Cybercrimes and Scams - 2022

Stories and headlines related to cybercrimes and scams, digital hygiene and privacy, and other consumer-related bulletins.

July

T-Mobile reaches historic $350 million settlement in 2021 data breach

PUBLISHED: July 25, 2022

T-Mobile on Friday said it agreed to pay $350 million to a group of victims and commit $150 million extra to security upgrades to settle a class-action lawsuit brought in the wake of a 2021 hack of sensitive customer data.

The settlement would be one of the largest data breach penalties levied against a company in the U.S. — only Equifax, which agreed in 2019 to pay at least $575 million to settle allegations tied to a 2017 data breach brought by the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories, has faced steeper penalties.

“Like Equifax, they have a settlement that seems both large and small at the same time,” said Melissa Krasnow, a partner at VLP Law Group who specializes in data security and privacy, who emphasized that government investigations would continue even after a class-action settlement is paid out. “It seems huge, but just as with Equifax I wonder if there’s more [to come].”

The breach, which T-Mobile disclosed last August, was originally believed to have affected about 50 million people in the U.S., but that number was later revised to 76.6 million people. Exposed information included customers’ first and last names, Social Security numbers and driver’s license information.

A 21-year-old living in Turkey took credit for the attack, and said he did it to gain attention, The Wall Street Journal reported.

Sources:

T-Mobile reaches historic $350 million settlement in 2021 data breach | The Record by Recorded Future

LinkedIn remains the most impersonated brand in phishing attacks

PUBLISHED: July 20, 2022

LinkedIn is holding the top spot for the most impersonated brand in phishing campaigns observed during the second quarter of 2022. Statistical data from cybersecurity company Check Point shows that the social platform for professionals is at the top of the list for the second quarter in a row.

Compared to the first quarter of the year, LinkedIn impersonation dropped from 52% to 45%. However, it maintains a considerable distance from the second most imitated brand by fraudsters, Microsoft, currently at 13%. The central theme in spoofed Microsoft emails is requests to verify Outlook accounts to steal usernames and passwords.

DHL currently holds the third spot in the list with 12%, down from 14%. Amazon rose to the fourth position, jumping from 2% in Q1 2022 to 9% this quarter, while Apple follows in fifth place with 3%, also a notable increase compared to last quarter’s 0.8%. In the case of Amazon, the phishing emails attempt to steal the target’s billing information, including full credit card data, the researchers say.

With access to a LinkedIn account, a threat actor could deploy targeted phishing campaigns to reach the victim's coworkers or valuable individuals in their connections network. Another reason for targeting LinkedIn accounts is that they can be used to set up fake job offer campaigns. In a recent example, North Korean hackers were able to trick an employee of a token-based online video game into downloading a malicious PDF that allowed the threat actor to steal $620 million worth of cryptocurrency.

Sources:

LinkedIn remains the most impersonated brand in phishing attacks | Bleeping Computer

Hackers steal 50,000 credit cards from 300 U.S. restaurants

PUBLISHED: July 19, 2022

Payment card details from customers of more than 300 restaurants have been stolen in two web-skimming campaigns targeting three online ordering platforms. Web-skimmers, or Magecart malware, are typically JavaScript code that collects credit card data when online shoppers type it on the checkout page.
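Because a web skimmer is just one more script on the checkout page, the first defensive step is an inventory of what that page actually loads. The script below is an added example, not Recorded Future's or Bleeping Computer's tooling: it parses a constructed checkout page, flags script sources whose host is not on a hypothetical allowlist, flags allowed third-party scripts that carry no Subresource Integrity attribute, and applies a simple keyword heuristic to inline scripts that both touch card fields and send data somewhere. All hostnames, the allowlist and the HTML are made up for the example.

```python
"""Added example: inventory the <script> tags on a checkout page and report
the ones a defender should review. Constructed sample data throughout."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"  # hypothetical shop origin
# Hypothetical allowlist: origins the shop knowingly loads scripts from.
ALLOWED_SCRIPT_HOSTS = {FIRST_PARTY, "cdn.shop.example", "js.payments.example"}

# Heuristic only: an inline script that mentions card fields AND a way to send
# data off-page deserves a human look. Keyword lists are illustrative.
CARD_HINTS = ("card", "cvv", "cvc", "expir")
SEND_HINTS = ("fetch(", "xmlhttprequest", "sendbeacon", "new image(")


class ScriptCollector(HTMLParser):
    """Collect (src, integrity, inline_body) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = [a.get("src"), a.get("integrity"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2] += data  # script bodies may arrive in chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None


def review_checkout_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (finding_kind, detail) tuples in document order."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity, body in parser.scripts:
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host not in allowed:
                findings.append(("unknown-origin", src))
            elif host != FIRST_PARTY and integrity is None:
                findings.append(("missing-sri", src))
        else:
            text = body.lower()
            if any(h in text for h in CARD_HINTS) and any(h in text for h in SEND_HINTS):
                findings.append(("inline-card-send-pattern", body.strip()[:60]))
    return findings


# Constructed checkout page: one first-party script, two allowed third-party
# scripts (one with SRI, one without), one unexpected host, one inline script.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://js.payments.example/v1/checkout.js"></script>
<script src="https://cdn.shop.example/analytics.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn-statics.example/jquery.min.js"></script>
</head><body>
<form id="checkout"><input id="card-number"><input id="cvv"></form>
<script>
  /* constructed placeholder, not working code: reads #card-number and cvv,
     then calls fetch( toward an external host */
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in review_checkout_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:26s} {detail}")
```

Run against a real page the allowlist has to come from the shop's own deployment manifest, and the inline heuristic will produce false positives on legitimate payment code; the point is that every script on a card-entry page should be accounted for, and a hash-pinned (SRI) or Content Security Policy-restricted page makes an injected script fail loudly instead of quietly.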

Recently, Recorded Future’s threat detection tools identified two Magecart campaigns injecting malicious code into the online ordering portals of MenuDrive, Harbortouch, and InTouchPOS. As a result, 50,000 payment cards were stolen and have already been offered for sale on various marketplaces on the dark web.

According to Recorded Future, both campaigns are ongoing, and their corresponding exfiltration domains are still online and operational. The security firm has alerted all impacted entities of the compromise, but they have not received a response yet. Law enforcement agencies and payment platforms have been informed accordingly.

Sources:

Hackers steal 50,000 credit cards from 300 U.S. restaurants | Bleeping Computer

June

9 arrested in Netherlands after Europol raids on phishing gang

PUBLISHED: June 21, 2022

Nine people were arrested on Tuesday during raids on 24 homes across the Netherlands as Belgian and Dutch police partnered with Europol to shut down an alleged criminal gang involved in lucrative phishing scams.

In a statement, Europol said the raids “dismantled” an organized crime group that conducted a range of fraud, scams and money laundering. Guns, ammunition, jewelry, electronic devices, thousands of euros and cryptocurrency were seized during the operation. Dutch Police released their own statement on the raids, which it said were conducted in Amsterdam, Central Netherlands, West Brabant, Rotterdam, Eastern Netherlands and The Hague.

Europol confirmed that the group typically contacted victims through email, text message and mobile messaging applications. “These messages were sent by the members of the gang and contained a phishing link leading to a bogus banking website,” Europol said.  “Thinking they were viewing their own bank accounts through this website, the victims were duped into providing their banking credentials to the suspects. The investigative leads suggest that the criminal network managed to steal several million euros from their victims with this fraudulent activity.”

The group allegedly used money mules to get the money out of victim accounts and some members of the gang are reportedly connected to drug and firearm trafficking. Europol said it sent three experts to the Netherlands and helped coordinate the raid with Police Fédérale/Federale Politie in Belgium and the Dutch Police.

Sources:

9 arrested in Netherlands after Europol raids on phishing gang | The Record by Recorded Future

Arizona hospital says SSNs of 700,000 people leaked during April ransomware attack

PUBLISHED: June 13, 2022

A major hospital in Yuma, Arizona is sending breach notification letters to more than 700,000 patients after a ransomware attack in April led to a data breach involving Social Security numbers.

In letters to victims recently made public, Yuma Regional Medical Center (YRMC) said it discovered a ransomware attack on April 25 and immediately took systems offline before contacting cybersecurity experts and law enforcement. “The investigation determined that an unauthorized person gained access to our network between April 21, 2022, and April 25, 2022, and removed a subset of files from our systems,” the organization said. “The files contained certain patient information, including names, Social Security numbers, health insurance information and limited medical information relating to care as a YRMC patient.”

Ransomware attacks on healthcare organizations have continued throughout 2021 and 2022, including a recent attack on a California nonprofit in March by the Hive ransomware group.

FBI Director Christopher Wray said last week that an Iran-based group attacked the Boston Children’s Hospital with ransomware last June.

Sources:

Arizona hospital says SSNs of 700,000 people leaked during April ransomware attack | The Record by Recorded Future

May

Wedding site Zola confirms hack after several users report attacks

PUBLISHED: May 26, 2022

The popular wedding planning website Zola, known for its online gift registries, guest list management, and wedding websites, confirmed Monday that hackers had managed to access the accounts of a number of its users and tried to initiate fraudulent cash transfers.

Several Reddit users said they received emails this weekend showing charges of hundreds of dollars in either gift cards or monetary gifts. Some users said the email connected to their account was changed, making it impossible for them to log into their accounts. Others wrote that the money in their honeymoon funds had been transferred out or used to purchase gift cards. Several other users said the credit cards associated with their Zola accounts were used to make high-priced purchases, even if they had not stored the card on the site and had only used it to shop on the platform.

Zola does not currently provide any two-factor authentication for account users, making credential stuffing attacks far easier to achieve. The lack of a secondary authentication process goes against best practice for a site like Zola, which handles a large amount of personally and financially sensitive user data.
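Credential stuffing leaves a recognisable trace in authentication logs: one source address trying many different accounts in a short window, with the occasional success where a reused password matched. The script below is an added example, not Zola's or The Verge's code, that runs that check over a few constructed log lines. The log format, the addresses (RFC 5737 test ranges) and the thresholds are all assumptions for the example.

```python
"""Added example: flag credential-stuffing sources in an auth log.
Log format, thresholds and all sample data are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical one-line-per-attempt format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 walks through six accounts and gets into one;
# 198.51.100.9 is a normal user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
2022-05-21T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2022-05-21T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2022-05-21T10:00:02Z ip=203.0.113.7 user=carol@example.com result=fail
2022-05-21T10:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2022-05-21T10:00:04Z ip=203.0.113.7 user=erin@example.com result=fail
2022-05-21T10:00:05Z ip=203.0.113.7 user=frank@example.com result=ok
2022-05-21T10:02:11Z ip=198.51.100.9 user=grace@example.com result=fail
2022-05-21T10:02:40Z ip=198.51.100.9 user=grace@example.com result=ok
"""


def parse_events(log_text):
    """Yield dicts for well-formed lines; silently skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def find_stuffing_sources(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {ip: details} for sources that failed against at least
    `min_distinct_users` different accounts inside any `window`."""
    per_ip = defaultdict(list)
    for ev in parse_events(log_text):
        per_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "fail"]
        # Sliding window: for each failure as the window start, count the
        # distinct accounts that failed before the window closes.
        peak = 0
        for i, start in enumerate(failures):
            users = {e["user"] for e in failures[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(users))
        if peak >= min_distinct_users:
            flagged[ip] = {
                "distinct_failed_users": peak,
                "total_failures": len(failures),
                # Accounts that then authenticated from the same source are the
                # ones to force a password reset and session revocation on.
                "successful_logins": [e["user"] for e in events if e["result"] == "ok"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Detection like this is a backstop; it catches an attack in progress but does not prevent the first successful guess. A second authentication factor, which the text notes Zola did not offer, turns a matched password into a dead end rather than an account takeover.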

Zola has been directing any users who have been affected to contact support@zola.com for further information.

Sources:

Hackers breach Zola wedding registry accounts and make fraudulent purchases | The Verge

Zola confirms cyberattack that reportedly drained hundreds from wedding registry accounts | The Record by Recorded Future

April

German wind turbine maker shut down after cyberattack

A German wind turbine maker was forced to shut down its IT systems across multiple locations and business units after it was hit with a cyberattack on March 31. Nordex designs, sells and manufactures wind turbines, reporting nearly $6 billion in sales in 2021. The company has factories in Germany, China, Mexico, the United States, Brazil, Spain and India. Last Thursday, the company said it detected an intrusion “in an early stage” and managed to initiate response measures quickly. 

“The incident response team of internal and external security experts has been set up immediately in order to contain the issue and prevent further propagation and to assess the extent of potential exposure,” the company said in a statement. “Customers, employees, and other stakeholders may be affected by the shutdown of several IT systems. The Nordex Group will provide further updates when more information is available.”

Nordex did not respond to requests for comment about the state of its operations on Monday. 

The incident was first reported by Reuters, and German news outlet Erneuerbare Energien said on Friday that calls to the company’s office returned busy signals. The news outlet also reported that the Nordex website initially said “Due to maintenance work, we are currently unavailable. Please try again later.” The website is currently back up and running.

Sources:

March

Sharp increase in Ukraine-related spam 

PUBLISHED: March 18, 2022 

The world has responded to Russia's invasion of Ukraine with an outpouring of support for the Ukrainian people. That hasn't escaped the notice of scammers, who are all too willing to take advantage of people's desire to help. 

Spam and scam attempts will frequently reference global fundraising efforts in support of places and people in crisis, and Ukraine is no different. Proofpoint, an enterprise security company, has observed a marked increase in Ukraine-related spam since March 1st, 2022.

ukrainewelfare[.]com, a good example of this phenomenon, was registered on March 5th and is a fake Non-Governmental Organization soliciting donations and aid. The site utilizes screenshots of news clips, headlines, and photographs from the crisis in Ukraine. It also contains various links to donate cryptocurrency but, notably, does not provide specifics as to how the money will be used.

"Wherever there is war," said Bogdan Botezatu, who runs threat research at cybersecurity technology company Bitdefender, "there will be jackals trying to piggyback on people's pain." 

There's no shortage of legitimate charities raising money online to help refugees. The best way to reach them is to type their URL directly into your browser or get a link from a trusted source. If you are donating money through an organization like the American Red Cross, for example, be sure you’re on the actual Red Cross site and not a cleverly disguised phishing site. It’s easy to copy the look of a website and steal official logos. The real tipoff is the URL. Don’t rely on a link you received from someone or clicked on social media; navigate to the official website yourself. 
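"The real tipoff is the URL" is easy to say and surprisingly easy to get wrong, because the part of a link that matters is the registered domain, not whatever familiar name appears somewhere in the address. The script below is an added example, not from the original bulletin, that classifies a link against the domain a donor expects (redcross.org for the American Red Cross, used here as the expected value) and recognises the common ways a phishing link dresses itself up: the expected name used as a subdomain of some other domain, digit-for-letter lookalikes, and internationalised (punycode) hostnames. The "last two labels" rule for the registered domain is a simplification for the example; production code would consult the Public Suffix List.

```python
"""Added example: classify a donation link against the domain the donor expects.
The expected domain and all sample links are inputs to the example."""
from urllib.parse import urlparse

# Digits and letter pairs commonly swapped in for letters in lookalike domains.
_LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _normalize(name):
    return name.translate(_LOOKALIKE_MAP).replace("rn", "m").replace("vv", "w")


def registrable_domain(host):
    """Simplification: treat the last two labels as the registered domain
    (real code should use the Public Suffix List for names like co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url, expected="redcross.org"):
    """Return a short verdict for `url` relative to the expected domain."""
    # urlparse().hostname already discards any "user@" prefix, so a link like
    # https://expected.org@other.example resolves to other.example here.
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    domain = registrable_domain(host)
    if domain == expected:
        return "ok"  # includes legitimate subdomains such as www. or donate.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"  # internationalised name; may render as a lookalike
    if expected in host:
        return "expected-name-inside-other-domain"
    if _normalize(domain) == _normalize(expected):
        return "lookalike"
    return "other-domain"


def check_links(urls, expected="redcross.org"):
    """Classify several links at once; returns {url: verdict}."""
    return {u: classify_link(u, expected) for u in urls}


# Constructed sample links, none of which are real phishing sites.
SAMPLE_LINKS = [
    "https://www.redcross.org/donate",
    "https://redcross.org.secure-gift.example/",
    "https://redcr0ss.org/",
    "https://redcross.org@donate-now.example/login",
    "https://xn--rdcross-abc.org/",
]

if __name__ == "__main__":
    for url, verdict in check_links(SAMPLE_LINKS).items():
        print(f"{verdict:34s} {url}")
```

Only the first sample link is safe; the fourth illustrates why typing the address yourself, as the paragraph recommends, beats reading a link someone sent you: the familiar name is present in the link text but is not the host the browser will connect to.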

Sources: 

February

San Francisco 49ers confirm ransomware attack 

PUBLISHED: Feb. 13, 2022 

The San Francisco 49ers NFL team has fallen victim to a ransomware attack that encrypted files on its corporate IT network, a spokesperson for the team has confirmed. The team confirmed the attack after the operators of the BlackByte ransomware listed the team as one of their victims on Saturday on a dark web “leak site” the group typically uses to shame victims and force them into paying their extortion demands. 

The team said it notified law enforcement and is working with third-party cybersecurity firms to investigate the attack. 

If the team had qualified for the Super Bowl, the attack could have seriously disrupted the team’s game preparations, bringing ransomware to the forefront of the US media cycle once again after several high-profile incidents last year. It is unclear how the current attack will impact the team’s plans for the next NFL season, which will start later this month with the free agency signing period, NFL Combine event, and subsequent NFL Draft.

Source

2021 Trends Show Increased Globalized Threat of Ransomware 

PUBLISHED: Feb. 9, 2022 

CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have released a joint Cybersecurity Advisory (CSA) highlighting a global increase in sophisticated, high-impact, ransomware incidents against critical infrastructure organizations in 2021. This CSA provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware. 

CISA encourages users and administrators to review joint CSA: 2021 Trends Show Increased Globalized Threat of Ransomware and visit StopRansomware.gov for more information on protecting against and responding to ransomware attacks. 

Source