IT NEWS

Restaurant platform SevenRooms confirms data breach

SevenRooms, a “guest experience and retention platform” for food establishments and hospitality organisations, has confirmed it has fallen victim to a third-party vendor data breach. The company, best known for its customer management platform, learned of the breach after stolen data was seen for sale on an underground forum.

Sample selection

SevenRooms confirmed to Bleeping Computer that the data, samples of which were posted on the forum on 15th December, is real. This data selection contained “thousands of files” containing data on SevenRooms customers.

The database, weighing in at 427GB, contained promo codes, payment reports, reservation lists and more, alongside folders named after well-known restaurant chains.

When file transfer goes wrong

A “third party vendor file transfer interface” is the source of SevenRooms’ current woes. This tool or program was accessed without permission by the data thief, which means that certain documents sent to or from SevenRooms were pilfered.

What has been taken?

There isn’t a great amount of additional detail available in relation to this question so far. The point of note for most people will be data related to individuals. What SevenRooms has told Bleeping Computer is that “some” guest data was obtained, which could include names, emails, and phone numbers.

What was not taken includes bank account data, social security numbers, credit card details, or anything else along the lines of “highly sensitive information”.

Of course, depending on your circumstances, making names or phone numbers tied to email addresses public could still be a threat or concern. The only bright spot here is you don’t have to worry about cancelling your cards right before Christmas and the New Year.

No direct breach of SevenRooms

SevenRooms claims that nobody managed to directly breach their own systems; everything that went wrong was down to the transfer tool. With access to the tool disabled, the organisation investigated and found no evidence of its systems being accessed or otherwise tampered with.

There is no word on which businesses were impacted by this breach, and frustratingly little detail on who may have been affected individually, but we can expect outreach along these lines very soon.

No guest for the wicked: if you think you’ve been caught in the breach…

Until more information is released, it’s tricky to give specific advice. All you can really do for now is be on your guard against phishing and social engineering.

  • Anything related to places you’ve stayed or eaten at, especially offers or discounts, should be treated with caution. You can always contact the business directly if you’re not sure that what you’ve been sent is genuine.

  • Direct phone calls may be suspicious, especially if you remember opting out of outbound contact and marketing or other promotions. As with email or any other form of contact, don’t feel bad about going directly to the source. You won’t miss out by taking a few moments to confirm that tempting offer you’re interested in is the real thing.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Malwarebytes earns AV-TEST Top Product awards for fourth consecutive quarter

AV-TEST, a leading independent tester of cybersecurity solutions, has just ranked Malwarebytes as a Top Product for consumers and businesses for the fourth quarter in a row.
Every two months, experts at AV-TEST evaluate Windows antivirus software across three categories:

  • Protection against malware infections such as viruses, worms or Trojan horses.
  • Performance or the average influence of the product on computer speed in daily usage.
  • Usability, or the impact of the security software on the usability of the whole computer.

All products can achieve a maximum of 6 points in each of the three categories, making 18 points the best possible test result. At 17.5 points or higher, AV-TEST issues the “Top Product” award.

Each security product gets tested against 23,000 unique malware attacks, such as zero-day threats and widespread malware and must pass multiple false positives tests that include over 1 million clean files and websites.

For the latest Sep-Oct/2022 results, Malwarebytes received Top Product awards for both Malwarebytes Premium and Malwarebytes Endpoint Protection. These results mark the fourth consecutive quarter we have received Top Product awards for both products, stretching back to December 2021.

Let’s take a deeper dive into the results from Sep-Oct/2022, starting with the protection category.

Real-world threats no match against Malwarebytes cyberprotection

Malware infections show no signs of slowing down. According to Malwarebytes research, malicious software increased by 77 percent in 2021 compared to 2020.

Needless to say, personal users and businesses alike need strong anti-malware to prevent the costly consequences of infection.

For the Protection category, AV-TEST tested protection against real-world threats launched by cybercriminals—including 0-day malware attacks from the Internet, inclusive of web and email threats. It also tested the detection of widespread and prevalent malware discovered only in the last 4 weeks.

Both Malwarebytes Premium and Malwarebytes Endpoint Protection successfully prevented and detected 100% of malware threats for Sep-Oct 2022, proving that Malwarebytes can fend off the latest malware and defend against the pathways of infection used most often.

Industry-leading performance

Good cyberprotection shouldn’t have to come at the cost of system performance—the last thing you want in your security product is a slowing down of typical operations for daily work on computers.

For the Performance category, experts at the AV-TEST laboratory examined the effect security products had on performance, paying particular attention to four categories:

  • Slowing-down when launching popular websites
  • Slower download of frequently-used programs
  • Slower launch of standard software programs
  • Slower installation of frequently-used programs
  • Slower copying of files (locally and in a network)

Both Malwarebytes Premium and Malwarebytes Endpoint Protection scored 100% on the performance test for Sep-Oct 2022, by and large meeting or beating the industry average in each of the four categories.

Saying sayonara to false-positives

When it came to the number of false-positives generated, neither Malwarebytes Premium nor Malwarebytes Endpoint Protection disappointed.

AV-TEST recognizes that false alarms can disturb the work routine just as much as malware attacks can. That’s why, for the Usability category, AV-TEST tested the number of false positives in three stages:

  • Stage 1: False alarms or blocking when visiting websites
  • Stage 2: False detections of legitimate software as malware during a system scan
  • Stage 3: False alarm test for standard software: false warnings concerning certain actions and blocking of these actions carried out while installing and using legitimate software

Malwarebytes Endpoint Protection had 0 false-positives out of the over 500 websites and 1+ million files used for the assessment. Malwarebytes Premium only had four false-positives.

Nothing but gold for Malwarebytes on the latest AV-TEST assessment

With the latest AV-TEST results, we’re adding yet another notch to our string of successes on leading independent assessments.

Whether it’s MITRE, MRG-Effitas, or G2, our track-record demonstrates that Malwarebytes has what it takes to keep both personal users and businesses safe from today’s most pressing cyberthreats—and do so with high performance and low false-positives.

Learn more about what experts and customers are saying about Malwarebytes:

Malwarebytes recognized as endpoint security leader by G2

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes outperforms competition in latest MRG Effitas assessment

Adult popunder campaign used in mainstream ad fraud scheme

This blog post was authored by Jérôme Segura

Online advertising is a multi-billion-dollar industry, with projected spending to reach over 600 billion U.S. dollars for 2022. It’s not surprising that criminals are trying their hardest to abuse this ecosystem in any way that they can.

One of the biggest threats, and always top of mind for advertisers, is bot traffic, as it is the equivalent of throwing money down the drain on ads that will never be seen by real eyeballs. However, ad fraud is more than bots; in fact, even when traffic is seemingly real, there can still be abuse.

Case in point, we came across a clever ad fraud scheme where a fraudster is running a cost-effective popunder campaign on high-traffic adult websites and then making money via Google Ads. What originally caught our attention was seeing a Google advert on what appeared to be an adult page, as it is strictly against the search giant’s acceptable content policy. It turned out to be a clever way to hide a bogus blog loaded with many more ads, most of them hidden behind a fullscreen pornographic iframe.

As unaware visitors trigger the popunder landing page and continue browsing in their other tab, the decoy website is constantly refreshing with new content and of course new ads, generating millions of ad impressions per month.

We reported this invalid traffic and would like to thank Google for quickly shutting down this ad campaign.

Popunder campaign on top adult sites

It is no secret that adult websites generate a lot of traffic. Did you know that 3 of the top 20 most visited websites are from the adult industry, the most popular one getting an estimated 2.8 billion monthly visits?

A fraudster has set up an ad campaign with one of the major adult ad networks using an ad format known as a popunder, which is one of the most cost efficient. Depending on the visitor’s geolocation and other parameters, the CPM (cost per thousand impressions) can be as low as $0.05.

A popunder is like a ‘pop-up’ in that it is triggered when a user clicks anywhere on a web page, except that the resulting ad will appear behind the open window. It is also unlike a typical banner ad: it is actually an entire page, often referred to as a landing page, whose goal is to provide clear and interesting information in order to achieve a high conversion ratio. Examples of common popunders for the adult industry include online dating services, adult webcams, or simply an adult portal.

At first, it appears that this popunder is simply promoting another adult website called Txxx. But a couple of things don’t add up: the page’s title and address bar show something completely unrelated and we can see what appears to be a Google ad at the bottom of the page.


The problem is that Google’s advertising policies state that sexually explicit content such as text, image, audio, or video of graphic sexual acts intended to arouse is not allowed. Technically speaking, the adult content is merely an iframe placed on top of a WordPress blog and the ad at the bottom should really have been hidden in the background.

To avoid detection, the code is heavily obfuscated and the iframe is built dynamically:


SEO-friendly content to place ad banners

The fraudster is actually deceiving Google by loading legitimate content (i.e. how to fix your plumbing issues) under a fullscreen XXX iframe. Not only that, but the page also refreshes its content at regular intervals, to serve a new article, still hidden behind with the XXX overlay to further monetize on Google Ads. This happens without the user’s knowledge since the tab was launched as a popunder.

This is no ordinary landing page; it’s actually a full blog with dozens of articles that were stolen from other sites.

  • 10-home-heating-tips
  • 10-ways-to-style-your-kitchen-countertops-like-a-pro
  • 4-main-benefits-of-installing-gutter-protection-systems
  • 8-most-common-roof-leak-causes-in-california
  • before-you-plan-to-build-your-own-house-work-out-your-budget
  • build-your-own-home-in-3-days
  • build-your-own-home-in-the-country
  • does-your-home-in-california-need-roof-ventilation
  • homeowner-s-guide-to-the-best-outdoor-lighting
  • how-much-does-a-mortgage-to-build-your-own-house-cost
  • how-much-does-it-cost-to-build-a-new-house-in-los-angeles-area
  • how-snow-and-ice-impact-your-roof
  • how-solar-panels-can-make-your-roof-last-longer
  • how-to-adhere-drywall-to-a-concrete-block
  • how-to-build-modern-dining-room-in-california


On average (when scrolling through the entire page), there are about 5 Google ads and sometimes even video ads which are more lucrative.

Millions of ad impressions

Looking at high level metrics (taken from Similarweb) for that one decoy website we see some interesting figures. The total number of visits per month is close to 300K (and doubling based on previous month data). But the more interesting metric is the number of pages viewed per visit, which is over 51.


How can a human actually browse and read 51 articles in an average of 7 minutes and 45 seconds? The answer is simple: they don’t. The user is most likely busy minding their own business on the other active tab while the popunder page constantly reloads new articles along with Google Ads. We ran a quick capture of what this looks like based on the ad requests made to Google’s servers:


While numbers will vary based on demographics and other settings, we estimate that the page generates an average of 35 ad impressions every minute. If we do the math and multiply the total number of monthly visits (281.9K) by the average duration (7:45 min or 465 seconds), we get a total of 76,465,375 ad impressions per month. Calculating the exact revenue made will depend on different factors, but with a CPM of $3.50, this scheme could theoretically generate $276,629 a month.

Since these ads are not going to be seen by anyone, we could consider that all those impressions are purely driven by invalid traffic (IVT). This is not typical bot traffic though, because the unwilling participants are real users with genuine IP addresses, cookies and other browser settings. However, there are giveaways such as an unexpectedly high number of pages per visit. For comparison, the most popular adult site has an average of 9 pages and 9 minutes per visit.
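The impression estimate and the pages-per-visit giveaway above, worked through in code. This is an added example and not code from the Malwarebytes post; the inputs are the figures quoted in the article (Similarweb stats for the decoy blog and the comparison adult site, plus the observed 35 impressions per minute), the revenue is recomputed from those inputs, and the thresholds in `flag_invalid_traffic` are assumptions chosen to illustrate the heuristic.

```python
"""Impression estimate and pages-per-visit sanity check for the decoy site.

Added example, not code from the Malwarebytes post. Inputs are the figures
quoted in the article; the thresholds in flag_invalid_traffic are
assumptions for illustration, not values from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteStats:
    name: str
    monthly_visits: int        # visits per month
    pages_per_visit: float     # average pages viewed per visit
    avg_visit_seconds: int     # average visit duration in seconds


# Figures quoted in the article. Monthly visits of the comparison site are
# not used by the check, so they are left at 0 rather than guessed.
DECOY_SITE = SiteStats("decoy blog", 281_900, 51.0, 7 * 60 + 45)
POPULAR_ADULT_SITE = SiteStats("popular adult site", 0, 9.0, 9 * 60)

IMPRESSIONS_PER_MINUTE = 35  # rate observed from the ad requests to Google


def estimate_monthly_impressions(stats: SiteStats,
                                 impressions_per_minute: int = IMPRESSIONS_PER_MINUTE) -> int:
    """Total visitor-seconds per month scaled by the per-minute impression rate."""
    visitor_seconds = stats.monthly_visits * stats.avg_visit_seconds
    return round(visitor_seconds * impressions_per_minute / 60)


def estimate_monthly_revenue(impressions: int, cpm_usd: float) -> float:
    """CPM is the price per thousand impressions."""
    return impressions / 1000 * cpm_usd


def seconds_per_page(stats: SiteStats) -> float:
    """How long an average visitor supposedly spends on each page."""
    return stats.avg_visit_seconds / stats.pages_per_visit


def flag_invalid_traffic(stats: SiteStats,
                         min_seconds_per_page: float = 20.0,
                         max_pages_per_visit: float = 30.0) -> list[str]:
    """Return the reasons a site's engagement numbers look machine-driven.

    A person cannot read a full article every few seconds; a session that
    burns through dozens of pages is more consistent with a tab that reloads
    itself, which is exactly what the popunder page does.
    """
    reasons = []
    spp = seconds_per_page(stats)
    if spp < min_seconds_per_page:
        reasons.append(f"{spp:.1f}s per page is below the {min_seconds_per_page:.0f}s floor")
    if stats.pages_per_visit > max_pages_per_visit:
        reasons.append(f"{stats.pages_per_visit:.0f} pages per visit exceeds {max_pages_per_visit:.0f}")
    return reasons


if __name__ == "__main__":
    impressions = estimate_monthly_impressions(DECOY_SITE)
    print(f"estimated impressions/month: {impressions:,}")
    print(f"estimated revenue at $3.50 CPM: ${estimate_monthly_revenue(impressions, 3.50):,.2f}")
    for site in (DECOY_SITE, POPULAR_ADULT_SITE):
        print(site.name, "->", flag_invalid_traffic(site) or ["looks like human browsing"])
```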

There is one more twist to this ad fraud scheme that comes in the form of clickjacking. Once a user gets the tab into focus (it was a popunder), suddenly the page rotation stops and what the user sees is what looks like another adult website (the iframe). A click anywhere on the page (the user may want to select one of the thumbnails and watch a specific video) triggers a real click on a Google ad instead.


Based on the previous stats, the popunder quietly cycles through blogs and ads for an average of 7 minutes and 45 seconds before the user either closes that tab or clicks on the page which would increase the advertiser’s cost-per-click (CPC).

(Fake) real news sites

The decoy site used fairly complex and obfuscated code to defraud Google which likely was not developed for a one-off. We wrote a signature based on a string of text that stood out called ‘povtor’ and ran a retrohunt search on VirusTotal. Povtor is Russian for ‘repeat’ which aligns with our understanding of the threat actor likely being Russian.


The retrohunt search returned a number of hits for sites that had something in common: news portals registered on previously expired domains. While we have seen influence campaigns before, pushing only biased news stories for a certain political party, we don’t believe this is the case here. The news articles look balanced and real which would indicate another motive.


This is again the same modus operandi of grabbing content from various places and creating SEO-friendly sites for advertising purposes. It does not appear that this particular scheme with the news sites was extremely successful though.

Content may be king, except when stolen

Fraudsters will continuously look for ways to make money online with minimal effort required. Leveraging adult traffic ensures large volume and cost-efficient campaigns thanks to the popunder format, which is perfectly suited to running a landing page that will stay open for several minutes until the user closes it.

Visitors are not genuinely going to the website and can’t even see ads that are masked by a full page iframe. However, those users are not bots and they have the correct browser settings and networking attributes, possibly making it harder to identify the invalid traffic.

Had it not been for a Google ad displayed at the bottom of the page (all other ads were hidden behind the XXX iframe), we likely would not have detected this fraudulent scheme. Even with web traffic analysis, the presence of an iframe does not clearly stand out when all other content appears to be genuine.

Perhaps the content itself may be where security models will work best. It would be unlikely for a fraudster to write a hundred blog articles by themselves; it would make more sense at least to hire a third party to produce that amount of content. This is why detecting duplicates and identifying copycat sites may yield good results, from phishing pages to bogus blackhat SEO websites.
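One way to do the duplicate detection suggested here is word-shingling with a Jaccard score, so that a copied article survives a reworded title or opening line. This is an added example, not code from the Malwarebytes post; the three article snippets are constructed for the demo (the first is written in the style of the stolen home-improvement posts listed above), and the shingle size and threshold are assumptions to tune per corpus.

```python
"""Near-duplicate detection for scraped articles using word shingles.

Added example, not code from the Malwarebytes post. Sample texts are
constructed; k and the threshold are assumptions to tune per corpus.
"""
import re

TOKEN = re.compile(r"[a-z0-9]+")


def shingles(text: str, k: int = 5) -> set[str]:
    """Set of all k-word windows after lowercasing and stripping punctuation."""
    words = TOKEN.findall(text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set[str], b: set[str]) -> float:
    """Share of windows common to both sets; 1.0 for identical texts."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(text_a: str, text_b: str, k: int = 5) -> float:
    return jaccard(shingles(text_a, k), shingles(text_b, k))


def find_copycats(candidate: str, corpus: dict[str, str],
                  threshold: float = 0.5, k: int = 5) -> list[tuple[str, float]]:
    """Return (name, score) for every corpus article that looks like the candidate.

    Plagiarised copies typically swap a title or an opening line and keep the
    body, so a large share of the k-word windows survives; unrelated text
    shares almost none.
    """
    cand = shingles(candidate, k)
    hits = [(name, jaccard(cand, shingles(text, k))) for name, text in corpus.items()]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


# Constructed sample texts (not taken from any real site).
ORIGINAL = (
    "Before you plan to build your own house, work out your budget. "
    "Start by listing the cost of the land, the permits, and the foundation. "
    "Then add the framing, the roof, the plumbing, and the electrical work. "
    "Finally set aside a reserve for the surprises every build seems to bring."
)
REWORDED_COPY = (
    "Planning to build a home? Work out the budget first. "
    "Start by listing the cost of the land, the permits, and the foundation. "
    "Then add the framing, the roof, the plumbing, and the electrical work. "
    "Finally set aside a reserve for the surprises every build seems to bring."
)
UNRELATED = (
    "The popunder tab keeps reloading a fresh article and a fresh set of ads "
    "while the visitor watches something else entirely in the foreground window."
)
KNOWN_SITES = {"decoy-blog": REWORDED_COPY, "other-site": UNRELATED}


if __name__ == "__main__":
    for name, score in find_copycats(ORIGINAL, KNOWN_SITES):
        print(f"{name}: {score:.2f} of 5-word windows shared with the original")
```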

After our reporting to Google, we confirmed that the website was no longer loading ads, and instead showed blank iframes.

A week in security (December 12 – 18)

Last week on Malwarebytes Labs:

Stay safe!

4 over-hyped security vulnerabilities of 2022

A critical vulnerability can send countless organizations into chaos, as security teams read up on the vulnerability, try to figure out whether it applies to their systems, download any potential patches, and deploy those fixes to affected machines. But a lot can go wrong when a vulnerability is discovered, disclosed, and addressed—an inflated severity rating, a premature disclosure, even a mixup in names.

In these instances, when the security community is readying itself for a major sea change, what it instead gets is a ripple. Here are some of the last year’s biggest miscommunications and errors in security vulnerabilities. 

1. “Wormable”

There are some qualifications for vulnerabilities that send shivers up the spine of the security community as a whole. A vulnerability is called “wormable” when an infected system can act as an active source to infect other systems, which makes the growth potential of an infection exponential. You’ll often see the phrase “WannaCry-like proportions” used as a warning about how bad it could get.

Which brings us to our first example: CVE-2022-34718, a Windows TCP/IP Remote Code Execution (RCE) vulnerability with a CVSS rating of 9.8. The vulnerability could have allowed an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction, which makes it “wormable,” but in the end, it turned out to be not so bad since it only affected systems with IPv6 and IPSec enabled and it was patched before an in-depth analysis of the vulnerability was publicly disclosed.

2. Essential building blocks

Something we’ve learned the hard way is that there are very popular libraries maintained by volunteers that many other applications rely on. A library is a set of resources that can be shared among processes. Often these resources are specific functions aimed at a certain goal, which can be called upon when needed so they do not have to be included in the code of the software. A prime example of such a library that caused quite some havoc was Log4j.

So, when OpenSSL announced a fix for a critical issue in OpenSSL, everybody remembered that the last time OpenSSL fixed a critical vulnerability, that vulnerability was known as Heartbleed. The Heartbleed vulnerability was discovered and patched in 2014, but vulnerable systems kept popping up for years.

However, when the patch came out for the more recent OpenSSL issue, it turned out the bug had been downgraded in severity. That was good news all around: The patch for the two vulnerabilities is available, and the announced vulnerability wasn’t as severe as we expected. And there is no known exploit for the vulnerabilities doing the rounds.

3. Zero-day

The different interpretations for the term zero-day tend to be confusing as well.

The most accepted definition is:

“A zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw.”

But you will almost as often see something called a zero-day because the patch is not available yet, even though the party or parties responsible for patching or otherwise fixing the flaw are aware of the vulnerability. For example, Microsoft uses this definition:

“A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available.”

The difference is significant. The fact that a vulnerability exists is true for almost any complex platform or software. Someone has to find such a vulnerability before it becomes a risk. Then it depends on the researcher finding the flaw whether it becomes a threat. If the researcher follows the rules of responsible disclosure, the vendor will be made aware of the existence of the flaw before anyone else, and the vendor will have a chance to find and publish a fix for the bug before any malicious actors find out about it.

So, for a vulnerability to be alarming, I would argue it has to be used in the wild or a public Proof-of-Concept has to be available before the patch has been released.

As an example of where this went wrong, a set of critical RCE vulnerabilities in WhatsApp got designated as a zero-day by several outlets, including some that should know better. As it turned out, the vulnerabilities listed as CVE-2022-36934 and CVE-2022-27492 were found by the WhatsApp internal security team and silently fixed, so they never posed any actual risk to any user. Yes, the consequences would have been disastrous if threat actors had found the vulnerabilities before the WhatsApp team did, but there never were any indications that these vulnerabilities had been exploited.

4. Spring4Shell

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database under an individual number. CVE numbers are very helpful because they are unique and used in many reliable sources, so they make it easy to find a lot of information about a particular vulnerability. But they are hard to remember (for me at least). Coming up with fancy names and logos for vulnerabilities, such as Log4Shell, Heartbleed, and Meltdown/Spectre, helps us to tell them apart.

But when security experts themselves start to confuse different vulnerabilities in the same framework and researchers disclose details about an unpatched vulnerability because they think the information is out anyway, serious problems can arise.

In March, two RCE vulnerabilities were being discussed on the internet. Most of the people talking about them believed they were talking about “Spring4Shell” (CVE-2022-22965), but in reality they were discussing CVE-2022-22963. To add to the stress, a Chinese researcher prematurely spilled details about the vulnerability before the developer of the vulnerable Spring Framework could come up with a patch. This may have been due to the confusion about the two vulnerabilities.

In the end, Spring4Shell fizzled, working only for certain configurations and not for an out-of-the-box install.

Public service or not?

So, are we doing the public a service by writing about vulnerabilities? We feel we are, because it is good to raise awareness about the existence of vulnerabilities. But, to be effective, we need to meet certain criteria.

  • First of all, it needs to be made clear who is affected and who needs to do something about it. And what you can do to protect yourself.
  • While it is not always easy to make an assessment about the threat level, since we often don’t have the exact details of a vulnerability, it is desirable to not exaggerate the impact.
  • Make it very clear whether or not a threat is being used in the wild if you have that information.

In a recent assessment, security researcher Amélie Koran said on Mastodon that the economic costs of Heartbleed were mostly due to vulnerability assessment and patching and not necessarily lost or stolen data. Not that it wouldn’t have backfired if the patch hadn’t been deployed, but it is something to keep in mind. A panic situation can do more harm than the actual threat.



Chasing cryptocurrency through cyberspace, with Brian Carter: Lock and Code S03E26

On June 7, 2021, the US Department of Justice announced a breakthrough: Less than one month after the oil and gas pipeline company Colonial Pipeline had paid its ransomware attackers roughly $4.4 million in bitcoin in exchange for a decryption key that would help the company get its systems back up and running, the government had in turn found where many of those bitcoins had gone, clawing back a remarkable $2.3 million from the cybercriminals.

In cybercrime, this isn’t supposed to happen—or at least it wasn’t, until recently. 

Cryptocurrency is vital to modern cybercrime. Every recent story you hear about a major ransomware attack involves the implicit demand from attackers to their victims for a payment made in cryptocurrency—and, almost always, the preferred cryptocurrency is bitcoin. In 2019, the ransomware negotiation and recovery company Coveware revealed that a full 98 percent of ransomware payments were made using bitcoin.

Why is that? Well, partly because, for years, bitcoin had an inflated reputation for being truly “anonymous,” as payments to specific “bitcoin addresses” could not, seemingly, be attached to the specific persons behind those addresses. But cryptocurrency has matured. Major cryptocurrency exchanges do not want their platforms used to convert stolen funds into local currencies for criminals, so they work with law enforcement agencies that have, independently, gained a great deal of experience in understanding cybercrime. The advancement of technology that actually tracks cryptocurrency payments online has also improved the rate and quality of investigations.

All of these developments don’t necessarily mean that cybercriminals’ identities can be easily revealed. But as Brian Carter, senior cybercrimes specialist for Chainalysis, explains on today’s episode, it has become easier for investigators to know who is receiving payments, where they’re moving it to, and even how their criminal organizations are set up.

“We will plot a graph, like a link graph, that shows [a victim’s] payment to the address provided by ransomware criminals, and then that payment will split among the members of the crew, and then those payments will end up going eventually to a place where it’ll be cashed out for something that they can use on their local economy.”

Tune in to today’s Lock and Code podcast, with host David Ruiz, to learn about the world of cryptocurrency forensics, what investigators are looking for in reams of data, how they find it, and why it’s so hard. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Update now! Apple patches active exploit vulnerability for iPhones

Apple has released new security content for iOS 16.1.2 and Safari 16.2. Normally we would say that Apple pushed out updates, but in this mysterious case the advisory is about an iPhone software update Apple released two weeks ago. As it turns out, that update fixed a zero-day security vulnerability that was being actively exploited.

Mitigation

The updates should all have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level.

How to update your iPhone or iPad.

How to update macOS on Mac.

If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.

Since the vulnerability we’ll discuss below is already being exploited, it’s important that you update your devices as soon as you can.

CVE-2022-42856

Apple revealed that it is aware that threat actors are actively exploiting the vulnerability listed as CVE-2022-42856. The bug was found in WebKit, which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. So, it’s no surprise that you will find the same CVE number in the Safari security advisory, along with a list of others.

Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. The underlying issue was what is called a “type confusion” issue, which was addressed with improved state handling.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.

Another clue was given when Apple revealed that security researchers at Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking, and cyberattacks, discovered and reported the WebKit bug. That might give you an idea about who was using the exploit in the wild.

Version confusion

What remains a mystery is why Apple specifically stated that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

We asked our resident Apple expert Thomas Reed why iOS 16 users got an update while iOS 15 users didn’t.

He pointed out the fact that Apple recently documented that security fixes may only apply to the latest system, and may not be back-ported to older systems. This has always been the case, but it wasn’t documented, leaving users guessing about what was going on.

“Still, Apple has been known to back-port fixes when they’re aware of active attacks on an older system, so I doubt it’s just a matter of falling back on a disclaimer. That suggests to me that there’s some difficulty involved. I don’t know exactly what changed in WebKit between iOS 15 and 16, but there were definitely a lot of Safari-related changes in iOS 16, so it’s entirely possible there’s some kind of architectural change standing in the way of back-porting.”



Worldwide law enforcement action takes down major DDoS booter services

Criminals making use of booter services which execute Distributed Denial of Service (DDoS) attacks to take down websites will have to try a little bit harder today: A major international operation has taken no fewer than 48 of the most popular booter services offline.

The operation, known as “Power Off,” included law enforcement agencies from the UK, the US, the Netherlands, Germany, and Poland.

Sites down, operators arrested

The sites that were taken down by law enforcement have been replaced with seizure notices which read as follows:

This website has been seized

The FBI has seized this website for operating as a DDoS-for-hire service. This action has been taken in conjunction with Operation Power Off, a coordinated international law enforcement effort to dismantle criminal DDoS-for-hire services worldwide. DDoS attacks are illegal.

Law enforcement agencies have seized databases and other information relating to these services. Anyone operating or utilizing a DDoS service is subject to investigation, prosecution, and other law enforcement action.

As a result of the operation, seven individuals have been arrested in the UK and US with “further actions planned” against users of the services.

The National Crime Agency (NCA) reports that one of those arrested is just 18 years of age. “Around a quarter” of referrals to the NCA involve the use of booter services.

Why are booters so popular?

Booter services typically have a low technical barrier to entry. Back in the days of the Xbox 360, especially around 2009, custom-made booter services became very popular with gamers. If you wanted to ensure victory in an online session, you could pay a small fee and dedicated services would kick the other players out of the game, or you could download and run the tools yourself.

This is one way in which DDoS made the leap from “people who have a decent idea of what they’re doing in order to take a website down” to “pay me $10 and push this button to win.” As it turns out, pushing that button to win is a lot less intensive than figuring out how to make people run your executable or set up a working phishing page.

The people running these booter services know this, and that’s why they’re so popular. Need a website kicked offline? A gamer you just can’t stand? A service playing host to people you just can’t stand? Off to the booter markets you go. More often than not, people don’t realize how much trouble they can get into by using these tools. This is especially true in situations where young children or teenagers are looking to these services.

The long arm of the law

As the various agencies involved in this operation point out, they will be going after users of these services as well as those who operated them. They’re very clear that if you’ve used the now offline booters, you can expect to be paid a visit down the line.

Previous rounds of Operation Power Off have explicitly targeted the users of DDoS tools, with police visits to the home and device confiscation thrown into the mix for good measure.

If you’re tempted to use a DDoS tool of any kind, keep this in mind. “I only used it once because I was curious” is probably not going to save you from the law’s reach. As the NCA explains, a DDoS attack is a crime under the UK’s Computer Misuse Act 1990. If you’re on the fringes of illegality where this is concerned, check out their Cyber Choices page as soon as possible for a solid explanation of the consequences of these actions, and how you can use your technical skills in a positive manner.


Virtual kidnapping scam strikes again. Spot the signs

Warnings abound of a major new piece of fraud doing the rounds which uses your relative’s voice as part of a blackmail scam. What happens is the victim receives a call from said relative’s number, and they’re cut off by blackmailers who have them held hostage. The only way to get them back safely is to pay a sizable sum of money, usually within a time limit. Refusal to pay up could clearly end very badly for the person being held to ransom.

There’s just one problem with this: It’s all fake.

When virtual kidnappers attack

The tale is retold by a TikTok user who fell for the scam tactic, who says:

“New scam alert. I usually don’t fall for scams but they got me.”

The victim recounts how she heard the voice of her mother “fading away.” This is supposed to sound like someone being dragged away from the phone. At this point, a stranger jumps on the call demanding money “or else.” The scammer may be working alone, or have someone else doing things like yelling in the background at the non-existent kidnap victim. It’s all designed to convince the victim to hand over a large amount of cash in as short a time as possible.

The pretend abductors demanded $1,000 (US dollars) via Venmo or CashApp. The recipient of this call could only afford to send $100, at which point the callers ended the call. What followed was an understandably panicked call to the victim’s mother, who was safe the whole time.

Scams go around, come around

This is clearly an unpleasant story, but let’s take a deep breath before we perhaps become a little too alarmed by references to newness and (most importantly) claims of using your relative’s voice.

First, this is not a new tactic. Not at all. These are usually referred to as virtual kidnapping scams, and they’ve been around for some years now. Here’s an FBI release regarding the targeting of doctors back in 2014.

In fact, we covered a virtual kidnapping threat around the same time which threw a few more scam tactics into the mix. In those attacks, a fraudster would pretend to be from a phone network and call the person intended to be the fake kidnap victim. The fake phone network engineer would tell this person to turn the phone off for a few hours. This meant the fraudster could then call the other family member they intended to extort, with no risk of that person checking with the supposed kidnapee, who was in fact sitting safely at home.

When fraudsters get vocal

As for “using your relative’s voice”, well, no. Don’t panic. People may be inclined to start worrying about deepfaked voices winging their way across the airwaves. In these cases, the victim is almost certainly listening to generic voice recordings which very quickly fade out. The relatives don’t stay on the line, or make conversation, or say anything beyond muffled screams after the call begins because they’re not there.

The scammer is very unlikely to have anything sounding identical to your supposedly kidnapped relative. It’s the adrenaline shot of the call and sheer panic making people think that their relative is pleading down the phone line. This, combined with the spoofed phone number, is enough to make it all seem real while it’s taking place.

How to spot the signs of a virtual kidnapping scam

There’s a strong social engineering component to these attacks. Scammers trawl websites, social media, and more, to obtain names of families and individual family members. They do much the same thing for phone numbers, which is how you end up with a call which looks like it’s from your relative and from their phone number. With this in mind, we have some tips and suggestions for you:

  • Revisit your online presence, and lock down or delete as appropriate in relation to locations, names, and phone numbers.

  • Avoid posting travel dates and locations, which can add some fake legitimacy into a scammer’s phone call.

  • Family members should have a password which allows you to confirm someone actually is in some kind of serious danger.

  • It used to be that these scams were almost exclusively steered towards wire transfers. As you can see from the above story, those payment requests are now moving into the realm of being fully digital.

There are other tips online sourced from law enforcement, mostly in relation to asking to speak to your supposedly kidnapped relative, trying to contact them by other means while the scammers are on the line, and slowing the situation down to allow you to try and contact the kidnapee in the first place.

Yes, this is an awful scam. However, it’s definitely not new, people only think their relative is being heard down the line, and there are many strategies and safeguards in place to get one step ahead of the virtual kidnap scammers.

Stay safe out there!

InfraGard infiltrated by cybercriminal

InfraGard, a partnership between the FBI and members of the private sector that was established to protect critical infrastructure in the US, has been infiltrated by a cybercriminal. As a result, its database of contact information is now for sale on an English-language cybercrime forum.

InfraGard

InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector that was created to help protect US critical infrastructure. In its collaboration efforts, InfraGard connects those responsible for critical infrastructure to the FBI. The FBI provides education, information sharing, networking, and workshops on emerging technologies and threats. InfraGard’s membership includes business executives, entrepreneurs, lawyers, security personnel, military and government officials, IT professionals, academia, and state and local law enforcement.

Breached

A threat actor posted samples as proof that they have obtained access to the more than 80,000-member database of InfraGard. According to KrebsOnSecurity, the threat actor is a member of the Breached forums using the handle USDoD. Pompompurin, the administrator of the cybercrime forum Breached, is providing an escrow service for the seller. An escrow service acts as a mediator between two parties making a financial transaction and is meant to ensure no one loses their funds due to a scam. They receive the funds from the buyer and hold on to that payment until the buyer has received the purchase in good order.

False account

When asked, the threat actor revealed that they gained access by registering a false account. The user USDoD told KrebsOnSecurity that they applied with the name and real phone number belonging to a CEO of a major US financial corporation, but with an email address that was under the threat actor’s control. The application was approved, apparently without any verification that the CEO was aware of the application.

Once they had access, the InfraGard user data was easily available via an Application Programming Interface (API) that is built into several key components of the website.

The FBI commented that they were aware of a false account but declined to provide any further comments.

“This is an ongoing situation, and we are not able to provide any additional information at this time.”

The data

The stolen data are not earth-shattering. The stolen database has the names, affiliations, and contact information for more than 80,000 InfraGard users, but only 47,000 of the stolen records include unique emails. Probably due to the security awareness of the members, the data contained neither Social Security numbers nor dates of birth. Although fields existed in the database for that information, many users had left them blank.

What’s maybe more worrying is that the threat actor has direct access to the other InfraGard members and can use this “trustworthy” platform to engage in further phishing expeditions. USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal.

This story looks like it might be continued. We will keep you posted here of any new developments.