December 3, 2018

Microsoft cracks down on tech support scams, 16 call centers raided

By Lisa Vaas

More than 100 Indian police swarmed 16 tech support scam call centers in Gurgaon and Noida last week, arresting 39 people for allegedly impersonating legitimate support reps for companies including Microsoft, Apple, Google, Dell and HP.

The day after the raids, which were carried out on Tuesday and Wednesday, Microsoft said that it has received over 7,000 victim reports from customers in more than 15 countries who’ve been ripped off by the call centers.

This is the second of two recent, big raids on Indian tech support scammers. In October, after Microsoft filed complaints about customers falling for pop-up messages that lied about their systems being infected with malware, Indian police raided 10 illegal call centers and arrested 24 alleged scammers.

In that second raid, law enforcement seized a wealth of evidence, including the call scripts, live chats, voice call recordings and customer records used to run the scams.

Typosquatting and malvertising

There are a few ways that people can fall prey to these swindlers, who get to people via both phone calls and pop-up windows. Last year, researchers at Stony Brook University rigged up a robot to automatically crawl the web searching for tech support scammers and to figure out where they lurk, how they monetize the scam, what software tools they use to pull it off, and what social engineering ploys they use to weasel money out of victims.

Read more at https://nakedsecurity.sophos.com/2018/12/03/microsoft-cracks-down-on-tech-support-scams-16-call-centers-raided/

Faster fuzzing ferrets out 42 fresh zero-day flaws

By Danny Bradbury

A group of researchers has found 42 zero-day flaws in a range of software tools using a new take on an old concept. The team, from Singapore, Australia and Romania, worked out a better approach to a decades-old testing technique called fuzzing.

A standard part of software testing involves developers placing inputs in software that they think might cause trouble. They then use scripts or tools to automatically run the program and test it with those inputs. They might test a web form that takes a first name as input for example, and ensure that it doesn’t allow a blank entry, or an entry that includes a command to manipulate a database.

This can be useful in ferreting out flaws, but it is difficult to make that comprehensive. Developers may not think of everything. And it gets even more complicated if you are uploading a sound file or a photograph. It’s far more difficult to produce testing data that might break the program, or even to know what that might look like.

Fuzzing programs fill that gap by automatically changing files and other inputs in many unpredictable ways. They can run thousands of different inputs against the program, often changing individual bits in each file that they present to it, to see if anything breaks.

There are three broad kinds of fuzzing.

Read more at https://nakedsecurity.sophos.com/2018/12/03/faster-fuzzing-ferrets-out-42-fresh-zero-day-flaws/

Marriott’s massive data breach – here’s what you need to know

By Mark Stockley

Marriott has today revealed that its Starwood guest reservation database has been subject to unauthorized access “since 2014”. The scope of the data breach is huge, covering nearly five years and approximately 500 million guests.

The company has created a website to deal with the breach at info.starwoodhotels.com (note that at the time of writing it redirects to answers.kroll.com).

Who’s affected?

The company warns that if you made a reservation at one of its Starwood brands in the last five years then you are at risk:

If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.

According to Marriott, its Starwood brands include: Starwood branded timeshare properties, W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Read more at https://nakedsecurity.sophos.com/2018/11/30/huge-marriott-breach-puts-500-million-victims-at-risk/

Busted! DOJ exposes huge ad-fraud operation, eight charged

By John E Dunn

The US Department of Justice has charged eight men from Russia and Kazakhstan with running a vast ad-fraud scheme that milked a total of $36 million from advertisers.

Three of the accused – Aleksandr Zhukov, Sergey Ovsyannikov and Yevgeniy Timchenko – have been arrested in different countries pending extradition to the US, with Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, and Aleksandr Isaev still at large, an announcement said.

The fraud centered on two systems that resembled expertly crafted digital money trees.

Methbot

The first, which ran between September 2014 and December 2016, dubbed ‘Methbot’ by discoverers White Ops in 2016, was a 1,900-strong farm of datacentre servers rented to host 5,000 bogus websites.

Not only was the traffic to these sites fictitious – the gang went to some lengths to simulate real users visiting these domains from fake geographic locations – but the sites themselves were spoofed versions of real sites including CNN, the New York Times, CBS Sports, and Fox News.

Read more at https://nakedsecurity.sophos.com/2018/11/30/busted-doj-exposes-huge-ad-fraud-operation-eight-charged/

Prisoners allegedly posed as underage girls in $560K sextortion scam

By Lisa Vaas

Fifteen US prison inmates have been indicted for posting pictures of girls on dating sites, sending nude photos to military personnel who fell for the phony profiles, and then sextorting hundreds of those victims. To cap off the scam, the prisoners posed as the girls’ fathers and threatened to report the victims for disseminating child abuse imagery.

Law enforcement authorities held a press conference about the fraud ring in front of a state prison in Columbia, South Carolina, on Wednesday. According to a local paper, the Greenville News, authorities said that the prisoners had used contraband mobile phones to scam a total of 442 servicemen out of more than $560,000.

The indictments include charges of conspiracy to commit wire fraud, extortion and money laundering.

The bust was coordinated by a slew of law enforcement agencies, including from the military: the Naval Criminal Investigative Services (NCIS), US Army Criminal Investigations Command, US Air Force Office of Special Investigations, Department of Defense Criminal Investigative Services, IRS Criminal Investigative Services, the US Marshals Service, the South Carolina Department of Corrections, the South Carolina Law Enforcement Division and the US Attorney’s Office.

The prisoners allegedly used smuggled cellphones to log onto multiple dating websites and pretend to be 18- or 19-year-old girls. Court documents allege that after communicating with their victims, the inmates would eventually send nude photos to service members. Then, another prisoner would allegedly contact the marks, pretending to be an irate father and telling them that the “girl” they’d been communicating with was their underage daughter.

Read more at https://nakedsecurity.sophos.com/2018/11/30/prisoners-allegedly-posed-as-underage-girls-in-560k-sextortion-scam/

57m Americans’ details leaked online by another misconfigured server

By Danny Bradbury

Misconfigured Elasticsearch servers are the unwelcome gift that keeps on giving. The latest breach spilled personal details on 57 million Americans, according to reports this week.

Bob Diachenko, director of cyber risk research for security firm Hacken, said that the company found an exposed Elasticsearch server on the Shodan search engine, which scans for connected devices and open servers. It found at least three IP addresses with identical Elasticsearch clusters misconfigured for public access.

These instances, which held 73GB of data, had been publicly accessible on 14 November, which is when they were indexed by Shodan. However, it is unclear how long they had been online before that point, Diachenko said. Hacken discovered the instances on 20 November and the sites disappeared a couple of days later.

The service held data on almost 57 million US citizens, containing information including first and last name, employers, job title, email, address, state, ZIP code, phone number, and IP address. Another index of the same database included over 25 million business records, which held details on companies including employee counts, revenue numbers, and carrier routes.

Hacken couldn’t immediately identify the source of the leak, but Diachenko noted that one of the fields in the database was similar to those used by a marketing data company. He couldn’t reach their executives for comment, and the company took its website offline shortly before he blogged about the incident. However, this doesn’t necessarily mean that the company was the source of the leak. What’s scary is that this volume of records could be leaked online without anyone knowing for sure who’s responsible.

Read more at https://nakedsecurity.sophos.com/2018/11/30/57m-americans-details-leaked-online-by-another-misconfigured-server/
