AskCyberSecurity.com

Cyber Security News and Education

HP Direct

hack

Hacked Payment Cards from WaWa Data Breach Now for Sale on the Dark Web

by

Hacked Payment Cards from WaWa Data Breach for Sale on the Dark Web Marketplace Joker’s Stash – 30 Million Stolen Payment Cards from Philadelphia Based Wawa Convenience Stores and Fuel Pumps

Hacked Payment Cards from WaWa Data Breach are currently for sale on a dark web marketplace known as Joker’s Stash. According to cyber security research firm Gemini Advisory, which discovered the batch of stolen payment cards. The biggest concentration of cards for sale trace back to WaWa customer card use in Florida and Pennsylvania.

In December 2019, Pennsylvania-based WaWa announced it discovered that hackers had breached their payment processing servers. The hacker’s malware had been recording bank card and credit card numbers and sending the payment information to hackers since March 2019 until it was discovered in December. The payment card breach involved all 850 WaWa stores and potentially exposed 30 million sets of payment record making it one of the largest payment card breaches of 2019.

The payment cards went on sale Monday 28 January on dark web marketplace Joker’s Stash. The cache of cards is named “BIG BADABOOM-III” by Joker’s Stash. The database of stolen payment information includes over 30 million card accounts issued by thousands of financial institutions across more than 40 U.S. states.

Although about 30 million payment card numbers were stolen, Joker’s Stash is only selling 100,000 at this time. This is a common practice to keep the price of the stolen card information up. Hackers usually release stolen data in batches.

What Happened in the WaWa Data Breach?

Wawa says discovered the data breach on 10 December 2019 and halted the malware attack on 12 December. However, the payment card skimming malware is believed to have been living on WaWa Point-of-sale terminals in stores and at fuel pumps since 04 March 2019. So, for nine months, the malware sent customer payment card numbers back to hackers from WaWa registers. Hacked information included debit and credit card numbers, expiration dates, and cardholder names. The breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card or four-digit code for American Express cards)

What is the Dark Web?

The dark web is another part of the internet that the average internet user never uses. The visible, everyday portion of the web that that average user accesses is referred to as the clear web or surface web. The dark web is associated with criminal activity such as selling stolen payment information, illegal drug trafficking, and weapons sales, and hacking tools. It’s known as a place for hackers and is only accessible with special web browsers like Tor Browser.

The dark web is not to be confused with the deep web. The deep web is another part of the web that is not indexed by standard web search engines like Google and Bing. Web pages on the deep usually need login credentials to access their contents. For example, your email, bank account, and news subscription website are accessible only by logging in with a username and password. They are part of the deep web.

How is Hacked Payment Information Used?

Hacked payment information is used to help establish an identity, reproduce physical payment cards, or card numbers can be sold in on dark web marketplaces in large databases after large data breaches such as the WaWa breach. Hackers sell large databases of stolen payment information at Joker’s Stash and other marketplaces. According to Gemini, “The median price of US-issued records from this breach is currently $17, with some of the international records priced as high as $210 per card.”

Hackers may also use the stolen payment information to reproduce physical cards which can also be sold or used for expenses. However, hackers may also use stolen payment information for other scams such as identity theft, tax theft, or medical fraud

What is Joker’s Stash?

Joker’s Stash is an online dark web marketplace that sells stolen credit cards. It first appeared in 2014 and has become a popular marketplace for stolen credit cards from online and physical transactions. Stolen payment information includes cards hacked from Hy-Vee supermarkets in the Solar Energy breach, the Davinci breach, and over one-million cards from banks in India. Joker’s Stash goods for sale now include personally identifiable information including social security numbers.

How Hackers Make Money Illegally

How Hackers Make MoneyHackers make money illegally by stealing data, login credentials, and payment information from victims. Some hackers work at the behest of governments and steal data and sensitive corporate trade secrets, and government information as a full-time job. Other hackers develop malware that they sell on the dark web to other hackers. Hackers use malware to make money illegally by stealing payment information like credit cards, debit cards, and login credentials to financial accounts.

With stolen credentials, hackers can transfer money away from the victim’s bank or produce duplicate credit cards with stolen payment information imprinted on them. They then use the cards to pay for purchases or may sell the cloned cards or stolen credit card numbers in large batches in online dark web marketplaces such as Joker’s Stash. They can also sell the duplicated physical cards to buyers on the street.

Large lists of hacked emails, usernames, and passwords are sold online on the dark web. The list can be sold to multiple buyers. People frequently use the same username email address and password combination across multiple online accounts. If a hacker can steal a set of login credentials to a social media account, they can often use it to log into more sensitive online accounts like banks and credit cards.

Hacker make money illegally by stealing yours. That’s why it’s always important to have a strong and unique password for every online account. If you cannot remember a unique password for each account, it’s best to use a password generator and vault.

What is WaWa?

Wawa, Inc. is a chain of convenience stores and gas stations located along the East Coast of the United States. The company was founded in 1964 in Folsom, Pennsylvania. The chain has 842 stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, D.C., and Florida and has a cult following of loyal customers.

My Payment Card Was Hacked What Do I Do Next?

Consumers are not liable for fraudulent credit card charges as long as they notify their bank of the fraud within a reasonable timeframe. Federal law protects consumers from paying for fraudulent credit card charges such as those from a payment card breach like WaWa.

Wawa is offering free credit monitoring services for customers involved in the payment card breach. The company says it will work with customers who have issues with their banks reimbursing them for fraudulent charges. United States Service personnel are entitled to free credit monitoring and credit monitoring services.

  1. Freeze Your Credit.
    Freezing your credit prevents anyone, including you, from opening up new credit accounts in your name. When you freeze your credit, it stops someone from using your stolen credentials from obtaining car loans, mortgages, new credit cards, or other lines of credit in your name. It also prevents credit line increases.
  2. Get Identity Theft Protection
    Wawa is offering free Identity Theft Protection, but you may want to get an enhanced version of identity theft monitoring covers all of your payment cards and banks.
  3. Review Payment Card Account Statements.
    Review bank statements and credit card statements to look for fraudulent charges. Hackers are actively selling payment cards from the WaWa Payment Card breach right now. The card numbers can be used to make purchases online or to clone physical cards to use in stores. Review your bank and credit card statements. Order a new card from your bank with a new set of numbers.
  4. Get a Credit Report.
    Order a copy of your credit report. All consumers in the United States are entitled to an annual free credit report from each of the three major credit reporting bureaus. Any time a credit application is denied, you are entitled to a free report from the reporting agency that turned down your application

  5. Use a Mobile Wallet to Pay in Stores.
    A mobile wallet is an encrypted way to pay with physical credit cards without having to swipe or dip the card in the POS reader. The card information is stored on your phone. Using a mobile wallet keeps your payment information safe because the full card information is not revealed to the retailer.
Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

Iran Hack – 10 Tactics Iranian Hackers Use to Attack the United States

by

Iran Hack Attempts Almost Triple – Iran Has Already Hacked the U.S. At Least 4 Times – Patterns of Publicly Known Iranian Advanced Persistent Threats

The number of Iran hack attempts against targets in the United States has almost tripled. The increase in Iran hack attempts has intensified since the assassination of Iranian military leader Qasem Soleimani. Cyberattacks originating from Iran targeting government websites of all levels doubled then continued to increase.

An Iran hack may be initiated from state-sponsored hacking groups or individuals who are looking to steal money or data. Iran technical prowess has increased since 2009 and the country has a server known state-sponsored Advanced Persistent Threat groups to carry out cyberwarfare. APT hacking groups are organized hackers that are often state-sponsored cyberwarfare organizations.

Iran hack attempts against the United States have been successful before. Government targets include the U.S. Federal Depository Library Program (FDLP) website and a dam in Rye, New York. Iranian hackers target engineering companies, financial sector, energy, utilities, oil and gas industries, as well as government entities.

Cyberattacks originating from Iranian IP addresses targeting federal, state, and local government websites have doubled according to American web infrastructure and website security company Cloudflare. In just two days, the Iran hack attempts on targets globally, has now increased to almost triple their former rate.

Iran has a history of attacking targets in the United States and across the globe. Although their repertoire of cyberattacks does not show to skill level of hackers from China and Russia, they can still cause damage, even if it is sometimes a symbolic nuisance.

RELATED READS:

What is an Advanced Persistent (APT) Threat Group?

An Advanced Persistent Threat Group, known as an APT Group, is an organized hacking organization. APT groups often work at the behest of a national government to steal money to fund other activities, spy on other countries or political targets, or conduct corporate espionage. APT hacking groups are given numbers and names by cyber security researchers to rack their activities and to avoid offending the governments the APT groups work for. The names represent something the country is know for. For example, Iran APT groups are APT33, APT34, and APT 35. State sponsored APT33 is also known as Elfin, Magnallium, or Refined Kitten. Gothic Panda is a pseudonym for APT3, a Chinese APT group.

McAffee Total Home

Iran Hack – How to Prepare

  • Use strong password protection tool
  • Use two-factor or multi-factor authentication for all online accounts
  • Use biometric login for the highest protection on phones, tablets, and laptops, and computers. If your device phone or laptop is too old to support finferprint login, the consider upgrading to a new phone or laptop
  • Make sure computers, laptops, tablets, and phones have the latest software installed
  • Create backups of important files, photos, and critical documents like taxes, 401K. and stock accounts
  • Ensure backups are kept up-to-date
  • Small business owners should ensure their websites and critical systems are backed up and accessible in case of internet connection disruptions

U.S. Government Website Defaced

During the first week of January 2020, U.S. Federal Depository Library Program (FDLP) was defaced with anti-U.S. President Trump messaging on 4 January 2020.

The Texas Department of Agriculture website and an Alabama veterans’ group were both defaced this week with an image of Iranian Commander Soleimani. The pro-Iran image was accompanied by a message stating the website was, “Hacked by Iranian hacker.” The city of Las Vegas, Nevada was attacked on 07 January 2020 and city services were temporarily shutdown. The cyberattack struck on the first day of the annual massive Computer and Electronics Show (CES). It is too soon to tell if any of these incidents were the work of state-sponsored hackers.

Iranians Tried to Hack 2020 Campaign

Microsoft disclosed that Iranians tried to hack 2020 Presidential campaign. The Iran hack attacked over 200 email accounts related to a campaign.

How Wealthy Is Iran?

Iran ranks 94th in the world by nominal GDP per capita. The United States ranks eighth. The top ten countries ranked by GDP (nominal) per capita from number one to ten, are Luxembourg, Switzerland, Macau, Norway, Iceland, Ireland, Qatar, United States, Singapore, Denmark, Australia.

Iranian APT Hacking Organizations

Cybersecurity and Infrastructure Security Agency (CISA) shared cyber security information on the history and typical profile of Iran hack attacks. The following are typical Iran hack profiles regarding publicly known Iranian Advanced Persistent Threat (APT) techniques.

10 Tactics Iranian Hackers Use to Attack the United States

According to CISA, these are ten tactics used by Iran hackers to compromise networks and computers in the United States and across the world.

  1. Credential Dumping – Credential dumping refers to any process of stealing account login and password information from passwords stored in plain text or with weak encryption. The passwords are then used to login and hack more computers on the same network.
  2. Obfuscated Files or Information – An attempt by the hacker to hide malware payloads with by compressing, archiving (zip files), splitting up, or encrypting malicious files to avoid detection by automated cyber security systems and firewalls.
  3. Data Compressed – Hacked data is compressed to minimize the amount of network resources used while the hacked information is being transmitted over back to the hacker’s servers. This is a move to avoid detection by networking monitoring tools.
  4. PowerShell – PowerShell is Microsoft’s command-line shell and associated scripting language built on the built on the .NET Framework and designed especially for system administration. PowerShell commands let you manage computers from the command line. Iranian hackers have exploited PowerShell to execute malicious code on compromised computers.
  5. User Execution – User Execution is when the hack depends on actions taken by a human to successfully execute or run malware. User execution may involve an email recipient clicking on a link delivered by a phishing email. The file execution may exploit a browser or application vulnerability to compromise a computer or network.
  6. Scripting – Hackers use scripts to speed up tasks that otherwise would have to be done manually. For example, compressing data on a machine and sending it back to the hacker. Scripts can be embedded inside malicious Microsoft Office documents as macros.
  7. Registry Run Keys/Startup Folder – All Windows computers have a registry key that allows software to open and execute software based on the users’ s permission level. Registry keys can be added, edited, and deleted to run legitimate and malicious apps at startup using the user’s permission levels. Malware may alter the machine’s registry so that the malware is always run at startup, making it hard to stop and remove.
  8. Remote File Copy – Remote file copy is the staging of malicious files from one network or computer to another.
  9. Spear Phishing Link – A spear phishing link is a clickable link is sent within the body of a targeted spear phishing email. The hacker relies on user execution to begin a malware download, execute a malicious script, or sends to target to a spoofed website to gather further sensitive data.
  10. Spear Phishing Attachment – A spear phishing attachment is a malicious file, often a MS Word document, Excel Spreadsheet, or Adobe pdf file, that executes a malicious script if the recipient of a spear phishing email is tricked into opening the attachment. The spear phishing attachment may launch a script or begin other malware downloads.
Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

Wawa Data Breach – 4 Things to Do to Protect Your Money

by

Wawa Data Breach – 4 things you should be doing if affected by the cyber security incident – What you need to know and do right now about the Wawa data breach

Wawa convenience stores have reported a malware attack that affects all of its 850 locations. The corporate announcement stated that payment information including credit card and debit card numbers were stolen over a ten-month period from stores and at gas pumps. Malware was discovered on Wawa’s payment processing IT system on December 10th, 2019. The cyber attack was mitigated on December 12th. Wawa stated the data breach affected thousands of customers and all locations for over ten months.

Payment card numbers were stolen from in-store payment terminals and fuel pumps from all Wawa locations. The hacked information includes card expiration dates and cardholder names, but not the security codes, called CVV numbers.

Hackers infected payment processing servers and stole credit card and debit card numbers from point-of-sale (POS) terminals in stores and at gas pumps.

READ: 8 Easy to Use Security Apps to Protect a Phone Right Now

The malware infected some payments servers in stores beginning around March 4, 2019. By approximately April 22, 2019, the malware had infected most Wawa store systems. Wawa officials said that debit card PINs or credit verification values (CVV) numbers were not exposed but full card numbers were. In-store ATMS were not affected.

A third-party cyber security forensics firm is investigating the data breach. Law enforcement is conducting a criminal investigation.

McAffee Total Home

The average cost of a data breach is almost $4 million globally according to IBM. In the United States the average cost of a data breach is about $8 million. This has been an especially busy year for hackers.

Ransomware infected municipalities and educational institutions across the United States. The ransomware attacks locked up computer systems of public institutions holding them for ransom. In some cases, cities paid the ransom, but in most they opted to take the data losses and restart their IT systems on their own. Often malware attacks are successful because computer users do not keep their hardware and software up-to-date with the latest security patches. Malware can go unnoticed for long periods of time, just like in the Wawa data breach incident. Sometimes the only clue that a device is infected with malware is that the system slows down or uses high amounts of data.

Save $100 on Samsung Galaxy Unlocked Phones
Plus Free Shipping!

Wawa Data Breach – Should I Be Concerned?

Hackers make money by selling payment card numbers on the dark web. When a large volume of cards is stolen from a retailer like Wawa, the cards may appear on a number of dark web marketplaces. Hackers also make money by cloning credit card numbers onto physical new cards and selling them. When physical cards are sold with stolen names and numbers on them, many may already be shut down by vigilant consumers, but many go unnoticed.

What is Identity Theft?

Victims of the Wawa data breach are also vulnerable to identity theft. In addition to stealing payment card information, hackers also have the names of all Wawa customers affected by the security incident. Hackers can combine that information with other information found publicly to steal customers’ identities.

Best Price Yet! Get $200 off any ALL NEW Lenovo Yoga C940 2-in-1 Laptop
Use code EXCLUSIVEC940

Identity theft occurs when a thief steals the personal data of someone else. They use it to open up lines of credit, take out loans, or open credit cards using the stolen identity. Hackers may even file fraudulent tax returns or medical benefit claims to get money.

READ: How to Unlink a Payment Method from Android Wallet

Why Mobile Wallets are Safer than Credit Cards

Mobile wallets are a secure way to shop online from your smartphone at retail stores like Wawa. With a mobile wallet, the retailer never has access to your full payment information. So, in the case of the Wawa data breach, your payment card information would be secured.

Mobile wallets afford other protections to users. The retailer does not have access to purchases history and it also prevents tracking from advertisers. Facebook tracks credit card purchases through some of its advertising partners. If you see an advertisement on Facebook or Instagram and buy with one of the tracked cards, then Facebook collects that data about your shopping habits and sells it to advertisers.

Wawa Data Breach – What Should I Do?

Consumers are not liable for fraudulent credit card charges because of federal law protections.

Wawa is offering prepaid credit monitoring services for customers who may have been affected by the breach. Although it is way too soon to know, so far there are not reported incidents of identity theft or fraudulent credit card charges.

  1. Freeze Your Credit

    Freezing your credit report prevents a scammer from opening up new accounts in your name. When you freeze your credit, it stops someone from using your stolen credentials from impersonating you and opening up car loans, mortgages, new credit cards, or any other line of credit. It also prevents credit line increases.

  2. Review Bank Statements and Payment Card Account Statements

    Review your bank statements and credit card accounts to look for signs of fraud. Hackers sell stolen credit card numbers in dark web marketplaces and clone new bank cards with your information on them. They use the cards to rack up fraudulent charges. Review your bank and credit card statements to make sure there are no suspicious or fraudulent charges. If you spot them report them to your financial institution.

  3. Get a Credit Report

    Get a copy of your credit report. All consumers in the United States are entitled to one free credit report per year from each of the three major credit reporting bureaus. If you have recently been denied credit for any reason you can obtain a free credit report with each denial.

  4. Get Identity Theft Protection

    Wawa is offering free Identity Theft Protection, but you may want to get an enhanced version of identity theft monitoring covers all of your accounts, monitor all your payment cards for you and your family.

Remember – United States Service personnel are entitled to free credit monitoring and credit monitoring services.

People affected by the Wawa data breach can sign up for free for Experian Identity Works service Visit https://www.experianidworks.com/credit Use activation code: 4H2H3T9H6. Wawa set up a call center to answer customer concerns. Call 1-844-386-9559 if you have any questions.

What are Wawa Convenience Stores?

Wawa is a privately held Philadelphia. Based chain of over 850 convenience stores and 600 gas stations located in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, D.C. and Florida. The company was founded in 1964.

Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

Hacker Gift Ideas for the Holidays

by

Hacker Gift Ideas for Your Favorite Hacker and Cyber Security Professionals

The best hacker gifts include laptops, technology, privacy apps, and even clothing. If you are looking for a useful gift for the hacker or programmer in your life, read onward.

Ten of thousands of people make legitimate a living as a professional hackers. Someone who is a corporate hacker may have a job title like Cybersecurity Researcher, Penetration Tester, Cyber Security Forensic Investigator, or Cyber Security Analyst. Still others may earn money in hackathons where they are given a task that can earn prize money if completed successfully. Programmers sharpen their skills by hacking into their own IT networks, routers, phones, and hardware. Many corporations, like Google, encourage white hat hackers with prize money awarded through bug bounty programs.

Hacker Hoodie

Hoodies are standard garb for hackers. These hacker hoodies are great for programming, working out, and every day wear. The Cruise Performance hoodie is breathable and moisture wicking. It has a kangaroo pocket for stowing phones and money. It’s made from a 60% Cotton and 40% Polyester blend.

511 Tactical Hoodie Women

The Cruise Performance hoodie comines in sizes for women and sizes for Men

511 Tactical Hoodie Men
511 Tactical Hoodie Men

Hacker Hat

Boonie Hat from 5.11 Tactical

Every hacker needs to look the part. Now that you have the laptop, backpack, and hoodie, a hat is necessary to top it off the hacker style.
The 5.11 Tactical Boonie Hat is a poly/cotton blend with ripstop fabric and a Teflon finish. It is lined with a jersey cotton headband that wicks sweat away.

Boonie Hat
Boonie Hat

Phone

If you want to give your favorite hacker an upgrade, get them a new phone. Phones with more memory and faster data connections are useful for penetration testers, SysAdmins, and CISOs so they can stay in touch with their IT network status and corporate offices.

Save $100 on Samsung Galaxy Unlocked Phones
Plus Free Shipping!

Lenovo Laptop

Hackers need a lot of computing power, fast processors, and superior graphics to work quickly and efficiently. A quality laptop with a fast internet connection is a hacker’s most important tool.

Lenovo ThinkPad P73 mobile workstations come with Intel high-performance processors. They can be customized with up to an i9 eight-core CPU and NVIDIA RTX Quadro 5000 series graphics for powerful 3D and VR rendering. This workstation includes ISV certification for ArcGIS, AutoCAD, Creo, Decision Space, McKesson, Revit, SolidWorks, and 3dsMax.

Lenovo Thinkpad P73
Lenovo Thinkpad P73

The ThinkPad P73 has data transfer speeds up to 9.6 GBps and WiFi-6. Lenovo claims the battery can hold a charge for almost 17 hours. One hour of charging restores about 80 percent (13 hours) of battery charge capacity.

This laptop can be customized with optional 4K UHD (3840 x 2160), 400-nit and Dolby Vision high dynamic range (HDR) display technology. The sound system includes Dolby Atmos enabled audio and a dual far-field microphone.

Laptop Backpack

If you’re going to buy a slick laptop, a hacker needs a bag to protect it. A cut and water-resistant bag that is comfortable to wear makes a good choice.
The Dart24 Pack 30L hacker backpack can accommodate up to a 15-inch laptop. This laptop backpack has an1830 Cubic Inch (30 Liter) capacity. Side entry compartments have admin and organization panels. The bag has a fleece lined eyewear compartment to protect your favorite hacker glasses.

511 DART24 Backpack

The storage compartments are customizable, and the laptop section is completely removable. There is a removable accessory board with padded laptop sleeve and admin org. The accessory board can be inserted in the main compartment, rear compartment, or removed all together.

This backpack is made from Water-resistant 420D Nylon and has a comfortable padded back with mesh to keep you cool.

  • Top loading main compartment
  • Left and right entry side compartments
  • Side stretch pockets
  • Dual zipper access to rear compartment with loop panel for accessories
  • Quick release shoulder straps
  • Optional waist belt attachment
  • Main Compartment 18.5 inches high x 11.0 inches wide x 7.0 inches deep
  • Weight – 3.2 pounds

VPN

Professional hackers need to use a virtual private network, or VPN. A VPN lets reroutes internet connections through servers in locations of the user’s choosing. Sending data through other locations, protects the hacker’s identity and stops web cookie trackers.

VPNs are not just for hackers. They safeguard information for anyone working on a shared internet connection like those found in coffee shops, workplaces, hotels, and retail stores.

Password Safe

Password keepers create, store, and protect passwords for online accounts. Stronger passwords are harder to hack. It’s important to create a unique password for each online account but it’s hard to remember every username and password combination.

Keeper Password Protection
Keeper Password Protection

McAffee Total Protection Subscription

Get it all bundled in one subscription application with McAffee Total Protection. Protect a home IT network against ransomware, viruses, malware, spyware, and adware. Plans that cover one to ten devices.

McAffee Total Protection is not just an antivirus, the service offers a password manager and file encryption too. The password manager creates and stores strong and unique passwords for online accounts. McAffee Total Protection protects all the PCs, Macs, smartphones, and tablets.

McAffee Total Home
McAffee Total Home
Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

Words with Friends Hacked – 218M Players Affected

by

Zynga Reports Words with Friends Players Hacked – Pakistani Hacker Steals Over 218 Million Zynga Words Gamer Data

Zynga announced thier Words with Friends game was comprmised. In an interview with Hacker News, a Pakistani hacker compromised 218 million Words with Friends game accounts gaining access to player’s names, phone numbers, and other account information. Words with Friends is a Scrabble-like social gaming app available for Android, Windows phones, iPad, iPhone, iPod Touch, Kindle Fire, and Nook Tablet. The game can also be played on Facebook. Words with Friends is owned by Zynga one of the world’s largest social game producers. The data breach affects all players using the Words with Friends on Android and iOS apps who signed up before 2nd September 2019.

In addition, account credentials for Zynga’s game Draw Something may have also been compromised.

Words with Friends FOX
Credit: Zynga – Words with Friends FOX

The hacker, who goes by the handle Gnosticplayers, previously stole almost a billion logins from about 45 other websites and apps. Hacked accounts from fitness app MyFitnessPal (151 million accounts breached), file sharing site ShareThis (41 million accounts hacked), dating site CoffeeMeetsBagel (6 million accounts hacked), home improvement site Houzz (57 million accounts compromised), as well as Petflow and Vbulletin forum were all hacked by Gnosticplayers.

Some of the hacked user data from the previous data breaches was put up for sale on dark website Dream Market.

Save $100 on Samsung Galaxy Unlocked Phones
Plus Free Shipping! Limited Time!

Hacked player information includes:

  • Player name
  • Email address
  • Login IDs
  • Hashed passwords
  • Password reset token (if ever requested)
  • Player phone numbers
  • Facebook ID (if connected)
  • Zynga account ID
Words with Friends HAT
Credit: Zynga – Words with Friends HAT

Zynga reports that no financial information from the Words with Friends hack was stolen.
“As a precaution, we have taken steps to protect these users’ accounts from invalid logins. We plan to further notify players as the investigation proceeds,” Zynga stated.

Like many other companies affected by data breaches, Zynga hired a third-party forensics firms to carry out an investigation.

Charge any battery type with the Tenergy TN471U Universal Charger
SHOP NOW!

Zynga Hack – What to Do Next

  1. If you use Facebook to log into Words with Friends, then your account is still secure
  2. Change your Zynga game passwords. If you use the password across multiple accounts, the hacker may be able to hack those accounts next. This is especially important if you use the same password for banking apps or credit cards
  3. Do not reuse passwords on multiple online accounts. Even if an account does not seem like it is important – like social media or games – a hacked low-level account can give a hacker information they need to get into more sensitive data and steal money

What is Social Engineering?

Hackers gather information for future phishing email campaigns and malware attacks with a cyber attack strategy known as social engineering. In social engineering attacks, hackers gather personal information about individuals by scraping data from low-level online accounts like games, gleaning personal details from social media sites like Facebook that yield answers to password reset questions, or assembling publicly available information from corporate websites.

Publicly available data like name and email address may seem harmless, but it can be matched with data from other sources and used to gain access to credit cards and banking apps. Information from social media accounts can be used for spear phishing emails or to guess at and reset passwords to far more sensitive accounts.
The goal maybe to steal money, place fraudulent credit card charges, or launch malware attacks.

Keeper Unlimited – 15% Off
Save 15% on Keeper Password Manager today!

What is Zynga?

Zynga is the developer of popular social games like FarmVille, Words with Friends, Zynga Poker, Mafia Wars, and Café World which are played all over the world. The company’s games have over one million players. Zynga has a market capitalization of over five billion USD.

Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

Hacked SharePoint Site Used to Phish Office 365 Credentials

by

Hacked SharePoint Sites Are Being to Launch Phishing Email Attacks – Targets Banks

Hacked Microsoft SharePoint sites are being used to send phishing emails that beat most spam filters. Hackers are targeting financial services organizations mostly in the UK with this cyber attack. Cyber security researchers at Codefense discovered the phishing campaign designed to steal Office 365 credentials. Hackers use SharePoint, a content management system integrated with Microsoft Office 365, along with malicious emails to target British financial sector businesses. If a recipient clicks on the link in the initial email, they are sent to a compromised SharePoint site. The hacked site prompts the victim to review a OneNote document but attempting to download it sends the victim to a login credentials phishing page.

Common Hacked Passwords
Common Hacked Passwords

Because the embedded URL in the first email links to a SharePoint account and the email doesn’t contain malware or any suspicious attachments, it bypasses security checkpoints and spam filters.

Image Credit: Codefense Hacked SharePoint Site

SharePoint Phishing Campaigns – How it Works

The initial email comes from a compromised SharePoint account (independentlegalassessors.co.uk) which belongs to Independent Legal Assessors, a legitimate London based legal services firm.
The phishing emails contain typical office communications about legal issues, billing, or invoices. Recipients of the email are prompted to review legal information by clicking on a link to a SharePoint site. If the reader clicks on the link, it sends the reader to a compromised SharePoint site that contains a malicious OneNote document. The document is illegible and prompts the reader to download it by clicking on another URL. Attempting to download the document sends the victim to a spoofed OneDrive for Business site that functions as a credential phishing page. Victims are prompted to login with either Office 365 credentials or another username and password.

What is SharePoint?

SharePoint is an online content management system for businesses launched in 2001. It integrates with Microsoft Office. There are over 190 million users and 200,000 business customers. SharePoint is available in 47 languages. Although it is primarily a document storage and management system it is highly customizable. SharePoint users can belong to 5000 different groups likewise each group can have up to 5,000 users. There can be up to 10,000 groups in a site collection.

SharePoint Phishing Page
Image Credit: Codefense SharePoint Phishing Page

Phishing Attacks – How to Protect Against Them

Cybercriminals and hackers are increasingly using online content management systems such as Google Docs, Dropbox, SharePoint, and other business tools to launch phishing and malware attacks.

  • To protect against phishing attacks, users should consider implementing two-factor Authentication (2FA) for their online accounts if you’re not familiar with 2FA see our guide on how to factor Authentication can help you secure and protect login credentials
  • Businesses and individuals can also use an up-to-date anti-virus software to protect all electronic devices
  • Account passwords should be changed regularly, and the same password should not be used across multiple accounts.
  • Avoid using passwords and the annual most common password list.
How to Enable 2FA
How to Enable 2FA
Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

Russian Hackers Targeting Banks Worldwide

by

Russian Silence Hacking Group Targeting Banks Worldwide

Silence APT, an organized hacking group, has sent out over 170,000 phishing emails to develop targets and steal money from financial institutions worldwide as reported by Group-1B cyber security researchers. The hackers’ most recent cyber attack targeted Bangladesh-based Dutch-Bangla Bank. The bank lost over $3 million from a series automated teller (ATM) cash withdrawals during an attack that persisted for several days.

Silence APT hackers begin their attacks by sending two phishing emails. After successful infection the hackers download malware to an infected system and move on to control cash machines. Cyber security researchers from Group-IB stated report that Silence APT compromised banks in India (in August 2018), Russia (February 2019), Kyrgyzstan (May 2019), Russia (June 2019), Bulgaria (July 2019) as well as Chile, Ghana, and Costa Rica. In another attack, Silence stole $150,000 from ATMs in one night.

Silence hackers use a two-stage phishing emails cyber attack vector. The first phishing emails containing images or a link for the reader to click on. The phishing emails do not contain malicious code or attachments and serve to refine the email list of targets. The second spear-phishing email campaign begins the infection. The phishing emails usually contain Microsoft Word documents as attachments. The docs contain macros or exploits, CHM files, and .LNK shortcuts as malicious attachments to infect victims’ machines with backdoors and downloaders. Upon successful infection the hackers manually load TrueBot malware, also known as Silence.Downloader to the users’ system.

What is Silence APT?

Silence APT is a Russian Advanced Persistent Threat (APT) group. Silence hackers target banks and financial institutions to steal money. The hacking group is believed to have been in operation since about 2016.

Silence APT CYBER ATTACK HISTORY

Silence hacking groups’ activities from May 2018 through 1 August 2019 as tracked by Group-IB cyber security specialists. Money mules in Bangladesh were arrested but the attacks still increased in frequency and geographical region. Group IB Threat Intelligence reports on Silence APT groups’ activities are available for download

Advanced Persistent Threat List
  • 28 May 2018 – An email phishing Russian language campaign sent with Microsoft Word attachment that contained an exploit for CVE-2017-11882 vulnerability. The exploit installs Silence’s loader
  • August 2018 – A bank in India was compromised by Silence
  • 16 October 2018 – Russian Silence hackers conducted a malicious campaign targeting Russian banks. The emails were sent from info @ bankuco. com
  • 18 October 2018 – Silence APT sent a test email campaign to UK financial companies
  • 18 October 2018 – Silence sent emails to Russian banks and digitally impersonated a legitimate bank due to the lack of SPF settings
  • 25 October 2018 – Silence sent emails from info @ bankuco . com to Russian banks. The emails refer to the opening and maintenance of a correspondent account and were sent from a non-existent bank name
  • 15 and 16 November 2018 – Silence sent a large-scale email phishing campaign posing as the Central Bank of the Russian Federation. The goal of the cyber attack was to deliver the second stage of Silence’s Trojan, Silence.MainModule
  • 20 November 2018 – A first stage phishing campaign sent to Asian banks
  • 25 and 27 December 2018 – A new malicious phishing campaign sent from pharmkx[ . ] group and cardisprom[ . ]ru domains
  • 4 January 2019 – Silence attacked financial organizations in the UK containing an attachment signed by SEVA MEDICAL LTD
  • 16 January 2019 – For the first time, Silence disguised a malicious attachment. It was a fake invitation to the international financial forum iFin-2019. The attachment contained Silence.Downloader
    (TrueBot) malware
  • February 2019 – Silence hackers compromised another Indian bank
  • February 2019 – Silence stole 25 million rubles (about $400,000 USD) Russia’s Omsk IT Bank
  • 21 May 2019 – Phishing emails sent out purporting to be from the bank’s client with a request to block a credit card. The emails contained a fileless Trojan, Ivoke backdoor
  • 20 June 2019 – Silence attacked banks in Russia
  • July 2019 – Banks in Chile, Bulgaria, Costa Rica and Ghana were compromised

What is an Advanced Persistent Threat Group?

Advanced Persistent Threat Groups are organized cyber criminals that hack corporations, governments, organizations, and individuals. Many APT groups work at the behest of a government entity. APT groups have different goals. While some are conducting corporate or political cyber espionage, others steal data, contacts, or money to fund other missions.

APT groups are assigned numbers to help cyber researchers track their activity. They are also given multiple names so as not to offend the governments that sponsor them. The names loosely follow a naming convention associated with each APT groups’ home country. For example, Chinese APT groups are named for Pandas while Iranian hacking groups are named for Persian Cats or oil industry terms. Iranian state-sponsored APT34 is also known as OilRig and HelixKitten. The United States APT group is called Equation Group.

Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

North Korean Hackers Stole $2 Billion

by

United Nations Reports that North Korea Hacks Banks and Cryptocurrencies to Fund Initiatives

A leaked report from the United Nations (UN) stated that the Democratic People’s Republic of Korea (DPRK) deploys state-sponsored hackers who have netted an estimated $2 billion from financial institutions and cryptocurrency exchanges in just three years. DPRK’s intelligence arm, the Reconnaissance General Bureau (GRU), has focused its Lazarus hacking group’s skills on stealing money for North Korea.

The UN report states that North Korean is hacking banks and crypto to illegally raise money for a weapons program in violation of sanctions. North Korea’s technology skills have increased and confirms that financial gain is one of their primary goals. North Korean hackers targeted financial institutions and cryptocurrency exchanges in seventeen different countries. See the full UN report here.

Heimdel Malware Protection
Heimdel Malware Protection

North Korea’s Lazarus hackers focus on the theft of currency from real-world banks or cryptocurrencies from online exchanges. North Korea’s state-sponsored hackers are responsible for $81 million of stolen from the Central Bank of Bangladesh. At least another $571 million was stolen from five cryptocurrecny exchanges: Yapizon, Coinis, YouBit, South Korean exchange Bithumb, and Coinckeck. The exchanges are a favorite target because they are harder to trace.

Financial gain remains one of the main goals for Lazarus. The experts said North Korea “used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income.

APT38 – Advanced Persistent Threat Group

One of North Korea’s state-sponsored hacking groups, Lazarus Group, has been operating since 2009. Lazarus is an Advanced Persistent Threat Group, or APT38. Lazarus typically breaches financial institutions to steal money for North Korean initiatives. APT38 has infiltrated the IT networks of over sixteen organizations in eleven countries. The hacking group is associated with the 2017 WannaCry ransomware cyber attack, the 2014 Sony Pictures hack, and the 2016 SWIFT Banking cyber attack.

An Advanced Persistent Threat Group, or APT Group, is an advanced hacking organization with a level of skill that warrants monitoring. Some, but not all APT groups are state-sponsored. They are often given other names by cyber security researchers. For example, Chinese state-sponsored groups tend to be named after Panda Bears and Iranian hackers are named after Persian Cats. AN APT group can have multiple names as they are informal. The hacking groups given other names so as not to directly offend a sponsoring government in reports.

APT hacking groups typically use a low and slow approach to hacking. Their cyber attacks may go undetected for years. These advanced hacking groups are after technology, conduct espionage, and steal money.

Hacking for Money

Cryptocurrencies are targeted by hackers because are not as easy to track and subject to less government oversight. Tokyo-based Remixpoint, which runs the BITPoint exchange, lost 3.5 billion yen. In 2017, state-sponsored hackers launched a spear phishing attack against a London cryptocurrency firm as well as a low and slow cryptocurrency mining operations. In 2018, over £31m was heisted from South Korean exchange Bithumb.

A Panel of Experts to the United Nations Security Council, cited a series of cyber attacks in 2018. Hackers stole tens of millions of dollars from banks and transferred the money to accounts in 30 different countries and Hong Kong. Funds were quickly withdrawn in thousands of transactions.

Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

Capital One Credit Cards Hacked

by

Capital One Financial Hacked – Over 106 Million Credit Card Applicants Affected

Capital One Financial Corporation annuonced that the company has been hacked. About 100 million credit card holders and applicants in the United States and another six million in Canada are affected. Hacked data includes information from Capital One credit card holders, including small businesses, as well as people who applied for Capital One credit cards from 2005 through the beginning of 2019. The data was compromised on July 17, 2019.

Hacked information includes full names, addresses, postal codes, phone numbers, email addresses, birthdates, and income reported by personal and small business credit card applicants. Some Social Security numbers, Canadian Social Insurance numbers, and bank account numbers were also stolen. The hacker also downloaded portions of credit card customer data including credit scores, credit limits, account balances, payment history, and contact information. Also breached were fragments of Capital One credit card transaction data from a total of 23 days during 2016, 2017, and 2018.

Capital One Hacker Posted Message on Slack

The Federal Bureau of Investigation (FBI) has already arrested and charged the suspected hacker. Paige Thompson, a software engineer and former employee of Amazon Web Services. Thompson hacked into Capital One cloud computing services, a web service used by Capital One, on July 17 and exploited a misconfigured web application firewall to gain access to customer data. Computer fraud and abuse is punishable by up to five years in prison and a $250,000 fine.

Identity Force
Identity Force

Thompson, aka erratic, posted a message on a Slack channel, a messaging service used by businesses and developers stating. “I wanna get it off my server that’s why I’m archiving all of it lol,” Thompson posted. She had put the information on her GitHub account using her full name. She also Tweeted that she had taken the Capital One information. A person who saw the data on GutHub notified Capital One. The web server vulnerability has since been patched.

In addition to the compromised credit card application data, the hacker also downloaded United States credit card customer data including credit scores, credit limits, account balances, payment history, contact information, and portions of credit card transaction data during 2016, 2017, and 2018. About one million Social Insurance Numbers were compromised from Canadian customers.

Capital One App
Capital One App

No credit card account numbers or website log-in credentials were compromised in the data breach. Over 99 percent of Social Security numbers on the Amazon cloud web servers were not compromised but still about 140,000 Social Security numbers were hacked from credit card customers. Also about 80,000 linked bank account numbers of secured credit card customers were stolen.

What Do I Do About the Capital One Hack?

Capital One is not providing a way for credit card customers or credit applicants a way to check and see if they are victims of the data breach. According to their website post, the company will be notifying those who are affected and supplying free credit monitoring and identity protection available to them.

WebRoot cyber sec

Hackers frequently dump personal data online or sell credit card data on the dark web. Hackers and scammers but the stolen credit card numbers and used them to buy items online or take cash advances. Identity theft is when a scammer uses someone else’s name, address, social security numbers and other personal data to open up credit cards or other financial accounts in the victim’s name. Fraudulent accounts can be used to receive money from other scams. Identity theft can also be used in conjunction with tax scams to steal income tax refunds or file erroneous tax returns.
Scammers can also buy hacked personal data on the dark web and use it for various scam calls. The goal is to trick and intimidate spam call recipients into sending money to bank accounts that hacker can access.

If you suspect your data has been stolen and that you may be one of the Capital One data breach victims, then:

  • Check your credit cards, bank accounts, and other financial accounts for fraudulent transactions or increases in credit limits
  • Freeze your credit to stop any new accounts from being opened in your name
  • Be vigilant for scams, phishing emails, and erroneous transactions

If you need help identifying phishing emails, types of scams, or how to stay safe while traveling, please read our posts and cyber security guides

Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/

Russian Intelligence Agency Hacked

by

Russian Spy Agency FSB Hacked in Largest Breach Ever Exposing Effort to Crack Tor Anonymous Web Browser

Russian intelligence agency, Federalnaya Sluzhba Bezopasnosti, (FSB) or Federal Security Service in English was the target of a cyber attack. According to the BBC, hackers stole 7.5 terabytes of data including Russia sponsored plans to gather data from social media accounts and hack encrypted Tor browsing sessions. Russia’s FSB is the equivalent of the United States Central Intelligence Agency and Britain’s Security Service known as MI5.

Hackers breached an FSB contractor, Sitec on July 13. The hacking group named 0v1ru$ defaced Sitec’s website with a smiling YOBA Face, or ПеКа-фейс, along with the names of discovered secret projects. Federal Security Service project names exposed: (Arion, Relation, and Hryvnia) are all names of employees at Sitec. 0v1ru$ sent the hacked data to hacking group Digital Revolution which in turn sent the files to media outlets and posted the news on Twitter.

Digital Revolution Twitter
Digital Revolution Twitter

Russia is trying to crack Tor anonymous web browser. Hacked FSB project plans were sent to local news outlets by Digital Revolution as proof of the activity. Hacked information includes plans to strip anonymity from Tor browsing, scraping of social media sites (including Facebook and LinkedIn for personal information, and plans to segregate Russian internet from the rest of the world. It appears that the FSB has been trying to decrypt Tor web traffic since 2012.

Hacked FBS Projects

  • Nautilus collected information of internet users seeking to anonymize online activities
  • Nautilus-S was developed by Sitec to work on intercepting anonymized Tor web traffic. The project was launched in 2012 under the direction of Russia’s Kvant Research Institute
  • Hope and Tax-3 are the names of the projects that are working toward a separate internet for Russia. Russian President Vladimir Putin signed legislation to ensure stable operation of the Russian Internet (Runet) disconnected from the global internet services.

0v1ru$ downloaded part of the project files before deleting them from Sitec servers. Digital Revolution is the organization that hacked Kvant Research Institute in December 2018. Kvant is administered by the FSB.

A BBC post states that Sitec’s projects were mostly contracted with FSB Military Unit 71330, part of FSB’s 16th Directorate. Military Unit 71330 handles signals intelligence. The hacked projects do not involve state secrets.

What is Russia’s Federal Security Service?

Russia’s Federal Security Service (FSB) is the successor to the former Soviet-era Komitet Gosudarstvennoy Bezopasnosti or KGB. FSB was created in 1994 and is headquartered in Moscow. The FSB is responsible for counterintelligence gathering, antiterrorism efforts, military surveillance, and electronic surveillance abroad. FSB’s Military Unit 71330 of the 16th Directorate is accused of emailing spyware to Ukrainian intelligence officers in 2015.

What is TOR Browsing

Tor browsing is a technology used to keep internet traffic including web browser activity, messaging, forums, and other communications private and secure. Tor browsing thwarts network surveillance or traffic analysis. All internet traffic is funneled through a global overlay network consisting of more than seven thousand relays from volunteers who runs servers for free. Tor traffic cannot be intercepted between or at the nodes.

Tor web browser is a open source web browser used to ensure that all web traffic is kept anonymous. It connects automatically to the Tor network. Brave browser is another lesser known private web browser.

Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers

www.metrony.com/