Cybercriminals Exploit X Gold Badge, Selling Compromised Accounts on Dark Web

 A recent report highlights the illicit activities of cybercriminals exploiting the "Gold" verification badge on X (formerly Twitter). Following Elon Musk's acquisition of X in 2022, a paid verification system was introduced, allowing regular users to purchase blue ticks. Additionally, organizations could obtain the coveted gold check mark through a monthly subscription. 

Unfortunately, the report reveals that hackers are capitalizing on this feature by selling compromised accounts, complete with the gold verification badge, on dark web marketplaces and forums. CloudSEK, in its findings, notes a consistent pattern of advertisements promoting the sale of accounts with gold verification badges. 

These advertisements were not limited to dark web platforms but were also observed on popular communication channels such as Telegram. The exploitation of the gold verification badge poses a significant risk, as cybercriminals leverage these compromised accounts for phishing and scams, potentially deceiving unsuspecting users. 

This underscores the ongoing difficulty of keeping online verification systems trustworthy as threats evolve. CloudSEK found some of the advertisements simply by searching Google, Facebook, and Telegram for phrases such as "Twitter Gold buy"; listings appeared on dark web forums and on Facebook itself. Sellers priced X Gold accounts according to how popular and widely followed the account was.

CloudSEK's report said that some ads named the companies whose accounts were for sale, with prices ranging from $1,200 to $2,000; the more recognisable and widely followed the account, the higher the asking price. The gold badge therefore turns a compromised account directly into cash, which explains why such accounts are targeted and resold on the dark web.

On the dark web, a CloudSEK source obtained a quote for 15 inactive X accounts at $35 per account. The seller also offered a recurring deal of 15 accounts every week, a volume the seller put at 720 accounts annually.

Notably, upgrading these accounts to the coveted "gold" tier is left to the purchaser. Dormant accounts are the raw material here: once hijacked and badged, they lend a scam the credibility of a verified organisation. The offer illustrates both a thriving market for inactive accounts and the volume of compromised assets available for abuse.

Data Breach Incident Affects Several Las Vegas Valley Hospitals


In another cybersecurity incident in Las Vegas, cyber actors have targeted several Las Vegas Valley hospitals in a breach that may have compromised patients' sensitive information.

The hospitals, part of the Valley Health System, include Centennial Hills, Desert Springs, Spring Valley, Summerlin, and Valley.

“So big question, how many people does it affect?” says Shannon Wilkinson, Chief Executive Officer for Tego Cyber.

Wilkinson runs a Las Vegas-based firm that deals with cyber threats. He adds, "There's one thing that I recommend that everybody does, and that is if you are not actively trying to get a loan, or get credit cards, or buy a car: lock your credit."

ESO, the company that suffered the data breach, is a third-party vendor that supplies software and other services to Valley Health's emergency medical services. One of the major concerns about the breach is the gap between when ESO detected it and when the affected individuals and the public were informed.

With respect to the issue, Valley Health System stated, “Letters were mailed to potentially affected individuals beginning on December 12, 2023.”

ESO states that it detected the incident around September 28 and notified its "business associate" on October 27, so roughly six weeks passed between detection and notification of the hospitals, and another six before letters reached patients.

Wilkinson stated that if hospitals have to shut down systems, these breaches may have an impact on patient care.

He notes that there is a direct link between ransomware attacks and hospital mortality: following a cyberattack like this, hospitals see a rise in death rates. Valley Health System, however, says the breach has not affected its emergency care.

ESO further says it has taken measures to prevent the data from spreading further and has shared steps that victims of the breach can take.

ESO's helpline is available from 9:00 a.m. to 6:30 p.m. Eastern Time, Monday through Friday, excluding holidays, at (866) 347-8525. Affected individuals can call with questions or to confirm whether their data was involved.

Lyca Mobile Suffers Data Breach: Customers’ Personal Data Compromised


Lyca Mobile, a UK-based mobile virtual network operator (MVNO) running on EE's network infrastructure, has confirmed that it suffered a cyberattack resulting in unauthorised access to its customers' personal data.

The attack apparently affected millions of customers worldwide, excluding those in the United States, Australia, Ukraine, and Tunisia. Lyca Mobile learned of the intrusion on September 30 and took immediate measures, including isolating and shutting down the affected systems.

The company further confirmed that it has engaged security experts and that an investigation is ongoing.

Lyca Mobile’s Update 

Lyca Mobile stressed in its official statement its commitment to minimize customer damage and pledged continued efforts to securely restore affected services. 

The company has informed the appropriate regulatory authorities and is working closely with them. Lyca Mobile cautioned impacted users to be on the lookout for any unusual activity and to take extra precautions to protect their information. 

The measures include resetting Lyca Mobile passwords, especially where the same password is used for more than one account. The company has also urged customers to be wary of unsolicited emails or any other communication asking for personal or financial information.

"Be suspicious of unsolicited requests for your personal or financial details. If you receive an e-mail which you're not sure about, treat it with caution, or if you have been a victim of fraud or cyber crime, contact your bank immediately and you should report this to the police," the company said in the statement.

"The security of your personal information is very important to us. As our investigation progresses, we will consider whether we need to take any further steps to help protect that information. While we hope to bring all of our systems back online as soon as possible, we are doing so carefully to minimize any further issues," it added.

The data compromised in the breach includes identifying information such as names, addresses, and contact details, along with customer service interactions, which are recorded for up to 60 days.

Online accounts also hold partial payment card information: Lyca Mobile stores the last four digits and the expiry date, with the full card number encrypted. The company does not retain the three-digit CVV code. Even so, a name, address and last-four digits are enough to make a phishing message look like a genuine card-verification request, which is why the warning about unsolicited requests matters.

The incident has also disrupted Lyca Mobile's number porting, temporarily preventing PAC codes from being issued. The company says it is working to resolve this and to fully restore all services.

MGM Resorts Refuse to Pay Ransom Following the Cyberattack


MGM Resorts has apparently refused the ransom demands made by the attackers behind the cyberattack that struck the company.

According to a report by the Wall Street Journal, this decision was made late Thursday. On the same day, the company also published a regulatory filing, revealing further details of the breach.

MGM Resort Attack

MGM Resorts is a hospitality and casino giant that operates globally, with properties in more than a dozen cities, including Las Vegas, as well as online betting applications. The company's most recent fiscal year brought in more than $13 billion in revenue.

In September, the company suffered a high-profile cyberattack that disrupted its operations. Slot machines, ATMs, and other systems at its resorts were down for an extended period, and employees reportedly had to check guests in with pen and paper.

In its Thursday regulatory filing, the company said the hackers had obtained the personal data of "some" customers who had used its services before March 2019, including contact details, gender, dates of birth, and driver's license numbers. A "limited" number of Social Security and passport numbers were also stolen.

The company has not yet revealed the exact number of affected customers. It confirms, however, that no bank details or payment card information were compromised, and that the Cosmopolitan of Las Vegas was not affected.

According to the filing, the hackers stole customers' private information, and the company estimates that the breach will cost it roughly $100 million. Less than a tenth of that figure was spent on "remedial technology consulting, legal, and advisory services."

The company expects its cybersecurity insurance to cover the remediation expenses, but it warned that the "full scope of the costs and related impacts of this issue has not been determined."

The incident reduced occupancy at MGM Resorts' Las Vegas properties to 88% in September, compared with 93% a year earlier, according to the filing. The company expects to do better this month, with internal forecasts putting October occupancy at 93%, a decline of only one percentage point from last year.

However, the company assures that it will have a financial boost in its fourth quarter, all because of the Formula One event scheduled next month in Las Vegas. MGM Resorts confirmed that they do not expect the breach to “have a material effect on its financial condition and results of operations for the year.”  

Vinomofo: Online Wine Retailer Faces Major Data Breach, Compromises Customers' Personal Data

 

Online wine retailer Vinomofo has disclosed a major data breach affecting more than 600,000 of its customers worldwide. The exposed personal data includes names, gender, dates of birth, email addresses, and phone numbers.

According to the initial investigation, the customer data was accessed by an "unauthorised third party" via a testing platform that, the company says, is not linked to Vinomofo's live website. That distinction matters less than it sounds: a test environment holding real customer records is just as sensitive as production, and it is usually less monitored.
 
“Vinomofo experienced a cybersecurity incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website,” the chief executive, Paul Edginton, stated in the emails directed to the customers. 
 
Vinomofo later said the risk to customers was "low", since other information such as passports, financial details, credit card numbers, and driver's licences were not accessed.

"Vinomofo does not hold identity or financial data such as passports, driver's licences or credit cards/bank details. While no passwords, identity documents or financial information were accessed, the database includes other information about customers and members," Edginton added.
 
The company reportedly detected signs of the breach on September 27, after which it engaged a cybersecurity firm and alerted the government.

However, notifications were sent to customers only after the investigation "established unlawful access of a Vinomofo database did occur", a company spokesperson said.

Asked by a customer when the breach occurred and exactly which data had been stolen, the spokesperson said no further information would be released.
 
“In the interests of the privacy of our customers and partners, and to reduce the risk of attempts by scammers to target them, we are not publicly releasing any further details about the incident,” he further added. 
 
Vinomofo has reportedly informed the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) about the incident.

It added that it is working with IDCARE and other cybersecurity experts to investigate the issue and reinforce its security.

Since the breach was confirmed, Vinomofo has been emailing customers to warn them of increased scam activity.

The emails explain how to spot scams that target breach victims via fake emails and text messages. As an additional precaution, the company has recommended that all users change their Vinomofo account password, whether or not their data was part of the breach.

Disneyland's Official Handles Hacked to Take Revenge

 

Disneyland Resort's Instagram and Facebook pages were compromised on Thursday by a self-proclaimed "super hacker" who published a series of posts containing foul language and racist slurs. A Disneyland spokesperson said the accounts "were compromised early this morning." The posts have since been removed.

“We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation,” the spokesperson said in a statement. 

Following the incident, The Los Angeles Times reported that the hacker, who called himself "David Do," claimed he was taking "revenge" on Disneyland workers who had allegedly insulted him.

"I am a super hacker that is here to bring revenge upon Disneyland [...] Who's the tough guy now Jerome?" one of the posts read. The hacker also published posts claiming to have "invented" COVID-19 and suggesting he was working on a new variant, "COVID20".

The culprit published four posts in total on Disneyland's Instagram account before 5 am PT, according to a post on the Disneyland blog.

Disneyland's Facebook and Instagram accounts were temporarily taken down shortly after the posts went live and were restored once the security team had removed them. The park's other social media accounts and pages were not compromised.

“It’s not known how this person managed to gain access to the Disneyland Instagram account. Was it a stranger hack or a previous employee with access to the logins? We worked quickly to remove the reprehensible content, secure our accounts and our security teams are conducting an investigation,” Disneyland said in an update to the post today.

What TrickBot Tells Us About The Future of Malware

 

Malware is evolving quickly and operating at ever higher levels of infectiousness and evasiveness. Today's criminal groups employ highly skilled developers, run decentralized, corporate-like operations, and partner with other cybercriminal groups, which gives them worldwide reach: more victims and more fallback options.

The TrickBot gang is one such example. IBM Security X-Force has observed it hitting organizations worldwide for years, and in its latest annual Threat Intelligence Index it named the group, also tracked as ITG23 and Wizard Spider, one of 2021's most active threat groups.

TrickBot is a well-known banking Trojan that targets businesses and consumers for their data, including banking information, personally identifiable information (PII), account credentials, and bitcoin wallet data.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed continued spear-phishing campaigns delivering TrickBot in North America. In one scheme, a sophisticated criminal group lured victims with phishing emails purporting to contain proof of a traffic infringement, tricking them into downloading TrickBot.

What makes ITG23 so resilient to disruption and takedown is its highly modular malware, which adapts to whatever network it lands in, together with the group's shared infrastructure and support functions: IT teams, recruiters, and even human resources.

First identified in 2016, TrickBot began as an online banking fraud Trojan alongside Qakbot, Dridex, Zeus, and Gozi. ITG23 soon expanded its operations to include:

• Stealing credentials, data, and personal information 
• Installing backdoors within the network to enable remote access 
• Elevating account privileges to expand access to the compromised network 
• Disabling antivirus tools or other security controls, such as Windows Defender 
• Modifying itself to avoid detection  
• Downloading and installing other malware or ransomware to carry out secondary attacks, the most common of which involve Ryuk or Conti ransomware 

In the report, IBM Security X-Force recommends layered defences to spot the malware and its lateral movement: behaviour-based anti-malware detection, intrusion detection and prevention systems (IDPS), endpoint detection and response (EDR), and a security information and event management (SIEM) system.
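The "behaviour-based detection" X-Force recommends is easier to picture with a concrete rule set. The Python below is an added example, not code from IBM X-Force, CISA or the TrickBot authors: it takes process-creation events and flags the Defender-tampering step from the list above (Set-MpPreference, the DisableAntiSpyware policy key, stopping the WinDefend service), then escalates a host where an Office-spawned or encoded PowerShell precursor is followed by such tampering within a short window. All events, host names and the pipe-delimited field layout are constructed for illustration; they stand in for a Sysmon Event ID 1 or Windows 4688 export and are an assumption, not a real capture.

```python
"""Behaviour-based detection for the Defender-tampering step the post lists
under ITG23's playbook. Added example, not IBM X-Force or CISA code. All
events are constructed; the pipe-delimited layout and field names are an
assumption standing in for a Sysmon Event ID 1 / Windows 4688 export."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = [
    '2021-03-04T10:01:07Z|WS-017|CORP\\jdoe|outlook.exe|winword.exe|'
    '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n Traffic_Violation_Notice.docm',
    '2021-03-04T10:01:12Z|WS-017|CORP\\jdoe|winword.exe|powershell.exe|'
    'powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    '2021-03-04T10:01:14Z|WS-017|CORP\\jdoe|powershell.exe|powershell.exe|'
    'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    '2021-03-04T10:01:15Z|WS-017|CORP\\jdoe|powershell.exe|reg.exe|'
    'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    '2021-03-04T10:01:20Z|WS-017|CORP\\jdoe|powershell.exe|sc.exe|sc stop WinDefend',
    '2021-03-04T10:05:00Z|WS-017|CORP\\jdoe|explorer.exe|notepad.exe|notepad.exe notes.txt',
    # Admin tooling adding an exclusion: worth a medium alert, but no chain.
    '2021-03-04T10:06:00Z|SRV-02|CORP\\svc_sccm|ccmexec.exe|powershell.exe|'
    'powershell Set-MpPreference -ExclusionPath C:\\Temp',
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# (rule name, severity, pattern over the command line). High = Defender tampering.
CMDLINE_RULES = [
    ("defender_realtime_disabled", "high",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender_policy_registry", "high",
     re.compile(r"DisableAntiSpyware\b.*?/d\s+1\b", re.I)),
    ("defender_service_stopped", "high",
     re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+WinDefend\b", re.I)),
    ("defender_exclusion_added", "medium",
     re.compile(r"Set-MpPreference\b.*-ExclusionPath\b", re.I)),
    ("encoded_powershell", "medium",
     re.compile(r"powershell(?:\.exe)?\b.*\s-(?:enc|encodedcommand|e)\s", re.I)),
]


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Split one constructed log line; the command line may itself contain '|'."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 host, user, parent.lower(), image.lower(), cmdline)


def match_rules(ev: Event) -> list[tuple[str, str]]:
    """Return (rule, severity) pairs for one event: parent/child check first,
    then the command-line patterns in declaration order."""
    hits = []
    if ev.parent in OFFICE_APPS and ev.image == "powershell.exe":
        hits.append(("office_spawns_powershell", "medium"))
    for name, sev, pat in CMDLINE_RULES:
        if pat.search(ev.cmdline):
            hits.append((name, sev))
    return hits


def detect(lines, window=timedelta(minutes=10)):
    """Per-host alerts plus the set of hosts where a medium-severity precursor
    precedes a high-severity Defender-tampering event within `window`."""
    alerts = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for name, sev in match_rules(ev):
            alerts[ev.host].append((ev.ts, name, sev))
    escalated = set()
    for host, items in alerts.items():
        items.sort()
        for ts, _name, sev in items:
            if sev == "high" and any(
                s == "medium" and ts - window <= t <= ts for t, _, s in items
            ):
                escalated.add(host)
    return dict(alerts), escalated


if __name__ == "__main__":
    per_host, chains = detect(SAMPLE_EVENTS)
    for host, items in per_host.items():
        for ts, name, sev in items:
            print(f"{ts:%H:%M:%S} {host} {sev:6} {name}")
    print("defense-evasion chain on:", sorted(chains))
```

The point of the second stage is the one X-Force makes about behaviour: a lone `Set-MpPreference -ExclusionPath` from a management agent is noise, while an Office child process running encoded PowerShell and then disabling real-time protection two seconds later is the TrickBot pattern regardless of which binary hash it carries. In a real SIEM you would pair these process rules with Defender's own operational log (Event ID 5001, real-time protection disabled) so that tampering done through WMI or a renamed PowerShell host is still caught.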