IT NEWS

Why we don’t patch, with Jess Dodson: Lock and Code S03E02

In 2017, the largest ransomware attack ever recorded hit the world, infecting more than 230,000 computers across more than 150 countries in just 24 hours. And it could have been solved with a patch that was released nearly two months prior.

This was the WannaCry ransomware attack, and its final, economic impact—in ransoms paid but also in downtime and recovery efforts—has been estimated at about $4 billion. All of it could have been avoided if every organization running a vulnerable version of Windows 7 had patched that vulnerability, as Microsoft recommended. But that obviously didn’t happen.

Why is that?

In today’s episode of Lock and Code with host David Ruiz, we speak with cybersecurity professional Jess Dodson about why patching is so hard to get right for so many organizations, and what we could all do to better improve our patching duties.

According to Dodson, the problem of patching isn’t just a problem of resources—time, staffing, funding—but also of mindset. For some organizations, refusing to patch almost brings with it a bizarre sense of pride, Dodson said.

“I was having a chat to a fellow security professional who was doing some work for an organization where they were boasting about servers being up for 1,000 days. That’s not something to be proud of. I don’t get the whole idea of being proud of your uptime. That just means you haven’t done any updates on that thing for three years.”

Jess Dodson

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why we don’t patch, with Jess Dodson: Lock and Code S03E02 appeared first on Malwarebytes Labs.

REvil ransomware gang busted by Russian Federal Security Service

Eight members of the REvil ransomware group have been arrested in Russia and will face criminal charges.

Russia’s intelligence bureau, the FSB, announced on Friday that it had conducted an operation together with the Interior Ministry in Moscow, St. Petersburg, and the regions of Moscow, Leningrad and Lipetsk to detain the gang members.

In total, the FSB raided 25 homes of 14 members of the group and seized more than 426 million rubles ($5.6 million), including $600,000 in cryptocurrency and €500,000, along with computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money.

Eight of the suspects have been indicted. They are suspected of committing a crime stipulated under Part 2 of Article 187 of Russia’s Criminal Code (‘Illegal Circulation of Payments’).

US input

The FSB began the investigation after receiving information from US agencies about a criminal group and its involvement in attacks on foreign high-tech companies, by implanting malware, encrypting data and extorting money for its decryption. Based on the information provided, the FSB managed to identify all members of the REvil gang, document their illegal activities, and establish their participation in “illegal circulation of means of payment.”

The question about whether the arrests are a direct result of the pressure the Biden administration has been applying on Russian President Vladimir Putin to move against ransomware groups operating in Russia will probably never receive an official Russian answer. The United States government hasn’t indicated how it plans to respond to attacks emanating from Russia, but in July 2021 Biden hinted at digital retaliation if Russian cooperation was not forthcoming.

A Kremlin statement back then said Putin told Biden that Russia had not received any requests from the relevant US departments in the last month, and said that Russia was ready to jointly stop crime.

Now it looks like that might have happened, and hopefully not for the last time. There are many other ransomware groups believed to be based in the CIS.

REvil

We have talked about REvil here many times. Among other articles, you can find a threat spotlight from 2019, and a detailed report about REvil’s supply chain attack against Kaseya. That one even made it into the three most significant cyberattacks of 2021.

According to the FSB, as a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the REvil gang has ceased to exist, its information infrastructure used for criminal purposes having been neutralized.

A lot of writing and speculation has been done about REvil’s origin, whether the gang would come back after a part of their infrastructure was shut down, or when affiliates were arrested. So, if you ask us whether this will be the end of REvil, it’s hard to give a definitive answer.

But whether the gang reopens operations under the same name, or whether it spawns a new organization under new management, the result will be the same. The infection methods, the extortion tactics, and the merciless attacks will undoubtedly continue.

Stay safe, everyone!


A week in security (January 10 – 16)

Last week on Malwarebytes Labs:

Stay safe!


Some Android users can disable 2G now and why that is a good thing

The Electronic Frontier Foundation (EFF) has happily informed people that Google has quietly pushed a new feature to its Android operating system allowing users to optionally disable 2G at the modem level in their phones.

This is beneficial because 2G uses weak encryption between the tower and device that can be cracked in real time by an attacker to intercept calls or text messages.

What is 2G?

Knowing that some countries are already preparing for 6G, you will understand that 2G, which is short for second generation, is an outdated communication standard. Another name for the 2G network that you may be familiar with is GSM (global system for mobile communications). 2G was set up in 1991 and in 2017 some providers started closing down their 2G networks. However, some carriers think that closing down 2G is not the best idea and continue their operations.

Why should I not use 2G?

You should avoid using 2G since it doesn’t use strong encryption and, over the years, many vulnerabilities have been found.

The encryption between the tower and the device is so weak that it can be cracked in real time by an attacker to intercept calls or text messages. In fact, the attacker can do this passively without ever transmitting a single packet.

Another major problem is that there is no authentication of the tower to the phone, which means that anyone can impersonate a real 2G tower, and a device using the 2G protocol will happily use it without questioning.

Cell-site simulators

Cell-site simulators, also known as Stingrays or IMSI catchers, are devices that pretend to be legitimate cell-phone towers, tricking devices within a certain range into connecting to the simulator rather than a tower.

Cell-site simulators operate by conducting a general search of all cell phones within range, in violation of basic constitutional protections. Law enforcement agencies use cell-site simulators to pinpoint the location of phones with greater accuracy than phone companies. Cell-site simulators can also log the IMSI numbers (International Mobile Subscriber Identifiers, numbers which identify a mobile subscriber by their SIM card) of all of the mobile devices within a given area. Some cell-site simulators may have advanced features allowing law enforcement to intercept communications or even alter the content of communications.

3G, 4G, and 5G deployments fix the worst vulnerabilities in 2G that allow for cell-site simulators to eavesdrop on SMS text messages and phone calls. It’s not that they don’t have vulnerabilities, it’s just that they are a big step forward.

Who can disable 2G?

For now, only the newest Android models will have the option to disable 2G. These users can disable 2G right now by going to Settings > Network & Internet > SIMs > Allow 2G and turning that setting off. On older Android phones, these steps may or may not work. Unfortunately, due to limitations of old hardware, Google was only able to implement this feature on newer phones.

[Image: the “Allow 2G” setting with 2G disabled (image courtesy of EFF)]

The EFF urged Apple to support this feature as well, and has started a Twitter campaign to nudge Apple along. The EFF also strongly encouraged Google, Apple, and Samsung to invest more resources into radio security so they can better protect smartphone owners.

Completely abandoning 2G is not an option yet, since many people still rely on it as the main mobile technology, especially in rural areas. That’s why brand-new, top-of-the-line phones on the market today still support 2G technology. But they should at least offer those users that do not depend on it the option to disable 2G. The first step has been made, so let’s keep things moving.

Stay safe, everyone!


Ransomware cyberattack forces New Mexico jail to lock down

Five days after the new year, the Metropolitan Detention Center (MDC) in Bernalillo County, New Mexico suddenly went on lockdown. The reason? A ransomware cyberattack knocked the jail’s internet connection offline, rendering most of its data systems, security cameras, and automatic doors unusable. Prisoners were confined in their cells while MDC technicians struggled to get everything back up and running again.

This attack forced the facility to suspend all prison visits, including from family members and lawyers, which the facility claimed was for the safety of everyone involved. And according to a public defender who represents some of the inmates, the facility’s response to the attack also threatened the prisoners’ constitutional rights.

No, the Metropolitan Detention Center was not targeted

According to a 7-page emergency notice, the entire Bernalillo County was attacked by unknown ransomware threat actors on Wednesday, the 5th of January, between midnight and 5:30AM local time. While the MDC itself wasn’t the target, the after-effects of the attack have spread within the facility just the same. County internet systems were said to be compromised, with staff having limited access to email. This greatly affects MDC staff, because the facility’s structure and location prevent them from using cellular data, which is usually a good alternative if the county experiences an internet outage.

On top of this, several databases within MDC have been confirmed to be corrupted by the attack. Two important systems, namely the facility’s Incident Tracking System (ITS), a system where incident reports are created and stored, and the Offender Management System (OMS), a system housing prisoner account data, were rendered inaccessible and were suspected to be corrupted.

“One of the most concerning impacts of the cyber attack is that MDC is unable to access facility cameras,” per the notice, “As of this evening, January 5th, there was no access to cameras within the facility.”

The only known reprieve at that time had been the immediate restoration of the automatic doors in the afternoon. Staff would no longer have to manually lock and unlock facility doors using keys.

A breach in the system could result in unforeseen problems

This ransomware cyberattack has pushed Bernalillo County into potentially violating a settlement agreement [PDF] from a two-decade old lawsuit, which is why it filed an emergency notice to the federal court. This agreement requires county jails to improve conditions within the facility and address complaints like overcrowding. This also includes providing inmates with regular access to telephones and other communications devices (e.g. tablets). But because the attack affected their internet connection—rendering inmates unable to use such devices—and because jail staff decided to keep inmates confined to their cells, the county has found itself unable to fulfill conditions in the settlement.

The county has already reached out to federal law enforcement to assist in addressing the ransomware attack. For now, Bernalillo County has taken steps to mitigate the effects of the attack.

We’ve entered 2022 with many of us only hoping that we’d have fewer ransomware attacks. But as we already know, what we hope for doesn’t always equate to reality. Ransomware has been a top threat for years now. Unless organizations take a serious stance on cybersecurity, there is no way we can (at least) slow these attacks down.


Phishers on the prowl with fake parking meter QR codes

QR codes come and go as a threat. The last time we wrote about them they were causing problems at gas stations, and by sheer chance this latest outing shares vehicular related subject matter. Law enforcement in the US is sounding the alarm regarding parking meters.

A quick refresher

QR (Quick Response) codes are square barcodes, scanned by your smartphone to perform a variety of tasks. If you use authentication apps on your mobile, you’ve almost certainly had to scan one to set up 2FA for websites you use. Similarly, these codes can be found in the street, on COVID tests, in businesses, or pretty much anywhere else you can think of.

On this occasion, they’ve been spotted in relation to a parking meter scam looking to snag payment details.

Sound the QR alarm

This particular attack seems to have been happening over a period of at least a few weeks, with multiple law enforcement Twitter accounts referencing it like so: 

The so-called “pay to park” scam involves bogus QR code stickers being placed onto parking meters, urging people to pay using the code. At first, I wasn’t sure if they were placing bogus stickers over genuine payment QR code notices or if it involved fake notices too. However, this article includes a photograph of the scam in action.

It’s a genuine “pay by app parking” notice printed onto something, with the bogus QR code sticker placed on the bottom right hand corner. This is some opportunistic work slotting it into the overall design and making it look like it’s supposed to be there.

From scan to phish

When scanned, potential victims are directed to a fake “quick pay parking” website. From there, payment detail harvesting is but a few clicks and entry forms away. There’s no word as to what level of personal details are taken with the card, but at a bare minimum, we’d expect things like name, address, and date of birth. This means anyone who’s fallen for it will need to keep a close eye on other forms of correspondence, as it could easily serve as a launchpad for further phishing or social engineering attempts. If payment details have been handed over, victims will need to cancel those payment details before the scammers can go on any spending sprees.

The site referenced in the article is now down, but we can’t say for sure if other bogus codes all direct to the same site or a variety of phishy links. The City of Houston states that it doesn’t use QR codes for parking payments. However, this isn’t an easy thing to communicate to a large mass of people. Additionally, the pandemic has made this technology one of the “go-to” bits of tech gaining more widespread use. As a result, many folks wouldn’t find a QR code asking for payment to be particularly odd.

The muddled convenience of guesswork

QR codes occupy a weird space in daily life. They’re a genuinely useful way of doing what you need to do in a pandemic with minimal fuss. The downside is you’re utterly reliant on technology to scan the code, with no idea what lurks beneath till you’ve done it.

Scammers here are relying on the convenience of paying by code. If you’re in a hurry to be somewhere, it’s still advisable to slow down and cast some healthy suspicion on QR codes presenting themselves for duty. If in doubt, contact whoever maintains the parking service you’re using and see if that code is indeed genuine. It’ll probably save you a lot of additional time and effort down the line.


Intimate photo hacker spared from jail, said he “liked the detective work”

Michael Grime, a British games programmer, has escaped jail after using stolen credentials to access several women’s personal email accounts and social media accounts in order to steal their private and intimate photos.

Grime was caught by the National Crime Agency (NCA) as part of an operation involving several agencies and the FBI. The agencies were able to link his email address to an account in WeLeakInfo[dot]com, a website that sells leaked credentials. Grime is said to have been paying $2 USD a day to access this site before it was taken down by law enforcement in early 2020.

WeLeakInfo[dot]com is marketed as a site that offers access to 12 billion user records collected from more than 10,000 data breaches. These records contain user names, email addresses, IP addresses, passwords, and phone numbers.

[Image: this is what WeLeakInfo used to look like, courtesy of the Wayback Machine.]
[Image: the seizure notice that appeared on the WeLeakInfo website from as early as January 2020, courtesy of the Wayback Machine.]

In November 2020, law enforcement officers raided Grime’s home and seized a PC tower, three external hard drives, and his mobile phone. Thousands of photos and videos of women either topless or nude were found on his devices, many of which were images that had never been shared publicly.

The NCA primarily identified 11 women in the UK, most of whom went to school with Grime or had known him since childhood. It isn’t specified how many women Grime victimized outside of the UK. Some of his victims are popular figures on YouTube and OnlyFans.

During a Preston Crown Court hearing, Grime admitted to having access to “around 50 accounts”. In one incident, Grime, who was described as “geeky, loner, and odd”, hacked the account of one of the women’s boyfriends to access private photos shared between the couple.

Lisa Worsley, prosecuting, told the court that his victims “felt betrayed and sad. One woman’s first response was to delete all her social media which she found upsetting.”

“Another said her Snapchat has been unstable and would log her out three or four times a day.” That’s a red flag there.

On the defending side, the lawyer whom outlets only name as “Mr. Forbes” told the court that Grime is “socially awkward” and may be on the autistic spectrum, although Grime has never had an official diagnosis. Forbes also said that his client became obsessed with hacking and “liked the detective work”.

“Many cybercriminals rely on the fact that lots of people use the same password on multiple sites and data breaches create the opportunity for fraudsters to exploit this,” said Detective Inspector Chris McClellan from the North West Regional Organised Crime Unit, who carried out the warrant at Grime’s home address in November.

“He knew it was wrong,” Forbes is quoted saying, “He stopped on occassions but [sic] and deleted material and would start again. This was something over which he felt he had little to no control over.” Forbes said Grime’s arrest was a “relief” for the young programmer as Grime didn’t have to rely on his weak will to stop himself from hacking accounts and downloading photos.

Although he wasn’t imprisoned, Michael Grime was given a community order, which orders him to do unpaid community work for 80 hours over two years. He was also ordered to undergo rehabilitation for 30 days and pay £500 as compensation for each of his 11 victims.

DI McClellan advised internet users to check if their credentials and personal data have been part of a data breach by using legitimate websites like haveibeenpwned.com. If users find one or more of their accounts have been compromised due to breaches, they should make new strong passwords for each account.

“Do not reuse passwords and where possible apply Two Factor Authentication (2FA). This will help you prove you are who you say you are when you are logging into your account. Do not share the 2FA code with anyone.”

Sage words.
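As an added example (not code from the article or from the NCA), here is a minimal Python implementation of the two checks DI McClellan recommends: querying Have I Been Pwned’s Pwned Passwords range endpoint so that only the first five characters of the password’s SHA-1 ever leave the machine, and detecting the same password reused across accounts. The endpoint URL, the `SUFFIX:COUNT` response format and the User-Agent requirement are the real API’s; the fetcher names, the account list and the breach counts are constructed for the demo.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# A range fetcher takes the first 5 hex chars of an uppercase SHA-1 and returns
# the body of the Pwned Passwords range endpoint: one "SUFFIX:COUNT" line per
# breached hash sharing that prefix. Only the 5-char prefix leaves the machine.
RangeFetcher = Callable[[str], str]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password (the form the API uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char digest into the 5-char prefix that is sent and the 35-char suffix kept local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """Number of times the password appears in breach data; 0 means not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def find_reused(credentials: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group account names by password hash; return only hashes used on 2+ accounts.

    Grouping by hash rather than plaintext means the report never contains a password.
    """
    by_hash: Dict[str, List[str]] = {}
    for account, password in credentials:
        by_hash.setdefault(sha1_hex(password), []).append(account)
    return {h: sorted(accounts) for h, accounts in by_hash.items() if len(accounts) > 1}


def live_fetcher(prefix: str) -> str:
    """Real network fetcher (not used by the offline demo); the API requires a User-Agent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_fake_fetcher(exposed: Dict[str, int]) -> RangeFetcher:
    """Constructed offline stand-in for the API, built from {password: breach count}."""
    buckets: Dict[str, List[str]] = {}
    for password, count in exposed.items():
        prefix, suffix = split_hash(sha1_hex(password))
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(prefix: str) -> str:
        # Real responses contain hundreds of unrelated suffixes; add a decoy line
        # so the parser is exercised on more than the matching entry.
        return "\r\n".join(buckets.get(prefix, []) + ["F" * 35 + ":7"])

    return fetch


# Constructed sample data for the offline demonstration (hypothetical accounts).
FAKE_API = make_fake_fetcher({"password": 3861493, "letmein": 123})
SAMPLE_ACCOUNTS = [("webmail", "password"), ("bank", "password"), ("forum", "Tq8!vL2#mN")]


if __name__ == "__main__":
    for pw in ("password", "Tq8!vL2#mN"):
        print(pw, "->", pwned_count(pw, FAKE_API), "breach occurrences")
    for accounts in find_reused(SAMPLE_ACCOUNTS).values():
        print("same password on:", ", ".join(accounts))
```

Swap `FAKE_API` for `live_fetcher` to run the check against the real service; the password itself is still never transmitted.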


Ransomware targets Edge users

Unless you’ve been hiding under a rock for the last twenty years, you’ve probably heard the one about “keeping your software up to date”. Applying software updates promptly is arguably the single most useful thing you can do to keep yourself secure online, and vendors, experts, pundits, and blogs like ours, never let users forget it!

And because it’s good advice that’s easy to follow, cybercriminals like to use fake software updates to con users.

Fake software updates have been a go-to tactic for getting users to download malware for many years. A convincingly-branded message that tells users they need to update their out of date software taps into all the good security messaging users have soaked up, it gives them a reason to install strange software from the Internet, and it carries exactly the right mixture of implied threat and urgency that social engineers like.

For years, fake Flash updates were a fixture of web-based malware campaigns. Flash provided just the right kind of patsy: It was famous for its security holes, and new updates were released almost every month. But with Adobe’s media player a year into its long overdue retirement, criminals have had to look elsewhere for a convincing cover story, and where better than perhaps the most frequently updated software of them all, the web browser? Browsers have an almost frenetic update schedule, and many users understand that installing regular updates is a normal and important part of their everyday use.

Last week, Malwarebytes’ Threat Intelligence worked with nao_sec researchers to investigate a recently-discovered update to the Magnitude Exploit Kit that was duping users with a fake Microsoft Edge browser update.

[Image: the Magnitude exploit kit offers users ransomware dressed up as a Microsoft Edge update]

The Magnitude exploit kit uses a grab-bag of social engineering lures and exploits to attack web users and install ransomware on their computers. Although Magnitude has been used to target different geographies and deliver different kinds of ransomware in the past, these days it is strictly focussed on installing Magniber ransomware on targets in South Korea.

The fake Edge update attack flows like this:

  1. A user visits an ad-heavy website and encounters a malicious ad.
  2. The malicious advert redirects them to a “gate”, known as Magnigate.
  3. Magnigate runs IP address and browser checks to determine if the user will be attacked.
  4. If the user fits the attackers’ criteria, Magnigate redirects them to the Magnitude exploit kit landing page.
  5. Based on information from Magnigate, the exploit kit chooses an attack from its collection.
  6. In this case, the exploit determines the best attack is a fake Microsoft Edge update.
  7. The “update” is actually a malicious Windows Application package (.appx) file.
  8. The .appx file downloads Magniber ransomware from the Internet.
  9. Magniber encrypts the user’s files and demands a ransom.

[Image: a Magniber ransom demand]

Magnitude is regularly updated with fresh attacks, and the fake Edge update appears to have been added in the last few weeks. In the past, Magnitude has made extensive use of Flash and Internet Explorer vulnerabilities, but as the software landscape has changed it has had to adapt. In late 2021, it was seen targeting a sandbox escape vulnerability in the Chrome browser family, for example. That should be no surprise: Chrome is the most popular web browser by far, and it suffered from an unprecedented glut of zero-days in 2021.

The number of problems affecting Chrome’s V8 JavaScript engine suggests there may be underlying problems in that part of the browser, and we fully expect that the near-term future of exploit kits will be Chrome exploits. However, that won’t stop exploit kits from taking advantage of other tactics, like fake updates, where they’re more likely to succeed.

Although Edge is based on the same browser as Chrome, uses the same V8 JavaScript engine, and is vulnerable to the same exploits, those exploits will only work on browsers that are out of date. And since browsers are pretty good at installing updates, Magnitude also needs attacks that work against fully updated browsers.

The irony is that the users most likely to run into an attack telling them they need to update their browser are the ones who already have.

If you want to know what version of Edge you’re running and if there are updates available, we suggest you follow the official guidance from Microsoft:

  1. Open Edge, select Settings and more, and then select Settings.
  2. Scroll down and select About Microsoft Edge.

Malwarebytes blocks Magniber ransomware.

[Image: Malwarebytes blocks a Magniber ransomware download]


FIFA 22 phishers tackle customer support with social engineering

Players of smash hit gaming title FIFA 22 have become the target of a wave of attacks focused on account compromise. Up to 50 “high profile” accounts were hijacked by what may have been the same group.

FIFA games are, traditionally, a big draw for scammers and phishers. Many sports titles offer in-game digital items and benefits, paid for with real money. Sometimes you buy specific items via purchases called microtransactions. Other times, it might be a form of lucky dip, where you spend money on boxes which contain random items. They can be worthless, or incredibly valuable, and you don’t know what you’ll receive till you buy the so-called lootboxes. Games like FIFA frequently draw ire for it, and players who buy a lot of lootboxes are popular targets for phishers. Wherever you have players investing large sums of money, you’ll find the sharks circling in the water.

Someone decided to make a big splash with this particular attack. This wasn’t a stealthy compromise and a slow burn of stolen and plundered accounts; the attackers took over some of the biggest names in the FIFA game space and fired half a dozen flare guns at the same time. As Bleeping Computer notes, targets included actual players, currency traders, and streamers. Someone wanted attention, and they went about it in a way which guaranteed it.

Setting the scene

The problem was so visible that EA published a statement on the attacks. One may have assumed the first point of entry would be phishing gamers with fake logins and stealing their accounts. This is where additional security measures such as 2FA come in. If the attackers gain login details via bogus websites, they still need to log in to the real site as the victim. If 2FA (or similar) is active, they won’t be able to do it without the 2FA code.

This potentially gives victims enough time to realise something isn’t right, and change their login details leaving the phisher with nothing.

However, even with 2FA enabled, things can go wrong. Typically this approach again focuses on the victim. A fake login site will ask for username and password, but then also ask the victim to enter their 2FA code on the phishing site. This code will then be automatically entered onto the real thing, or punched in manually (and with haste!) by the attacker. Sometimes they even ask victims to upload files designed to keep attackers from logging in.

However, on this occasion, they set EA customer support agents in their sights instead.

Going head to head with customer support

The statement reads as follows:

Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques. Utilizing threats and other “social engineering” methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts. 

Attacking victims via customer support isn’t a new technique, but it was used to spectacular effect here. It’s not clear from the statement exactly how this played out. However, phishers often steal logins via fake sites first, then go to customer support pretending to be the victim who is “locked out” or has forgotten their details. They use pieces of the already stolen data to convince customer support they’re the real deal, and then take info from customer support to complete the attack.

The other approach is to talk to customer support with no action taken beforehand, and “simply” social engineer their way into full account control. Tricky, but not impossible, and a lot of it comes down to staff training.

Damage done, and further steps

Here’s the next part of the statement:

At this time, we estimate that less than 50 accounts have been taken over using this method…our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account.

Whether pre-armed with pilfered data or not, the scam involved altering the registered mails associated with accounts. More training definitely seems to be key here, as they go on to say:

All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.

We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.

Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.

All good moves by EA.

A wide world of 2FA protection

A caveat: phishers bypassing you completely and leapfrogging customer support means your 2FA may not help in that situation. On the other hand, keeping accounts locked down with tools like 2FA may contribute to them having to dream up scams like this in the first place. Making them work harder, and going the extra mile, naturally puts up a bit of a fatigue barrier. Many will also simply move on and target less secure accounts.

I can’t think of many gaming platforms or title specific services involving passwords which don’t also offer 2FA. Playstation has it, Xbox has it, as does Steam and Epic. Many platforms and titles offer bonuses for enabling additional security measures.

All of these forms of protection differ, with varying degrees of security. Some are SMS based, which are better than nothing, but ripe for exploitation via SIM swap. Phishers will come up with inventive ways to bypass apps, especially where some crossover to the desktop exists.

The best combination, if available, is probably a password manager and a hardware security key. Some password managers, for example LastPass, will prefill login details for you, but only if you’re on the genuine website. If you’re sent to a bogus site, nothing will happen and you’ll know you’re in the wrong place.

Meanwhile, the physical security key deals with authentication – no text messages or apps required. There are a few examples of successful attacks on physical keys, but they’re pretty rare. Again: this won’t help if the attackers haul themselves over the finish line through customer support. That’s out of your hands. Even so, you’ve locked things down at your end, and that can only be a benefit to you and a hindrance to the people you want to keep out.

The post FIFA 22 phishers tackle customer support with social engineering appeared first on Malwarebytes Labs.

Software engineer hacked webcams to spy on girls—Here’s how to protect yourself

A 32-year-old software engineer has been sentenced to two years and two months in prison for remotely accessing chat logs, photos, videos, and webcams of his female victims.

For nine years, between 2010 and 2019, Robert Davies used malware to infiltrate his targets’ devices and access their data without them knowing. In one incident Davies accessed a schoolgirl’s webcam and secretly filmed her undressing and showering.

Davies is not only a voyeur but also a catfish. He is said to have created multiple accounts on Skype to get close to his targets, with the end goal of eventually tricking them into performing sex acts for him. While using one of his Skype personas, he befriended an 11-year-old girl and built a relationship with her over the course of two years. He eventually gained access to her computer and switched on her webcam without her realizing.

Andrew Shorrock of the UK’s National Crime Agency (NCA) is quoted saying: “Davies has amassed what can only be described as a cybercriminal’s toolkit. Not only was he using these tools to break into people’s devices, he was using them to spy on his unsuspecting victims and to steal naked images of them for his own sexual gratification.”

All in all, Davies victimized 25 individuals.

Davies pleaded guilty to all 25 counts of “causing a computer belonging to another to perform a function with intent to secure unauthorized access”, one count of voyeurism, four counts of making sexual photos of children, and one count of owning extreme pornographic media.

“The extent of the damage you have caused is immeasurable and constitutes a total violation of their privacy,” said Judge Julie Warburton of Nottingham Crown Court as she handed down the sentence.

How to protect yourself from voyeurs and catfishers

Technology has made it possible for anyone with the right know-how and ill intent to access someone else’s device and spy on them. Thankfully, incidents of voyeurism and catfishing can be avoided. Here are some tips:

Webcams

  • If you use a laptop, make sure you put something over the webcam. A simple piece of tape will do, or you can use a specially made webcam protector.
  • If you have a webcam that’s not built into your computer, then get into the habit of manually disconnecting your webcam when you’re not using it.
  • If your webcam has a password, change it from the default to a long and complicated one.

Instant messengers (IMs) and voice-over-IP (VoIP) apps

  • Treat your IM or VoIP app of choice as you would your online social media account: lock down your security and privacy settings, and make sure your ID/handle is not searchable by just anyone (if at all), so random strangers cannot simply add you as a contact.
  • Keep chats and video sessions as clean as possible. It may be fun to try something risqué every now and then, but remember that the threats of sextortion, revenge porn, and blackmail are real.

General tips

  • It goes without saying that you should make sure you have good security software installed on your device and keep it up to date.
  • And talking of updates, make sure you’re applying them as soon as they’re available, whether that’s for your phone, your computer’s OS or your browser. Cybercriminals use known flaws to exploit systems, so keeping your system up to date is one way of making things harder for them.

If there is one final takeaway we can get from the Davies case, it’s that cybercriminals can be very patient. And sometimes, all it takes is one person to choose to take advantage of our trust. One can never be too careful, especially online.

Stay safe!

The post Software engineer hacked webcams to spy on girls—Here’s how to protect yourself appeared first on Malwarebytes Labs.