Comment: Pirated-Entertainment Sites Are Making Billions From Ads
Websites and apps featuring pirated movies and TV shows make about $1.3 billion from advertising each year, including from major companies like Amazon.com Inc., according to a study. The piracy operations are also a key source of malware, and some ads placed on the sites contain links that hackers use to steal personal information or conduct ransomware attacks, according to the online safety nonprofit Digital Citizens Alliance and the anti-piracy firm White Bullet Solutions Ltd. While law enforcement officials have sought to stop some of the online criminality, the groups identified at least 84,000 illicit entertainment sites. The study underscores just how tough a problem piracy is for both Hollywood studios and companies that distribute digital ads. The situation has been compounded by the Covid-19 pandemic, which has left more people watching films and television shows over the web, where criminals have a greater chance of successfully targeting victims. More information: https://www.bloomberg.com/news/articles/2021-08-12/pirated-entertainment-sites-are-making-billions-off-of-ads; https://www.digitalcitizensalliance.org/clientuploads/directory/Reports/Breaking-Bads-Report.pdf
Expert reactions:
Paul Bischoff, privacy advocate at Comparitech (comparitech.com):
"As long as there is a free option, many people will ignore the risks of using a pirated video site. These sites are laden with malicious ads at every step, which drives revenue. Most of those ads wouldn't be allowed on more legitimate ad networks like Google's. Many of the sites don't even bother hosting video files and instead stream directly from the BitTorrent network, which saves on overhead. Furthermore, most of the sites are not hosted in the USA or its allies' countries, which makes them harder to take down from a law enforcement perspective.
To a user, these sites can seem preferable to other forms of piracy like torrenting. Even though they contain malicious ads, your IP address is not exposed to copyright trolls, which reduces the risk of legal consequences."
Chris Hauk, consumer privacy champion at Pixel Privacy (pixelprivacy.com):
"As mentioned in the Breaking Bads report, many of the ads on pirating sites are from Facebook, Google, and Amazon. These are companies that should have a vested interest in cracking down on piracy, due to part of their business model being aimed at selling or renting online access to films, music, and other types of content. As the reduction in Amazon-branded ads shows, it is possible for advertisers to at least partially control where their ads will appear around the internet. These advertisers need to crack down on advertising in the darker corners of the web, at least reducing some of the incentives bad actors have for creating pirating websites."
T-Mobile is actively investigating a data breach after a threat actor claims to have hacked T-Mobile's servers and stolen databases containing the personal data of approximately 100 million customers.
The alleged data breach first surfaced on a hacking forum over the weekend after the threat actor claimed to be selling a database for six bitcoin (~$280K) containing birth dates, driver's license numbers, and social security numbers for 30 million people.
More on the story here: https://www.bleepingcomputer.com/news/security/hacker-claims-to-steal-data-of-100-million-t-mobile-customers/
Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, reacts:
“Given that the offer seems to be new and unique, the price is very cheap: just 1 cent per victim. The records, which allegedly contain such extremely sensitive data as social security numbers and full histories of mobile phone usage, can be exploited to conduct targeted mobile attacks, social engineering, sophisticated phishing campaigns or financial fraud. Worse, the records reportedly encompass data from 2004 to 2021 and can cause extreme invasion of privacy or be used for blackmailing wealthy victims.
"Based on the available technical information, it seems pretty likely that a supplier of T-Mobile could have unwittingly facilitated or caused the data breach. If so, it will be another grim reminder about the importance of Third-Party Risk Management (TPRM) programs and risk-based vendor vetting. From a legal viewpoint, if the information about the breach is confirmed, T-Mobile may face an avalanche of individual and class action lawsuits from the victims, as well as protracted investigations and serious monetary penalties from the states where the victims are based.
"Nonetheless, it would be premature to make conclusions before T-Mobile makes an official statement on the quantity and nature of the stolen data. The potential victims should refrain from panic and contact T-Mobile asking what type of intermediary support and compensation may be provided while the investigation is in progress. Some remedial actions, such as changing your driving license, may be time-consuming and costly, and I’d not precipitate here unless T-Mobile undertakes to cover the costs or confirms that the information was actually stolen.”
It has been reported that Accenture, a global IT consultancy giant, has allegedly been hit by a ransomware attack from the LockBit ransomware gang. Accenture serves a wide range of industries including automobiles, banks, government, technology, energy, telecoms and many more. Valued at $44.3 billion, it is one of the world's largest tech consultancy firms, employing around 569,000 people across 50 countries. The ransomware group known as LockBit 2.0 is threatening to publish data allegedly stolen from Accenture during a recent cyberattack, and states that it will publish the data later today if a ransom is not paid.
The full story can be found here: https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/
Commenting on this story is Steven Hope, CEO and co-founder of Authlogics:
"While the technical details of the Accenture attack are still unknown, it does emphasise that anybody is a target. Ransomware is usually the result of an initial attack such as phishing, although this may have been a more straightforward “inside job”. Regardless of how this attack actually played out, which we should learn in the fullness of time, the number one way to prevent these and other prevalent attacks is to protect your credentials. This should involve modern password security processes (not complexity) with continuous breach database monitoring and/or passwordless MFA; if not, who knows who could be next."
Expert comment: LockBit rolls out new capabilities, hits Accenture
Following the LockBit ransomware attack on Accenture, please find below insight from Felipe Duarte, Security Researcher at Appgate.
“Earlier this month, LockBit rolled out a new version of its ransomware. LockBit 2.0 implemented lots of additional features that made it even more dangerous. With the recent international efforts on fighting ransomware, those gangs are finding it difficult to advertise their malware in hacking forums. A few posts from this new version of LockBit were spotted on a few forums frequented by cyber crime gangs, but they were quickly removed. This version is currently advertised on a new version of their website. Our team got access to LockBit's deep-web site, where the ad is published along with data from victims that refused to pay the ransom.
Among the advertised capabilities is a new dangerous feature to encrypt entire Windows domains through group policies. After infecting a domain controller, the malware creates new group policies and pushes them to every device connected to the network. Those policies disable antivirus protections and execute the ransomware. Additionally, LockBit seems to have copied a feature from Egregor ransomware: after a successful infection, it sends all connected printers a command to repeatedly print the ransom note.
LockBit's new version also added a new strategy to acquire "affiliates". After encrypting a device, LockBit sets the wallpaper to a ransom note, claiming responsibility for the attack and pointing to the more detailed ransom note .txt file. Now the wallpaper also contains a recruitment ad, promising millions of dollars to employees who provide them access to the company systems so they can launch a ransomware attack. According to the ad, the access can be a valid credential or even executing a threat attached to an e-mail.
This strategy may seem unusual at first, but it's somewhat common for companies to get breached by employees. For example, in 2020, a Russian citizen living in the USA was arrested after offering $1 million to a Tesla employee to deploy ransomware in Tesla's internal network. With Accenture being the latest high-profile victim of LockBit, it's clear that at least some of its new tactics are paying off. By adopting a Zero Trust methodology, a company can limit the damage an insider can cause. By assuming all access can be compromised, and that you always need to validate it, it's easier to detect malicious activity and isolate the affected perimeters in case of a breach. Zero Trust can also help in enabling access to only what an employee needs, limiting the systems an insider can damage.”
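The group-policy trick described above works because a GPO's registry settings travel as a Registry.pol file under SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Registry.pol) and are applied by every domain-joined host that processes the policy. The following is an added example, not code from the page or from Appgate: a small parser for the documented Registry.pol record format ([key;value;type;size;data] in UTF-16LE) and a scanner that flags the Windows Defender policy values which, set to 1, switch protection off. The Defender key and value names are the real policy names; the sample policy is constructed here, and the audit() wrapper is a convenience name for this example.

```python
"""Parse a Group Policy Registry.pol and flag antivirus kill switches.

Added example (not the page's or Appgate's code). A malicious GPO created on
a compromised domain controller can carry a Registry.pol that disables
Defender domain-wide; this parses the file and reports such settings.
The sample policy at the bottom is constructed for this example.
"""
import struct

PREG_MAGIC = b"PReg"      # Registry.pol signature
PREG_VERSION = 1          # only version in use
REG_DWORD = 4             # registry type of a 32-bit integer value
SEP, OPEN, CLOSE = (c.encode("utf-16-le") for c in ";[]")

# Defender policy values (relative to HKLM) that, when set to 1, switch
# protection off. Registry names are case-insensitive, so stored lowercased.
AV_KILL_SWITCHES = {
    (r"software\policies\microsoft\windows defender", "disableantispyware"),
    (r"software\policies\microsoft\windows defender\real-time protection",
     "disablerealtimemonitoring"),
}

def _wstr(s):
    """Null-terminated UTF-16LE string, the encoding Registry.pol uses."""
    return (s + "\x00").encode("utf-16-le")

def build_pol(entries):
    """Serialise (key, value, type, data) tuples as [key;value;type;size;data]
    records: brackets and semicolons are UTF-16LE characters, type and size
    little-endian DWORDs, data raw bytes."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, rtype, data in entries:
        out += OPEN + _wstr(key) + SEP + _wstr(value) + SEP
        out += struct.pack("<I", rtype) + SEP
        out += struct.pack("<I", len(data)) + SEP + data + CLOSE
    return bytes(out)

def _read_wstr(blob, pos):
    """Read a UTF-16LE string up to its code-unit-aligned null terminator."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string")
    return blob[pos:end].decode("utf-16-le"), end + 2

def _expect(blob, pos, token):
    """Consume a fixed delimiter or fail on a malformed record."""
    if blob[pos:pos + len(token)] != token:
        raise ValueError(f"malformed record at offset {pos}")
    return pos + len(token)

def parse_pol(blob):
    """Parse Registry.pol bytes into a list of (key, value, type, data)."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("not a Registry.pol file")
    if struct.unpack_from("<I", blob, 4)[0] != PREG_VERSION:
        raise ValueError("unsupported Registry.pol version")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, OPEN)
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, SEP)
        value, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, SEP)
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data")
        pos = _expect(blob, pos + size, CLOSE)
        entries.append((key, value, rtype, data))
    return entries

def find_av_kill_switches(entries):
    """Return (key, value) pairs that set a Defender kill switch to 1."""
    hits = []
    for key, value, rtype, data in entries:
        if ((key.lower(), value.lower()) in AV_KILL_SWITCHES
                and rtype == REG_DWORD and len(data) == 4
                and struct.unpack("<I", data)[0] == 1):
            hits.append((key, value))
    return hits

# Constructed sample: two Defender kill switches plus one unrelated setting.
DEFENDER = r"SOFTWARE\Policies\Microsoft\Windows Defender"
SAMPLE_POL = build_pol([
    (DEFENDER, "DisableAntiSpyware", REG_DWORD, struct.pack("<I", 1)),
    (DEFENDER + r"\Real-Time Protection", "DisableRealtimeMonitoring",
     REG_DWORD, struct.pack("<I", 1)),
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate",
     REG_DWORD, struct.pack("<I", 0)),
])

def audit(blob=SAMPLE_POL):
    """Parse a policy blob and return the AV kill switches it pushes."""
    return find_av_kill_switches(parse_pol(blob))

if __name__ == "__main__":
    for key, value in audit():
        print(f"policy disables AV: HKLM\\{key}\\{value} = 1")
```

To use it against a live domain, read each GPO's Machine\Registry.pol from SYSVOL and pass the bytes to audit(); policies created or modified in the last few hours (for example via Get-GPO -All sorted by ModificationTime) are the ones worth checking first after an incident. The scheduled task that a malicious GPO uses to launch the payload lives in a separate Group Policy Preferences XML file (ScheduledTasks.xml), which this parser does not cover.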
More than $600m stolen in likely biggest cryptocurrency theft ever
It has been reported that more than $600 million has been stolen in what’s likely to be one of the biggest cryptocurrency thefts ever. Hackers exploited a vulnerability in Poly Network, a platform that looks to connect different blockchains so that they can work together. Poly Network disclosed the attack on Twitter and asked to establish communication with the hackers, and urged them to “return the hacked assets.”
More information can be found here: https://www.cnbc.com/2021/08/11/cryptocurrency-theft-hackers-steal-600-million-in-poly-network-hack.html; https://www.forbes.com/sites/jonathanponciano/2021/08/10/more-than-600-million-stolen-in-ethereum-and-other-cryptocurrencies-marking-one-of-cryptos-biggest-hacks-ever/
Commenting on this story:
Hank Schless, senior manager of security solutions at Lookout:
"Recently, cryptocurrency has found itself at the center of most data breach headlines. Decentralized finance (DeFi) has not only become a primary target for cybercriminals, but the cryptocurrencies that it supports are also the primary payment method for attacks like ransomware.
Since cryptocurrency and blockchain are still relatively new technologies, they present an opportunity for threat actors to socially engineer targets. Crypto investors are constantly looking for an edge in the market or for the next big currency that’s going to explode in value. Attackers can use this thirst for information against users in order to get them to download malicious apps or share login credentials for legitimate trading platforms they use. The attacker could then use the malicious app to exfiltrate additional data from the device it’s on, or take the login credentials they’ve stolen and try them across any number of cloud apps used for both work and personal life.
In order to increase the likelihood of success, attackers target users across both mobile devices and cloud platforms. For example, Lookout recently discovered almost 200 malicious cryptocurrency apps on the Google Play Store. Most of these apps advertised themselves as mining services in order to entice users to download them.
Crypto platform providers need to ensure that their employees are protected and don’t become conduits for cybercriminals to make their way into the infrastructure. Employees are constantly targeted by mobile phishing and other attacks that would give a cybercriminal a backstage pass to the company’s infrastructure. The risk of this happening can be reduced by implementing a powerful combination of a unified mobile threat defence (MTD) and cloud access security broker (CASB) solution that can protect the user on the endpoint and recognize anomalous activity indicative of a compromised employee account."
Felix Rosbach, product manager at comforte AG:
"New technology, old cybersecurity problems. While decentralized finance platforms and distributed ledgers in general come with the promise to increase trust and reduce dependencies on intermediaries, they are still new technology with their own dependencies, vulnerabilities and the need to be integrated and connected. Combine this with the value of the data affected – in this case blockchain tokens – being easily transferable to other wallets anonymously, and you end up with a highly valuable target for attackers.
Every innovation comes with increased security risks due to fast go-to-market, potential misconfiguration and unpatched vulnerabilities. While this should never be a reason to stop innovation, security has to become a key requirement for any project. And in this case the transparency of the blockchain and blockchain analytics resulted in attackers returning stolen assets. Whether that will be the case for all affected assets is questionable though."