InfoSec Round-Up: November 22nd
Facebook Scammers, $2M in Stolen Crypto & Russian Cybercrime Surge
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
Ticketmaster Fined £1.25m
The UK’s Information Commissioners Office has fined Ticketmaster UK £1.25 million following a website infection that saw 9 million customers’ details skimmed by cyber-criminals.
The breach occurred in 2018, beginning in February though not detected until April, when the company was alerted by banks who noticed a corelation between Ticketmaster purchases and criminal activity being conducted soon after.
The cybercriminal gang, known as Magecart, is thought to have stolen personal information affecting 9.4 million customers, including 1.5 million in the UK.
According to the ICO investigation, Ticketmaster had failed to assess specific online risks, implement appropriate security measures, or identify the source of suggested fraudulent activity in a timely manner.
The ICO’s Deputy Commissioner, James Dipple-Johnstone stated on the matter, “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. Ticketmaster should have done more to reduce the risk of a cyber-attack… The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
Scammers Expose 5.5GB Facebook Records
Researchers from vnpMentor have discovered an exposed 5.5GB database containing hundreds of thousands of Facebook users’ private data.
Compiled by unknown online scammers, the usernames, passwords and IP addresses contained within the database are thought to have been predominantly used in online Bitcoin scams.
Users were tricked into handing over login credentials via a phishing campaign that purported to allow users to reveal who has visited their online profiles.
Discovered by the security researchers in September, the data was left exposed for around four months, though was coincidentally wiped out by the Meow virus the day after it was found and has not since been accessible.
In the report, vnpMentor stated, “If you’re a Facebook user and think you’ve been a victim of this fraud, change your login credentials immediately. Furthermore, if you reused your Facebook password on any other accounts, change it immediately to protect them from hacking.”
Irish Crypto Thief Jailed
Conor Freeman, of Dublin, has been sentenced to 35 months in prison for the theft of over $2 million worth of cryptocurrency.
Identified by US Homeland Security, Mr Freeman pled guilty to stealing the funds as part of a SIM-swapping scam which bled multiple victims of their life savings; one victim loosing over $1.9 million alone.
Freeman’s co-conspirators in the thefts, who are also facing courts in the United States, exploited insiders of mobile phone carriers into swapping phone numbers to SIMs controlled by the group, allowing the criminals access to crypto wallets by intercepting 2FA codes.
When passing sentencing, Judge Martin Nolan noted “almost perfect mitigation”, with the accused entering a guilty plea, extensive co-operation with the investigation and no previous convictions.
Freeman’s defence described the cybercriminal as “very much a loner” who had retreated into an online world, hacking accounts not for the monetary gain but rather for the “thrill”.
Russia to Lose $44B to Cybercrime
According to estimates published by Russia’s largest bank, Sberbank, the Russian economy is expected to lose around $44 billion to cybercrime in 2020.
According to the source, with the shift to ‘online’ during the COVID-19 pandemic, cybercrime presents an increasing challenge to the economy; as well as suggesting the cost of cybercrime may double in 2021.
The deputy chairman of Sberbank’s executive board, stated on the matter, “on average, we have to deal with 26 billion cybersecurity events every day.” Data released by the Russian Interior Ministry further revealed that the number of crimes linked to bank cards had increased by 500% in 2020.
Speaking in 2019 on the rise in cybercrime in the region, Russia’s Minister of Internal Affairs Alexander Kolokoltsev stated: “In the last few years Internet crime has seen a 16-fold surge. This number is huge, despite the fact that crime in general is subsiding, felonies included.”
Thank you for reading this edition of InfoSec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
How to Write a Cyber Job Specification: Finding the Best Cybersecurity Talent. Cyber blog by Information Security Awareness solution provider Hut Six Security.
How to Build a Cyber Team - Top Points to Consider When Building Your Team. Blog by Information Security Awareness solution Hut Six Security.
What is GDPR Compliance UK? Understanding the General Data Protection Regulation and UK Compliance. Blog by Hut Six Security.
What is a DDoS attack and what should you do if you think you are experiencing one? Blog by Information Security Training provider Hut Six Security.
Does GDPR Apply to Individuals? How GDPR Relates to you Personally. Blog by Information Security Awareness Training provider Hut Six Security
Does GDPR Cover Paper Records? Paper Records and Data Protection Law blog by Information Security Awareness Training provider Hut Six Security.
How Secure is My Organisation? Knowing where you are, before knowing where to begin. Blog by Information Security Awareness solution Hut Six Security.
How Does Ransomware get on your Computer? Chances are that in the last few years you've heard the term "ransomware". Blog by Hut Six Security.
How to Audit Your Business for GDPR Compliance with a GDPR Business audit. Hut Six Security guest blog by https://reciprocitylabs.com/.
What is a Breach of Data Protection? The Data Protection Act - Personal Data Breaches, Reporting and Consequences. Blog by Hut Six Security