IT News


FBI warns food and agriculture to brace for seasonal ransomware attacks

The Federal Bureau of Investigation (FBI) recently released a Private Industry Notification warning agriculture cooperatives (also known as “farmers’ co-ops”) of the looming danger of well-timed ransomware attacks. The agency warns that during the critical planting and harvesting seasons, attacks could result in the theft of proprietary information, and operational disruption leading to financial losses and even food shortages.

This is the second time the FBI has warned the food and agriculture sector. In September 2021, the agency revealed that ransomware threat actors were ramping up attacks as the sector adopted more smart technologies.

“Since 2021, multiple agricultural cooperatives have been impacted by a variety of ransomware variants,” the agency said. “Initial intrusion vectors included known but unpatched common vulnerabilities and exploits and secondary infections from the exploitation of shared network resources or compromise of managed services.”

The FBI is concerned that threat actors might think agricultural cooperatives have an extra incentive to pay ransoms because some phases of their work are so time-sensitive.

After-effects of ransomware attacks against the food and agriculture sector

Attacks against organizations at the root of the food supply chain can cause significant downstream disruption.

During the same month as the FBI’s initial warning, in September 2021, BlackMatter ransomware hit Iowa’s NEW Cooperative, demanding a ransom of $5.9 million. The company was forced to take affected devices offline to stop the threat from spreading, and the ransomware gang was reportedly able to steal 1,000GB of data, including financial documents, employee data, and source code for a farming technology platform.

Two days after the NEW Cooperative attack, Crystal Valley Cooperative, a major farmers’ co-op in Minnesota, was hit by a still-unnamed ransomware strain. This stopped the group from processing major payment cards and caused some downtime on its phone system.

In the last decade, the agriculture sector has been through a rapid technological transformation as traditional farm machinery—such as tractors—has joined the Internet of Things (IoT).

In a recent Lock and Code podcast about the vulnerability of agricultural technology, podcast host David Ruiz interviewed Sick Codes, a hacker who has taken a deep dive into the security of John Deere and other agricultural equipment manufacturers.

He told us that while the industry is beginning to think about the cybersecurity of its devices and systems, many vendors still struggle with the basics, like where they store data and how to make it safe, leaving it open to easy exploitation. In one example of what might be possible, Sick Codes explained that threat actors might be able to “game” the market for corn prices by intercepting unencrypted data about the crop as it moves from tractor fleets into the cloud:

If somebody is to catch that data on the way out, they will be able to predict the price of corn. And corn is a commodity. It fluctuates daily. So actually if you have all that data, you’d be out to make serious money.

The FBI has taken stock of ransomware gangs that have hit organizations within the food and agriculture sector: BlackByte, BlackMatter, Conti, HelloKitty (aka Five Hands), LockBit, Sodinokibi (aka REvil), and SunCrypt.

FBI recommendations

The agency advises the sector to focus on protecting its networks, systems, and applications as threat actors can and will exploit vulnerabilities in them. It also offered some guidance on how to protect against ransomware attacks, including:

  • Regularly back up data to an offline, air-gapped location where it can’t be reached by attackers.
  • Patch software and firmware as soon as security updates become available.
  • Segment networks to slow down attackers, make finding them easier, and limit their damage.
  • Use multi-factor authentication (MFA) whenever possible.
  • Use strong passwords and avoid reusing them.

More guidelines can be found in the agency’s Private Industry Notification on the subject.

For a glimpse of the current state of cybersecurity in an Internet-connected agriculture sector, listen to our Lock and Code podcast episode on the topic.


The post FBI warns food and agriculture to brace for seasonal ransomware attacks appeared first on Malwarebytes Labs.

Why you should be taking security advice from your grandmother

We tend to accept that younger folks are supposed to be more tech savvy, given they’ve grown up with computers and the Internet pretty much their whole lives. If you go back about 15 or so years, a lot of security advice focused on the “warning your grandmother away from scams” routine.

The default assumption was that people over a certain age simply did not know about computers and the threats that come with them. Grandparents were the short-hand, go-to frame of reference for examples in posts about scams or fraud: Watch out for grandfather this; your grandmother will fall for that.

Your grandfather knows what he’s doing

Crude, age-based categorisations were always dubious, and they are looking more and more baseless as the years tick by. Tech has now been around for a long time, whether it had some Internet bouncing around inside it or not. The oldest gamers playing on machines like Binatones in the 1970s might now be approaching 70 years of age themselves. Many studies have come and gone in the last couple of years declaring certain age groups to be at risk at one time or another. The interesting part is that more and more are declaring that younger age groups are at the greatest risk.

Older folks are dodging COVID-19 scams and all sorts of other shenanigans. Meanwhile, the news is definitely not as good the lower down the age slide we go.

Over here, Barclays says twenty-somethings are the most likely to be caught by scams. Over there, the Better Business Bureau finds that, year after year, it’s the younger folks getting stung by scams. In this direction, the UK’s Local Government Association has warned that it’s 16-34 year olds mostly feeling fakeout wrath. Some of the surveys listed claim that those in the 31-40 or 71+ ranges are more susceptible to forms of advance fee fraud, but that seems to be about the only real negative mark against the older groups.

Everything else is grim reading for the younger netizens out there.

Are digital natives in trouble?

A new study has just landed and guess what? It’s more misery for the so-called “digital native” generation (and, perhaps, those just on the fringes).

The Financial Times reports that a joint study by Visa and Aston University’s Institute for Forensic Linguistics brings bad tidings for the young. One in four 18-34 year olds trust scam messages, which is “more than double” the rate for those over 55.

Gen-X, forgotten again.

Crunching numbers

We cover the “urgent action” type scams a lot, because it’s a core component of so many fakeouts. Nothing has people clicking links they shouldn’t click faster than the threat of losing access to accounts or finances. According to the study, some 70% of messages analysed contained some kind of “Hurry up please” messaging.

Gift cards and Bitcoin—cybercriminals’ favourite currencies—feature heavily, as you’d expect. And it’s no surprise that aspects of younger culture are tied up in the most common scam messages.

More than 50% of 18-34 year olds had sent cash to fakers pretending to be friends or family. Again, this is likely another tick in the pandemic box. There are a lot more stats in the report itself [PDF], but that’s not what I’m most interested in. Despite it being focused on the language of fraud, there’s one key aspect which isn’t really touched upon.

Reports state that a quarter of 18-34 year olds don’t check for spelling and grammar mistakes. As the PDF itself notes that poor spelling, typography, and grammar are often indicators of a scam message, we may wonder how this disconnect is happening—and how to address it.

Annoying your spell-check for fun and profit

Security advice nowadays tends to steer clear of the “Your grandfather doesn’t understand computers” routine for the previously mentioned reasons. It’s just a bit crass and not particularly accurate.

And there may be other age-related pieces of security advice to reassess too.

Misspellings and errors have been a feature of scams for years, and a useful red flag we could advise people to watch out for. But does that advice still work for a generation that’s grown up on social media and messaging apps, and loosened its adherence to language norms by communicating with emojis and pared-down, abbreviated, vowelless blasts of text?

Some People Write On Social Media Like This.

others write everything in lower case and don’t even bother to consider throwing in the occasional comma or even a full stop because their messages are still entirely understandable

The rules have mostly gone out the window, and the “watch out for typos” advice might have to go with it. After all, you can’t tell people to beware strange spelling when everyone is officially doing their own thing.

Some good news for Gen Z and Millennials

Thankfully, “watch out for typos” is far from the only piece of security advice we can give when warning people away from bogus SMS messages or suspicious emails. When we warn you away from a phish, we give you several things to look out for in combination. It’s the same for a malware scam, or a bogus phone download, or something targeting young gamers.

The survey recognises this, and stresses the importance of picking out combinations of factors to spot a scam. It’s not just typos: It’s combinations of certain words, pressures exerted on the recipient, mismatches between sender and links given, and a dash of ambiguity. One of these alone probably won’t help, but a few of them together most likely will.

The post Why you should be taking security advice from your grandmother appeared first on Malwarebytes Labs.

Ukraine government and pro-Ukrainian sites hit by DDoS attacks

The Computer Emergency Response Team of Ukraine (CERT-UA) has announced that Ukrainian government web portals and pro-Ukraine sites are being subjected to ongoing DDoS (distributed denial of service) attacks. It does not currently know who is behind them.

The attack involves injecting a malicious JavaScript (JS) file—officially named “BrownFlood”—into compromised WordPress sites, turning them into DDoS launch points. The script, which is base64-encoded to avoid detection, is injected into the HTML structure of the sites’ main files. Anyone who visits one of these sites is then turned into an unwitting participant in an online attack they know nothing about.

Target URLs are defined in the code.
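One way to hunt for this kind of injection on your own WordPress install, as an added example that is not CERT-UA’s detection tool (whose internals the post does not describe) and not the BrownFlood code itself: the Python scanner below pulls every `<script>` block out of a file, decodes any long base64 run it finds, and flags blocks where the decoded text contains both a request primitive (`fetch(`, `XMLHttpRequest`, an `Image` load) and hard-coded target URLs. The sample page, the `eval(atob(...))` wrapper and the inner script that targets example.com and example.org are all constructed for the example.

```python
import base64
import binascii
import re
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# What a browser-side flooder needs once decoded: a request primitive and a loop.
FLOOD_INDICATORS = ("fetch(", "XMLHttpRequest", "new Image(", ".src=",
                    "setInterval(", "setTimeout(", "while(")


def decode_b64(run):
    """Decode a base64 run even when its padding was stripped; None if not base64."""
    stripped = run.rstrip("=")
    try:
        raw = base64.b64decode(stripped + "=" * (-len(stripped) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")


def scan_html(text):
    """Return one finding per <script> block that hides a request loop in base64."""
    findings = []
    for script in SCRIPT_RE.findall(text):
        for run in B64_RUN_RE.findall(script):
            decoded = decode_b64(run)
            if decoded is None:
                continue
            indicators = [i for i in FLOOD_INDICATORS if i in decoded]
            targets = URL_RE.findall(decoded)
            # Require both a request primitive and hard-coded targets; legitimate
            # minified JS rarely hides URLs inside base64.
            if indicators and targets:
                findings.append({"indicators": indicators, "targets": targets,
                                 "decoded": decoded})
    return findings


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a WordPress install and report the files that carry such a script."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in suffixes and path.is_file():
            hits = scan_html(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page: a normal WordPress inline script, then an injected one
# whose body is base64 inside eval(atob(...)). The inner script is made up for this
# example and only names example.com / example.org; it is not BrownFlood.
INNER_JS = ('var targets=["https://example.com/","https://example.org/"];'
            'setInterval(function(){for(var i=0;i<targets.length;i++){'
            'fetch(targets[i]+"?"+Math.random(),{mode:"no-cors"});}},100);')
SAMPLE_PAGE = (
    "<html><head>\n"
    "<script>window._wpemojiSettings={\"baseUrl\":\"https://s.w.org/images/core/emoji/\"};</script>\n"
    "<script>eval(atob('" + base64.b64encode(INNER_JS.encode()).decode() + "'));</script>\n"
    "</head><body></body></html>\n"
)

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_PAGE):
        print("indicators:", hit["indicators"], "targets:", hit["targets"])
```

Run `scan_tree("/var/www/html")` (path assumed) against a suspect install; anything it reports should be compared with a clean copy of the theme or plugin before deleting, since the injected line is usually appended to an otherwise legitimate file rather than shipped as a new one.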

BrownFlood in a compromised WordPress site (Source: CERT-UA)

Even the owners of these compromised WordPress sites do not realize that they were involuntarily signed up for a cause against Ukraine.

BleepingComputer revealed that the same JS script shared on GitHub had been involved in a DDoS attack a month ago against a smaller pool of pro-Ukraine sites. It then came to light that a particular pro-Ukrainian site had used the same DDoS code to target Russian sites.

CERT-UA worked closely with the National Bank of Ukraine to strengthen its defensive stance against DDoS attacks. The agency also informed WordPress site owners of their compromise and provided guidance on detecting and removing the malicious JS.

Screenshot of the event log entry WordPress admins should watch out for to know if they are infected (Source: CERT-UA)

CERT-UA listed three recommendations for WordPress site admins to follow, which we reproduce in translation below:

  1. Take steps to detect and remove malicious JavaScript code.
  2. Provide up-to-date [active plug-ins] and up-to-date support for website content management systems (CMS).
  3. Restrict access to website management pages.

The agency also provided a detection tool admins can use to scan their sites.

The post Ukraine government and pro-Ukrainian sites hit by DDoS attacks appeared first on Malwarebytes Labs.

Call of Duty cheats can expect embarrassment with new anti-cheat feature

In-game cheats are about to have an even harder time of things in triple-A titles such as Call of Duty. Activision’s “Ricochet” software—a kernel-level driver anti-cheat system—has added another twist to the tale of how players are protected, via a new system called “Cloaking”.

Making all new punishments fit the crime

Anti-cheat software typically sniffs out people breaking the rules and penalises them. Ricochet adds some perks into the mix for people who aren’t cheating, whenever someone up to no good joins a gaming session.

As an example, if I’m using an aim-bot to assist me in scoring cheap kills and I join your Call of Duty server, I won’t just be instantly kicked out. Two things will happen:

  1. Mitigations are deployed to help regular players not lose unfairly to cheaters like me, running round with aim-bots and wall hacks. The already existing “Damage Shield” disables the critical damage a cheater applies to non-cheating players. This means I can do everything in my power to win, but it almost certainly won’t be enough thanks to the second thing that happens.
  2. The new feature called “Cloaking” kicks in, which combined with the Damage Shield will scupper my chances of victory forever. This is because, hilariously, all other players vanish from view. I can’t see their characters, their bullets, or even hear the noises they make. Essentially, I’ll be twirling around in an empty space, firing bullets that do no damage. The best is yet to come. From the FAQ:

“Legitimate players, however, can see cheaters impacted by Cloaking and can dole out in-game punishment. Similar to Damage Shield, Cloaking gives legitimate players a leg up on cheaters.”

That’s nothing to brag about: Shaming cheaters out of gaming

Exploiters in games traditionally love bragging rights. Anything to score a cheap win is acceptable, and bragging rights arising from that is one of the reasons people continue to do it.

Many common anti-cheat methods exist which involve loading up tools prior to game launch, seeing if anything is running which shouldn’t be, and then simply preventing a cheater from joining in the first place.

From experience, people just load up another game and try it there instead until they’re allowed in.

This system is a curious remix of more typical anti-cheat tactics. Not only are the developers accepting that cheats will eventually end up in a session somehow, they’re also obtaining valuable game data in real-time as to how the cheats react to this approach.

Can you imagine the embarrassment when other players in the session upload incredibly funny clips of cheaters helplessly spinning into walls and firing guns at lamp posts to YouTube or stream it on Twitch? It’s possible the threat of this alone will deter some people from that level of social shaming. Nobody’s cool factor can survive an encounter like that.

No stopping the ban train

Conscious of controversy surrounding anti-cheat tools, the developers have reassured players several times. The Ricochet driver is not always-on: it only operates while the game is running, and it shuts down when the game is closed.

I don’t know for sure how many anti-cheat tools actually do run outside of a game being active. I suspect it’s not many, but it is good to see an organisation being very clear about what additional software needed to run a game does (and does not) do.

With 54,000 new account bans added to the 90,000 in March, the gamble seems to have paid off. We can expect to see more slightly weird and unusual approaches to shutting down cheaters in games. Letting them run free in a gaming hamster maze while both regular players and developers observe at their expense? This is simply too good an opportunity to pass up.

The post Call of Duty cheats can expect embarrassment with new anti-cheat feature appeared first on Malwarebytes Labs.

Emotet fixes bug in code, resumes spam campaign

Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.

The bug—a flaw in how Emotet is installed onto a system after a victim opens a malicious email attachment—forced the actors to prematurely halt their campaign.

Sample email of an Emotet spam containing a defective attachment. (Source: @malware_traffic)

Emotet is spammed around in emails claiming to contain invoices, forms, or payment details. The attachment is a password-protected ZIP file with a Windows shortcut (.LNK) file inside, pretending to be a Word document.

Normally, once users double-click the file, Emotet is loaded into memory, steals email addresses to use in future campaigns, and drops a payload, usually another malware like ransomware or Cobalt Strike. However, the bug happened immediately after the attachment was clicked.

Double-clicking the file sets off a chain. The shortcut runs a command that searches the .LNK file itself for a string hiding Visual Basic script code. That code is written out to a new VBS file, which is then executed. But the shortcut filename the command statically references does not match the actual name of the attached shortcut. For example, the command looks for “Password2.doc.lnk”, while the attached file itself is named “INVOICE 2022-04-22_1033, USA.doc”. The lookup finds nothing, and the infection chain breaks.
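To make that chain concrete, here is an added example in Python that is not Emotet’s code and not from the researchers cited in the post. It builds a minimal shell-link (.LNK) file following the MS-SHLLINK layout (fixed header, LinkFlags, a COMMAND_LINE_ARGUMENTS string), appends a script after the structure the way the post describes, parses the file back, emulates the `findstr`-style lookup, and checks whether the filename the command references matches the attachment actually shipped. The argument string, the `KWEvgS` marker, the harmless one-line VBScript, the `%tmp%` file name and the attachment name with its Explorer-hidden `.lnk` extension are all constructed for the example.

```python
import re
import struct

# Shell Link (MS-SHLLINK) facts used below: a fixed 0x4C-byte header beginning with
# the header size and the link CLSID {00021401-0000-0000-C000-000000000046},
# LinkFlags bits announcing which optional blocks follow, and StringData entries
# stored as a 16-bit character count followed by the characters.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_ARGUMENTS = 0x20
IS_UNICODE = 0x80
STRING_DATA_FLAGS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (HAS_ARGUMENTS, "arguments"), (0x40, "icon_location"))
VBS_MARKERS = (b"CreateObject(", b"WScript.Shell", b"WScript.Sleep")


def build_lnk(arguments, trailing=b""):
    """Construct a minimal .LNK carrying only COMMAND_LINE_ARGUMENTS, then append
    `trailing` after the structure, which is where the sample hid its VBScript.
    The builder is part of this example; a real shortcut also has a target path."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps, sizes
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + trailing


def parse_lnk(data):
    """Return (StringData dict, bytes after StringData). The IDList and LinkInfo
    blocks are skipped by their own size fields, so real shortcuts parse too."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)  # includes itself
        pos += link_info_size
    strings = {}
    for bit, key in STRING_DATA_FLAGS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return strings, data[pos:]


def findstr_lines(blob, pattern):
    """Emulate `findstr "<regex>" <file>`: the lines of the file that match."""
    regex = re.compile(pattern)
    return [line for line in blob.decode("latin-1").splitlines() if regex.search(line)]


def triage_lnk(attachment_name, lnk_bytes):
    """Reproduce the checks a sandbox would make on the shortcut attachment."""
    strings, trailing = parse_lnk(lnk_bytes)
    args = strings.get("arguments", "")
    name = attachment_name.lower()
    findings = []
    if name.endswith(".lnk") and name.count(".") >= 2:
        findings.append("double extension: Explorer hides .lnk, leaving a fake .doc")
    if any(marker in trailing for marker in VBS_MARKERS):
        findings.append("VBScript appended after the shell-link structure")
    # The command names the file it reads its own payload back from. If that name
    # differs from the attachment that was actually sent, the chain breaks: this is
    # the bug the post describes.
    m = re.search(r'findstr\s+"([^"]+)"\s+"([^"]+)"', args, re.IGNORECASE)
    referenced = m.group(2) if m else None
    chain_works = referenced is not None and referenced.lower() == name
    payload = findstr_lines(trailing, m.group(1)) if m else []
    return {"arguments": args, "referenced": referenced, "chain_works": chain_works,
            "payload": payload, "findings": findings}


# Constructed sample, not the real attachment: marker, harmless one-line VBScript,
# %tmp% file name and the attachment name are made up for this example.
SAMPLE_VBS = b'\r\nSet sh = CreateObject("WScript.Shell"): sh.Run "notepad.exe" \'KWEvgS\r\n'
BROKEN_ARGS = ('/v:on /c findstr "KWEvgS.*" "Password2.doc.lnk" > "%tmp%\\a.vbs" '
               '& "%tmp%\\a.vbs"')
ACTUAL_NAME = "INVOICE 2022-04-22_1033, USA.doc.lnk"  # .lnk is hidden by Explorer

if __name__ == "__main__":
    print(triage_lnk(ACTUAL_NAME, build_lnk(BROKEN_ARGS, SAMPLE_VBS)))
```

With the constructed input `chain_works` comes back `False` because the command asks for `Password2.doc.lnk` while the shipped file is the invoice-named shortcut; replacing the referenced name with the real one flips it to `True`, which is all the fix the spammers needed. The same parser also pulls the argument string out of real shortcuts, which is the first thing to look at when an email attachment turns out to be a .LNK.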

Cryptolaemus (@Cryptolaemus1) has provided a more technical explanation in a Twitter thread.

Emotet’s current use of .LNK files as attachments is a tried-and-tested tactic that can bypass antivirus detection and Mark-of-the-Web (MOTW) based controls. Mark of the Web is the Zone.Identifier stream Windows attaches to files downloaded from the Internet; Office uses it to open such documents in Protected View and block their macros. A shortcut launches a command directly, so there is no macro for that control to stop, and files extracted by some third-party archivers do not inherit the mark at all.

Our Threat Intelligence Team has seen APT threat actors use .LNK files in their attack campaigns (the Higaisa APT comes to mind). It’s no surprise that other cybercriminal groups have adopted this. The operators of Emotet and IcedID are just some of them.

Emotet has repeatedly changed how it reaches victims over its years of activity. It has previously spread via malicious Windows App Installer packages and malformed Word documents. Emotet is a sophisticated and versatile Trojan that other criminal groups have used to drop their own malware, leading to multiple infections on one system. Payloads it has dropped include QakBot (also known as QBot), TrickBot, and Mimikatz (a legitimate tool that attackers use to steal credentials).

BleepingComputer shared a list of attachment names the new Emotet email spam campaign is using, courtesy of Cofense, a security company specializing in email security:

  • ACH form.zip
  • ACH payment info.zip
  • BANK TRANSFER COPY.zip
  • Electronic form.zip
  • form.zip
  • Form.zip
  • Form – Apr 25, 2022.zip
  • Payment Status.zip
  • PO 04252022.zip
  • Transaction.zip

If you have received any emails bearing attachments with the above names, it would be wise to delete them immediately to prevent the risk of accidentally opening the attachment.

Stay safe out there!

The post Emotet fixes bug in code, resumes spam campaign appeared first on Malwarebytes Labs.

“Reject All” cookie consent button is coming to European Google Search and YouTube

Google will soon be giving European countries a “Reject All” button in the Search and YouTube cookie consent banner.

This change, which was revealed by Google’s Product Manager for Privacy, Safety & Security Sammit Adhya in a blog post, has already been rolled out in France and will be cascaded to the rest of the European Economic Area, the UK, and Switzerland. Adhya didn’t provide a date on the cascade.

From Adhya’s post:

“In the past year, regulators who interpret European laws requiring these banners, including data protection authorities in France, Germany, Ireland, Italy, Spain and the UK, have updated their guidance for compliance. We’re committed to meeting the standards of that updated guidance and have been working with a number of these authorities.”

With directions from France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Google finished a redesign of its cookie banner and changed the infrastructure behind how it handles cookies.

CNIL slapped Google with a $170M (€150M) fine for the confusing language in its cookie consent banners earlier this year. CNIL also found the asymmetry of letting users accept all tracking cookies with one click while making them painstakingly untick individual options to reject them to be unlawful. Because the average user typically doesn’t want to bother doing this, they are left with little choice but to click “Accept all”—a win for Google’s business.

France has a strong case for its ruling on Google’s cookie consent behavior. In a 2019 study conducted by academics at Ruhr University Bochum (Germany) and the University of Michigan (USA), researchers found that European consumers think that most cookie consent notices are meaningless or manipulative.

Google has made it easy for users to accept and reject all cookies with this new consent banner, first released to French users. (Source: Google)

Adhya implied that this could be the first step for Google to change the way cookies work on its sites. He said he knew the implications of these changes and how they impact other sites and content creators who conduct business online.

“We believe this update responds to updated regulatory guidance and is aligned with our broader goal of helping build a more sustainable future for the web. We believe it is possible both to protect people’s privacy online and to give companies and developers tools to build thriving digital businesses.”

The post “Reject All” cookie consent button is coming to European Google Search and YouTube appeared first on Malwarebytes Labs.

What’s happening in the world of personal cyber insurance?

You’ve likely only seen cyber insurance mentioned in relation to attacks on businesses. Most commonly, it’s cited with regard to ransomware attacks in the workplace, or the associated data loss. Some folks think the mere presence of insurance simply encourages more attacks, and is hurting more than it’s helping. Now we have another string to the bow to consider: personal insurance plans are slowly becoming a more visible and talked-about topic.

A brave new world, or same-old same-old?

I’m fascinated to see talk of personal cyber insurance, in an area dominated by business.

The plans referenced in the article are for people seeking cyber insurance in India. They provide personal cover in a manner somewhat similar to contents insurance for the items in your home. The major difference is losing your digital items to online shenanigans, as opposed to spilling orange juice on your TV.

Premiums are based on how much you have to lose, and tailoring types of cybercrime to your package needs. If you make a lot of financial transactions online, that’ll bump the cost of the plan up too.

A transactional offering

Some of the exclusions listed are fairly eye-catching. You’ll pay a higher premium the more online transactions you engage in, yet losses incurred through cryptocurrency aren’t included, which could be a deal breaker for many people. The Indian Government has floated the idea of banning cryptocurrency on at least one occasion, but eventually moved to a less aggressive regulatory approach at the end of 2021.

While it makes sense that insurers will be cautious around such rapidly changing stances, it’s no real consolation to cryptocurrency fans.

Some cyber threats listed may not have realistic or obtainable legal solutions in some countries, but they will in others. For people not in the latter group, an additional insurance safety blanket might be very useful.

A helping hand against online stalking

There’s some solid defence against people harassing others online in the policy types mentioned. For example, expenses are covered to prosecute people found to be stalking/bullying you online. So far, so good.

This same cover which provides legal fees to prosecute stalkers also provides the insured with costs against invasion of privacy.

So many examples of cyber insurance only ever focus on the technical aspects of online crime, or ransomware backups. It’s nice to see a more human aspect working its way into the mix. In some countries, the rules are fairly stacked against people and aren’t necessarily conducive to tackling online harassment. Knowing there’s a bit of backup to help with this kind of situation may itself make harassers think twice.

From add-on to standalone

Seeing cyber insurance as a standalone package for individuals is rather novel. In the UK at least, most—if not all—cyber offerings I’ve seen are add-on packages to regular insurance policies. For example, one major insurer offers it across all their insurance tiers and it covers the usual issues like ransom, fraud, restoration of systems, defamation and so on. Unlike the India-centric policy above, identity theft is included by default in regular, non-cyber packages.

The standalone offerings I’ve seen usually ask you to contact them to arrange a premium, as opposed to having a default one-size-fits all price. Some include monitoring customer data for breaches, including issuing alerts when necessary. Others seem to fall into more traditional areas of cover, offering to replace or repair damaged devices and recover data.

I’ve seen a few offer 24/7 cyber-helplines, credit reports, and “ransom monies” made available in ransomware cases. Some insurers have grey areas related to working from home, or just flat out refuse to cover it. All this, without the added complexity of business insurance and the question of whether it’s right to pay out to ransomware authors in the first place.

Drawing insurance lines in the sand

It’s a bit of a tumultuous time for insurers in the digital realm as they try to define what, exactly, is or isn’t up for coverage. Real-world insurers exclude “acts of God” from their policies. Cyber insurers are quickly coming up with their own non-coverable issues.

Then there’s the thorny problem of insurance companies themselves being juicy targets for attackers. I’m fairly certain they don’t have to go looking for decent cyber insurance quotes from competitors themselves. It’s still a very odd thing to think about in an industry still figuring out its role, where the rogues costing its customers money don’t play by the rules.

The post What’s happening in the world of personal cyber insurance? appeared first on Malwarebytes Labs.

“URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance

We’ve received several emails over the last couple of days which follow the classic 419 mail scam method. Titled “URGENT BUSINESS PROPOSAL!!!”, the mail reads as follows:

Greetings,

I am Mukhtar M. Hussain. I got your contact information from a reputable business/professional directory. I'm working with HSBC Berhad Malaysia as one of the Senior Vice Presidents. I am writing you this memo, because I have an urgent BUSINESS PROPOSAL for you that will benefit both of us and it’s urgent.

For more details, write me on my personal contact e-mail on: {redacted}

Yours Sincerely,

Mukhtar Malik Hussain.

The address the scammers want you to reply to is different from the address the mail came from. They’re also trying to make the mail look more respectable by using the name of an actual person.

People naturally suspicious of the mail will go looking in search engines, and seeing this is a real person may be enough to convince them to reply. It’s worth noting that this is also a short mail by typical scam standards, but will become incredibly involved should you continue with it.
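The reply-address trick noted above, together with the “combination of factors” approach from the earlier post on spotting scam messages (urgency, pressure, and mismatches between the sender and the links given), is easy to turn into a first-pass triage check. The Python below is an added example, not Malwarebytes tooling: it parses a raw message with the standard library `email` package and scores five cheap indicators. The three sample messages, including the headers and `.test` domains stood in for the redacted ones in the 419 mail, are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

URGENCY_RE = re.compile(
    r"\b(urgent(?:ly)?|immediately|act now|within \d+ (?:hours|days)|suspended)\b", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(addr):
    """Lower-cased domain of an RFC 5322 address field; '' when the field is absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def body_text(msg):
    """Concatenate the text/plain parts, for single-part and multipart mail alike."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage_message(raw):
    """Score a raw message on indicators that are cheap to check and hard to fake away."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    hits = []
    # 1. Replies are steered somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        hits.append("reply_to_mismatch")
    # 2. The body itself asks you to write to a different address.
    if any(a.rpartition("@")[2].lower() != from_dom for a in ADDR_RE.findall(body)):
        hits.append("body_reply_address")
    # 3. Links point at a host other than the sender's domain (exact host match here;
    #    production code should compare registrable domains instead).
    if any(h.lower().split(":")[0] != from_dom for h in URL_HOST_RE.findall(body)):
        hits.append("link_domain_mismatch")
    # 4. Pressure to act fast.
    if URGENCY_RE.search(subject) or URGENCY_RE.search(body):
        hits.append("urgency")
    # 5. Shouting: stacked exclamation marks or a mostly upper-case subject.
    letters = [c for c in subject if c.isalpha()]
    if subject.count("!") >= 2 or (letters and sum(c.isupper() for c in letters) > 0.8 * len(letters)):
        hits.append("shouting_subject")
    return {"from": from_dom, "reply_to": reply_dom, "indicators": hits, "score": len(hits)}


# Constructed samples: headers and domains are invented, the 419 body is adapted
# from the mail quoted in the post with its redacted address replaced by a .test one.
SAMPLE_419 = """\
From: "Mukhtar M. Hussain" <noreply@example-sender.test>
Reply-To: contact@example-freemail.test
Subject: URGENT BUSINESS PROPOSAL!!!
Content-Type: text/plain; charset="utf-8"

Greetings,

I am Mukhtar M. Hussain. I'm working with HSBC Berhad Malaysia as one of the
Senior Vice Presidents. I have an urgent BUSINESS PROPOSAL for you that will
benefit both of us and it's urgent.

For more details, write me on my personal contact e-mail on: contact@example-freemail.test
"""
SAMPLE_PHISH = """\
From: "Example Bank" <alerts@example-bank.test>
Subject: Your account will be suspended within 24 hours
Content-Type: text/plain; charset="utf-8"

Act now: https://example-bank-login.test/verify
"""
SAMPLE_BENIGN = """\
From: alice@example-corp.test
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

See https://example-corp.test/calendar for the room.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_419, SAMPLE_PHISH, SAMPLE_BENIGN):
        print(triage_message(sample))
```

No single indicator is decisive, which is the point the earlier post makes: a legitimate newsletter can have a Reply-To on another domain, and a real bank does send urgent notices. Treat a score of two or more as “stop and verify through a channel you already trust,” not as proof.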

We were curious to see what the next stage of the scam was, so we replied and then waited to see what would come back. What we received was an even shorter email and a PDF attachment.

Attention,

Find attached the urgent BUSINESS PROPOSAL. I await your correspondence.

Best regard,

Mukhtar Malik Hussain

The PDF we received does not appear to be infected. The scammer is probably just trying their best to keep the meat of the attack away from non-curious individuals.

The document says that a bank customer died, and the bank appointed our contact to hand out the inheritance. If it’s not done in time, it goes to the Malaysian government despite them having moved the money to a “secret” account similar to Swiss banking.

Recipients have 21 days to complete the fund transfer. Despite the document hitting about 1,800 words in length, all it asks for is name in full, current address, and telephone number in order to “harmonise my records”. It’s very likely that the scammers will continue to ask for more information, including bank account number, should contact continue.

They close with the usual warning of not telling anyone:

Please observe this instruction religiously, again note I am a family man; I have a wife and children’s I send you this mail not without a measure of fear as to what the consequences, but I know within me that nothing ventured is nothing gained and that success and riches never come easy or on a platter of gold. This is the one truth I have learnt from my private banking clients. Do not betray my confidence. If we can be of one accord, we should plan a meeting soon.

So all I require from you is your consent and solemn confidentiality on this from you as it shall remain our secret forever. Deals like this take place every day in the banking world and the reason you never hear about them is because they never fail.

As good as it sounds, nothing in the mail scheme is true. You run the risk of losing all your money, or becoming a money mule, or both should you proceed.

As you’re reading this on a security site, it’s likely you’ve seen lots of these before and you’re well aware of the scam. But it doesn’t take a minute to talk to the less security-aware people in your life about this and other scams. Warn them, and help keep them safe online.

The only thing to do in this situation is report the message for spam, block the sender, and go about your day.

Stay safe!

The post “URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance appeared first on Malwarebytes Labs.

Elon Musk-themed cryptocurrency scam uses fake Medium as the promotion site

So Elon Musk is buying Twitter, and you can be sure that scammers are making the most of this news.

With Elon Musk spending most of the week in the headlines, Elon Musk-themed scams are popping up—and it looks like they may be ramping up.

We witnessed a flurry of replies from the man himself in response to someone making a comment.

“Oh. Wait a minute….”

Sadly, it isn’t him but rather an army of bots, all bearing the same current profile picture of the Tesla CEO as his official Twitter account.

All of the URLs in their responses are shortened. No matter which one a user clicks, they all lead to the same website. You may be surprised when you see what it is.

“Wait a minute…!”

Musk must have taken the leap into longform blogging and is now a Medium author. He’s also off to a flying start, with 5,326 claps on his first post. However, pulling at the page’s threads reveals more than the creator may have bargained for.

The page claims that Musk is doing an “official” ETH (Ethereal) and BTC (Bitcoin) giveaway. This giveaway aims to hand out a significant amount of BTC, ETH, and DOGE (Dogecoin) to winning participants. Appealing—if you’re a big cryptocurrency user.

Everything about the page is intended to convince the visitor that it’s all genuine, down to the numerous comments from “Medium users” saying they received their funds.

Comments from supposed giveaway participants. All are, of course, fake.

We checked all of the profiles in the replies. With one exception—an account seemingly posting spam blogs—all of them lead to the official Medium front page, 404 pages, or suspended profiles.

That isn’t reassuring, and the three “giveaway” links are worse. Here’s a familiar face:

Tesla 100 000 ETH Giveaway!

To verify your address, just send from 0.5 to 100 ETH to the address below and get from 5 to 1000 ETH back!

Regular readers will recognize this design, as it’s similar to the landing page we covered concerning a fictional space marathon Tesla giveaway.

While this setup throws ETH and DOGE into the mix, it’s notable that the maximum “donation” suggested in BTC has increased. By comparison, the fake marathon giveaway asked visitors to send between 0.02 and 1 BTC.

The DOGE and ETH “donations” are no joke either. For the former, it asks for between 2,000 and 100,000 DOGE, promising 20,000 to 1,000,000 DOGE back. That’s roughly $276 to $13,801 sent, against a promised return ten times larger, roughly $2,760 to $138,000 (based on rates at the time of writing).

For the latter, it asks for between 0.5 and 100 ETH, promising 5 to 1,000 ETH back. That’s between $1,425 and $285,045 sent, with a promised return of $14,252 to an extraordinary $2,850,458 (based on rates at the time of writing).

We don’t know if whoever runs these sites is also responsible for the space marathon, but the giveaway page seems easy to reuse as a template. Scammers on this one appear to be a lot more ambitious than the space marathon people ever were.

The BTC address is flagged in several spam and warning databases. One report is particularly interesting: it claims the address was involved in ransomware and appears to come from a victim who says they recovered their money in “less than 48 hours”.


The report says:

Good work deserves recommendation... I lost over 2.3 BTC on an Instagram bitcoin scam. Right about 2 weeks after my ordeal with them I tried using the recommendation from someone in one of the comment sections {redacted}. I was able to get all my money back in less than 48 hours. Contact {redacted} to recover all your stolen bitcoins free of charge.

Visiting the URL in the comment opens a non-HTTPS site claiming to be the Internet Crime Complaint Center (IC3), which asks visitors to submit their name, address, phone number, email, transaction date, and “proof of payment”.

Don’t be fooled. This is just one of the many faces of a recovery scam.

If you’ve lost funds to the relevant BTC address, we suggest contacting the official IC3 site or the closest equivalent in your region. As for the many, many Elon Musk-themed Bitcoin giveaways, we advise you to ignore them.

What stands out is how creative the scammers are at getting you on board. These aren’t effort-free generic sites, and they’re just off the wall enough to make Elon Musk fans think they’re the real deal.

Stay vigilant, and stay safe!

The post Elon Musk-themed cryptocurrency scam uses fake Medium as the promotion site appeared first on Malwarebytes Labs.

Hospitals taken offline after cyberattack

The GHT Coeur Grand Est has become the victim of a cyberattack on the hospital centers of Vitry-le-François and Saint-Dizier. The hospital’s administration has warned (in French) that data have been exfiltrated and might be used for phishing in the future.

As a consequence, the GHT Cœur Grand Est has cut all incoming and outgoing internet connections from its member hospitals in order to protect and secure its information systems and data.

GHT Coeur Grand Est

The GHT (Groupements Hospitaliers de Territoire) Coeur Grand Est is a group of nine hospitals in the Northeast of France (around Bar-le-Duc). Together they employ some 6,000 healthcare professionals and serve around 300,000 inhabitants of the region. Most of the hospitals within the GHT network operate their own IT infrastructure, but they do share certain resources. The stolen data come from the hospital centers of Vitry-le-François (Marne) and Saint-Dizier (Haute-Marne).

The attack

On April 19, staff discovered a network breach in the systems of the GHT. During that breach, the attackers managed to copy essential administrative data. As a result, the GHT decided to cut all incoming and outgoing internet connections until the situation was resolved.

The applications and software used internally on a daily basis were not affected by the attack and remain operational, but certain services, such as online appointment booking, are unavailable for now. The computerized patient file system is fully functional.

The hospitals said the IT team is working to assess and identify the damage and, as quickly as possible, re-establish secure links with the outside world. The information flows that come from outside, mainly lab results, are handled in old-fashioned paper format or, as was done years ago, by fax.

Vigilance

The GHT has warned patients and other users of its services to be vigilant, saying there is no guarantee that the exfiltrated files will not be shared and used by malicious people.

They should stay on the lookout for targeted phishing attempts and scams that may look more trustworthy than usual because the scammers have information you wouldn’t expect them to have.

  • Pay attention to the sender of messages, even if they appear to be an official sender.
  • Be careful with attachments. Don’t open them until you have verified their origin.
  • Never respond to a request for confidential information, in particular banking information.
  • Pay attention to the content and wording of the message received. Phishing attempts often introduce some kind of urgency by scaring the receiver or putting time pressure behind the response.
  • Be wary of phone calls or texts from unknown numbers.

Stolen data for sale

While the hospital center’s announcement doesn’t contain any attribution clues, Bleeping Computer spotted a new entry on the website of Industrial Spy, a new marketplace for stolen data.

Listing on the Industrial Spy platform (image courtesy of Bleeping Computer)

Industrial Spy is a dark web platform that promotes itself as a marketplace for buying corporate data that contain sensitive information like schematics, financial reports, trade secrets, and client databases.

In this case, however, Industrial Spy isn’t offering anything that could draw the attention of a competitor. Instead, the data set exposes patient data among other administrative documents. The threat actors claim that the stolen personal data of patients includes social security numbers, passport scans, banking information, email addresses, and phone numbers.

Stay safe, everyone!

The post Hospitals taken offline after cyberattack appeared first on Malwarebytes Labs.