@davidfetter I'd say the same about your tone. Lighten up, Francis.
-
What the heck is so controversial about forcing kids to stow their phones during the school day? As if school can compete w/ social media and everything else competing for their attention w/ dark patterns. I'm surprised this isn't more common.
It can't be a shock to find kids actually learn better and are overall happier and healthier when they're *forced* to remain separate from their mobile devices for the better part of a day.
https://www.washingtonpost.com/education/2024/12/20/schools-ban-cellphones-virginia-impact/
-
Spur has published a list of some 2,400+ IP addresses it sees being used (currently) by North Korean hackers posing as people applying for IT jobs in American and European companies.
Astrill VPN and Remote Worker Fraud - Spur
"Recently, various intelligence and threat analysis teams have identified a concerning trend: North Korean state actors are infiltrating companies and organizations around the world in an attempt to facilitate the clandestine transfer of funds to support North Korea’s state apparatus. Specifically, these actors have favored the use of Astrill VPN to obscure their digital footprints while applying for remote positions."
"While it’s been several months since these articles were published, we continue to see reports from our customers of fraudulent remote worker campaigns originating from Astrill VPN IP addresses."
https://storage.googleapis.com/spur-astrill-vpn/astrill_vpn_ips_december_2024.txt
If your new IT employee suddenly is unreachable, you might have a problem.
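One defensive use of a published list like Spur's is to screen the source addresses of applicant-portal or new-hire logins against it. The snippet below is an added example, not Spur's tooling; it assumes the text file holds one IP address or CIDR range per line (with optional comments), and the list and login events embedded in it are constructed samples using documentation address ranges.

```python
import ipaddress

# Constructed sample in the one-entry-per-line layout assumed for the published
# list; these are documentation-range addresses, not entries from Spur's file.
SAMPLE_LIST = """\
# comment lines and blank lines are ignored
203.0.113.7
203.0.113.8
198.51.100.0/24
"""

# Constructed sample of applicant-portal login events: (applicant id, source IP).
SAMPLE_EVENTS = [
    ("app-1001", "203.0.113.7"),
    ("app-1002", "192.0.2.44"),
    ("app-1003", "198.51.100.200"),
]


def load_vpn_ranges(text):
    """Parse the list into network objects; bare IPs become /32 (or /128) networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def flag_applicant_ips(events, nets):
    """Return (applicant_id, ip, matched_network) for every event whose
    source IP falls inside one of the listed ranges."""
    hits = []
    for applicant_id, ip_str in events:
        ip = ipaddress.ip_address(ip_str)
        for net in nets:
            if ip.version == net.version and ip in net:
                hits.append((applicant_id, ip_str, str(net)))
                break  # one match is enough to flag the event
    return hits


if __name__ == "__main__":
    for hit in flag_applicant_ips(SAMPLE_EVENTS, load_vpn_ranges(SAMPLE_LIST)):
        print("review applicant %s: login from %s is in listed range %s" % hit)
```

A hit is a prompt for human review of the application, not proof of fraud, since legitimate applicants also use commercial VPNs.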
-
@troed The victims I interviewed for that story all had used LP to store their crypto seed phrase, all had a low number of iterations for their pwd hash, and had relatively low-entropy passwords.
-
In September 2023, I published a story about extensive research suggesting that thieves who'd obtained a copy of the encrypted LastPass vaults that were exposed in a 2022 data breach were successfully cracking access to some LastPass accounts, leading to a significant number of 7-figure+ cryptocurrency thefts.
In the past week, the talented crypto crime researcher ZachXBT walked through how thieves have stolen another $5.36M from over 40 different crypto wallet addresses recently, and why it was likely tied to the LastPass breach.
In response to media coverage of ZachXBT's research, LastPass issued a statement that basically said all of the researchers who've connected high-dollar thefts to the LastPass breach are somehow barking up the wrong tree:
"A year has passed since initial claims surfaced alleging a link between certain cryptocurrency thefts and the 2022 LastPass security incidents,” LastPass Chief Secure Technology Officer Christofer Hoff said. “In that time, LastPass has investigated these claims and to date is not aware of any conclusive evidence that directly connects these crypto thefts to LastPass. Because we take any claims regarding the security of LastPass and our customers seriously, we continue to invite any security researchers who believe they may have evidence to contact the LastPass Threat Intelligence team.”
Taylor Monahan, lead product manager at MetaMask, is one of the researchers who's been most vocal about the apparent fallout from the LastPass breach. Tay's responses over on Hellsite to the LastPass statement are scathing.
-
Today's Risky Biz newsletter (thanks @campuscodi) has a really good analysis of the growing influencer problem to national security.
"China and Russia appear to have understood before everyone else the role social media influencers play in modern societies, and are using them as weapons against unprepared Western democracies.
Both autocratic regimes have passed strict laws regulating the online presence of social media personalities while at the same paying foreign influencers in covert operations designed to subvert and influence foreign societies and elections.
China passed a law at the end of last year mandating that social media influencers and bloggers with over 500,000 followers must list their legal names on their profiles.
Similarly, in Russia, the Kremlin passed a law this year requiring any online personality with over 100,000 followers to register with the country's internet watchdog by the start of next year.
The two countries now have firm control over their social media landscape through the new laws, as well as their national firewall and internet censorship systems.
The crackdown is both the normal response from two paranoid autocratic regimes fearing they might lose control of their societies, but also a means of self-defense.
On the flipside, both countries have used opaque networks of companies to pay and weaponize influencers in other countries to promote their political agendas.
A Recorded Future report published last week concluded China has established over 100 so-called international communication centers (ICCs) across the country since 2023. The centers are tasked with running news websites that push Chinese-friendly propaganda and criticize democratic countries in various areas of the globe. The ICCs have also assembled "networks of thousands of foreign influencers" that get paid to push the same narratives inside the borders of other countries in posts that are designed to look as genuine as possible. Australian think tank ASPI also published a report on this."
https://news.risky.biz/r/8aeee661?m=ebb10ba8-118c-4ebb-aa1e-761703373571
-
so, am i getting this right: Luigi Mangione is charged with terrorism, even though he targeted one person and didn't mass shoot a whole school filled with children?
@blogdiva The whole terror charge is going to backfire on them. Seems like an unnecessarily higher burden of proof.
-
@gary_alderson I this meme
-
@mistressmelissa @steveriggins IDK. Is it a phishing site? I've seen that onion URL mentioned on the forums going back quite a ways
-
@steveriggins That's what I said!
-
Remember kids: Only users lose drugs.
-
BTW you have to admire their payment options: All the credit card logos have slashes through them, as if at one time they were fine with taking MasterCard for a gram of heroin, but now they only take bitcoin.
-
Not entirely sure why the MGM Grand darknet market has Krebs On Security mentioned and linked at the bottom of their homepage, but there it is.
Maybe it was meant as a service to their buyers and sellers. They seem to really care about the security of their (drug) users. I can truly say I've never seen a crime site tell me it's freaking bonkers to go around with JavaScript enabled until now.
But hey, on the bright side -- if I ever wanted to start phishing MGM Grand vendors, it might not be that hard.
-
Published another "breadcrumbs" piece today, this one tracing the source of a cloud service that resells a cracked version of the Acunetix web app vulnerability scanner that is being used to compromise tens of thousands of websites and steal gobs of data.
"Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey."
https://krebsonsecurity.com/2024/12/web-hacking-service-araneida-tied-to-turkish-it-firm/
-
Such a great episode of @riskybiz podcast with @briankrebs
@beardedtechguy @riskybiz I am, according to him, Chris's "brother from another mother." I still get hate mail for him from the election deniers. Great show here, as always.
-
Saw this in the Risky Biz newsletter today. Seems like CISA should do a better job of highlighting important work like this more before they're shunted into some border control agency.
"The US Cybersecurity and Infrastructure Security Agency has sent out 2,131 pre-ransomware activity notifications to US organizations throughout the year.
The notifications were sent via a program named the Pre-Ransomware Notification Initiative (PRNI), which CISA launched in March of 2023.
The program uses tips received from the private sector to detect early ransomware activity and notify potential targets before their data is stolen or encrypted.
In its 2024 Year In Review report, CISA says the PRNI has sent out 3,368 notifications since its inception. Almost two-thirds of these were sent in 2024, as the program appears to have matured and gained the industry's trust."
-
@obivan I don't believe so. If you have a Google account, you can test this on your own by going to a computer that has never logged into your account before, and try to recover access to your account. You can get it to send you one of these prompts.
-
"Tony told KrebsOnSecurity that in the weeks following the theft of his 45 bitcoins, he became so consumed with rage and shame that he was seriously contemplating suicide. Then one day, while scouring the Internet for signs that others may have been phished by Daniel, he encountered Griffin posting on Reddit about the phone number involved in his recent bitcoin theft.
Griffin said the two of them were initially suspicious of each other — exchanging cautious messages for about a week — but he decided Tony was telling the truth after contacting the FBI agent that Tony said was working his case. Comparing notes, they discovered the fake Google security alerts they received just prior to their individual bitcoin thefts referenced the same phony “Google Support Case ID” number."
-
@troed Yeah. There certainly are a lot of cases where we as security people say, oh, that's silly, or they should have known better. And it's true that Google never called anyone, and they really don't. That said, what I tend to find in these sad stories is that people make a series of decisions or assumptions that they never revisit.
-
Today's story features interviews with two recent cryptocurrency heist victims (one who lost > $4.5M) who were hit by the same scammers. The fraudsters used:
- Google Assistant to automate outgoing calls to victims warning of a security incident with their account, and to press 1 to speak to a rep;
- An email from google.com warning about an email hacking incident, including the name and phone number of the Google rep who will be calling. The alerts were sent via Google Forms, which makes them come from google.com.
- Victims were convinced someone had taken over their accounts when they received an alert pop up on their mobile from Google, asking if they were trying to recover access to their account. By this time, the victims were convinced they were talking with Google, and clicked "yes, it's me" trying to recover access:
How to Lose a Fortune with Just One Bad Click
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.
https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/