Sextortionist government worker gets nearly 5 years in the slammer

A former US Embassy worker who sextorted, phished, broke into email accounts, stole explicit images and cyberstalked hundreds of women around the world from his London office has been sentenced to nearly 5 years in jail.

Michael C. Ford, of Atlanta, pleaded guilty in December to nine counts of cyberstalking, seven counts of computer hacking to extort, and one count of wire fraud.

He ran his predatory scams from his official, government-issued computer for more than two years, posing as a member of the fictional Google “Account Deletion Team.”

He used aliases including “David Anderson” and “John Parsons”, telling victims that their email accounts would be deleted if they didn’t respond.

Once he’d gained access to their Gmail accounts, he used the details to hijack at least 450 Google, Facebook, Twitter and iCloud profiles belonging to 200 individuals. He ransacked their personal information and photos, then he’d start extorting them.

His preferred prey was young females, some of whom were students at US colleges and universities, with a particular focus on members of sororities and aspiring models.

Having stolen photos and personally identifying information (PII) that included their home and work addresses, school and employment information, and names and contact information of family members, Ford went on to demand more sexually explicit material and personal information, emailing victims the photos he’d stolen and threatening to publish them if they didn’t give him what he demanded.

Specifically, Ford demanded that his victims record and send to him videos of “sexy girls” undressing in changing rooms at pools, gyms and clothing stores.

He was a busy guy.

Ars Technica’s Cyrus Farivar posted a sentencing memorandum filed by prosecutors prior to the sentencing hearing on Monday.

In it, they expressed shock at the scale of Ford’s activities:

“The sheer number of phishing emails that Ford sent is astounding.”

According to the memorandum, on one day alone – 8 April, 2015 – Ford sent phishing emails to about 800 unique email addresses.

That’s not all. On the same date, he sent 180 followups to targets who hadn’t yet responded to his original email, plus 15 emails to potential targets who’d provided the wrong passwords.

Jamie Perry, a prosecutor, wrote this in the filing:

“Considering Ford’s daily volume, repeated over the course of several months, the number of Ford’s potential phishing victims is staggering.”

Uber’s offering you $10K to hack its software

Wednesday, 23 Mar 2016 | 6:40 AM ET | CNBC.com

U.S. ride-hailing app Uber is offering hackers up to $10,000 to hack its system to uncover flaws, the company said on Tuesday.

Uber has released a “treasure map” of its software infrastructure, highlighting what each part does and the potential security vulnerabilities present.

The idea of asking friendly, so-called White Hat hackers to test your system for a reward is not new. Several companies including Facebook, which pays hackers at least $500 to trace bugs, and Google, which offers a maximum prize pot of $20,000, have these so-called “bug bounty” programs.

While the idea has not always been a comfortable one for many organizations, Uber’s launch of its own prize program highlights the growing acceptance of the method amid an increasingly dangerous threat of hacking.

“Even with a team of highly-qualified and well trained security experts, you need to be constantly on the look-out for ways to improve,” Joe Sullivan, chief security officer at Uber, said in a blog post.

“This bug bounty program will help ensure that our code is as secure as possible.”

Uber will offer payouts of up to $10,000 for what it deems “critical issues”.

The first reward program season will begin on May 1 and last 90 days. Once a hacker finds a bug, they need to report it to Uber and wait for it to be verified as a genuine issue before they are paid.

If a hacker finds a fifth issue within the 90-day session, they will get a bonus payout. This will be 10 percent of the average payouts for all the other issues found in that session. Uber also said that it will publicly disclose and highlight the highest-quality submissions.

Uber also revealed that it launched a private beta bug bounty program for over 200 security researchers last year and they found nearly 100 bugs, all of which were fixed.



How a hacker’s typo helped stop a $1B bank heist

A spelling mistake in an online bank transfer instruction helped prevent a nearly $1 billion heist last month involving the Bangladesh central bank and the New York Fed, banking officials said.

Unknown hackers still managed to get away with about $80 million, one of the largest known bank thefts in history.

The hackers breached Bangladesh Bank’s systems last month and stole its credentials for payment transfers, two senior Bangladesh Bank officials said.


They then bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money from the Bangladesh bank’s account there to entities in the Philippines and Sri Lanka, the officials said.

Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan non-profit organisation got held up because the hackers misspelled the name of the NGO.

The full name of the non-profit could not be learned. But one of the officials said the hackers misspelled “foundation” in the NGO’s name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction.

Deutsche Bank declined to comment.

At the same time the unusually high number of payment instructions and the transfer requests to private entities — as opposed to other banks — made the Fed suspicious, which also alerted the Bangladeshis, the officials said.

The details of how the hacking came to light and was stopped before it did more damage have not been previously reported. Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.

The transactions that got stopped totaled between $850 million and $870 million, one of the officials said.

Last year, Russian computer security company Kaspersky Lab said a multinational gang of cybercriminals had stolen as much as $1 billion from as many as 100 financial institutions around the world in about two years.


‘Pay me or I’ll delete’! Cyber ransom on the rise

Bob Woods, special to CNBC.com | Wednesday, 17 Feb 2016 | 10:12 AM ET | CNBC.com

Extortion, one of the oldest tricks in the criminal bag, is wreaking havoc in the brave new digital world — and generating lots of money for cyber crooks.

Ransomware, as this latest wrinkle in malicious software, or malware, is known, stealthily infects a desktop or laptop computer, sometimes locking up the machine, but more often encrypting data and files, rendering them unusable. Then an ominous message from the attacker pops up, demanding a ransom be paid in order to unlock the computer or decrypt the data.

The latest notable casualty is a Hollywood-area hospital that had its internal hospital computer system shut down by hackers who demanded $3.7 million in ransom this week.


Conceivably, every business and consumer using the Internet is a potential target for ransomware perpetrators, although small and medium-size businesses (SMBs) have become particularly easy marks.

“SMBs are incredibly vulnerable to these types of attacks,” warned Ed Cabrera, vice president of cybersecurity strategy at Trend Micro, an IT security company in Irving, Texas, adding that large companies’ IT departments usually invest in robust cybersecurity programs. “I’d say the threat level is critical. Small businesses lack the resources, the security and the multi-layer defense programs to help protect themselves. And it’s only escalating.”

Early versions of ransomware have lurked for more than a decade, but the latest ones are increasingly sophisticated, as are the cyber crime gangs that assiduously update their malignant programs and find novel ways to elude cybersecurity experts and law enforcement.

“Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today,” stated The Evolution of Ransomware, a 2015 report from Mountain View, California-based cybersecurity firm Symantec.

While ransomware is a global menace, the Symantec report said, the U.S. is the primary bull’s eye.

“This is a business, and it’s all about making money,” said Dmitriy Ayrapetov, director of product management at Dell SonicWALL, the Round Rock, Texas-based computer company’s network cybersecurity division.

Just how much these nefarious businesses are making is tough to peg. Ransom demands have reportedly been for as much as $50,000, yet the average paid is $300, and nearly 3 percent of the victims agree to pony up, according to Ayrapetov. With the cyber criminals hitting millions of users, the FBI reports.

Originally, cash cards and wire transfers were the currency of choice, but because cash can be traced, bitcoin is now the favored tender, exchanged over Tor and other anonymous online networks. “It’s the perfect payment method,” said Kevin Haley, director at Symantec Security Response. Many victims are unfamiliar with digital currencies including bitcoin, but like any diligent web enterprise, “these guys will walk the uninitiated through the process,” Haley said. “This gives you an idea of the operations and how successful they are. They have people in technical support, for God’s sake.”

How they propagate their pernicious payloads reveals the technological state of this dark art. One pathway is through Internet browsers running versions of Java, Flash, Shockwave and other ubiquitous software and plug-ins that haven’t been updated with the latest security patches. Ransomware creators are constantly embedding advertising, pornography, shopping and other highly trafficked online networks with their handiwork, which is programmed to ferret out those browser vulnerabilities and infect computers when the end-users click on activating links.

The other common entry point is through spam emails that contain an attachment including ransomware. The email is disguised to look like it’s from a package delivery service, a bank, the IRS, an employment agency or even the FBI, and prompts the recipient to download the attachment, thus unleashing the ransomware.

The urgent ransom notes that appear are basically intended to freak out the victim to pay up or else. For example, a screen purportedly from the FBI, including its official logo, alerts the victim that suspicious downloads — of porn, copyrighted music or other illicit material — have been detected. Another ruse is that a user account needs to be updated by clicking on a link, or that tax returns aren’t complete. The attacker threatens that unless the ransom is paid, typically within a couple of days, the encrypted files will be forever lost and legal action may follow. Payment instructions follow.

Then comes the decision of whether to pay the extortionist or not.


“If you’re a small business, all of a sudden all your data is encrypted and you can’t recover customer information, contracts, legal documents and other vital material,” Ayrapetov said. “Is it worth being able to continue running your business for just $200?” Considering that the National Cyber Security Alliance has estimated that 60 percent of small businesses hit by cyber attacks end up going out of business, it’s a difficult call.

Those who do pay, however, most often can recover their data. “They stick to their word,” Ayrapetov said of the hackers, “because they want the business to be a sustainable model.”

Indeed, the ransomware business is expanding beyond computers to target smart phones, tablets and potentially anything connected to the burgeoning Internet of Things. “Imagine your watch, your router, almost any device that has an operating system — your smart television, cable box, car, doors, thermostat,” Haley said, also imagining the ransom threat. “You can heat up your house, but it will cost you a bitcoin.”

So how can individuals and SMBs protect themselves from ransomware? “The No. 1 thing is to make backups” of critical files, said Nate Villeneuve, a principal threat intelligence analyst at FireEye, a cybersecurity firm in Milpitas, California. Beware, however, that any servers, hard drives or other backup sources connected to a network will probably be infected, too. It may be wise, therefore, to back up onto a separate source or a cloud storage service.

“Also, keep operating systems, browsers and plug-ins, especially Flash and Java, up to date,” Villeneuve said. In other words, when you see those update notices pop up on your screen, do as they say. Off-the-shelf antivirus software adds another layer of protection, and FireEye, Symantec, Trend Micro, Dell and other cybersecurity vendors offer solutions for SMBs.

Experts urge everyone to be extra vigilant for spam, even if it looks legitimate, and to never download an unknown file. Many companies run drills, sending employees fake emails to see how many get fooled. “Use it as a teaching moment, not a shaming moment,” Haley said.

Meanwhile, the FBI, other law enforcement agencies and cybersecurity vendors are collaborating in the hunt for ever-evolving ransomware and “the bad guys” who scramble to stay one step ahead of the cyber cops. It’s a perpetual cat-and-mouse game, but Ayrapetov, for one, is optimistic that ransomware’s days are numbered, with a caveat: “In about two years, it will probably be difficult enough for the malware writers that they’ll start looking for something new.”

— By Bob Woods, special to CNBC.com


Web browser Opera adds built-in ad-blocker

Friday, 11 Mar 2016 | 7:50 AM ET | CNBC.com

Software company Opera has introduced a built-in ad-blocking feature into its internet browser, which will allow users to surf the web without seeing ads, in the process depriving websites of revenue.

Opera announced the feature this week and said the tool would allow users to choose whether or not to block ads from a particular website while browsing the internet.

The company claims that using the ad blocker on its browser will load web pages on average 90 percent faster than using Internet Explorer and 45 percent faster than using Google Chrome with an ad-blocker extension.


Around 5 percent of internet browsing is performed using Opera, according to web analytics service StatCounter. In comparison, Google Chrome is the most used browser, accounting for 45 percent of activity.

In a blog post, the company explained that its reasons for introducing the tool were to improve the consumer experience and send a message to advertisers that internet ads are too large and intrusive.

“Today, bloated online ads use more download bandwidth than ever, causing webpages to load more slowly, at times covering the content that you’re trying to see or trying to trick you into clicking ‘fake download buttons’,” wrote Krystian Kolondra, senior vice president of global engineering for Opera, in the blog post.

“Another rising concern is privacy and tracking of your online behavior.”

While ad-free browsing may be faster and more convenient for web users, websites end up paying a price. Ad-blocking cost digital publishers an estimated $22 billion in revenue in 2015, with around 198 million people globally using the software, according to a report by PageFair and Adobe.

In response to the rise of ad-blocking, the New York Times began trialling a system this week that detected visitors to the news site using an ad-blocker and asked them to purchase a subscription or “whitelist” the site (make it exempt from the ad-blocker).

Opera follows Samsung and mobile phone company Three in implementing ad-blocking services. Previously, internet users had to download and install ad-blocking software.

According to Eleni Marouli, senior analyst at IHS Technology, there is a trend of telecom companies trying to be included in the mobile advertising ecosystem.

“Telcos have traditionally been just data ‘pipes’ which provided the infrastructure for mobile internet and hence mobile advertising,” she said in a report. “They have attempted to monetise content through advertising, but have made little progress in claiming significant market share.

“The ad blocking announcement (by Three) is a plea to companies like Facebook and Google to include Three and other mobile operators in the mobile advertising value chain.”


Facebook stumbles with ‘Safety Check’ after Lahore blast

Facebook apologized to users on the other side of the world from Sunday’s suicide bombing in Pakistan who received computer-addressed notices asking if they were safe.

Facebook users as far away as New York and Virginia showed notifications they received on social media site Twitter.

“Unfortunately, many people not affected by the crisis received a notification asking if they were okay,” Facebook said in a post on its site. “This kind of bug is counter to the product’s intent… We apologize to anyone who mistakenly received the notification.”

Some of the notices went out as text messages to mobile phones and asked, “Are you affected by the explosion?” without giving any indication of where, or how close, the recipients were to danger.


More common notices displayed on computer screens and mobile devices said the explosion was in Lahore. The blast by a suicide bomber at a park killed at least 65 people, mostly women and children.

The flawed notices were the latest stumble in Facebook’s evolving “Safety Check” practice of prompting users to quickly let their friends know they are okay after being in the vicinity of a tragedy.

In November, hours after blasts in Nigeria, Facebook activated Safety Check after criticism that it was being selective about deploying it. A few days before those blasts, Facebook had used it after gun and bomb attacks in Paris but not after suicide bombings in Beirut.

Facebook previously had used the feature after natural disasters, but not bombings or attacks.


Report: 1.5 million Verizon customers hacked

Thursday, 24 Mar 2016 | 4:22 PM ET | CNBC.com


More than 1.5 million Verizon Enterprise customers had their contact information leaked on an underground cybercrime forum this week, according to cybersecurity blogger Brian Krebs.

A security vulnerability, now fixed, provided an opening for the attacker, the business-to-business arm of the mobile and telecom giant told KrebsOnSecurity. The breach involved basic contact information, not proprietary network information, the company told Krebs.

Prices of the customer data ranged from $10,000 to $100,000, Krebs reported.

Verizon, used by almost all Fortune 500 companies, is widely known for its cybersecurity prowess, and releases an annual report on avoiding cyberthreats, Krebs wrote.

Verizon told CNBC that impacted Verizon Enterprise customers are being notified, and no data about consumer customers was involved.

For the full story, read more at KrebsOnSecurity.com.

— CNBC’s Ryan Ruggiero contributed to this report.


Tax scammers’ new target? Your medical records

Friday, 11 Mar 2016 | 9:30 AM ET | CNBC.com

Cybercriminals increasingly are using stolen medical records for other types of identity theft beyond health-care fraud, including filing fraudulent tax returns.

Last year, almost 100 million health-care records were compromised, making them a hacker’s No. 1 target, according to a report by IBM. Now, hackers have realized “you can use those profiles for normal fraud stuff,” wrote one seller of medical records on a website shown to CNBC by IBM.

Hackers sell the medical records to other criminals on the so-called dark Web, a portion of the Internet not indexed by search engines. In order to access these websites, you need to download a special browser.

More than 30 breaches of health-care data involving 500 or more people have already been reported in 2016, according to the U.S. Department of Health and Human Services’ Office for Civil Rights.


Along with that bounty of personal information compromised by hackers in health-care breaches, experts expect a similar increase in tax fraud this year, possibly rising to as much as $21 billion, according to the IRS.

In fact, the agency has suspended processing of 4.8 million suspicious returns so far this year, worth $11.8 billion, the IRS said in an email to CNBC. Among that number are 1.4 million returns with confirmed identity theft, totaling $8.7 billion.

Some fraudulent returns do get through. The Government Accountability Office found that in 2013, the IRS paid out $5.8 billion in tax refunds where the victim’s identity was stolen.


The fake tax returns are part of how cybercriminals cash in on big breaches. They work like organized crime rings, with “specialists” for each part of the attack.

“You have experts in different fields. There are those who are great at obtaining information. And then there are other guys, who will buy this data and use it to commit fraud,” said Etay Maor, an executive security advisor at IBM Security.

Health-care records fetch higher prices, as much as 60 times that of stolen credit card data, because they contain much more information a cybercriminal can use.

“Criminals want what they refer to as fulls, full information about their victim. Name, birth date, Social Security number, address, anything they can learn about their victim. All that information is in your health-care records,” said Maor.

Part of the reason for the higher prices is that while credit card numbers can change, your Social Security number generally stays the same.

“As long as entities use Social Security numbers to authenticate you, the criminals will have a record that is never-ending,” said Maor.


While a Social Security number can be purchased on the dark Web for around $15, medical records fetch at least $60 per record because of that additional information, such as addresses, phone numbers and employment history. That in turn allows criminals to file fake tax returns.

Surprisingly, the dark Web is actually easy to use, with websites resembling those of popular e-commerce sites.

“It’s exactly like going on a store for criminals. Criminals actually take the time to write reviews about their fellow peers and how good the information they sold was,” Maor said.

To protect yourself, Maor said avoid giving out your Social Security number, even to your doctor.

“Every time you give information to any entity, you’re actually exposing yourself in one way or another. If your doctor asks you for your Social Security number you should not be afraid to ask why. Why do you need that information to take care of me?” Maor said.


In most cases, health-care providers do not need your Social Security number. If the doctor insists on having it, Maor suggests you ask for a changeable PIN as a substitute to authenticate you.

Experts also advise you file your tax returns as soon as you can. Filing earlier gives criminals less time to file a fake return in your name.

Security experts also say if you have been a victim of a health-care breach you should monitor your brokerage, bank and credit card accounts for any unusual activity.

You should also let the three major credit reporting companies — Equifax, Experian and TransUnion — know so they can place fraud alerts on your account.

In addition, you should take advantage of free credit monitoring that may be offered to victims of breaches.


Ex-FBI official: IRS is a favorite hacking target

Wednesday, 10 Feb 2016 | 4:27 PM ET | CNBC.com

An automated attack on the IRS’ computer systems in January used stolen personal data to create fake logins through the agency’s Electronic Filing PIN service.

About 464,000 Social Security numbers were used in the attack on the IRS.gov system, the agency said late Tuesday, and 101,000 of those numbers allowed the attackers to get at an E-file PIN. The PIN can be used to electronically file a tax return.

“No personal taxpayer data was compromised or disclosed by IRS systems,” the IRS said in a statement Tuesday. “The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application. The IRS is also protecting their accounts by marking them to protect against tax-related identity theft.”

The IRS also said that the attack was not related to an outage of its computer systems that hampered its ability to process tax returns last week.

“The IRS and taxpayer data is the gold standard. It’s the treasure trove of information that they’re looking for. They can do a lot with it,” said former FBI Assistant Director Chris Swecker on CNBC’s “Power Lunch” on Wednesday.

Though the culprit behind the attack has not yet been confirmed, the IRS is “the favorite target” of Russian criminal organizations, which were involved in previous IRS hacking attacks, Swecker added.

Hackers in 2015 were able to access tax information for what may have been as many as 338,000 victims through the IRS’ Get Transcript system, the IRS previously reported. That system allows taxpayers to pull up returns and filings from years past.

“Taxpayer data or taxpayer returns have so much information that not only can they file false tax returns and get refunds, they can also sell that data on the black market and make an additional profit,” he said.

Using publicly available data to authenticate taxpayers is one of the main problems with the current system, Swecker noted. People oftentimes use questions that can be answered by looking at their Facebook or LinkedIn pages, which are easily accessible to hackers.

“This is what organized crime looks like in the year 2016. These are the most profitable, most capable criminals in the world and we’ve got to do a better job of keeping them out.”

— NBC News contributed to this report.
