September 1, 2020

Russian cybercrime suspect arrested in $1m ransomware conspiracy

By Paul Ducklin

Here’s a cybercrime conspiracy story with a difference.

When we write about network-wide ransomware attacks where a whole company is blackmailed in one go, two burning questions immediately come up:

  • How much money did the crooks demand?
  • Did the victim pay up?

The answers vary, but as you have probably read here on Naked Security, modern ransomware criminals often use a two-pronged extortion technique in an attempt to maximise their asking price.

First, the crooks steal a trove of company files that they threaten to make public or to sell on to other crooks; then they scramble the data files on all the company’s computers in order to bring business to a halt.

Pay up the blackmail money, say the crooks, and they will not only “guarantee” that the stolen data will never be passed on to anyone else, but also provide a decryption program to reconstitute all the scrambled files so that business operations can resume.

Recent reports include an attack on fitness tracking company Garmin, which was allegedly blackmailed for $10m and did pay up, though apparently after wangling the amount down into the “multi-million” range; and on business travel company CWT, which faced a similar seven-figure demand and ended up handing over $4.5m to the criminals to get its business back on the rails.

In contrast, legal firm Grubman Shire Meiselas & Sacks faced a whopping $42m ransomware extortion demand but faced it down, likening the crooks to terrorists and refusing to pay a penny.

More recently, US liquor giant Brown-Forman took a similar stance, refusing to deal with criminals after its network was infiltrated.

Read more at https://nakedsecurity.sophos.com/2020/08/27/russian-cybercrime-suspect-arrested-in-1m-ransomware-conspiracy/

Fake Android notifications – first Google, then Microsoft affected

By Paul Ducklin

If you’re a Google Android user, you may have been pestered over the past week by popup notifications that you didn’t expect and certainly didn’t want.

The first mainstream victim seems to have been Google’s own Hangouts app.

Users all over the world, and therefore at all times of day (many users complained of being woken up unnecessarily), received spammy-looking messages.

The messages didn’t contain any suggested links or demand any action from the recipient, so there was no obvious cybercriminal intent.

Indeed, the messages looked like some sort of test – but by whom, and for what purpose?

The four exclamation points suggested someone of a hackerish persuasion – perhaps some sort of overcooked “proof of concept” (PoC) aimed at making a point, sent out by someone who lacked the social grace or the legalistic sensitivity of knowing when to stop.

Read more at https://nakedsecurity.sophos.com/2020/08/28/fake-android-notifications-first-google-then-microsoft-affected/

“Chrome considered harmful” – the Law of Unintended Consequences

By Paul Ducklin

An excellent article appeared last week on the APNIC blog.

Researched and written by Matthew Thomas of Verisign, the article is entitled Chromium’s impact on root DNS traffic, and it has raised some important issues amongst the Chromium browser development community relating to a feature in the browser code that’s known as the Intranet Redirect Detector.

To explain.

APNIC is the Asia Pacific Network Information Centre, headquartered in Brisbane, Australia, one of five internet number registries around the world.

These Regional Internet Registries (RIRs) look after global IP number allocations, maintain definitive internet domain name databases for their regions, and generally concern themselves with the health of the global internet.

As you can imagine, anything that upsets the balance of the internet – from spamming and cybercrime to misconfigured servers and badly-behaved network software – is of great concern to the RIRs.

The root DNS servers form the heart of the global Domain Name System, which automatically converts human-friendly server names such as nakedsecurity.sophos.com into network numbers that computers can use to send and receive traffic, such as 192.0.66.200 (that was our IP number when I looked it up today, as shown below).

As you can imagine, any unnecessary load on the root DNS servers could slow down internet access for all of us, by stretching out the time taken to convert names to numbers, something that our browsers need to do all the time as we click from link to link online.

Chromium, as you almost certainly know, is a Google open-source project that produces the software at the core of many contemporary browsers, notably Google’s own Chrome Browser, which accounts for the majority of web traffic these days on laptops and mobile phones alike.

Chromium is also used in many other browsers, including Vivaldi, Brave and – recently, at least – Microsoft Edge. (Of today’s mainstream browsers, only Safari and Firefox aren’t based on a Chromium core.)

Read more at https://nakedsecurity.sophos.com/2020/08/26/chrome-considered-harmful-the-law-of-unintended-consequences/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwired or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation