
1089 matches found

Krebs on Security
added 2018/11/07 5:49 a.m. | 58 views

Busting SIM Swappers and SIM Swap Myths

KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized "SIM swaps" -- a complex form of mobile phone fraud that is often use...

AI score: 6.8 | Exploits: 0

Krebs on Security
added 2018/11/04 7:10 p.m. | 120 views

Who’s In Your Online Shopping Cart?

Crooks who hack online merchants to steal payment card data are constantly coming up with crafty ways to hide their malicious code on Web sites. In Internet ages past, this often meant obfuscating it as giant blobs of gibberish text that was obvious even to the untrained eye. These days, a...

AI score: 6.7 | Exploits: 0

Krebs on Security
added 2018/11/02 3:3 p.m. | 113 views

SMS Phishing + Cardless ATM = Profit

Thieves are combining SMS-based phishing attacks with new "cardless" ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works. A number of financial institutions are now offering cardless ATM transactions that allow customers to...

AI score: 6.3 | Exploits: 0

Krebs on Security
added 2018/11/01 4:47 p.m. | 96 views

Equifax Has Chosen Experian. Wait, What?

A year after offering free credit monitoring to all Americans on account of its massive data breach that exposed the personal information of nearly 148 million people, Equifax now says it has chosen to extend the offer by turning to a credit monitoring service offered by a top competitor --...

AI score: 6.6 | Exploits: 0

Krebs on Security
added 2018/10/26 8:36 p.m. | 182 views

Mirai Co-Author Gets 6 Months Confinement, $8.6M in Fines for Rutgers Attacks

The convicted co-author of the highly disruptive Mirai botnet malware strain has been sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $8.6 million in restitution for repeatedly using Mirai to take down Internet services at Rutgers University, his alm...

AI score: 6.9 | Exploits: 0

Krebs on Security
added 2018/10/25 4:11 p.m. | 93 views

How Do You Fight a $12B Fraud Problem? One Scammer at a Time

The fraudsters behind the often laughable Nigerian prince email scams have long since branched out into far more serious and lucrative forms of fraud, including account takeovers, phishing, dating scams, and malware deployment. Combating such a multifarious menace can seem daunting, and it calls...

AI score: 6.7 | Exploits: 0

Krebs on Security
added 2018/10/22 7:55 p.m. | 72 views

Who Is Agent Tesla?

A powerful, easy-to-use password stealing program known as Agent Tesla has been infecting computers since 2014, but recently this malware strain has seen a surge in popularity -- attracting more than 6,300 customers who pay subscription fees to license the software. Although Agent Tesla includes ...

AI score: 7 | Exploits: 0

Krebs on Security
added 2018/10/13 1:3 a.m. | 126 views

Supply Chain Security 101: An Expert’s View

Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain...

AI score: 6.6 | Exploits: 0

Krebs on Security
added 2018/10/11 7:34 a.m. | 71 views

Patch Tuesday, October 2018 Edition

Microsoft this week released software updates to fix roughly 50 security problems with various versions of its Windows operating system and related software, including one flaw that is already being exploited and another for which exploit code is publicly available. The zero-day bug --...

AI score: 0.3 | EPSS: 0.73106 | Exploits: 11

Krebs on Security
added 2018/10/10 12:41 a.m. | 117 views

Naming & Shaming Web Polluters: Xiongmai

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai -- a Chinese maker of electronic parts th...

AI score: 8.5 | EPSS: 0.01251 | Exploits: 4

Krebs on Security
added 2018/10/05 7:45 p.m. | 61 views

Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It?

From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times. Bloomberg Businessweek on Thursday published a bombshell investigation allegi...

AI score: 7.6 | Exploits: 0

Krebs on Security
added 2018/10/02 11:42 p.m. | 56 views

When Security Researchers Pose as Cybercrooks, Who Can Tell the Difference?

A ridiculous number of companies are exposing some or all of their proprietary and customer data by putting it in the cloud without any kind of authentication needed to read, alter or destroy it. When cybercriminals are the first to discover these missteps, usually the outcome is a demand for mon...

AI score: 6.8 | Exploits: 0

Krebs on Security
added 2018/10/01 2:2 p.m. | 65 views

Voice Phishing Scams Are Getting More Clever

Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it's easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you're too smart to fall for one?...

AI score: 6.2 | Exploits: 0

Krebs on Security
added 2018/09/28 7:36 p.m. | 39 views

Facebook Security Bug Affects 90M Users

Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles. In a short blog post published this afternoon, Facebook said hackers hav...

AI score: 6.9 | Exploits: 0

Krebs on Security
added 2018/09/27 8:45 p.m. | 34 views

Secret Service Warns of Surge in ATM ‘Wiretapping’ Attacks

The U.S. Secret Service is warning financial institutions about a recent uptick in a form of ATM skimming that involves cutting cupcake-sized holes in a cash machine and then using a combination of magnets and medical devices to siphon customer account data directly from the card reader inside th...

AI score: 7 | Exploits: 0

Krebs on Security
added 2018/09/24 4:34 p.m. | 45 views

Beware of Hurricane Florence Relief Scams

If you're thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability fo...

AI score: 6.6 | Exploits: 0

Krebs on Security
added 2018/09/21 4:31 p.m. | 54 views

Credit Freezes are Free: Let the Ice Age Begin

It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you've been holding out because you're not particularly worried about ID...

AI score: 6.8 | Exploits: 0

Krebs on Security
added 2018/09/19 4:54 p.m. | 53 views

Mirai Botnet Authors Avoid Jail Time

Citing "extraordinary cooperation" with the government, a court in Alaska on Tuesday sentenced three men to probation, community service and fines for their admitted roles in authoring and using "Mirai," a potent malware strain used in countless attacks designed to knock Web sites offline --...

AI score: 7.2 | Exploits: 0

Krebs on Security
added 2018/09/17 9:57 p.m. | 66 views

GovPayNow.com Leaks 14M+ Records

Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six...

AI score: 6.7 | Exploits: 0

Krebs on Security
added 2018/09/12 8:58 p.m. | 64 views

U.S. Mobile Giants Want to be Your Online Identity

The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer's phone and mobile subscriber account, such as location, customer reputation, and physical...

AI score: 6.6 | Exploits: 0

Krebs on Security
added 2018/09/11 8:35 p.m. | 157 views

Patch Tuesday, September 2018 Edition

Adobe and Microsoft today each released patches to fix serious security holes in their software. Adobe pushed out a new version of its beleaguered Flash Player browser plugin. Redmond issued updates to address at least 61 distinct vulnerabilities in Microsoft Windows and related programs, includi...

AI score: 0.5 | EPSS: 0.1853 | Exploits: 7

Krebs on Security
added 2018/09/11 2:26 a.m. | 46 views

In a Few Days, Credit Freezes Will Be Fee-Free

Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you've been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or...

AI score: 6.7 | Exploits: 0

Krebs on Security
added 2018/09/06 3:51 p.m. | 60 views

Leader of DDoS-for-Hire Gang Pleads Guilty to Bomb Threats

A 19-year-old man from the United Kingdom who headed a cybercriminal group whose motto was "Feds Can't Touch Us" pleaded guilty this week to making bomb threats against thousands of schools. On Aug. 31, officers with the U.K.'s National Crime Agency (NCA) arrested Hertfordshire resident George...

AI score: 6.9 | Exploits: 0

Krebs on Security
added 2018/09/05 10:55 p.m. | 54 views

Browser Extensions: Are They Worth the Risk?

Popular file-sharing site Mega.nz is warning users that cybercriminals hacked its browser extension for Google Chrome so that usernames and passwords submitted through the browser were copied and forwarded to a rogue server in Ukraine. This attack serves as a fresh reminder that legitimate browse...

AI score: 6.8 | Exploits: 0

Krebs on Security
added 2018/09/04 5:22 p.m. | 73 views

For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records

mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data...

AI score: 7 | Exploits: 0

Krebs on Security
added 2018/09/03 2:31 a.m. | 66 views

Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted

A 20-year-old from Vancouver, Washington was indicted last week on federal hacking charges and for allegedly operating the "Satori" botnet, a malware strain unleashed last year that infected hundreds of thousands of wireless routers and other "Internet of Things" (IoT) devices. This outcome is hard...

AI score: 6.9 | Exploits: 0

Krebs on Security
added 2018/08/29 10:59 p.m. | 48 views

Instagram’s New Security Tools are a Welcome Step, But Not Enough

Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does...

AI score: 7.4 | Exploits: 0

Krebs on Security
added 2018/08/28 1:27 p.m. | 25 views

Fiserv Flaw Exposed Customer Data at Hundreds of Banks

Fiserv, Inc., a major provider of technology services to financial institutions, just fixed a glaring weakness in its Web platform that exposed personal and financial details of countless customers across hundreds of bank Web sites, KrebsOnSecurity has learned. Brookfield, Wisc.-based Fiserv...

AI score: 6.5 | Exploits: 0

Krebs on Security
added 2018/08/25 11:35 p.m. | 61 views

Who’s Behind the Screencam Extortion Scam?

The sextortion email scam last month that invoked a real password used by each recipient and threatened to release embarrassing Webcam videos almost certainly was not the work of one criminal or even one group of criminals. Rather, it's likely that additional spammers and scammers piled on with...

AI score: 6.8 | Exploits: 0

Krebs on Security
added 2018/08/23 8:22 p.m. | 102 views

Experts Urge Rapid Patching of ‘Struts’ Bug

In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw -- in a Web component known as Apache Struts -- led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing...

AI score: 0.4 | EPSS: 0.99993 | Exploits: 41

Krebs on Security
added 2018/08/22 4:58 p.m. | 77 views

Alleged SIM Swapper Arrested in California

Authorities in Santa Clara, Calif. have arrested and charged a 19-year-old area man on suspicion of hijacking mobile phone numbers as part of a scheme to steal large sums of bitcoin and other cryptocurrencies. The arrest is the third known law enforcement action this month targeting "SIM swappers,"...

AI score: 6.9 | Exploits: 0

Krebs on Security
added 2018/08/17 7:27 p.m. | 61 views

Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning

On Sunday, Aug. 12, KrebsOnSecurity carried an exclusive: The FBI was warning banks about an imminent "ATM cashout" scheme about to unfold across the globe, thanks to a data breach at an unknown financial institution. On Aug. 14, a bank in India disclosed hackers had broken into its servers,...

AI score: 6.7 | Exploits: 0

Krebs on Security
added 2018/08/16 5:1 p.m. | 55 views

Hanging Up on Mobile in the Name of Security

An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like the...

AI score: 7.1 | Exploits: 0

Krebs on Security
added 2018/08/15 2:52 p.m. | 71 views

Patch Tuesday, August 2018 Edition

Adobe and Microsoft each released security updates for their software on Tuesday. Adobe plugged five security holes in its Flash Player browser plugin. Microsoft pushed 17 updates to fix at least 60 vulnerabilities in Windows and other software, including two "zero-day" flaws that attackers were...

AI score: 1 | EPSS: 0.73968 | Exploits: 1

Krebs on Security
added 2018/08/13 12:28 a.m. | 74 views

FBI Warns of ‘Unlimited’ ATM Cashout Blitz

The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an "ATM cash-out," in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to...

AI score: 7.2 | Exploits: 0

Krebs on Security
added 2018/08/07 7:27 p.m. | 64 views

Florida Man Arrested in SIM Swap Conspiracy

Police in Florida have arrested a 25-year-old man accused of being part of a multi-state cyber fraud ring that hijacked mobile phone numbers in online attacks that siphoned hundreds of thousands of dollars worth of bitcoin and other cryptocurrencies from victims. On July 18, 2018, Pasco County...

AI score: 7.3 | Exploits: 0

Krebs on Security
added 2018/08/03 3:48 p.m. | 57 views

Credit Card Issuer TCM Bank Leaked Applicant Data for 16 Months

TCM Bank, a company that helps more than 750 small and community U.S. banks issue credit cards to their account holders, said a Web site misconfiguration exposed the names, addresses, dates of birth and Social Security numbers of thousands of people who applied for cards between early March 2017...

AI score: 6.6 | Exploits: 0

Krebs on Security
added 2018/08/02 3:11 p.m. | 44 views

The Year Targeted Phishing Went Mainstream

A story published here on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason -- sex sells the second most-read piece here was my 2015 scoo...

AI score: 7.1 | Exploits: 0

Krebs on Security
added 2018/08/02 12:55 a.m. | 52 views

Reddit Breach Highlights Limits of SMS-Based Authentication

Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn't seem too severe. What's interesting about the incident is that it showcases once again why relying on mobile text...

AI score: 7.3 | Exploits: 0

Krebs on Security
added 2018/07/27 3:45 p.m. | 15 views

State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China

Here's a timely reminder that email isn't the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned. This...

AI score: 6.6 | Exploits: 0

Krebs on Security
added 2018/07/25 10:20 p.m. | 247 views

LifeLock Bug Exposed Millions of Customer Email Addresses

Identity theft protection firm LifeLock -- a company that's built a name for itself based on the promise of helping consumers protect their identities online -- may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its si...

AI score: 6.8 | Exploits: 0

Krebs on Security
added 2018/07/24 1:38 p.m. | 39 views

Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M

Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses. According to a lawsuit filed...

AI score: 7.1 | Exploits: 0

Krebs on Security
added 2018/07/23 11:34 a.m. | 49 views

Google: Security Keys Neutralized Employee Phishing

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. A YubiKey Security Key made by...

AI score: 7.1 | Exploits: 0

Krebs on Security
added 2018/07/19 9:8 p.m. | 43 views

Human Resources Firm ComplyRight Breached

Cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardized sensitive consumer information -- including names, addresses, phone numbers, email addresses and Social Security numbers -- from tax forms submitted by the company's thousand...

AI score: 6.9 | Exploits: 0

Krebs on Security
added 2018/07/16 7:9 p.m. | 97 views

‘LuminosityLink RAT’ Author Pleads Guilty

A 21-year-old Kentucky man has pleaded guilty to authoring and distributing a popular hacking tool called "LuminosityLink," a malware strain that security experts say was used by thousands of customers to gain unauthorized access to tens of thousands of computers across 78 countries worldwide. Th...

AI score: 7.3 | Exploits: 0

Krebs on Security
added 2018/07/12 2:19 p.m. | 25 views

Sextortion Scam Uses Recipient’s Hacked Passwords

Here's a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who's compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release th...

AI score: 6.8 | Exploits: 0

Krebs on Security
added 2018/07/11 5:19 p.m. | 65 views

Notorious ‘Hijack Factory’ Shunned from Web

Score one for the good guys: Bitcanal, a Portuguese Web hosting firm long accused of helping spammers hijack large swaths of dormant Internet address space over the years, was summarily kicked off the Internet this week after a half-dozen of the company's bandwidth providers chose to sever ties...

AI score: 6.8 | Exploits: 0

Krebs on Security
added 2018/07/11 2:34 a.m. | 82 views

Patch Tuesday, July 2018 Edition

Microsoft and Adobe each issued security updates for their products today. Microsoft's July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster...

AI score: 7 | EPSS: 0.06413 | Exploits: 0

Krebs on Security
added 2018/07/06 3:53 p.m. | 69 views

ExxonMobil Bungles Rewards Card Debut

Energy giant ExxonMobil recently sent snail mail letters to its Plenti rewards card members stating that the points program was being replaced with a new one called Exxon Mobil Rewards+. Unfortunately, the letter includes a confusing toll free number and directs customers to a parked page that...

AI score: 6.6 | Exploits: 0

Krebs on Security
added 2018/06/28 5:50 p.m. | 52 views

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data -- including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is a...

AI score: 6.9 | Exploits: 0

Total number of security vulnerabilities: 1089