June Cyber Bytes

Your social media account hasn’t been hacked; it’s been cloned!

Source: The State of Security on May 17, 2022

A recent Facebook post from a family member made me realize that I needed to write about an overused term. A term, that when used, causes chaos and concern. I don’t blame the family member for using it, I’ve seen it used hundreds of times over the past few years and I’ve seen IT and cybersecurity professionals respond without correcting, even, on occasion, offering bad advice.

So, what is the term? Hacked. We all know what it means when we hear that a website was hacked or a company was hacked. Depending on the context, synonyms could be defaced (although that seems less common these days) or breached. At the end of the day, however, the term “hacked” is completely valid and used correctly in those situations. So, when is it used incorrectly? When it is used to describe a fake social media profile.

Here’s the situation, one that we’ve all seen dozens of times. “Don’t open messages from me, I’ve been hacked!” or “Don’t open messages from <insert person here>, they’ve been hacked!” There are definitely times when people’s legitimate accounts are used to spam out malicious links and, in those cases, “I’ve been hacked!” feels appropriate. I believe, however, that context matters, and a duplicate social media profile should not be referred to as “hacked” and the actions associated with an account breach should not be taken.

So, what is a duplicate social media profile? If you have been living under a rock or are sane enough to avoid social media, you may not have encountered this phenomenon. It occurs when someone takes your publicly visible social media photo and creates a new account using your name. They then spam out messages or friend requests to everyone on your contact list. This is why restricting access to your profile picture and friends list are such important privacy steps (and yes, before you go look, this is 100% a ‘do as I say and not as I do’ moment).

Previously, this was very common within a single social media network, but with the integrated Facebook-Instagram messaging system, cross platform instances are definitely seeing an uptick. Once you are responding to the fake profile or have accepted the friend request, malicious links or a scam conversation can begin. Also, if you’ve now given access to your profile by accepting a friend request, the malicious individuals (or bots) now have the ability to harvest your information and propagate the scam.

So, why am I against calling this “hacking” or saying the account is “hacked?” Simply put… it isn’t the correct term. The word hack implies certain things and to the general public, those things generally include resetting your passwords, running malware scans, and, for people who go to extremes, wiping the computer.

Over the past few years, we’ve acknowledged more and more that changing passwords regularly is a bad thing. If you frequently have your profile cloned and used, you become guilty of the very thing that we’re trying to push enterprises away from. Since the person did not gain access to your account, changing your password simply does not make sense. However, when someone posts “Oh no, my account was hacked!”, a dozen people will reply with “Quick! Change all your passwords.”

While this may seem like a minor pet peeve, I believe it is a bigger issue. If people believe these are accounts that are hacked, it creates a false sense of insecurity which can potentially be just as dangerous as a false sense of security. Rapidly changing passwords is not good and these types of events are definitely on the rise.

So, as a reminder, your account has not been hacked… someone copied your profile in an attempt to leverage the personal connection you have with others and take advantage of them. One of the clearest indicators of this is that the messages come from a different account and appear in a different chat or they involve a new friend request. The best thing you can do is report the person, tell others who get the requests to report the person, block the account, and move on. Beyond that, there’s really nothing else to do.

Cybersecurity prompts upgrade for 1.3 billion electricity meters

Source: Security Brief on May 23, 2022

ABI Research has found the move toward Advanced Metering Infrastructure (AMI), including upgrading 1.3 billion electricity meters by 2027, is prompting utilities and energy suppliers to revisit their digital security agendas and how they manage their devices. The report says digitization of traditional electricity grids and upgrading aging energy infrastructure are among the top concerns for operators and governments worldwide. It says security for last-mile energy consumption applications was frequently overlooked. 

ABI Research senior IoT cybersecurity analyst, Dimitrios Pavlakis, says the introduction of AMI, smart metering, and grid digitization is steadily increasing spending for secure management services. He says this assists implementers in transitioning to IT (information technologies) and OT (operational technologies) security services and helping tackle their primary objectives. Pavlakis says these key objectives include streamlining consumer and commercial electricity usage, satisfying the need for increased industrial output, tackling the demand for real-time energy optimization services, assisting with introducing renewable sources and decentralized energy, and increasing the security threshold for critical infrastructure in different countries.

"The name of the game is oversight, efficiency, and security when it comes to smart metering," he says. "The responsibilities for utilities and energy suppliers have increased significantly and they are treading into new potentially unfamiliar grounds." Pavlakis says utilities are attempting to align with governmental regulations, enable new supply chain interactions with manufacturers to make sure device OEMs satisfy hardware and software security requirements for smart meters and coordinate on digital identity issuance and secure firmware installation. He says utilities also have to consider cost-efficiency for capital expenditures on long-term security investments and continue to serve their end customers while streamlining the transition to AMI services.

"The introduction of governmental regulations regarding deployment, management, and oversight in AMI is perhaps one the most important predictors in IoT security services for electricity meters, forcing utilities operators to revisit their strategies," says Pavlakis. "Identity issuance, device management, firmware over-the-air (FOTA), security intelligence, and traffic monitoring are among the top priorities for them. Additionally, the focus on regional grid management and the introduction of thousands or millions of smart meters prompts utilities to invest in their on-premises headend servers through Hardware Secure Modules (HSMs) and security management platforms to mitigate some of the long-term cost."

ABI Research says key players in the market include established smart metering and smart grid players like Landys+Gyr (aided by their security arm Rhebo), HSM specialists like Utimaco, leading players for digital infrastructure, eSIMs and HSMs like Thales, IoT communication module and connectivity providers like Sierra Wireless and PKI, Certificate Authorities like Device Authority and Globalsign, and smart grid cybersecurity and risk management service providers like OTORIO. These findings are from ABI Research's IoT Security Services in Electricity Utilities application analysis report. This report is part of the company's IoT Cybersecurity research service, including research, data, and ABI Insights.

As Ukraine conflict continues, U.S. banks still face threats from Russian cyberattacks

Source: SC Media on May 25, 2022

When the Russo-Ukrainian war began in late February, there was an almost immediate response from government and cybersecurity experts alike: the U.S. financial industry should beware that just because they may not be affected by the ground assault, there was a good chance they’d be prime targets for the online attack that was threatened. Flash forward to today, in the face of sanctions from many countries and in many sectors, it would appear from headlines that it’s the Russian banks, like Sberbank, that have felt the wrath of cyber-hijackers and even opposing nation-states. But experts on network security at U.S. financial institutions, which have been fending off Russian organized crime rings and even government-backed hackers for years, know that while the invasion of Ukraine may be winding down, the potential cyberthreats to their data, their money, their infrastructure and their customers press on.

“The Russia-Ukraine conflict will soon enter its third month. While the initial uncertainty has worn off, the cyberattacks purported by Russia and its operatives are likely to intensify as sanctions and the associated economic toll increase,” said Dan Katz, cybersecurity and data privacy director at Mazars, a global consultancy. “Russian cyberattacks will continue to inflict collateral damage on a wide variety of organizations, but will likely continue to strongly target financial services organizations,” he underscored. This is not only due to the major role of the financial and payments industries play in the global critical infrastructure, and potential data and monetary profits to be had, but also because many U.S. banks still rely on fairly complex or siloed core systems — which are often much trickier to protect.

John Horn, director for the cybersecurity practice at the Aite-Novarica Group, a financial research and consulting firm, pointed out that “even before the U.S. imposed economic sanctions on Russia ... top cybersecurity agencies warned of the heightened threat of cyberattacks” on the U.S. financial infrastructure. “Though many experts agree the threat remains,” Horn added, “they disagree over its severity and why exactly Russia has not launched any major cyber weapons that we know of.” Another reason financial firms remain cautious in guarding their online flanks is simple revenge by Russia for those controversial sanctions imposed by the U.S. and other countries. “When the sanctions were implemented against Putin, his oligarch supporters and Russia overall, Putin would like to apply pressure to the banks that are a key component of the U.S. GDP,” said Tom Atkins, a network security expert at Attivo, who often works in the financial sector.

Hence, it is believed that more pointed and pernicious attacks on the U.S. financial infrastructure may yet come to the fore, according to Neal Bridges, CISO at Query.AI and a former NSA hacker, with the specific threats varying based on how each financial institution, service or third-party interacts with Russia and Ukraine. For example, Bridges pointed out that Citigroup has an operating presence in Kyiv, which means that the global bank at least some physical IT infrastructure in place there, which is likely connected to Ukrainian internet, staffed by Ukrainian personnel, and affected by Ukrainian environmental variables. Fellow expert Atkins agreed: “Putin is very likely to target U.S. banks that operate in Ukraine as he works to physically exert his control over that market. It is very likely that he has encouraged Russian cyber-criminal groups to pick up the pace of their attacks to inflict damage through ransomware and DDoS attacks."

Hackers Drain Wedding Cash From Couples’ Zola Registry Accounts

Source: Vice.com on May 23, 2022

Hackers broke into the accounts of several couples using the wedding services site Zola and drained their wedding registry accounts, victims told Motherboard. Others were locked out of their accounts in the run-up to their weddings. “They charged thousands of dollars on my credit card beyond the max limit and potentially can steal wedding funds if this isn’t resolved by Wednesday,” one of the victims told Motherboard in an online chat. “I feel that no matter about the password issue, Zola should be held responsible and not allow credit card transactions without requiring a security code confirmation.” The victim said that Zola finally called her on Monday morning and told her that the credit card transactions “will all be refunded.”

Another victim, who asked to be identified only by her first name, Ali, told Motherboard in an online chat that her fiancé Jackie got a fraud alert from her bank on Saturday alerting her that someone was using her credit card to purchase items on Zola. “We checked in to our Zola account and saw that the email address for the account had been changed to someone we don’t know,” Ali said. “Then we noticed that all our wedding funds that had been gifted to us were being processed to be transferred to a bank account that was not ours.” Screenshots of bank statements shown to Motherboard by the victims show a string of transactions in quick succession to or from "Zola Registry."

The company disclosed the hack on Twitter apologizing to “those who detected any irregular account activity.” Several people on Twitter said hackers were able to use their credit cards and make purchases, resulting in them losing thousands of dollars. Zola spokesperson Emily Forrest said that “cash transfers were blocked. All cash funds have been restored. Any action that a couple did not take will be corrected.” Ashley Smith, another victim, told Motherboard that she and her fiancé had “$1000 stolen from a cash fund within Zola and our credit card information was stolen and used to purchase $675 in gift cards from the Zola website.” “Additionally, the email and password to the account were changed so now we’re locked out. Zola support was closed all weekend and although they were supposed to open at 10am est today it is 11:34 and the phone lines are still closed,” she said in an online chat.  “We noticed that all our wedding funds that had been gifted to us were being processed to be transferred to a bank account that was not ours.”

In a statement sent via email to Motherboard, the company said that hackers used the technique credential stuffing, whereby hackers try to break into accounts using passwords and logins that have been exposed in other data breaches hoping that the targets re-used those passwords. “These hackers likely gained access to those set of exposed credentials on third party sites and used them to try to log in to Zola and take bad actions. Our team jumped into action immediately to ensure that all couples and guests on Zola are protected. Out of an abundance of caution, our Trust & Safety team also took several additional actions including resetting all passwords,” Zola spokesperson Emily Forrest told Motherboard. “We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked. Credit cards and bank info were never exposed and continue to be protected. There was no known infrastructure breach. Service to both iOS and Android apps has been restored. Actions that were not taken by our account users will be corrected.”

Another alleged victim said on Twitter that she lost almost $4,000. Another one claimed hackers stole all their wedding funds that they had received as gifts. “Someone hacked our account and STOLE ALL OUR WEDDING GIFT MONEY!” she wrote on Twitter. “How do you plan to return the funds to us? We’ve been unable to get in touch with any customer support.” Forrest said that “ultimately, fewer than 0.1 percent of all Zola couples were impacted. Couples who did experience irregular activity on their accounts can rest assured that any outstanding issues will be resolved and addressed. We know that there are some couples who are still waiting to hear back from us on an individual request, and our support team is working tirelessly to respond to every email. But, all couples and guests can absolutely resume their normal activity on Zola. Again, we are deeply apologetic to those for whom this may have caused stress.”

“We are also aware of the gift card orders and are very quickly working to correct them. The vast majority of the gift card orders have already been refunded and 100% will be refunded by the end of the day. Any action that a couple did not take will be corrected. By the end of the day, we guarantee and ensure that the 0.1% of couples impacted will be fully refunded in every way,” Forrest added. The company alerted users in an email that said the company “detected some irregular activity, and as a precaution we have reset your password.” “We recommend you change it to one that is secure and unique, and we also suggest using a different password for every online account you have. Reusing the same passwords across multiple online accounts makes it more likely for any one of your accounts to become compromised. We are committed to protecting your personal information,” the email obtained by Motherboard read.

Chicago Public Schools data breach blamed on third-party ransomware attack

Source: Portswigger.net on May 24, 2022

Chicago Public Schools (CPS) has warned parents that the personal records of more than 495,000 children may have been exposed as the result of a ransomware attack on a third-party supplier. The cyber-attack against Battelle for Kids, an Ohio-based non-profit with a mission to modernize school systems, also exposed an estimated 56,138 staff records.

Encrypted data

Cybercriminals deploying ransomware routinely take copies of databases or other data prior to encrypting them and demand ransom in exchange for a decryption key. Alternatively, attackers can threaten victims that, unless they pay up, stolen data is likely to be dumped online. In the CPS case, cybercriminals hacked into a server that stored student course information and assessment data that is used for teacher evaluations. Attackers gained access to 495,448 student records that included names, dates of birth, genders, grade levels, courses taken, and more. Data collected between 2015 and 2019 was potentially exposed. Compromised staff records included names, schools, work email addresses, courses taught, and more.

The compromised systems did not host social security numbers, financial information, health data or home addresses. These factors limit the potential impact of the breach, which could nonetheless facilitate the distribution of more than usually convincing phishing messages. CPS published an advisory on the breach last Friday. It has promised to contact affected families and staff individually and offered victims free access to credit monitoring and identity theft protection.

Battelle Royale

The breach of Battelle for Kids took place on December 1, 2021, but the supplier only notified CPS of the problem on April 26, following confirmation of the breach by an independent forensics investigator and a police investigation. The delay in notifying affected customers about the breach has provoked some criticism on social media. The Daily Swig asked Battelle for Kids to comment on this criticism as well as the circumstances that led to the breach, what ransomware was involved, and what interaction (if any) it had with the cybercriminals behind the attack. We also asked which, if any, organizations beyond CPS were affected by the breach. No word back as yet, but we’ll update this story as and when more information comes to hand.