Why Phone Numbers Stink As Identity Proof

2 days 11 hours ago
Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they've become de facto identities. At the same time, when you lose control over a phone number -- maybe it's hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments -- whoever inherits that number can then be you in a lot of places online.
BrianKrebs

Ad Network Sizmek Probes Account Breach

6 days 14 hours ago
Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers. In a recent posting to a Russian-language cybercrime forum, an individual who's been known to sell access to hacked online accounts kicked off an auction for "the admin panel of a big American ad platform." "You can add new users to the ad system, edit existing ones and ad offers," the seller wrote. The starting bid was $800.
BrianKrebs

Patch Tuesday, March 2019 Edition

1 week ago
Microsoft on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its Windows operating systems, Internet Explorer, Edge, Office and SharePoint. If you (ab)use Microsoft products, it's time once again to start thinking about getting your patches on. Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today's patch batch without any help from users.
BrianKrebs

Insert Skimmer + Camera Cover PIN Stealer

1 week 2 days ago
Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PINs. These little video bandits can be hidden 100 different ways, but they're frequently disguised as ATM security features -- such as an extra PIN pad privacy cover, or an all-in-one skimmer over the green flashing card acceptance slot at the ATM. And sometimes, the scammers just hijack the security camera built into the ATM itself.
BrianKrebs

MyEquifax.com Bypasses Credit Freeze PIN

1 week 4 days ago
Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don't already have an account at the credit bureau's new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.
BrianKrebs

Hackers Sell Access to Bait-and-Switch Empire

2 weeks 1 day ago
Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.
BrianKrebs

Booter Boss Interviewed in 2014 Pleads Guilty

2 weeks 5 days ago
A 20-year-old Illinois man has pleaded guilty to running multiple DDoS-for-hire services that launched millions of attacks over several years. The plea deal comes almost exactly five years after KrebsOnSecurity interviewed both the admitted felon and his father and urged the latter to take a more active interest in his son's online activities.
BrianKrebs

Crypto Mining Service Coinhive to Call it Quits

2 weeks 6 days ago
Roughly one year ago, KrebsOnSecurity published a lengthy investigation into the individuals behind Coinhive[.]com, a cryptocurrency mining service that has been heavily abused to force hacked Web sites to mine virtual currency. On Tuesday, Coinhive announced plans to pull the plug on the project early next month.
BrianKrebs

Former Russian Cybersecurity Chief Sentenced to 22 Years in Prison

3 weeks ago
A Russian court has handed down lengthy prison terms for two men convicted on treason charges for allegedly sharing information about Russian cybercriminals with U.S. law enforcement officials. The men -- a former Russian cyber intelligence official and an executive at Russian security firm Kaspersky Lab -- were reportedly prosecuted for their part in an investigation into Pavel Vrublevsky, a convicted cybercriminal who ran one of the world's biggest spam networks and was a major focus of my 2014 book, Spam Nation.
BrianKrebs

Payroll Provider Gives Extortionists a Payday

3 weeks 3 days ago
Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company's customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the process of restoring service to customers.
BrianKrebs

New Breed of Fuel Pump Skimmer? Not Really

3 weeks 5 days ago
Fraud investigators say they've uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message, thereby enabling fraudsters to collect it from anywhere in the world. One interesting component of this criminal innovation is a small cellphone and Bluetooth-enabled device hidden inside the contactless payment terminal of the pump, which appears to act as a Bluetooth hub that wirelessly gathers card data from multiple compromised pumps at a given filling station.
BrianKrebs

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

1 month ago
The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy. This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.
BrianKrebs

Bomb Threat Hoaxer Exposed by Hacked Gaming Site

1 month ago
Federal authorities this week arrested a North Carolina man who allegedly ran with a group of online hooligans that attacked Web sites (including this one), took requests on Twitter to call in bomb threats to thousands of schools, and tried to frame various online gaming sites as the culprits. In an ironic twist, the accused -- who had fairly well separated his real life identity from his online personas -- appears to have been caught after a gaming Web site he frequented got hacked.
BrianKrebs

Patch Tuesday, February 2019 Edition

1 month 1 week ago
Microsoft on Tuesday issued a bevy of patches to correct at least 70 distinct security vulnerabilities in Windows and software designed to interact with various flavors of the operating system. This month's patch batch tackles some notable threats to enterprises -- including multiple flaws that were publicly disclosed prior to Patch Tuesday. It also bundles fixes to quash threats relevant to end users, including critical updates for Adobe Flash Player and Microsoft Office, as well as a zero-day bug in Internet Explorer.
BrianKrebs

Email Provider VFEmail Suffers ‘Catastrophic’ Hack

1 month 1 week ago
Email provider VFEmail has suffered what the company is calling "catastrophic destruction" at the hands of an as-yet unknown intruder who trashed all of the company's primary and backup data in the United States. The firm's founder says he now fears some 18 years' worth of customer email may be gone forever.
BrianKrebs

Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions

1 month 1 week ago
A highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at the credit unions, and many credit union sources say they suspect the non-public data may have been somehow obtained from the National Credit Union Administration (NCUA), an independent federal agency that insures deposits at federally insured credit unions.
BrianKrebs

More Alleged SIM Swappers Face Justice

1 month 2 weeks ago
Prosecutors in Northern California have charged two men with using unauthorized SIM swaps to steal and extort money from victims. One of the individuals charged allegedly used a hacker nickname belonging to a key figure in the underground who's built a solid reputation hijacking mobile phone numbers for profit. According to indictments unsealed this week, Tucson, Ariz. resident Ahmad Wagaafe Hared and Matthew Gene Ditman of Las Vegas were part of a group that specialized in tricking or bribing representatives at the major wireless providers into giving them control over phone numbers belonging to people they later targeted for extortion and theft.
BrianKrebs

Crooks Continue to Exploit GoDaddy Hole

1 month 2 weeks ago
GoDaddy.com, the world's largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy's fix hasn't gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.
BrianKrebs

250 Webstresser Users to Face Legal Action

1 month 2 weeks ago
More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol, the European Union's law enforcement agency. In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators. Prior to the takedown, the service had more than 151,000 registered users and was responsible for launching some four million attacks over three years. Now, those same authorities are targeting people who paid the service to conduct attacks.
BrianKrebs

Three Charged for Working With Serial Swatter

1 month 3 weeks ago
The Justice Department has filed criminal charges against three U.S. men accused of swatting, or making hoax reports of bomb threats or murders in a bid to trigger a heavily armed police response to a target's address. Investigators say the men, aged 19 to 23, all carried out the attacks with the help of Tyler Barriss, a convicted serial swatter whose last stunt in late 2018 cost an Oklahoma man his life. FBI agents on Wednesday arrested Neal Patel, 23, of Des Plaines, Ill., and Tyler Stewart, 19, of Gulf Breeze, Fla. The third defendant, Logan Patten, 19, of Greenwood, Mo., agreed to turn himself in. The men are charged in three separate indictments with conspiracy and conveying false information about the use of explosive devices.
BrianKrebs
In-depth security news and investigation