Threats Without Borders - Issue 74
Matt's newsletter - Week ending April 17, 2022
I don’t like using Cisco Webex, but not for the reasons one may think. Cisco is a fine company and Webex works sufficiently well. My problem is with the pointy-hatted know-it-alls who demand Cisco be used for “security”. I’ve found most of these people work for government. I’ve been gently demeaned more than once after offering “would you like me to set up a Zoom or Teams meeting”, with a curt “Webex, please!”, almost with a “uhhh, you stupid local cop peasant” air of superiority. I usually ask if there is something wrong with the other options, since Zoom is pretty simple and mostly universal at this point, and who doesn’t have a Microsoft account? The answer is almost always along the lines of Webex being a more secure product.
Researchers from the University of Wisconsin published a report this week concerning their examination of several video conferencing applications and how each controls the user’s microphone. Specifically, does the application actually cut off the microphone when the user toggles the mute button to mute?
All of the applications tested still collected sound even when the microphone was muted. But much to my satisfaction, the researchers found that Cisco Webex was the worst violator. The application not only continued to collect sound, it also transmitted it to the company’s servers just as it did when the application was unmuted.
The researchers responsibly disclosed the vulnerability to Cisco, which responded that the issue wasn’t a vulnerability at all. Wait, what?
It’s a pretty safe bet to assume that every conferencing application is full of vulnerabilities. Think about everything that the app must have control over to work properly: sound, video, Internet access, system and file access, keystrokes, screen recording… pretty much the entire computer and everything it does. It is naively presumptive, bordering on ignorance, to claim that one is so much superior to the others for security reasons. Move to Signal or Telegram if you’re that concerned about someone monitoring your conversations.
Take a few minutes to read the report while I set up some meetings with Teams and Jitsi.
A whole lot of ishing
The FBI released a notice through the Internet Crime Complaint Center (IC3) about fraudsters who are targeting their victims with the whole phishing suite. It starts with smishing, then leads to vishing. The victim is sent a text message with what appears to be a bank fraud alert asking if the customer initiated an instant money transfer. When the victim responds to the alert, the cybercriminal calls from a spoofed number imitating the financial institution’s legitimate 1-800 support number. While pretending to reverse the fake money transfer, the fraudsters swindle victims into sending payment to bank accounts under the fraudsters’ control. https://www.ic3.gov/Media/Y2022/PSA220414
Subpoena’d by whom?
INKY details a new phishing attack that delivers an email advising victims they have been subpoena’d by the U.S. Supreme Court. The problem being, of course, that the Supreme Court doesn’t issue subpoenas. The message contained a fake “Notice of Summons,” threatening arrest if the recipient didn’t appear in court. It encouraged them to click on a big orange “ATTACHED FILE” button to view or print a “petition letter”. https://www.inky.com/en/blog/fresh-phish-supreme-court-lure-follows-phishing-precedent
Researchers at Digital Shadows have calculated that two ransomware gangs, Conti and LockBit, were responsible for over half (58%) of all attacks in the first quarter of 2022. Of the two, LockBit is working the hardest, being responsible for 38% of all attacks. The article doesn’t neglect the has-beens either, noting that PYSA and REvil have completely disappeared. https://www.zdnet.com/article/ransomware-these-two-gangs-are-behind-half-of-all-attacks/
While everyone’s worried about AirTags
While privacy advocates are in an uproar about the harassing/stalking potential created by Apple AirTags… this guy just strapped his Apple Watch to the vehicle. The stalker wrapped his watch around the spokes of the victim’s car after she canceled her Life360 account, which he had been using to track her. This Gizmodo article correctly notes that an AirTag costs about 30 dollars while an Apple Watch costs between 200 and 400 dollars. Stalkers gonna stalk, regardless of the effort or costs. https://gizmodo.com/an-angry-stalker-used-an-apple-watch-wrapped-around-his-1848714771
Surprisingly - not - cryptocurrency
The U.S. Attorney’s Office for the Southern District of New York announced the indictment of ten individuals for a “pump and dump” scheme that netted them more than 100 million dollars in ill-gotten gains. The group used an international network of proxies to hype up useless stocks to sucker hapless retail investors, then sold their shares when the stock prices peaked. You could easily swap in cryptocurrency exchanges for stock exchanges and the indictment would read the same. BTW, who does police crypto pump-and-dump schemes? https://www.justice.gov/usao-sdny/pr/ten-members-international-stock-manipulation-ring-charged-manhattan-federal-court
It’s refreshing to see someone still investing in “old-school” fraud. Police in Atlanta arrested a couple in possession of printers capable of making driver’s licenses, credit cards and blank checks, along with suitcases stuffed with stolen personal information from dozens of victims. https://www.fox5atlanta.com/news/police-bust-id-theft-fraud-operation-at-peachtree-city-hotel
If “legitimate” software has the same outcome as ransomware, is it ransomware? This guy found such a situation in the Mac App store. https://mjtsai.com/blog/2022/04/15/mac-app-store-ransomware/
Florida man arrested for stealing almost $600K from a victim after stealing the victim’s Trezor hardware cryptocurrency wallet. https://www.fox13news.com/news/pinellas-park-hacker-cybersecurity-analyst-steals-nearly-600000-in-cryptocurrency-from-client-police-say
The Securities and Exchange Commission is demanding security compliance from small financial advisors and doesn’t care about the costs. https://www.barrons.com/advisor/articles/sec-cybersecurity-proposal-small-advisors-51649852669?mod=RTA
Malwarebytes detailed a phishing attack that imitates the United States Postal Service and preys on your fear of missing a package. Wait, were you even expecting a package? No? Better check anyways. https://blog.malwarebytes.com/scams/2022/04/usps-your-package-could-not-be-delivered-text-is-a-smishing-scam/?web_view=true
Show possible name and login search patterns (with links) based on first, middle and last name - https://seintpl.github.io/NAMINT/
SAR Investigations Specialist - Cash App (definite job security)
7 rules for making more memorable connections: https://review.firstround.com/how-to-become-insanely-well-connected
Welcome new subscribers and thank you to everyone who opened this week’s email. I know that attention is at a premium nowadays and I appreciate you giving me a few minutes of yours.
“EXPERIENCE IS THE HARDEST KIND OF TEACHER. IT GIVES YOU THE TEST FIRST AND THE LESSON AFTERWARD.” - someone who’s actually learned from their lessons.