Small business identity theft increases amid COVID closures
Identity thieves who specialize in running up unauthorized lines of credit in the names of small businesses are having a field day with all of the closures and economic uncertainty wrought by the COVID-19 pandemic. An aggressive business ID theft ring has spent years targeting small businesses across the country and is now pivoting toward using that access for pandemic assistance loans and unemployment benefits.
- Data analytics firm Dun & Bradstreet reports a 258% spike in the crime in 2020; so far this year the firm has received over 4,700 tips and leads where business identity theft or malfeasance is suspected.
- The thieves target both active and inactive businesses, and typically start by looking up public ownership records, often available through a state's Secretary of State website. From there, they identify the officers and owners of the company and acquire their Social Security and Tax ID numbers where those are available on dark web forums and other sources online.
- To prove ownership over the hijacked firms, they hire low-wage image editors to help fabricate and/or modify a number of official documents tied to the business — including tax records and utility bills.
- The scammers frequently file phony documents with the Secretary of State’s office in the name(s) of the business owners, but include a mailing address that they control. They also create email addresses and domain names that mimic the names of the owners and the company to make future credit applications appear more legitimate, and submit the listings to business search websites, such as yellowpages.com.
- After the bogus profiles are approved by Dun & Bradstreet, the hackers wait a few weeks or months and then start applying for new lines of credit in the target business’s name at stores like Home Depot, Office Depot and Staples. Then they go on a buying spree with the cards issued by those stores.
- Usually, the first indication a victim has of being targeted is when the debt collection companies start calling.
New hacking toolkit makes cybercrime easy even for inexperienced hackers
Ransomware-as-a-Service (RaaS) is a cybercrime operation model that monetizes the development of new ransomware programs by selling pre-packaged malware "toolkits" to cybercriminals, and sometimes also taking a share of the ransom. While RaaS is not new, the programs were typically deployed by more experienced users. The Dharma RaaS operation hopes to change that by making it easy for even wannabe cybercriminals to get into the ransomware business.
- Dharma is offering a toolkit to amateur hackers that does almost everything for them.
- Affiliates are responsible for compromising victims and deploying the ransomware.
- As part of this model, the developers earn between 30% and 40% of any ransom payment, and the affiliates keep the rest.
- The toolkit is a PowerShell script that, when run, lets the attacker download and execute a variety of tools from a shared folder mapped into the session over Remote Desktop.
- For an inexperienced hacker, this toolkit contains all of the programs that the affiliate needs to steal passwords, spread to other machines on a network, and ultimately deploy the ransomware.
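Because the toolkit runs its components from a folder shared into the Remote Desktop session, the most useful thing a defender can take from this item is a detection. The following is an added example written for this digest; it is not part of the Dharma toolkit or of any vendor's detection content. It scans constructed Windows process-creation records (field names follow Sysmon Event ID 1) for programs launched from a drive that an RDP client has redirected into the session. It assumes that, with RDP drive redirection enabled, the client's drives appear on the server as \\tsclient\<letter>, so a toolkit run from a mapped Remote Desktop share leaves that prefix in the process image path or command line. The sample events, user names and tool names are constructed for illustration.

```python
"""
Added example (not from the original digest or the Dharma toolkit): flag process
creations that execute from, or reference, an RDP-redirected client drive.
Assumption: redirected client drives are exposed to the server as \\tsclient\<letter>.
"""
import re
from typing import Dict, List, Optional

# \\tsclient\<share>\...  (case-insensitive; a path ends at whitespace or a quote)
TSCLIENT_RE = re.compile(r"\\\\tsclient\\[^\s\"']+", re.IGNORECASE)

# Constructed sample events, not real telemetry. LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the toolkit's PowerShell script run straight from the attacker's own drive
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File \\tsclient\D\toolkit\run.ps1",
        "User": r"CORP\svc-backup", "LogonType": "10",
    },
    {   # a (placeholder) credential-theft tool executed directly from the redirected drive
        "Image": r"\\tsclient\D\toolkit\bin\cred-dump.exe",
        "CommandLine": r'"\\tsclient\D\toolkit\bin\cred-dump.exe" -all',
        "User": r"CORP\svc-backup", "LogonType": "10",
    },
    {   # benign: a normal service host
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "User": r"NT AUTHORITY\SYSTEM", "LogonType": "0",
    },
    {   # benign: an admin running a local script over RDP, no redirected drive involved
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
        "User": r"CORP\jdoe", "LogonType": "10",
    },
    {   # staging: copying the toolkit onto the host before running it
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c copy \\tsclient\D\toolkit\*.exe C:\Windows\Temp",
        "User": r"CORP\svc-backup", "LogonType": "10",
    },
]


def tsclient_paths(text: str) -> List[str]:
    """Every \\tsclient\\... path mentioned in a string (image path or command line)."""
    return TSCLIENT_RE.findall(text)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Label one process-creation record, or None if it shows no redirected-drive use."""
    if TSCLIENT_RE.match(event.get("Image", "")):
        return "binary executed directly from RDP-redirected drive"
    if tsclient_paths(event.get("CommandLine", "")):
        return "command line references RDP-redirected drive"
    return None


def find_tsclient_launches(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per suspicious event, with the paths that triggered it."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        paths = tsclient_paths(ev.get("Image", "")) + tsclient_paths(ev.get("CommandLine", ""))
        findings.append({
            "user": ev.get("User", "?"),
            "image": ev.get("Image", "?"),
            "rdp_session": ev.get("LogonType") == "10",  # corroborating context, not a trigger
            "paths": sorted(set(paths)),
            "finding": label,
        })
    return findings


if __name__ == "__main__":
    for f in find_tsclient_launches(SAMPLE_EVENTS):
        print(f"[{f['finding']}] user={f['user']} rdp={f['rdp_session']} paths={f['paths']}")
```

Run against the five constructed events, the detector flags the script launch, the direct execution and the staging copy, and leaves the two benign records alone. In a real deployment the same two indicators (image path under \\tsclient\ and a \\tsclient\ reference in the command line) can be expressed as a SIEM rule over Sysmon Event ID 1 or Windows Security Event 4688, with the RemoteInteractive logon type used to prioritise rather than to trigger.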
Data leak sites are increasing as a cybercrime trend
Since the operators of the Maze ransomware began publicly leaking stolen files as a means of punishing victims who do not pay a ransom demand, other operations were quick to follow suit and created their own data leak sites. Avaddon ransomware is the latest cybercrime operation to launch one.
- These sites are designed to scare victims into paying a ransom under the threat that their files will be leaked to the public.
- If publicly released, data stolen as part of a ransomware attack could expose sensitive and confidential financial information, personal information of employees, and client data.
- At this time, there is only one entry on the Avaddon site, where the operators leaked 3.5MB of documents stolen from a construction company.
- According to BleepingComputer.com, the use of data leak sites is a tactic that is not going away, and corporate victims should treat ransomware attacks as a data breach. The attackers are hoping that the extra costs associated with reporting and mitigating a data breach and the potential reputational harm may push more victims into paying the ransom.
City of Lafayette, CO pays $45,000 ransom to decrypt files
On July 27th, the City of Lafayette, Colorado suffered a ransomware attack that impacted its phone services, email, and online payment and reservation systems. Lafayette paid $45,000 after the city's devices were encrypted and it was unable to restore the necessary files from backup.
- While financial data was recoverable from backups, after weighing the costs, the City decided to pay a $45,000 ransom to an unknown ransomware operation to receive a decryption tool to recover other encrypted files.
- The city does not believe any data was stolen and that credit card info was not stored on their servers, but to be safe, advised residents and employees to monitor their accounts for suspicious activity.
- While it is unknown which ransomware operation attacked the city, it was fortunate to receive such a low ransom demand; demands for a decryption key usually run to hundreds of thousands or millions of dollars.
Hacked data broker accounts fuel phony COVID loans and unemployment claims
A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S. consumer data broker.
- A group of scammers was sharing highly detailed personal and financial records on victims via a free web-based email service that allows anyone who knows an account’s username to view all email sent to that account without the need of a password.
- The group appears to consist of several hundred individuals who collectively have stolen tens of millions of dollars from U.S. state and federal treasuries via phony loan applications with the U.S. Small Business Administration (SBA) and through fraudulent unemployment insurance claims made against several states.
- Many consumer records they shared carried a notation indicating they were cut and pasted from the output of queries made at Interactive Data LLC, a Florida-based data analytics company.
- Interactive Data, also known as IDIdata.com, markets access to a “massive data repository” on U.S. consumers to a range of clients, including law enforcement officials, debt recovery professionals, and anti-fraud and compliance personnel at a variety of organizations.
RansomEXX ransomware infiltrates multinational tech giant
Business technology giant Konica Minolta was hit with a ransomware attack at the end of July that impacted services for almost a week.
- On July 30th, 2020, customers began reporting that Konica Minolta's product supply and support site was not accessible and was displaying an outage message.
- The site remained down for almost a week, and customers stated that they could not get a straight answer as to what was causing the outage.
- Like other enterprise-targeting ransomware operations, RansomEXX is human-operated: threat actors compromise a network and, over time, spread to other devices until they obtain administrator credentials.
- Once they gain admin rights and access to the Windows domain controller, the attackers deploy the ransomware on the network and encrypt all of its devices.
- The ransomware operation does not appear to steal data before encrypting devices, but it’s possible the RansomEXX operators may adopt this tactic as the operation grows.
Amazon Alexa vulnerabilities could expose user data
Security researchers at Check Point have identified a series of vulnerabilities that potentially opened the gate for a variety of attacks targeting Alexa, Amazon's virtual assistant.
- The attacks involved a Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting (XSS) bugs identified on Amazon and Alexa subdomains, which eventually allowed the researchers to perform various actions on behalf of legitimate users.
- Successful exploitation of these vulnerabilities could allow an attacker not only to retrieve an Alexa user's personal information and voice history, but also to install applications ("skills") on the user's behalf, list installed skills, or remove them.
- To carry out an attack, a hacker would need to create a malicious link that directs the user to amazon.com, send it to the victim, and trick them into clicking it. The attacker would need code-injection capability on the destination page.
- The security researchers note that while Amazon does not record banking login credentials, an attacker can access users’ interaction with the banking skill and grab their data history. Usernames and phone numbers can also be retrieved, based on the installed skills.
- Amazon was alerted on the discovered vulnerabilities and has already addressed them. The company has security mechanisms in place to prevent malicious skills from being published to its store.
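The chain described above rests on two ingredients: a CORS policy that let one origin read another's authenticated responses, and an XSS bug on a subdomain that gave the attacker code running in a trusted origin. The following is an added example written for this digest, not code from Check Point's research or from Amazon. It places three server-side policies for the Access-Control-Allow-Origin header side by side with a model of the check the browser applies, so the effect of a misconfiguration can be tried offline. The hostnames (example.com and its subdomains, attacker.net) and the allowlist are illustrative assumptions.

```python
"""
Added example (not from the original digest, Check Point or Amazon): weak CORS
policies beside a hardened one, judged by a model of the browser's credentialed
cross-origin read check. All hostnames are assumed for illustration.
"""
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Assumed allowlist of origins that may call the authenticated API with cookies.
TRUSTED_ORIGINS = {"https://www.example.com", "https://skills.example.com"}

Policy = Callable[[Optional[str]], Dict[str, str]]


def policy_reflect(origin: Optional[str]) -> Dict[str, str]:
    """Misconfiguration 1: echo whatever Origin arrives and allow credentials."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def policy_substring(origin: Optional[str]) -> Dict[str, str]:
    """Misconfiguration 2: a substring test meant to admit 'any of our subdomains'.
    It also admits example.com.attacker.net and any subdomain an attacker controls."""
    if origin and "example.com" in origin:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def policy_allowlist(origin: Optional[str]) -> Dict[str, str]:
    """Hardened: exact match of scheme://host[:port] against a fixed allowlist."""
    if not origin:
        return {}
    parts = urlsplit(origin)
    # An Origin header is scheme://host[:port] only; anything else is malformed.
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return {}
    normalised = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalised not in TRUSTED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalised,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # stop caches serving one origin's answer to another


def browser_permits_read(resp: Dict[str, str], page_origin: str) -> bool:
    """Browser-side rule for a credentialed (cookie-bearing) cross-origin fetch:
    ACAO must equal the page's origin exactly ('*' is refused with credentials)
    and Access-Control-Allow-Credentials must be 'true'."""
    return (resp.get("Access-Control-Allow-Origin") == page_origin
            and resp.get("Access-Control-Allow-Credentials") == "true")


def attacker_can_read(policy: Policy, attacker_origin: str) -> bool:
    """Could a page served from attacker_origin read an authenticated response?"""
    return browser_permits_read(policy(attacker_origin), attacker_origin)


if __name__ == "__main__":
    probes = ["https://attacker.net", "https://example.com.attacker.net",
              "https://evil.example.com", "https://www.example.com"]
    for name, policy in [("reflect", policy_reflect),
                         ("substring", policy_substring),
                         ("allowlist", policy_allowlist)]:
        for origin in probes:
            print(f"{name:9} {origin:34} readable={attacker_can_read(policy, origin)}")
```

The table the script prints makes the page's point concrete: under the reflecting and substring policies an attacker-controlled origin reads the authenticated response, while the allowlist only admits the two fixed origins. It also shows the limit of a correct allowlist, which is exactly what the XSS side of this finding exploits: any script running on a trusted origin (here, a subdomain with an injection bug) inherits that origin's standing, so the allowlist is only as strong as the least secure page on it.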