
Cybercrimes and scams - 2021

Stories and headlines related to cybercrimes and scams, digital hygiene and privacy, and other consumer-related bulletins.

Table of Contents

October

New report reveals majority of online consumers have poor security practices 

PUBLISHED: Oct. 12, 2021 

Bitdefender, a global cybersecurity leader, today released the 2021 Bitdefender Global Report: Cybersecurity and Online Behaviors, which reveals how consumers across various age groups and socio-demographic backgrounds behave on popular platforms, applications and devices, affecting cybersecurity risk. Findings show basic practices for securing data, protecting identity and sharing information are lacking despite increased threats and heightened concern over cybercrime. 

The report examines the use of popular online platforms and services, personal cybersecurity practices, level of exposure to threats and more. 

Key findings from the report include… 

  • Poor password practices are still common 

  • Many don't use cybersecurity protection software on mobile phones 

  • Mobile phone scams lead the threats 

  • Lack of child supervision poses significant security risks 

  • Majority of consumers are highly exposed 

A total of 10,124 internet users between the ages of 18 and 65 years old were polled online. Surveys were conducted across 11 countries in North America, Europe and Australia, with total data weighted according to the size of online population in each country. Data was collected and analyzed from June 2021 to August 2021. 

Source: 

  • Bitdefender

 

Amazon-owned Twitch has entire source code stolen 

PUBLISHED: Oct. 6, 2021 

Amazon-owned video game streaming site Twitch has been the victim of a devastating hack, having its entire source code, including unreleased software, SDKs, financial reports, internal red-teaming tools, and payout rates for top streamers stolen. 

An anonymous poster on the 4chan messaging board has released a 125GB torrent, which they claim includes the entirety of Twitch and its commit history. The poster claims the leak is designed to “foster more disruption and competition in the online video streaming space.” The leak has been confirmed to be legitimate and includes code that is as recent as this week. The leak is labelled as “part one,” suggesting there could be more to come. 

Twitch has officially confirmed the veracity of the breach and now says it was caused by a "server configuration change" that caused "some data" to be exposed but has yet to confirm if all the data posted online is genuine, though multiple industry publications have confirmed the stolen data is indeed authentic. 

The leak does not appear to include password or address information on Twitch users, but that does not mean this information has not been obtained as part of this breach. The leaker seems to have focused on sharing Twitch’s own company tools and information, rather than code that would include personal accounts. 

Sources: 

  • The Verge, BBC News

August

“Breach Fatigue” sets in 

PUBLISHED: Aug. 19, 2021 

A data breach that affected more than 40 million current, former and prospective T-Mobile customers is a massive cybersecurity incident that is bound to spark a public backlash. Or, then again, maybe it will be forgotten in a week… 

The proliferation of ever-larger breaches during the past decade has left the public so inured to such news that it has become increasingly less likely that a breach will make any public splash at all, no matter how big it is. It’s an effect security researchers describe as “breach fatigue.” This phenomenon has made it harder for any single data breach to galvanize action in Washington or state legislatures. 

“I think the public is already at the point of seeing tens of millions of customer accounts compromised as a non-story,” Maurice Turner, cybersecurity fellow at the German Marshall Fund’s Alliance for Securing Democracy, told me. 

“The sheer volume of this latest breach … can make it difficult to appreciate the tremendous damage being done to individuals when their information is seized by hackers,” Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, told me. 

It has also made it far more difficult for cyber educators to persuade people to adopt better behavior, such as adding extra authentication procedures to access accounts and not clicking on suspicious-looking links. 

Perhaps most concerning, it has become clear that as the public has become numb to the endless onslaught of ransomware attacks, Washington has become far less likely to focus on breaches that affect only tens of millions of victims. 

Source

  • Washington Post

March

Big chains look to monetize data gained through vaccine distribution 

PUBLISHED: March 2, 2021 

Chains such as CVS Health Corp., Walmart Inc. and Walgreens-Boots Alliance, Inc. are collecting data from millions of customers as they sign up for shots, enrolling them in patient systems and having recipients register customer profiles. 

The retailers say they are using the information to promote their stores and services, tailor marketing and keep in touch with consumers. The companies also say the information is critical in streamlining vaccinations and improving record-keeping, while ensuring only qualified people are receiving shots. 

CVS executives say they plan to stay in touch with vaccine recipients beyond receiving their second shot and use information gleaned in the process to better market to them. The company said about eight million people who received coronavirus tests from the chain hadn’t filled a prescription at a CVS in the previous year, signaling that Covid-19 services promise to bring in new customers. A CVS spokesman declined to comment on the chain’s use for marketing purposes of medical information gleaned through the vaccine process. 

Source

  • Wall Street Journal

February


 

Video game and digital entertainment studios remain prime targets for ransomware attacks 

PUBLISHED: Feb. 9, 2021 

Another video game studio has revealed it was the victim of a ransomware attack. CD Projekt S.A., creator of AAA digital products including The Witcher 3 and Cyberpunk 2077, said on Tuesday that the perpetrators of the attack were threatening to sell or leak proprietary source code and share internal documents with their “contacts in gaming journalism”. The attack comes after several high-profile stories alleging an unhealthy work culture within CD Projekt S.A. and the company’s demands on its staff. The ransom note left by the attackers alludes to these allegations. 

The attackers have also dumped or threatened to dump “documents related to accounting, administration, legal, HR, investor relations and more.” 

“We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data,” CD Projekt Red wrote in response. It added that although some devices in its network have been encrypted, “our backups remain intact,” and it has secured its IT infrastructure and started restoring data. 

This follows a similar ransomware attack in November against Capcom, a Japanese multi-national studio responsible for a number of multi-million-selling game franchises including Resident Evil and Street Fighter. 

Sources: 

  • Bloomberg, Wall Street Journal

January

January 28th is International Data Privacy Day 

PUBLISHED: Jan. 27, 2021 

Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action and stay aware and informed about how their personal information is being used, collected or shared in our digital society. 

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is observed annually on Jan. 28. On Jan. 27, 2014, the 113th U.S. Congress adopted S. Res. 337, a non-binding resolution expressing support for the designation of Jan. 28 as “National Data Privacy Day.” 

The National Cyber Security Alliance (NCSA) officially leads the Data Privacy Day campaign and is advised by a distinguished advisory committee of privacy professionals to help the campaign align with the most current privacy issues in a thoughtful and meaningful way. 

This year’s Data Privacy Day spotlights the value of information and how to “Own Your Privacy” and “Respect Privacy”. 

You can learn more about Data Privacy Day at the Mass Cyber Center or at the additional resources listed below. 

Resources: 

  • CSIAC, Stay Safe Online

 

Changes to Apple App Store could benefit privacy advocates 

PUBLISHED: Jan. 27, 2021 

Apple has updated the terms of their App Store to require software developers to include so-called “privacy labels” which list the types of data collected by an app in an easily scannable format. The labels, which resemble a nutrition marker on food packaging, were implemented in December of last year. 

Apple’s privacy labels are the latest attempt by tech developers to make security terms of service easier for the average consumer to understand. The locked or unlocked padlock icon in internet browsers, for instance, long a basic indicator of a site’s overall security, is an earlier iteration of this trend. It remains to be seen whether Apple’s new labels will demonstrably influence the choices its users make. “After they read it or look at it, does it change how they use the app or stop them from downloading the app?” asked Stephanie Nguyen, a research scientist who has studied user experience design and data privacy. 

After researching dozens of apps with a focus on their privacy labels and use of a user’s data, the New York Times discovered that apps that appear identical in function can differ vastly in how they handle our information. The comparison of two popular encrypted messaging apps, WhatsApp and Signal, illustrates this point. Though both apps’ basic function is to let users communicate with each other over voice and text privately, how each app handles a user’s data is radically different. WhatsApp, for instance, shares a group chat’s name and group profile photos with its parent company, Facebook. Signal, on the other hand, developed a group chat system that encrypts the entirety of a group conversation, including the list of participants and their avatars, so that Signal itself has no access to this information. 

“In some instances it’s more difficult to not collect data,” Moxie Marlinspike, the founder of Signal, said. “We have gone to greater lengths to design and build technology that doesn’t have access.” 

Ms. Nguyen, the researcher, said a lot had to happen for the privacy labels to succeed. Other than behavioral change, she said, companies have to be honest about describing their data collection. Most important, people have to be able to understand the information. 

“I can’t imagine my mother would ever stop to look at a label and say, ‘Let me look at the data linked to me and the data not linked to me,’” she said. “What does that even mean?” 

Source

 

North Korean hackers use social media to target security researchers 

PUBLISHED: Jan. 25, 2021 

Google has issued a warning that it has uncovered an “ongoing” state-backed hacking campaign run by North Korea targeting cyber security researchers. 

The Silicon Valley search giant said its threat analysis team found that cyber attackers posing as researchers had created numerous fake social media profiles on platforms such as Twitter and LinkedIn. After establishing communication with an actual researcher, the attackers would ask the target to work together on cyber vulnerability research and then share collaboration tools containing malicious code to install malware on the researcher’s systems. 

Of particular concern is Google’s claim that, in some cases, the attackers were able to create a backdoor to the victim’s computer even when their systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. 

Google attributed the latest campaign to “a government-backed entity based in North Korea” — one of the biggest state sponsors of hacking alongside Russia, Iran and China. The Wall Street Journal has previously reported on accusations against North Korea of carrying out cyber attacks to steal coronavirus vaccine-related research and data. 

Belying perceptions of the country as a technological backwater, its hackers have a record of major cyber disruptions including hacking Sony Pictures in 2014 and the WannaCry malware attack in 2017. In 2019 a UN sanctions report estimated that $2bn had been raised for Kim Jong Un’s weapons programme via North Korean cyber actors. 

Source

  • The Financial Times

 

Popular dating app fined $11.7 million under European law 

PUBLISHED: Jan. 25, 2021 

The world’s most popular gay dating app, Grindr, has been fined 100 million Kroner, or roughly $11.7 million US dollars, by the Norwegian Data Protection Authority for illegally disclosing private details about its users to advertising companies. 

The Norwegian agency said the app had transmitted users’ precise locations, user-tracking codes and the app’s name to at least five advertising companies, essentially tagging individuals as L.G.B.T.Q. without obtaining their explicit consent, in violation of European data protection law. 

“We’re trying to make these apps and services understand that this approach — not informing users, not gaining a valid consent to share their data — is completely unacceptable,” said Tobias Judin, head of the Norwegian Data Protection Authority’s international department. 

The fine comes one year after European nonprofit groups lodged complaints against Grindr and its advertising partners with data protection regulators. In tests last January, The New York Times found that the Android version of the Grindr app was sharing location information that was so precise, it pinpointed reporters on the side of the building they were sitting on. 

Privacy experts say the ruling could have widespread repercussions beyond dating apps. 

Source

  • New York Times

 

Intelligence analysts reportedly use U.S. smartphone location data without warrants 

PUBLISHED: Jan. 25, 2021 

An unclassified memo obtained by the New York Times alleges that a military arm of the U.S. intelligence community buys commercially available databases containing location data from smartphone apps and searches them for Americans’ past movements, and does so without a warrant. 

Defense Intelligence Agency analysts have searched for the movements of Americans within a commercial database in five investigations over the past two and a half years, agency officials disclosed in a memo they wrote for Senator Ron Wyden, Democrat of Oregon. 

Such data is typically drawn from smartphone apps such as weather, games and other apps that get user permission to access a phone’s GPS location. A robust commercial market exists for such data for advertising and other commercial purposes. 

The disclosure sheds light on an emerging loophole in privacy law during the digital age: In a landmark 2018 ruling known as the Carpenter decision, the Supreme Court held that the Constitution requires the government to obtain a warrant to compel phone companies to turn over location data about their customers. But the government can instead buy similar data from a broker — and does not believe it needs a warrant to do so. 

The Wall Street Journal revealed last year that U.S. government agencies were also buying access to that data from commercial brokers without a warrant, raising questions about whether those agencies were adequately safeguarding the privacy and civil liberties of Americans. In particular, it found, two agencies in the Department of Homeland Security — Immigration and Customs Enforcement, and Customs and Border Protection — have used the data in patrolling the border and investigating immigrants who were later arrested. 

Sources

  • New York Times, Wall Street Journal

 

Can exercise equipment be a security risk? 

PUBLISHED: Jan. 25, 2021 

White House personnel and cyber experts are weighing in on the potential security risks of President Biden’s Peloton exercise bike. 

The Peloton, an indoor stationary exercise bike, integrates with a proprietary social media network allowing users to livestream their workouts or take on-demand classes with online instructors. The equipment’s online and social media features, which use built-in cameras and microphones to let users see and hear one another if they choose, are the potential areas of concern. 

Consensus amongst security experts seems to point toward the President keeping the Peloton as part of his workout routine – though the bike itself may bear little resemblance to the off-the-assembly-line version after the Secret Service and the National Security Agency are finished with it. (There have been news reports that Michelle Obama has a modified Peloton, but her spokeswoman would not confirm them.) 

Mr. Biden would not be the first occupant of the White House whose technological preferences clashed with the cybersecurity needs of being president. President Trump continued to prefer private calls to friends on his personal iPhone, while President Obama insisted on continued use of his BlackBerry. Security experts eventually found ways to accommodate both men’s preferences. 

“Presidential security is always about balancing presidential needs and desires and the relative security risk of any single thing,” said Garrett Graff, the director of the cybersecurity initiative at the Aspen Institute, a research organization. “The threat is real, but it is presumably a manageable risk given enough thought and preparation.” 

Source

  • New York Times

 

Growing "Big Tech" fears lead to boom in adoption of encrypted messaging 

PUBLISHED: Jan. 14, 2021 

Millions of new users are making the jump to encrypted messaging apps in the wake of last week’s Capitol Hill riots. Growing anxiety surrounding the world’s largest tech companies and their control over users’ personal data has led to tens of millions of downloads of Signal and Telegram, two WhatsApp competitors. Both are chat apps that offer end-to-end encryption outside of Big Tech’s grasp. Encrypted messaging apps can offer more security, privacy and features than plain text messaging, but their encryption methods and data collection vary. 

Signal, which utilizes end-to-end encryption, estimates that it has gained over forty million new users in under a week. Telegram, which offers some encrypted messaging options but is largely popular for its group-based chat rooms, has also gained new users numbering in the tens of millions. 

The rise of Telegram and Signal is sure to reignite the debate over encryption, which helps protect the privacy of people’s digital communications but can stymie the authorities in criminal investigations because conversations are hidden. 
