be behind “an estimated worldwide loss in excess of £100 million” ($120 million). The Record, November 25, 2022
  • The federal government just took another big swipe at illegal robocalls: The federal government took another big swipe at illegal robocalls on Tuesday, as it moved to block a voice provider from the entire US phone network for the very first time. … The order by the Federal Communications Commission targets Global UC, a company that claims to serve more than 200 businesses globally with low-cost international calling services. … According to the FCC, Global UC’s unprecedented termination comes after it failed to comply with US regulations aimed at countering illegal robocalls. The requirements include implementing caller ID verification technology and providing the agency with explanations about how it otherwise fights spam robocalls. … While the FCC has previously issued threats to some providers warning they could be blocked from the US phone network over a repeated failure to comply, Tuesday’s action marks the first time the agency has followed through, reflecting the US government’s latest escalation against illegal robocalls. CNN Business, November 22, 2022
  • Google Reaches $391.5 Million Settlement With States Over Location Tracking Practices: Consumers who disabled their location history settings were still tracked by Google, state attorneys general say. … WASHINGTON—Google has agreed to pay $391.5 million to settle allegations that it persistently misled consumers about how it tracked them on mobile phones and other devices. … The settlement, announced by a coalition of 40 state attorneys general Monday, said that Google violated state consumer protection laws by tracking consumers even when their location history setting on their mobile phones was turned off. … “Digital platforms like Google cannot claim to provide privacy controls to users, then turn around and disregard those controls to collect and sell data to advertisers against users’ express wishes—and at great profit,” said New Jersey Attorney General Matthew Platkin in a statement. The Wall Street Journal, November 14, 2022

And finally, a great feel-good story for the holidays as a security firm knocks several cyber-criminal groups off-line.

  • A security firm hacked malware operators, locking them out of their own C&C servers: This’ll put a smile on your face: We love hearing stories of bad actors getting their comeuppance. This one is great, though, because not only did a bunch of hacker wannabes get served (literally), several of them infected themselves with malware due to misconfiguring their own equipment. … Cybersecurity startup Buguard has been hard at work hacking hackers. Using an exploit it found, it has disrupted malware and ransomware servers, locking out their operators. TechCrunch notes that the firm has effectively taken five command-and-control (C&C) servers offline, four of which have gone entirely dark. Techspot, November 23, 2022

Section 4 – Information Security and Privacy Management in the Organization

Stories to support executives and top management in managing cyber-risk, securing their organizations and protecting privacy.

Two stories this week from The Wall Street Journal’s Risk & Compliance Journal by Deloitte. The first is required reading for those concerned about privacy ethics.

  • Data Privacy, Ethics Gaps an ‘Existential Threat,’ Says OneTrust CSO: Managing data privacy and ethics goes far beyond typical data security measures and is critical to continued innovation … As computational power becomes more cost-effective and readily available, and data sharing in the cloud is increasingly the norm, the question is no longer what organizations can do with data, but what should they do. … “I fundamentally believe everything innovative in the future will rely on and use data—period,” says Blake Brannon, chief product and strategy officer at trust intelligence software company OneTrust. … Unlocking the potential of that data will demand a better understanding of the privacy and ethics implications and strategies for managing them, Brannon said during a recent episode of Deloitte’s CDO LinkedIn Live Series “Winning with Data.” Brannon joined Juan Tello, a principal at Deloitte Consulting LLP and chief data officer for Deloitte LLP, and Lacy Blalock, a vice president at Deloitte Consulting LLP, to share his thoughts on how organizations can navigate this nuanced and rapidly evolving challenge. Risk & Compliance Journal by Deloitte, The Wall Street Journal, November, 2022
  • Hot Market for Cyber Insurance Begins to Stabilize: An explosion in ransomware has led to high premiums, but the market shows signs of cooling off. … The market for cyber insurance has begun to stabilize after a surge in ransomware attacks in recent years propelled a steep rise in premiums, observers say. … Cyber insurance can pay ransoms to hackers who lock company technology systems, or it can help offset the cost of responding to data breaches. Now, the premium increases of recent years seem to be slowing, if not halting entirely, as insurers get better at evaluating risks, new market entrants begin offering coverage, and supply and demand assert themselves. … “Things are looking better,” said Jason Krauss, head of North America cyber product coverage for insurance brokerage WTW. “It’s amazing, right, that I would tell you that a 20% increase [in premiums] isn’t bad. But it’s seen as a good thing.” Risk & Compliance Journal by Deloitte, The Wall Street Journal, November, 2022

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge