Archive for January 15, 2025

UK considers ban on public sector ransomware payments 

Posted in Commentary with tags on January 15, 2025 by itnerd

On Tuesday, the UK government published a Home Office-led consultation proposing a ban on public sector and critical infrastructure organizations making ransomware payments, with the hope of disrupting ransomware gangs’ financial models and gathering intelligence to help law enforcement target their operations.

The Home Office said that expanding an existing ban on ransomware payments would help make critical services such as hospitals, schools, railways, and other essential public services less attractive targets for ransomware attacks.

In addition to the ban, mandatory reporting of ransomware incidents has also been proposed, aiming to boost UK law enforcement agencies’ access to intelligence on attacks and to support international law enforcement operations targeting ransomware gangs.

“With an estimated $1bn flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this Government’s Plan for Change is built.

“These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate,” UK Security Minister, Dan Jarvis, commented.

Furthermore, the consultation will explore the implementation of a ransomware payment prevention regime, offering victims guidance on how to respond to cyber incidents. It would also help block payments to known criminal groups and sanctioned entities.

The consultation will run for 12 weeks, ending on April 8.

Evan Dornbush, a former NSA cybersecurity expert, had this to say:

  “Something needs to change. The economics of cybercrime favor the aggressor. Until solutions can effect an increase in attackers’ costs and/or a decrease in attackers’ revenues, there is nothing to suggest the increasing rates of attack will diminish.”

I have said for a while that nobody should ever pay a threat actor who is holding their data hostage or is threatening to leak their data. Or perhaps both. It emboldens them to do more of this which is bad for all of us. This is a start, but more needs to be done to make sure that crime doesn’t pay.

UPDATE: Lawrence Pingree, VP, Dispersive adds this:

  “The benefit of this approach is that the reward for doing the ransom goes away. Australia did a similar mandate. I think it will likely have a positive effect on larger entities where the targeting often happens.”

Happy New Year…. A BMO Text Message Scam Is Making The Rounds

Posted in Commentary with tags on January 15, 2025 by itnerd

A reader of this blog sent me a screenshot of a text message scam that he just received:

Now this is an easy-to-spot scam for the following reasons:

  1. The text message states “We’ve detected unusual activity on your BMO client card starting with 551029.” The thing is, more recent BMO client cards start with that number. There’s nothing unique about it, which means that this text message is being sent to thousands of people and the threat actors are hoping that 1% fall for it because they aren’t paying attention to a detail like that. For the record, BMO, along with any other bank, would use the last 4 digits of your credit or debit card in a situation like this. That is, assuming they would send you a text message like this at all. More on this in a moment.
  2. The website that is mentioned isn’t “bmo.com” or anything like it. This is clearly a website that has been set up to phish your banking details so that they can steal your money. It goes without saying that you should not click on the link.
  3. Neither BMO nor any other bank would alert you to fraud via a text message. That never, ever happens.

I’m not going to go down the rabbit hole of looking at the website or anything like that, because we already know that this is a scam and should be avoided. Thus if you get a text message like this, delete it and move on with your day.
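The three tells above (link domain that isn’t the bank’s, a card identified by a shared issuer prefix instead of its last four digits, and a fraud alert arriving by SMS at all) are easy to turn into a triage check. The Python below is an added example, not part of the original post; the `bmo.com` allowlist and the two sample messages are constructed assumptions, and the domain reduction ignores two-label public suffixes such as `.co.uk`.

```python
import re
from urllib.parse import urlparse

# Assumption: the bank's only legitimate customer-facing domain (constructed allowlist).
LEGIT_BANK_DOMAINS = {"bmo.com"}

# Links, with or without a scheme.
URL_RE = re.compile(r"https?://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?", re.I)
# "starting with 551029": a 6-8 digit leading prefix is the issuer's BIN, shared by many cards.
BIN_RE = re.compile(r"\b(?:starting|begins?|beginning)\s+with\s+\d{6,8}\b", re.I)
# The form a real bank uses: the last four digits, specific to the customer's card.
LAST4_RE = re.compile(r"\b(?:ending\s+(?:in|with)|last\s+(?:4|four)\s+digits)\b", re.I)
FRAUD_ALERT_RE = re.compile(r"\b(?:unusual|suspicious)\s+activity\b", re.I)


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, so 'bmo.com.example' -> 'com.example'.
    Assumption: two-label public suffixes (e.g. .co.uk) are out of scope here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_sms(text: str) -> dict:
    """Apply the three tells to one SMS and return the reasons that fired."""
    reasons = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;")
        host = urlparse(raw if "://" in raw else "http://" + raw).hostname or ""
        if registered_domain(host) not in LEGIT_BANK_DOMAINS:
            reasons.append(f"link points at {host}, not the bank's own domain")
    if BIN_RE.search(text) and not LAST4_RE.search(text):
        reasons.append("card identified by a shared issuer prefix (BIN), not its last 4 digits")
    if FRAUD_ALERT_RE.search(text):
        reasons.append("fraud alert delivered by text message, which banks do not do")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (not the reader's real screenshot); .example is a reserved TLD.
SCAM_SMS = ("BMO Alert: We've detected unusual activity on your BMO client card "
            "starting with 551029. Verify now: https://bmo-alerts.example/verify")
LEGIT_SMS = "Your BMO statement is ready. Sign in at https://www.bmo.com to view it."

if __name__ == "__main__":
    for sms in (SCAM_SMS, LEGIT_SMS):
        print(triage_sms(sms))
```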

Watch Out For Scams Related To The Los Angeles Wildfires

Posted in Commentary with tags on January 15, 2025 by itnerd

The wildfires in Los Angeles and surrounding areas have left residents and businesses vulnerable to exploitation by scammers looking to take advantage of them for financial gain, to steal their identities, and for other fraudulent activities. Here are a few examples from the news that illustrate what I am talking about.

Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, commented:

“Enterprises with geo-location settings used for authentication validation purposes should adjust their models to acknowledge those employees forced to evacuate their home.

“Major catastrophic events like the fires in California bring out kindness and empathy from many people who are not victims for days following the event. Unfortunately, these events also bring out cyber criminals seeking to capitalize on the victim’s misfortune by designing phishing emails supposedly from FEMA, fire officials or other state and local agencies offering relief options. We recommend:

1. Review your passwords for key accounts/sites and consider improving the complexity of the password (use a password manager and ensure that you have access to it from all devices)

2. Read email messages closely and identify the origin of the sender’s email address

3. Avoid clicking on links in email messages unless you are certain of the validity of the sender

4. Print a list of emergency numbers to keep handy and include the FEMA Fraud Hotline:

   To protect yourself from fraud and identity theft, we encourage you to be careful when sharing your personal information.

   If you believe you are a victim of identity theft, or someone applied to FEMA using your personal information, please call 800-621-3362. Do not contact the FEMA Fraud Investigations and Inspections Division, DHS Office of Inspector General, or the National Center for Disaster Fraud for the purpose of reporting identity theft.

   Report any other types of disaster fraud by emailing StopFEMAFraud@fema.dhs.gov. For more information, visit the disaster fraud page.

5. Employees and third parties will be forced to access networks from different locations using potentially different devices. Increase staffing levels of IAM ops staff to address the needs of storm victims and expand call coverage

6. Advise employees to consider donations to the American Red Cross and other disaster relief organizations that are well established vs. newly formed entities specific to the California fires.”

James McQuiggan, security awareness advocate at cybersecurity company KnowBe4, commented:

“The fires in Los Angeles County have caused significant loss of homes and property, leaving many residents vulnerable to exploitation. Scammers often prey on homeowners facing challenges with their insurance providers, posing as fake adjusters, offering fraudulent services, or ways to get money fast to start rebuilding. These schemes often involve promises of quick resolutions in exchange for upfront payments or steep fees. Some may claim they can prevent insurers from dropping coverage, adding to the stress of an already difficult situation. 

“Homeowners should confirm the identity of any insurance representative by contacting their provider directly and avoid making hasty decisions or signing agreements without proper verification. Outside of LA, individuals moved by the destruction will be targeted by fake donation campaigns or fraudulent grassroots donation platforms. Scammers create convincing appeals, often using AI-generated synthetic images to portray fabricated victims or destroyed homes. These scams manipulate people’s emotions and ask for donations quickly. 

“People looking to help should prioritize verified charities with established reputations and avoid sharing financial information through requests or unverified crowdfunding campaigns. Careful research and communication with the proper and recognized organizations can ensure that contributions are used for legitimate relief efforts.

“Disaster-related scams are not new and have appeared after hurricanes, floods, and earthquakes, following a similar pattern of urgency and emotional manipulation. The tactics remain consistent: leveraging heightened emotions and telling stories to exploit our human nature. It’s essential to remain cautious and somewhat skeptical during such events. Taking the time to verify claims, conducting research, and educating others can significantly reduce the effectiveness of these schemes. Awareness is critical to prevent fraud from happening based on the devastation of these events and ensure that support reaches those who need it most during their time of need.”

So the question becomes: how can you help and not get scammed? Here’s a list that I’ve compiled:

California Community Foundation

California Fire Foundation

L.A. Fire Department Foundation

Pasadena Humane Society

Ventura County Community Foundation

American Red Cross of Greater Los Angeles

Center for Disaster Philanthropy

Direct Relief

World Central Kitchen

Any assistance to any of these organizations is appreciated.

DOJ Discloses Operation That Deleted PlugX Malware from 4,250 Hacked Computers

Posted in Commentary with tags on January 15, 2025 by itnerd

The DOJ has disclosed that a multi-month law enforcement operation allowed the FBI to delete PRC-associated PlugX malware from over 4,250 infected computers:

The Justice Department and FBI today announced a multi-month law enforcement operation that, alongside international partners, deleted “PlugX” malware from thousands of infected computers worldwide. As described in court documents unsealed in the Eastern District of Pennsylvania, a group of hackers sponsored by the People’s Republic of China (PRC), known to the private sector as “Mustang Panda” and “Twill Typhoon,” used a version of PlugX malware to infect, control, and steal information from victim computers.

According to court documents, the PRC government paid the Mustang Panda group to, among other computer intrusion services, develop this specific version of PlugX. Since at least 2014, Mustang Panda hackers then infiltrated thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups. Despite previous cybersecurity reports, owners of computers still infected with PlugX are typically unaware of the infection. The court-authorized operation announced today remediated U.S.-based computers infected with Mustang Panda’s version of PlugX.    

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, had the following comment on this news:

“It’s always a good day when the good guys get a win! As simple as it seems for anyone to go in and proactively remove malware, it really isn’t easy to do. First, you’ve got to make sure you can do it legally. That often takes lawyers and legal review, and in most cases, lawyers with experience in global cybercriminals and laws. It takes someone in law enforcement who cares enough to push it. They’ve got to make a case and get it approved by senior management. Then, the removal process has to be tested.” 

“In this case, the FBI relied upon the bot’s own removal instructions, but it isn’t always this easy. Historically, there have been instances of less mature and capable but well-meaning defenders who have less elegantly removed malware and caused more problems than the malware did. The solution has to be tested and retested. Then, it has to be globally coordinated to happen as quickly as it can before the attackers know something is up and implement defenses.” 

“The overall process is more difficult than it first sounds. There’s a reason why proactive removal isn’t that common. With that said, it does seem like we are seeing just a bit more of these proactive removal projects than we used to see. Of course, expect to see the hackers respond by making it harder for unauthorized removal schemes to take place. It’s a business, and the bad guys see the good guys as adversaries and will respond accordingly. The bad guys won’t sit back and stay defeated. They will respond. They will make it harder for future efforts to be as successful. But for today, let’s celebrate the win!”

Wins seem to be hard to come by these days. Thus I will take this one. But realistically, prevention and detection need to get better so that actions like these are the exception.

Nearly 250,000 Records Exposed by Fintech Company 

Posted in Commentary with tags on January 15, 2025 by itnerd

A significant data exposure involving Willow Pays, a payment software company offering AI software solutions, was recently uncovered by cybersecurity researcher Jeremiah Fowler.

What happened:

A database containing nearly 250,000 records was exposed. The exposed database includes customer names, emails, home addresses, partial debit and credit card numbers, scanned bills and loan payment documents and more.

Why it matters: 

This exposure presents serious risks, such as invoice fraud, phishing schemes or social engineering attempts.

To learn more, read the detailed report here: https://www.websiteplanet.com/news/report-willowpays-breach/

Elon Musk Gets Sued By The FTC Over Twitter Takeover

Posted in Commentary with tags on January 15, 2025 by itnerd

This lawsuit was guaranteed to happen, and now it has. The SEC has sued Elon Musk over his takeover of Twitter:

The US Securities and Exchange Commission sued Elon Musk on Tuesday for allegedly failing to properly disclose his ownership of X, then known as Twitter, as required by federal law, which allowed him to buy shares of the platform at “artificially low prices.”

Before he closed his $44 billion deal to buy Twitter in October 2022, Musk began to acquire a “significant number” of Twitter shares. By mid-March 2022, he owned more than 5% of the company’s common stock and was required to disclose that to the SEC within 10 calendar days. The filing alleged that Musk failed to disclose that information until April 4, 2022.

“Had Musk and his wealth manager disclosed his ownership as required, the stock price would likely have increased significantly,” the suit alleged.

Now of course Elon is denying all of this. And I bet he’s hoping that his buddy Donald Trump does him a big favour and makes this go away. But if that doesn’t happen, Elon is in a whole lot of trouble here. Especially since he’s flipped off the SEC on multiple occasions, which isn’t a good idea if you ask me. But I think he’s about to find that out. And I am here for it.