IT NEWS

iPhone zero-day. Update your devices now!

It’s time to update your Apple devices to ward off a zero-day threat discovered by an anonymous researcher.

As is customary for Apple, the advisory revealing this attack is somewhat threadbare, and doesn’t reveal a lot of information with regard to what’s happening, but if you own an iPad or iPhone you’ll want to get yourself on the latest version.

The zero-day is being used out in the wild, and Apple holding back the specifics may be enough to slow down the risk of multiple threat actors taking advantage of the issue, known as CVE-2022-42827. However, Apple’s lack of detail means it’s not possible to explain what to watch out for if you think your device may have been compromised.

The vulnerability affects the kernel code, the core of the software that operates the device. It can be abused to run remote code execution attacks, which can lead to issues like crashing and / or data corruption. According to Apple, the issue impacts:

  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad Air 3rd generation and later
  • iPad 5th generation and later
  • iPad mini 5th generation and later

At time of writing, there is very little you can do other than fire up your Apple product and make your way to the updates section. There is no reason to panic, but no need to delay either.

How to update your device

It’s entirely possible that your device is already set to update automatically. If so, then you shouldn’t have to worry about this one: Your device will do it all for you. If not, and your device is on the list above, don’t worry. The route to updating your iPhone or iPad is very standard across the board, no matter which specific flavour you happen to be running:

  1. Plug into a power source and enable Wi-Fi

  2. Select Settings > General, and then Software Update.

  3. Select your desired update(s) and begin the install process.

Automatic updates can be applied like so:

  1. Settings > General > Software Update

  2. Select Automatic Updates, and then enable Download iOS Updates

  3. Turn on Install iOS Updates.

Finally, for Rapid Security Response updates (which ensure important security fixes are applied as soon as possible):

  1. Settings > General > Software Update

  2. Select Automatic Updates

  3. Enable the Security Responses & System Files option

There have been numerous publicly documented zero-day attacks aimed at Apple products this year. While most of these tend to be quite targeted and specific, there is absolutely no harm in getting into the habit of updating. It doesn’t just help to protect you from issues such as the one above, but many other potentially less serious issues too.

Stay safe out there!

Point-of-sale malware used to steal 167,000 credit cards

In the 19 months between February 2021 and September 2022, two point-of-sale (POS) malware operators have stolen more than 167,000 payment records, mainly from the US, according to researchers at Group-IB. The researchers were able to retrieve information about infected machines and compromised credit cards by analyzing a command and control (C2) server used by the malware.

POS malware is designed to steal debit and credit card data from POS machines in retail stores. It does this by harvesting the temporarily unencrypted card data from the machine’s memory. Due to improved security measures against this type of theft in most countries, this type of malware isn’t as widely used as it once was, although it never disappeared completely.

The malware

The researchers found badly configured control panels for two different strains of POS malware, MajikPOS and Treasure Hunter. A possible explanation is that the operators started out using Treasure Hunter and adopted MajikPOS at a later time. This is likely because the source code for MajikPOS has been circulating on the Dark Web and it offers additional features compared to Treasure Hunter.

The basic ability of all POS malware is the same—to steal sensitive card payment details from the RAM of a POS device where the data can be found in an unencrypted form. But different families offer other options when it comes to persistence and processing stolen data.

The machines targeted by the malware were found by scanning for remote desktop applications like RDP and VNC, and then guessing their passwords. Successfully guessing their passwords gave the attackers the same access to those computers as they would get if they were actually sat in front of them.

During the investigation, Group-IB specialists analyzed around 77,400 unique card dumps from the MajikPOS panel and about 90,000 from the Treasure Hunter panel. Most of the stolen cards were issued by US banks, and most of the infected POS terminals are located in the US.

The average price for a single card dump is around $20, so if the threat actors were able to sell the stolen dumps on an underground market, they could have made in excess of $3 million.

Credit identity theft

Credit identity theft happens when a scammer steals your credit card data and uses it to make fraudulent purchases or obtains a credit card or loan under your name. According to the FTC, people who suspect they are the victim of credit identity theft should contact their bank or credit card company to cancel their card and request a new one. If you get a new card, don’t forget to update any automatic payments with your new card number.

To find out if you are a victim:

  • Review your transactions regularly, to make sure no one has misused your card.
  • If you find fraudulent charges, call the fraud department and get them removed.
  • Check your credit report at annualcreditreport.com.

Mitigation

All the usual, basic (and effective) security advice applies to POS device owners. If you operate POS machines:

  • Implement a plan for patching software in a timely manner
  • Protect passwords with two-factor authentication, preferably FIDO 2
  • Use a strong password policy and rate limiting to further protect passwords
  • Run endpoint security software with EDR to detect malware and intruders
  • Assign access rights according to the Principle of Least Privilege
  • Segment networks to slow down lateral movement

US agencies issue warning about DAIXIN Team ransomware

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a joint advisory about DAIXIN Team, a fledgling ransomware and data exfiltration group that has been targeting US healthcare.

First spotted in June 2022, the DAIXIN Team quickly got the government’s attention after executing multiple ransomware attacks against organizations in the health and public health sector. As is standard these days, the ransomware attacks involved both encrypting servers and stealing data. In this case the data included both personally identifiable information and patient health information (PHI).


The DAIXIN leak site

The advisory reports that DAIXIN Team has been seen gaining initial access to victims’ systems through their VPN servers. In one case they accessed a victim through an unpatched vulnerability, and in another the gang used phished credentials.

Upon successful infiltration, the team conducts reconnaissance, escalates privileges through credential dumping or the pass-the-hash technique, steals sensitive data, and deploys ransomware based on the Babuk Locker source code leaked in 2021.

According to Malwarebytes’ Malware Intelligence Analyst and ransomware expert Marcelo Rivero, DAIXIN Team has been quieter of late. “At this time, they appear to have taken a hiatus, as they haven’t listed any new victims so far this month.”

As with most ransomware groups, DAIXIN Team publishes details of its victims and leaks their stolen data if they don’t pay the ransom. After publishing details of three victims in August, it only published one in September, and so far none in October, with November just around the corner. A lack of published victims may indicate inactivity, or it could be that DAIXIN Team have been successful at persuading victims to pay up.

Still, healthcare organizations must heed the alarm raised by the FBI, CISA, and the HHS. They report that out of 649 ransomware reports received by the FBI Internet Crime Complaint Center in 2021, 148 were in the Healthcare and Public Health sector. DAIXIN Team may be the latest ransomware threat, but it isn’t the only threat.

Basic mitigations can close the loopholes ransomware groups exploit:

  • Create a plan for patching software in a timely manner.
  • Train users to report suspicious emails and phishing attempts.
  • Require two-factor authentication (2FA) on remote desktops and VPNs.
  • Use endpoint security software with EDR to identify intruders and stop ransomware.
  • Assign access rights according to the Principle of Least Privilege.
  • Segment networks to make lateral movement more difficult.
  • Create and test offline, offsite backups that are beyond the reach of attackers.

For more information about how to protect your organization against DAIXIN Team and other ransomware gangs, go to this AA22-294A alert page.

An interview with cyber threat hunter Hiep Hinh

Hiep Hinh is a Principal MDR Analyst at Malwarebytes, where he supports 24/7/365 Managed Detection and Response (MDR) efforts. Hiep has over 16 years of experience in the cybersecurity and intelligence fields, including for the US Army as an intelligence analyst and for the Air Force Computer Emergency Response Team (AFCERT/33NWS). Hiep is an expert user of Endpoint Detection and Response (EDR) platforms and is highly skilled in incident response, DLP (data loss prevention), data mining, and threat hunting, among other things. In this post, Hiep breaks down his threat hunting career and shares tips and best practices for those looking to become a cyber threat hunter (or who are just interested to listen!).

When I first heard the words “cyber threat hunter”, I imagined a sort of Holmesian figure with an upturned collar sitting at a desk, scouring a network for signs of intruders. And when I talked to Hiep Hinh, Principal MDR Analyst at Malwarebytes, I found out I was more or less right in my guess—minus the trenchcoat, maybe. 

Threat hunting is all about nipping stealthy attackers (and malware) in the bud. It’s plain to see why this is such important work—just consider that the median number of days between system compromise and detection is 21. The earlier cyber threat hunters can find threats, the earlier they can send them off to the remediation team.

Hiep has been threat hunting for a while—since 2007, in fact. According to Hiep, threat hunting is a natural part of incident response, SOC work, and network monitoring in general. 

“I’ve been doing threat hunting for a decent amount of time. I got my start in cybersecurity at the Air Force Computer Emergency Response Team (AFCERT) in ‘07, where we monitored and defended the Air Force network,” said Hiep. “I did a lot of the forensics work back then, but we were still very deeply involved with just the network monitoring aspect as well.”

For Hiep, effective threat hunting starts with really understanding the network. 

“I think to be an effective cyber threat hunter, you have to have a good understanding of what ‘normal’ behavior is,” he says. “For example, you should be able to answer questions like, ‘What are common activities seen in the environment? What are the users usually using? When are they usually online? What are they usually connecting from?’, and so on.”

“All of this information gets put under your belt, you take that knowledge, and now look for things that stand out. Using this understanding of normal will make certain activity stand out such as users that are on way too late, or are logging in from a different country than usual.” 

“A threat hunter is most effective when they know the network well.” – Hiep Hinh

Hiep’s advice? If a cyber threat hunter isn’t a part of the company or used to seeing the environment, take some time to learn what is normal. It can be very overwhelming to jump into an environment with thousands of endpoints and separate malicious and benign activity.

“Threat hunting is used to find threats that aren’t caught by antivirus or your other defenses. It’s literally looking for things that are unfound, advanced, and hidden, right? So the only way to do that is by knowing what’s normal, and trying to catch that weird stuff, keep catching those outliers.”
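As an added illustration of the baseline approach Hiep describes (example code, not Malwarebytes’ tooling): a per-user profile of usual sign-in hours and countries is built from constructed sign-in records and then used to flag logins at unusual hours or from a country the user has never signed in from. Users, timestamps and countries are all fictional.

```javascript
// Added example (not Malwarebytes' tooling): a small "what is normal" baseline of the kind
// described above, built from constructed sign-in records and used to flag outliers.
function ev(user, ts, country) {
  return { user, ts, country };
}

// Constructed baseline: a week of successful sign-ins (fictional users and countries).
const BASELINE = [
  ev("alice", "2022-10-10T08:05:00Z", "US"), ev("alice", "2022-10-10T12:40:00Z", "US"),
  ev("alice", "2022-10-11T09:15:00Z", "US"), ev("alice", "2022-10-11T16:30:00Z", "US"),
  ev("alice", "2022-10-12T10:00:00Z", "US"), ev("alice", "2022-10-12T14:20:00Z", "US"),
  ev("alice", "2022-10-13T08:50:00Z", "US"), ev("alice", "2022-10-13T15:10:00Z", "US"),
  ev("alice", "2022-10-14T11:05:00Z", "US"), ev("alice", "2022-10-14T17:45:00Z", "US"),
  ev("bob", "2022-10-10T13:00:00Z", "DE"), ev("bob", "2022-10-11T14:30:00Z", "DE"),
  ev("bob", "2022-10-12T13:45:00Z", "DE"), ev("bob", "2022-10-13T21:10:00Z", "DE"),
  ev("bob", "2022-10-14T15:20:00Z", "DE"),
];

// Constructed recent activity to hunt through (fictional).
const RECENT = [
  ev("alice", "2022-10-17T09:30:00Z", "US"), // usual hour, usual country
  ev("alice", "2022-10-17T03:12:00Z", "US"), // alice is never on at 03:00 UTC
  ev("alice", "2022-10-18T09:05:00Z", "BR"), // first sign-in ever from BR
  ev("bob", "2022-10-17T14:00:00Z", "DE"),   // normal for bob
  ev("carol", "2022-10-17T10:00:00Z", "US"), // nobody has a baseline for carol
];

function hourOf(ts) {
  return new Date(ts).getUTCHours();
}

// Per user: the set of countries seen and a histogram of sign-in hours (UTC).
function buildProfiles(events) {
  const profiles = new Map();
  for (const e of events) {
    let p = profiles.get(e.user);
    if (!p) {
      p = { countries: new Set(), hours: new Array(24).fill(0), total: 0 };
      profiles.set(e.user, p);
    }
    p.countries.add(e.country);
    p.hours[hourOf(e.ts)] += 1;
    p.total += 1;
  }
  return profiles;
}

// Compare one event with its user's profile. Returns the reasons it stands out
// (an empty list means it looks like normal activity for that user).
function flagEvent(profiles, e, { minHourShare = 0.05 } = {}) {
  const p = profiles.get(e.user);
  if (!p) return ["no baseline for user"];
  const reasons = [];
  if (!p.countries.has(e.country)) reasons.push(`new country ${e.country}`);
  const share = p.hours[hourOf(e.ts)] / p.total; // fraction of past sign-ins at this hour
  if (share < minHourShare) reasons.push(`unusual hour ${hourOf(e.ts)}:00 UTC`);
  return reasons;
}

// The hunt itself: learn "normal" from the baseline, then keep only the outliers.
function hunt(baseline, recent) {
  const profiles = buildProfiles(baseline);
  return recent
    .map((e) => ({ ...e, reasons: flagEvent(profiles, e) }))
    .filter((r) => r.reasons.length > 0);
}
```

Everything flagged still needs the validation step Hiep describes next: an outlier is a lead, not a verdict.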

If worst comes to worst, however, and a cyber threat hunter doesn’t know the network well, Hiep says there are “low-hanging fruit” you can look out for.

“It’s easy to go after low hanging fruit. It’s easy to go after a bunch of indicators, like lists of hashes, looking for VPN and RDP tools, and looking for a lot of freeware stuff that generally is used during attacks, such as IP scanners,” says Hiep. “These are the really quick and dirty threat hunts, if you don’t have a lot of time, and you don’t have the ability to actually sit on the network for a while and find out. These findings can potentially lead you to more juicy activity.”

Of course, while threat hunting is undeniably an essential component to a security team, we want to prevent bad actors from accessing our systems in the first place. To that end, Hiep told me about some of the most common ways adversaries break into an environment. 

“The most common thing is credentials being stolen or used to get into these systems, things like phishing. That’s like, the quickest way to do it,” says Hiep. “Otherwise, there’s other ways such as vulnerabilities that people can exploit to access your network. That’s why it’s good to keep everything updated.”

One of the things I found most interesting about my conversation with Hiep was how much of a science and art threat hunting is. Just like how scientists form a hypothesis about something before setting off to prove or disprove it, so do threat hunters. If a cyber threat hunter notices an unusual spike in network traffic, for example, their hypothesis might be that there’s an attacker on the network doing data exfiltration. 


Hiep’s cybersecurity “battle-station” 


Back view. Hiep may or may not be a fan of Godzilla. 

Hiep describes what hypotheses look like in threat hunting:

“Your hypothesis lets you target a specific problem so that you don’t get overwhelmed with all the different types of data at your disposal. As a threat hunter you hypothesize certain attack scenarios, one example could be data exfiltration.

“Knowing that attackers may want to steal your data to ransom or sell to a third party, we could then focus on data coming out of your network. Here is where having a solid understanding of average traffic in and out of your network becomes extremely useful, or if users in the environment actively use file sharing sites.”

Like any hypothesis, however, there is a chance that it’s wrong and the thing you’re investigating is totally normal. A big part of threat hunting is not necessarily trying to prove that an anomaly is bad, but rather just validating the activity. 

“You’re not always gonna find something when threat hunting. There’s a lot of hit and miss. Whether or not my hypothesis for some potential malicious activity bears fruit, however, the act of finding or not finding something leaves the environment safer or validates activity seen.” 

“Just because I determine that the system is downloading and uploading a ton of data doesn’t necessarily mean it’s bad. Maybe a user is just sending out their Christmas pics from the last decade. It’s not bad, it just stands out.”

“There has to be like a very solid communication between the threat hunters and the IT and the security departments of the company so you can quickly go through all those validations and move on. Otherwise you will just kind of be spinning.” – Hiep Hinh

The uncertainty of whether or not an indicator of compromise (IOC) is a genuine threat or not is part of what makes threat hunting so difficult, especially when you consider the vast amount of data threat hunters have to take in from all of their endpoints. That’s why threat hunters need to rely on more than just their skills to help investigate IOCs—they also need the right Endpoint Detection and Response (EDR) platform.

“You’re gonna get an overwhelming amount of data, and will need to put it into segments, separate it, understand it, and then, potentially find something that stands out. So it’s tough. You need something that can dissect that data quickly, effectively, and present it to the threat hunter in a very clear and easy to manipulate tool, this way you spend more time finding baddies and not be bogged down in data prep.” 

Like many cybersecurity professionals, Hiep’s career is full of twists and turns; he’s probably seen more sides of cybersecurity than you can count on one hand. That includes SOC work, forensics, malware analysis, and more, each of which Hiep feels has over the years given him a leg-up in the world of threat hunting.

“Working in a bunch of different positions throughout the years is helpful because threat hunting is all about knowing what’s normal, right?” Hiep says. “And at some point in your career, you’ve gone through the gamut and looked at tons of things. This experience helps you get through the noise and make determinations on actual malicious activity.”

If you’re an aspiring threat hunter, try to get as much experience as you can working in network monitoring roles. An experienced cyber professional can look at a wall of alerts and go, ‘I’ve seen this many times. This activity is normal. This is somebody just doing XY&Z’. They can then look at another and go, ‘That’s strange.’ But, according to Hiep, they can’t easily tell you why it’s strange.

“There’s nothing that really teaches you that,” Hiep says. “It just comes from working it for a long time, like any other job, I think.”

Dedicated experts, precise technology

Hiep is just one of many experienced cyber threat hunters on the Malwarebytes MDR team. Purpose-built for resource-constrained teams, Malwarebytes MDR provides alert monitoring and threat prioritization with flexible options for remediation—at a cost that makes sense. Our highly-effective, easy-to-deploy EDR technology coupled with our team of security experts creates the perfect one-two combo for fighting cybercrime.


Cisco warns of ISE vulnerability with no fixed release or workaround

Cisco has published a security advisory for a vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) that could allow an authenticated, remote attacker to read and delete files on an affected device. The bug, with a CVSS score of 7.1, has no patch and no workaround. Cisco plans to provide a fixed release for version 3.1 in November, and a fixed release for version 3.2 in January 2023. Releases 3.0 and earlier are not vulnerable.

Cisco advises that hot fixes are available on request.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The most urgent of the issues covered here is CVE-2022-20822.

CVE-2022-20822 is a path traversal vulnerability in the web-based management interface of Cisco ISE that could be exploited by an authenticated, remote attacker. Path traversal vulnerabilities allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths.

An attacker could exploit this vulnerability by sending a malicious HTTP request to an affected system. A successful exploit could allow the attacker to read or delete specific files on the device that they should not have access to.

Also in the advisory

The Cisco advisories page mentions another vulnerability in the ISE. The CVE-2022-20959 vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by persuading an authenticated administrator of the web-based management interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

And then there is a vulnerability worth noting because it is rated as high impact. CVE-2022-20933 is a vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart.

A patch is available for both.

Insufficient validation

The clear pattern here, then, is insufficient validation of input on remotely accessible services.

Missing or improper input validation is a major factor in many web security vulnerabilities, including cross-site scripting (XSS) and SQL injection. While customers are entitled to expect proper input validation, it is a problem that haunts all web interfaces, and has done for decades.

So, instead of relying on the input validation provided by the vendor, users should consider adding extra measures, such as only allowing connections from trusted IP addresses, limiting the number of authentication requests, and disabling access from the internet where appropriate.

A gym heist in London goes cyber

A thief has been stalking London. 

This past summer, multiple women reported similar crimes to the police: While working out at their local gyms, someone snuck into the locker rooms, busted open their locks, stole their rucksacks and gym bags, and then, within hours, purchased thousands of pounds of goods. Apple, Selfridges, Balenciaga, Harrod’s—the thief has expensive taste. 

At first blush, the crimes sound easy to explain: A thief stole credit cards and used them in person at various stores before they could be caught. 

But for at least one victim, the story is more complex.  

In August, Charlotte Morgan had her bag stolen during an evening workout at her local gym in Chiswick. The same pattern of high-price spending followed—the thief spent nearly £3,000 at an Apple store in West London, another £1,000 at a separate Apple store, and then almost £700 at Selfridges. But upon learning just how much the thief had spent, Morgan realized something was wrong: She didn’t have that much money in her primary account. To access all of her funds, the thief would have needed to make a transfer out of her savings account, which would have required the use of her PIN. 

“[My PIN is] not something they could guess… So I thought ‘That’s impossible,'” Morgan told the Lock and Code podcast. But, after several calls with her bank and in discussions with some cybersecurity experts, she realized there could be a serious flaw with her online banking app. “But the bank… what they failed to mention is that every customer’s PIN can actually be viewed on the banking app once you logged in.”

Today on the Lock and Code podcast with host David Ruiz, we speak with Charlotte Morgan about what happened this past summer in London, what she did as she learned about the increasing theft of her funds, and how one person could so easily abuse her information. 

Tune in today to also learn about what you can do to help protect yourself from this type of crime. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

A week in security (October 17 – 23)

Last week on Malwarebytes Labs:

Stay safe!

Healthcare site leaks personal health information via Google and Meta tracking pixels

Advocate Aurora Health has disclosed that by visiting its websites users may have shared personal information, and possibly protected health information (PHI), with Google and Meta (Facebook).

Advocate Aurora Health is the 11th largest not-for-profit, integrated health system in the US and provides care for about 3 million patients. The company used tracking technology provided by Google and Meta to understand how patients and others interact with its websites.

The questions Advocate Aurora Health wanted to answer were no different than any other website owner’s: How do visitors use its website, what draws them there, and which pages do they visit? That is very useful information if you want to optimize your website, attract more visitors, and build something that actually fits users’ needs.

And their solution was no different either: They turned to Google and Meta, who provide website owners with this information through the use of tracking “pixels”. The code behind a tracking pixel can give a website owner useful information about their visitors, such as the type of device they are using, their approximate location (which can be worked out from a user’s IP address), and how they move from page to page across a website. It can also reveal if visitors are coming from paid ads on Google, Twitter, or Facebook, so companies can tell whether their marketing dollars are being spent productively.

How data can be leaked

What Advocate Aurora Health’s disclosure doesn’t reveal is how the information was shared, or whether or not Google and Meta were aware of it. We note that the language it uses is “disclosed” rather than “gathered”, suggesting the website over-shared rather than an overreach by the trackers.

Although both Google and Meta have, rightly, earned reputations for rapacious data gathering, the details of how their pixels work, and what they do and don’t care about, are important where health information is concerned. It is possible that neither were aware of the nature of the data being shared, and that neither would want the legal or compliance headaches that come with handling it.

If that is the case, it wouldn’t be the first time. Just two months ago North Carolina-based Novant Health notified 1.3 million patients that using the Meta pixel code may have led to unauthorized disclosure of PHI.

In 2015, when the Affordable Care Act’s healthcare.gov website first launched, it was also found to be leaking data to third parties, and it provides a useful lesson in how it can happen.

Simplistically, web analytics and web ad tracking systems want to know the number of individual visitors to the different URLs on a website, and how those visitors got there. Each time a visitor lands on a page, a tracking pixel sends the URL (along with some extra information, such as the browser type, screen resolution, IP address, etc.) to Google, Meta, or whoever, so that they can add +1 to the count for that URL.

The healthcare.gov site used URL parameters to pass information from page to page as people moved through the site. The parameters included the user’s age, zip code, income, and whether or not they were a smoker or pregnant. Since the URLs contained that information, and the URLs were sent to third party trackers to be counted, the third parties found themselves inadvertently receiving and storing privileged information.
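As an added example, not healthcare.gov’s or any vendor’s pixel code: a model of the mechanism just described, with a beacon that reports the full page URL beside one that strips the intake parameters before reporting. The collector endpoint and the sample page URL are constructed placeholders.

```javascript
// Added example (not any vendor's pixel): a pixel reports the current page URL to a
// collector, so whatever the site put in the query string travels with it. The hardened
// version keeps the per-page count but drops the parameters before anything leaves the site.

// Hypothetical collector endpoint (placeholder).
const COLLECTOR = "https://collector.example/pixel";

// Constructed page URL of the kind described above; every value here is fictional.
const SAMPLE_PAGE =
  "https://health.example/plans?age=34&zip=90210&income=52000&smoker=no&pregnant=yes&plan=silver";

// Naive pixel: the whole document location, query string included, goes into the beacon.
function buildNaiveBeacon(pageUrl, screenSize) {
  const beacon = new URL(COLLECTOR);
  beacon.searchParams.set("dl", pageUrl); // "dl": the reported document location
  beacon.searchParams.set("sr", screenSize);
  return beacon.toString();
}

// Hardened pixel input: keep only an allowlist of harmless parameters and drop the
// fragment, so the visit is still counted per path but intake answers are never reported.
function scrubPageUrl(pageUrl, allowedParams) {
  const u = new URL(pageUrl);
  const kept = new URLSearchParams();
  for (const [k, v] of u.searchParams) {
    if (allowedParams.includes(k)) kept.append(k, v);
  }
  u.search = kept.toString();
  u.hash = "";
  return u.toString();
}

function buildScrubbedBeacon(pageUrl, screenSize, allowedParams) {
  return buildNaiveBeacon(scrubPageUrl(pageUrl, allowedParams), screenSize);
}

// Audit helper for site owners: which query parameter names would a beacon hand over?
function leakedParams(beaconUrl) {
  const reported = new URL(beaconUrl).searchParams.get("dl");
  if (!reported) return [];
  return [...new URL(reported).searchParams.keys()];
}
```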

Research done by TheMarkup in June of 2022 showed that Meta’s pixel could be found on the websites of 33 of the top 100 hospitals in America.

What was disclosed

For Advocate Aurora Health customers, the following information may have been involved:

  • IP address
  • The dates, times, and/or locations of scheduled appointments
  • Their proximity to an Advocate Aurora Health location
  • Information about their provider
  • The type of appointment or procedure
  • First, last name, first name of a proxy, and medical record number
  • Information about whether they had insurance

According to Advocate Aurora Health, no social security number, financial account, credit card, or debit card information was involved in this incident.

Stop tracking me

Advocate Aurora Health disabled and/or removed tracking pixels on patient websites and applications. Luckily, not every website has to worry about that type of private information. Full disclosure, even this site uses tracking technology, but we do understand that you wish website owners didn’t.

There are several things you can do to stop this kind of tracking or limit the consequences.

  • Use a browser that values your privacy. Unfortunately, the browsers most people consider the best are rarely the best when it comes to privacy and security.
  • You can frustrate tracking by blocking and deleting cookies and making sure you log out of Facebook and Google before you visit other sites. However, this requires your full attention and in some of these cases you are relying on technology provided by Google and Facebook.
  • Anti-tracking software is your easy way out. We at Malwarebytes recommend Malwarebytes Browser Guard. You can keep on using Chrome, Firefox, Edge, or Safari and after the install you can set and forget about trackers. Our browser extension blocks tech support scams, hijackers, pop-up ads, trackers, and more to keep users secure and free from online harassment.

An odd kind of cybercrime: Gift vouchers, medical records, and…food

Someone with a gift for technology but a nasty habit of using it for very bad things has been spared from going to jail with a suspended sentence. Peter Foy, 18 at the time of his antics, racked up a remarkable, and slightly peculiar, list of compromises before being brought before the court.

A strange combination

According to Brighton and Hove news, his spree began in 2019 with the initial purchase of a laptop from Amazon, bought with “fake Honey gift vouchers”. I would love to know more about how this initial foray into system compromise worked, as one would imagine purchasing anything with fake vouchers would be a bit of a tall order. Nevertheless, he did it, and from here a somewhat short life of crime beckoned.

From the South East Regional Organised Crime Unit:

The court heard that on 13 October, 2019, Foy committed fraud in that he made a false representation to Amazon—that he was entitled to use gift vouchers to buy an Acer laptop. It was using this laptop that Foy committed further offences.

From this report, it’s hard to tell if the vouchers were indeed fake, or obtained without permission. His compromise modus operandi was a combination of breaking into networks run by food retailers, and breaking into networks containing confidential patient records. That’s quite a peculiar mixture.

On the one hand, he was “arranging food deliveries” at a cost of thousands to the affected businesses. On the other, he was accessing patient records of a third party company providing services to the National Health Service. As the release notes, this is during the COVID-19 pandemic, where the last thing we needed was people potentially breaking health record services. Food delivery services also played an important role during lockdown, so any disruption here would also be potentially very disruptive for those most at risk. A strange combination, then, but not a very pleasant one.

Not quite Robin Hood

Eventually, he was grabbed by the long arm of the law. None of the available information explains how this happened, but it’s likely that a trail was left across the compromised businesses. Even a pro can slip up! One last roll of the dice for the defendant remained in the form of claiming that he was notifying and helping the organisations he compromised.

However, he “demanded financial rewards” from the victims, which isn’t how legitimate help works. If this was his version of a bug bounty program, it isn’t a very good one.

The attempt to downplay the crimes didn’t impress the judge much, and he was sentenced to 18 months’ custody, suspended for two years. In addition to this, he’ll also have to perform 300 hours of unpaid work. There’s no word if any sort of ban from using digital technology is included in any of this.

A hopefully short-lived impact

The details released on this set of attacks are unfortunately sparse, and perhaps not as specific as you’d expect. Detective Inspector Rob Bryant had this to say:

This case also serves as a timely reminder to anyone using their financial details online to check the security of the data. Foy was able to gain access to many victims’ accounts as they often used the same passwords across more than one account.

The Detective Inspector also went on to suggest making use of two-factor authentication (2FA), which is great advice.

If you’re notified in the near future that you’ve been impacted, or indeed have been contacted already, here’s what you can do:

  • Take the advice on 2FA. Options include SMS, various apps, or even a physical hardware key. A FIDO2 hardware key is the best option.
  • Grab yourself a password manager. They create and remember strong passwords to prevent reuse, and many will refuse to sign in to bogus websites.
  • Bear in mind that the various attacks outlined above likely resulted in the attacker seeing personal data he shouldn’t have. This could put those people at an increased risk of social engineering or identity theft.

Looking for student debt relief? Watch out for scammers says the FBI

The FBI believes that scammers may be after people applying for the One-Time Federal Student Loan Debt Relief, a program announced by the Biden-Harris Administration in August 2022 that provides up to $20,000 in student loan debt relief. In a recent public service announcement, the agency warned of fraudulent websites, emails, texts, or phone scams aiming to defraud applicants.

Debt relief is open to people with an income of less than $125,000. Qualified Pell Grant recipients can get up to $20,000, while non-recipients can get up to $10,000.

That’s huge money, so scammers are likely to be paying attention. The FBI wants people to be on their guard for scammers pretending to be working on behalf of the program:

Cybercriminals and fraudsters may purport to offer entrance into the Federal Student Loan Forgiveness program, contacting potential victims via phone, email, mail, text, websites, or other online chat services

It warns that fraudsters may attempt to charge users for services that are free (entrance into the student loan relief program is free and never requires payment), or use the program as an excuse for collecting personal information from victims.

Keeping away from scammers

Here are some to-dos to remain vigilant against scammers who are after student loan relief applicants:

  • Only use official US government websites.
  • Remember that the US government doesn’t charge processing fees.
  • Use your common sense: Think twice before clicking links in emails, downloading attachments, or entering data into websites.
  • Be wary of emails, texts, or phone calls from individuals claiming to be from the government and offering assistance on how to qualify or apply for student loan relief.
  • When you have questions about loan repayments, talk directly with the financial institution or company providing the loan.

If you think you’ve been defrauded, file a report with the FBI’s Internet Crime Complaint Center (IC3), the Department of Education, and the Consumer Financial Protection Bureau (CFPB); call your financial institution to stop or reverse the transaction; and monitor your accounts and credit reports for fraud activity.

Stay safe!