RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language.

Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission. As of the time of writing, the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform.

RansomExx is operated by the DefrayX threat actor group (Hive0091), which is also known for the PyXie malware, Vatet loader, and Defray ransomware strains. The newly discovered ransomware version is named RansomExx2 according to strings found within the ransomware and is designed to run on the Linux operating system. The group has historically released both Linux and Windows versions of their ransomware, so it is likely that a Windows version is also in the works.

RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++ predecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files using AES-256, with RSA used to protect the encryption keys.

The Rust programming language has been steadily increasing in popularity among malware developers over the course of the past year, thanks to its cross-platform support and low AV detection rates. Like the Go programming language, which has experienced a similar surge in usage by threat actors over the past few years, Rust’s compilation process also results in more complex binaries that can be more time-consuming to analyse for reverse engineers.

Several ransomware developers have released Rust versions of their malware including BlackCat, Hive, and Zeon, with RansomExx2 being the most recent addition. X-Force has also analysed an ITG23 crypter written in Rust, along with the CargoBay family of backdoors and downloaders.

Analysis

The newly identified RansomExx2 sample has MD5 hash 377C6292E0852AFEB4BD22CA78000685 and is a Linux executable written in the Rust programming language.

Notable source code path strings within the binary indicate that the ransomware is a variant of RansomExx and likely named RansomExx2.

/mnt/z/coding/aproject/ransomexx2/ransomexx/src/parallel_iter.rs

ransomexx/src/ciphers/aes256_impl.rs

ransomexx/src/footer.rs

ransomexx/src/logic.rs

ransomexx/src/ransom_data.rs

The website operated by the ransomware group has also been updated with the page title now listed as ‘ransomexx2’.

Figure 1 — A screenshot of the ransomware group’s website showing the page title configured as ‘ransomexx2’

Overall, the functionality of this ransomware variant is very similar to previous RansomExx Linux variants.

The ransomware expects to receive a list of directory paths to encrypt as input. If no arguments are passed to it, then it does not encrypt anything. The following command line format is required by the ransomware in order to execute correctly.

<ransomexx2_sample> --do <target_path_to_encrypt> [<additional_paths_to_encrypt> (optional)]

Upon execution, the ransomware iterates through the specified directories, enumerating and encrypting files. All files greater than or equal to 40 bytes are encrypted, with the exception of the ransom notes and any previously encrypted files.

Each encrypted file is given a new file extension. RansomExx file extensions are commonly based on a variation of the target company’s name, sometimes followed by numbers such as ‘911’ or by random characters.

A ransom note is dropped in each directory where file encryption occurs. The ransom note is named:

!_WHY_FILES_ARE_ENCRYPTED_!.txt

The contents of this note are as follows:

Hello!

First of all it is just a business and the only thing we are interested in is money.

All your data was encrypted.

Please don’t try to modify or rename any of encrypted files, because it can result in serious data loss and decryption failure.

Here is your personal link with full information regarding this accident (use Tor browser):

http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/<victim_id>/

Files are encrypted using AES-256 and a randomly generated key. The AES key is itself encrypted using RSA and a hardcoded public key, and appended to the end of the encrypted file. As a result of this encryption method, the corresponding RSA private key, held by the attacker, would be required to decrypt the files.

The analysed sample embeds a hardcoded RSA public key in PEM format.


Elements such as the RSA key, the file extension, and the ransom note name and contents are stored encrypted within the binary and are decrypted at runtime by XORing the encrypted data with a key of equal size.
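A static triage helper for a suspected RansomExx2 Linux sample, written as an added example rather than code from the X-Force report: it searches a file for the plaintext Rust source-path strings listed above, checks dropped-file names against the ransom note name, and applies the equal-sized-key XOR step to a blob and key an analyst has already extracted. The sample bytes, key and verdict thresholds are constructed for this example; because the note name, extension and RSA key are XOR-encrypted in the binary, a byte search for them will not work and is deliberately not attempted.

```python
"""Static triage helpers for a suspected RansomExx2 Linux sample (added example)."""
from __future__ import annotations

ELF_MAGIC = b"\x7fELF"

# Ransom note filename quoted in the report.
RANSOM_NOTE_NAME = "!_WHY_FILES_ARE_ENCRYPTED_!.txt"

# Plaintext Rust source-path strings quoted in the report. The compiler
# embeds these for panic locations, so they survive the XOR string encryption
# that hides the note text, extension and RSA key.
RANSOMEXX2_PATH_STRINGS = [
    b"ransomexx2/ransomexx/src/parallel_iter.rs",
    b"ransomexx/src/ciphers/aes256_impl.rs",
    b"ransomexx/src/footer.rs",
    b"ransomexx/src/logic.rs",
    b"ransomexx/src/ransom_data.rs",
]


def triage_binary(data: bytes) -> dict:
    """Report which RansomExx2 path strings a file contains and a simple verdict.

    The two-hit threshold for "likely" is a constructed choice for this example,
    not a figure from the report.
    """
    is_elf = data.startswith(ELF_MAGIC)
    hits = [s.decode() for s in RANSOMEXX2_PATH_STRINGS if s in data]
    if is_elf and len(hits) >= 2:
        verdict = "likely RansomExx2"
    elif hits:
        verdict = "suspicious: RansomExx2 path strings present"
    else:
        verdict = "no RansomExx2 path strings"
    return {"is_elf": is_elf, "path_hits": hits, "verdict": verdict}


def find_ransom_notes(paths: list[str]) -> list[str]:
    """Return the paths whose basename is the RansomExx2 ransom note name."""
    return [p for p in paths if p.rsplit("/", 1)[-1] == RANSOM_NOTE_NAME]


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Decrypt an extracted blob with its equal-sized XOR key (XOR is symmetric)."""
    if len(blob) != len(key):
        raise ValueError("RansomExx2 uses a key the same size as the encrypted data")
    return bytes(b ^ k for b, k in zip(blob, key))


# Constructed sample inputs: not a real binary, not a real key.
SAMPLE_BINARY = (
    ELF_MAGIC + b"\x00" * 32
    + b"ransomexx/src/logic.rs\x00"
    + b"ransomexx/src/footer.rs\x00"
)
SAMPLE_KEY = bytes(range(7, 7 + len(RANSOM_NOTE_NAME)))
SAMPLE_BLOB = xor_decrypt(RANSOM_NOTE_NAME.encode(), SAMPLE_KEY)

if __name__ == "__main__":
    print(triage_binary(SAMPLE_BINARY))
    print(find_ransom_notes(["/srv/data/" + RANSOM_NOTE_NAME, "/srv/data/a.doc"]))
    print(xor_decrypt(SAMPLE_BLOB, SAMPLE_KEY).decode())
```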

Conclusion

X-Force assesses it is highly likely that more threat actors will experiment with Rust going forward. RansomExx is yet another major ransomware family to switch to Rust in 2022 (following similar efforts with Hive and Blackcat). While these latest changes by RansomExx may not represent a significant upgrade in functionality, the switch to Rust suggests a continued focus on the development and innovation of the ransomware by the group, and continued attempts to evade detection.

KmsdBot, a new evasive bot for cryptomining activity and DDoS attacks

Researchers spotted a new evasive malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak credentials.

Akamai Security Research discovered a new evasive Golang-based malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak login credentials.

The malware was employed in cryptocurrency mining campaigns and to launch distributed denial-of-service (DDoS) attacks. KmsdBot supports multiple architectures, including Win x86, Arm64, mips64 and x86_64, and does not establish persistence, which helps it avoid detection.

The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.

“we found an interesting log entry: A cryptominer with distributed denial-of-service (DDoS) functionality tailored to the gaming industry. It’s not often we see these types of botnets actively attacking and spreading, especially ones written in Golang.” reads the post published by Akamai. “The targets range from gaming companies to luxury car brands to security companies — this malware is almost erratic with regard to its targets.”

The analysis of the ksmdx sample reveals functions to perform scanning operations, software updates and crypto mining activities.

Once a system has been infected, the ksmdx binary notifies the C2 by sending it an HTTP POST request containing the notification ‘Bruh Started:’.

The bot downloads a list of login credentials to use when it scans for open SSH ports.

When analyzing the cryptomining activity, the experts noticed that operators used crypto wallets allegedly chosen randomly to contribute to various mining pools.

Although the bot has its own routine for launching cryptomining activity, that routine actually executes a renamed xmrig binary.

“This botnet is a great example of the complexity of security and how much it evolves. What seems to have started as a bot for a game app has pivoted into attacking large luxury brands. What’s new is how it infects — via an SSH connection that uses weak login credentials.” concludes the report. “The good news is that the same techniques we recommend to keep most organizations’ systems and networks secure still apply here.

  • Don’t use weak or default credentials for servers or deployed applications.
  • Ensure you’re keeping those deployed applications up-to-date with the latest security patches, and check in on them from time to time.
  • Use public key authentication for your SSH connections. This is the best way to prevent this type of system compromise.”
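KmsdBot’s infection vector is SSH password guessing against weak credentials, and the report’s main mitigation is public-key authentication. The following is an added example, not code from Akamai’s report, showing how a defender can spot that pattern in OpenSSH auth logs (many failed password attempts from one source followed by an accepted password) and verify that sshd_config disables password logins; the log lines and IP addresses are constructed, and the config check ignores Match blocks.

```python
"""Detect SSH password guessing and password logins in sshd auth logs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Matches OpenSSH's "Accepted"/"Failed" outcome lines for password and publickey auth.
SSHD_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class SourceStats:
    failed_passwords: int = 0
    users_tried: set = field(default_factory=set)
    accepted_password_users: list = field(default_factory=list)
    accepted_publickey: int = 0


def analyse_auth_log(lines, threshold: int = 5) -> dict:
    """Return {source_ip: finding} for sources that guessed passwords or logged in with one.

    The threshold of five failures is a constructed default for this example.
    """
    stats = defaultdict(SourceStats)
    for line in lines:
        m = SSHD_AUTH_RE.search(line)
        if not m:
            continue  # not an authentication outcome line
        s = stats[m["src"]]
        if m["result"] == "Failed" and m["method"] == "password":
            s.failed_passwords += 1
            s.users_tried.add(m["user"])
        elif m["result"] == "Accepted" and m["method"] == "password":
            s.accepted_password_users.append(m["user"])
        elif m["result"] == "Accepted":
            s.accepted_publickey += 1

    findings = {}
    for src, s in stats.items():
        if s.failed_passwords >= threshold and s.accepted_password_users:
            findings[src] = "password guessing followed by successful password login"
        elif s.failed_passwords >= threshold:
            findings[src] = "password guessing"
        elif s.accepted_password_users:
            findings[src] = "password login accepted (public-key auth not enforced)"
    return findings


def sshd_config_allows_passwords(config_text: str) -> bool:
    """True unless PasswordAuthentication is explicitly 'no' (OpenSSH's default is yes).

    Like sshd, only the first occurrence counts; Match blocks are not modelled.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() != "no"
    return True


# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Nov 14 03:12:01 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Nov 14 03:12:02 srv1 sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2
Nov 14 03:12:03 srv1 sshd[2213]: Failed password for root from 203.0.113.7 port 51126 ssh2
Nov 14 03:12:04 srv1 sshd[2214]: Failed password for root from 203.0.113.7 port 51127 ssh2
Nov 14 03:12:05 srv1 sshd[2215]: Failed password for invalid user ubuntu from 203.0.113.7 port 51128 ssh2
Nov 14 03:12:09 srv1 sshd[2230]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Nov 14 03:12:40 srv1 sshd[2235]: Failed password for invalid user pi from 203.0.113.9 port 60001 ssh2
Nov 14 03:13:00 srv1 sshd[2240]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2: ED25519 SHA256:constructed
""".splitlines()

if __name__ == "__main__":
    for src, finding in analyse_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {finding}")
    print("passwords allowed:", sshd_config_allows_passwords("PasswordAuthentication no\n"))
```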

Medical doctor charged with creating the Thanos ransomware builder

Venezuelan cardiologist allegedly tied to cybercrime scams through multiple OpSec mistakes

A cardiologist turned alleged malware developer has been charged with creating the Thanos ransomware builder.

Moises Luis Zagala Gonzalez, 55, a citizen of France and Venezuela who resides in Ciudad Bolivar, Venezuela, engaged in attempted computer intrusions and conspiracy to commit computer intrusions, according to a US criminal complaint that was unsealed on Monday (May 16).

Zagala is alleged to have both sold and leased ransomware packages he developed to cybercriminals.

He is also accused of training would-be attackers on how to use his wares to extort victims, and of subsequently boasting about successful attacks, according to US prosecutors.

RaaS platform

The self-taught part-time programmer allegedly designed several ransomware tools: malicious packages designed to encrypt files on compromised systems before demanding extortionate payments in exchange for a decryption key.

Zagala developed a ransomware tool called ‘Jigsaw v.2’ before designing a more sophisticated private ransomware builder called Thanos, a reference to either the Marvel supervillain or the figure ‘Thanatos’ from Greek mythology, according to the DoJ.

The Thanos platform could be used to develop ransomware campaigns with custom ransom notes, features designed to frustrate security researchers and a “data stealer” facility that could be used to extract files from compromised systems.

Zagala allegedly profited from the ransomware-as-a-service (RaaS) operation by licensing his software to other cybercriminals, receiving payment in either cryptocurrency or fiat currencies.

The ransomware products and services allegedly offered by Zagala were advertised and marketed through online forums frequented by cybercriminals.

OpSec mistakes

A number of OpSec mistakes allowed investigators to identify Zagala as a suspect, the DoJ said.

In September 2020, an undercover FBI agent allegedly purchased a license for Thanos from Zagala and downloaded the software. In addition, an FBI informant spoke with Zagala about the possibility of establishing an affiliate program using Thanos, according to the DoJ filing.

In addition, Zagala is said to have publicly boasted about an Iranian state-sponsored hacking group’s use of Thanos to attack Israeli companies.

The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina, to check on licences. This system was apparently linked back to Zagala.

Moreover, a Florida-based relative of Zagala was interviewed by law enforcement on May 3, 2022, and admitted that their PayPal account was used by Zagala to receive illicit funds.

According to the DoJ, the relative used an email address to contact Zagala that matched the registered email for malicious infrastructure associated with the Thanos malware.

Prosecutors do not state how much Zagala made from his alleged malfeasance, but if convicted the suspect faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions.

New TSX Speculative Attack allows stealing sensitive data from latest Intel CPUs

ZombieLoad 2, aka TSX Asynchronous Abort, is a new flaw affecting the latest Intel CPUs that could be exploited to launch a TSX speculative attack.

ZombieLoad 2, aka TSX Asynchronous Abort, is a new vulnerability, tracked as CVE-2019-11135, that affects the latest Intel CPUs and could be exploited to launch a TSX speculative attack.

The flaw affects the Transactional Synchronization Extensions (TSX) feature in Intel processors; it could be exploited by a local attacker or malicious code to steal sensitive data from the underlying operating system kernel.

The ZombieLoad 2 attack also targets the speculative execution implemented in modern CPUs to improve performance.

In recent months, security researchers have devised several speculative-execution side-channel attacks, including RIDL (Rogue In-Flight Data Load), Fallout, Microarchitectural Data Sampling (MDS), and ZombieLoad.

Unlike the Meltdown, Spectre, and Foreshadow attacks, MDS attacks target the CPU’s microarchitectural data structures.

Researchers have now devised a new version of the ZombieLoad attack; it also impacts processors in the Intel Cascade Lake CPU family, which are not affected by the earlier attacks.

The ZombieLoad 2 attack only affects CPUs that support the Intel TSX instruction-set extension, a condition that holds for all Intel CPUs manufactured since 2013.

The TSX feature improves performance by providing hardware transactional memory; operations on this memory are designed not to impact the overall performance of the system.

“The TSX Asynchronous Abort (TAA) vulnerability is similar to Microarchitectural Data Sampling (MDS) and affects the same buffers (store buffer, fill buffer, load port writeback data bus).” reads the security advisory published by Intel.

“Intel TSX supports atomic memory transactions that are either committed or aborted. When an Intel TSX memory transaction is aborted, either synchronously or asynchronously, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.”

Experts discovered that aborting memory transactions may allow a process to read data belonging to other running processes, including operating system kernel data. An attacker could exploit the flaw to steal sensitive data, including passwords and encryption keys.

Facebook Implemented Whitehat Settings for Bug Hunters to Analyze Network Traffic

Facebook has implemented a new Whitehat Settings option to help bug hunters analyze network traffic from the Facebook, Messenger and Instagram Android applications.

You can enable the option from your own account for bug bounty purposes, in order to find server-side security vulnerabilities.

According to the Facebook blog post, the new Whitehat Settings let security researchers bypass Facebook’s certificate pinning security mechanism.

Certificate pinning is a security measure that protects HTTPS connections against man-in-the-middle attacks. Pinning a trusted, known certificate, along with its fingerprint or serial number, in a trust store so that only that certificate is accepted is what is called certificate pinning.

You can enable the Whitehat Settings option from within the Facebook app; the option is available only in the Android client, not in the iOS clients.

Whitehat Settings within the Facebook for Android app

Recently, Facebook increased the payouts for security researchers to encourage them to find high-impact vulnerabilities. For account takeover, Facebook offers a reward of up to $40,000.

Facebook recently announced that it had stored hundreds of millions of users’ passwords in plain text, in a human-readable format, rather than masking them.

CVE-2019-0797 Windows Zero-Day exploited by FruityArmor and SandCat APT Groups

One of the zero-day flaws (CVE-2019-0797) patched this week by Microsoft has been exploited in targeted attacks by several threat groups, including the FruityArmor and SandCat APT groups.

This week, Microsoft released the Patch Tuesday security updates for March 2019, which address 64 flaws, including two Windows zero-day vulnerabilities exploited in targeted attacks.

One of the flaws, tracked as CVE-2019-0808, was disclosed by Google’s Threat Analysis Group after it observed targeted attacks exploiting the issue alongside a recently addressed Chrome flaw (CVE-2019-5786).

The second zero-day, tracked as CVE-2019-0797, was reported to Microsoft by experts at Kaspersky Lab, which states the issue has been exploited by several threat actors, including FruityArmor and SandCat APT groups.

FruityArmor is a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations in Thailand, Iran, Algeria, Yemen, Saudi Arabia, and Sweden. Experts believe FruityArmor’s activity has been slowly increasing during the last two years, the group

In October 2018, FruityArmor exploited another Windows zero-day in targeted attacks aimed at entities in the Middle East.

The SandCat APT was discovered by Kaspersky Lab at the end of 2018 when the group used a flaw (CVE-2018-8611) addressed with security updates released by Microsoft in December.

CVE-2018-8611 is a race condition that resides in the Kernel Transaction Manager and, most interestingly, it could be used to escape the sandbox of the Chrome and Edge web browsers.

The vulnerability was reported to Microsoft by Kaspersky Lab, which in two months had reported two other Windows zero-days, CVE-2018-8453 and CVE-2018-8589, exploited respectively by FruityArmor and by multiple threat actors in attacks mostly aimed at the Middle East.

SandCat was also using the FinFisher/FinSpy spyware and the CHAINSHOT malware.

“we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently.” reads the analysis published by Kaspersky Lab.

“In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.”

CVE-2019-0797

At the time of writing, Kaspersky Lab does not have any information about the targets of the attacks involving the CVE-2019-0797.

CVE-2019-0797 is the fourth actively exploited zero-day vulnerability reported by Kaspersky Lab in recent months.

Hackers target financial firms hosting malicious payloads on Google Cloud Storage

Researchers at Menlo Labs uncovered a malicious email campaign targeting employees of banks and financial services companies abusing Google Cloud Storage.

The campaign targeted organizations in the US and the UK; the attackers abused Google Cloud Storage to deliver the payloads.

The spam messages contain links that point to archive files such as .zip or .gz, and the attackers attempt to trick victims into clicking on these malicious links. The threat actors hosted the malicious payloads on storage.googleapis.com, the domain associated with the Google Cloud Storage service. The payloads belong to the Houdini and QRat malware families.

With this attack scheme, threat actors are able to bypass security controls in place within targeted organizations.

“In all of these cases, the malicious payload was hosted on storage.googleapis.com, the domain of the Google Cloud Storage service that is used by countless companies. Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercially security products.” reads the analysis published by security researchers at Menlo.

“It’s an example of the increased use of ‘reputation-jacking’—hiding behind well-known, popular hosting services to help avoid detection.”

The attackers likely used malicious links rather than malicious attachments because combining email and the web makes the infection harder to block: many security solutions are able to detect malicious attachments but identify malicious URLs only if they are already included in a blacklist.

The attackers leveraged two types of payloads to compromise the victims: VBS scripts and JAR files. Experts analyzed several malicious VBS scripts that were highly obfuscated and were likely created with one of the builders available in the cybercrime underground.

The experts analyzed three scripts belonging to the Houdini malware family. The scripts were highly obfuscated, with three nested levels of obfuscated VBScript encoded using Base64. Researchers discovered that they used the same C2 domain (pm2bitcoin[.]com) and the same secondary C2 (fud[.]fudcrypt[.]com).

Researchers noticed that the same string, “<[ recoder : houdini (c) skype : houdini-fx ]>”, appears in the last level of obfuscated VBScript in each script, and that all of them download a JAR file.

One of the JAR files belongs to the Houdini/jRAT malware family, while the other JAR files belong to the QRat malware family.

“The Financial Services vertical continues to be a very attractive target for attackers, and Remote Access Trojans (RATs) play an important role in gaining control over a compromised machine within an enterprise. Novel ways of gaining endpoint access are always being developed, and will continue to evolve.” Menlo Labs concludes.

“Financial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks.”

The benefits and limitations of AI in cybersecurity

Today’s AI cannot replace humans in cybersecurity but shows promise for driving efficiency and addressing talent shortage, a new report by ProtectWise has shown.

Figure: Penetration of AI-enabled security products based on number of security alerts received on a typical day

Conducted by Osterman Research, the study explores usage trends and sentiments toward AI among more than 400 U.S. security analysts in organizations with 1000 or more employees.

Key takeaways

Nearly three quarters of respondents have already implemented at least one product that uses AI, but findings uncovered mixed results and a learning curve that needs to be addressed in order to use AI at higher levels of sophistication and effectiveness.

“A lot of hype and confusion exists around AI and its role in the cybersecurity industry,” said Gene Stevens, CTO, ProtectWise. “In its current state, AI is a tool for driving efficiencies and addressing staffing needs, but it is not going to replace human intelligence any time soon. AI is well positioned today to create machine-accelerated humans: an army of hunters and responders who use a wide array of expert systems to help unearth and prioritize critical threats. In the future, AI will only become more valuable as the industry develops products that improve ease of use and capitalize on AI’s efficiency differentiators.”

Top findings from the report include:

  • AI is already widely adopted – AI has already established a strong foothold, with 73 percent of respondents reporting they have implemented security products that incorporate at least some aspect of AI. Most organizations find AI’s ability to improve the efficiency of security staff members and make investigation of alerts faster as top priorities. Organizations with a higher proportion of AI-enabled security products are larger than those with less AI, and they have larger security teams.
  • Executives, not the people who manage security, are the biggest advocates for AI – Fifty-five percent of respondents suggested that the strongest advocates for AI-based security products in their organization are IT executives, while 38 percent identified non-IT executives as the biggest internal champion.
  • AI is yielding some real benefits – Overall, 60 percent of organizations perceive that AI makes investigations of alerts faster and the same proportion consider that AI improves the efficiency of their security staff. Moreover, nearly one-half of organizations view AI as beneficial for automating initial triage and for optimizing threat identification.
  • AI-powered security products are weighed down by mixed results post deployment – According to respondents: 46 percent agree that rules creation and implementation are burdensome; and 25 percent said that they do NOT plan to implement additional AI-enabled security solutions in the future.
  • There is still work to do. More than half of all respondents believe that: AI doesn’t stop zero-days and advanced threats (61 percent); it focuses more on malware than exploits (51 percent); it delivers inaccurate results (54 percent); it’s difficult to use (42 percent); and AI-based products are more expensive than traditional ones (71 percent). The most important differentiator for AI-enabled security products when compared to traditional security products is their ability to automatically block threats, while automatic remediation or isolation is viewed as the least important feature of AI-enabled products.

“All of these findings imply that AI is still in its early stages and we have yet to see its full potential,” said Michael Osterman, principal analyst of Osterman Research. “But AI-based products offer significant promise for improving the speed of processing alerts, and it might at least be a ‘silver-plated’ bullet in addressing the cybersecurity skills shortage.”

GDPR: EU Sees More Data Breach Reports, Privacy Complaints

Ireland, France, Germany and UK Report Increases Since Privacy Law Took Effect


Privacy watchdogs in Europe say they are continuing to see an increase in data breach reports as well as privacy complaints.


That should be no surprise, because the EU on May 25 began enforcing its General Data Protection Regulation. Among its provisions, GDPR requires organizations that suffer a breach that may have exposed Europeans’ personal information to notify relevant authorities.

The number of data breach reports filed since GDPR went into effect has hit about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K.

GDPR also gives Europeans the ability to file class-action lawsuits against breached organizations, and some law firms have already been exploring these types of actions.

And under article 77 of GDPR – "Right to complain to a supervisory authority" – Europeans can also file complaints with regulators about organizations’ data protection practices, as they were also able to do before enactment of the new regulation. Regulators say these complaints have also been increasing.

Numerous national data protection authorities say they have seen an increase in both complaints as well as breach reports. But as information security expert Brian Honan has told Information Security Media Group, the increase in data breach reports does not mean there has been a surge in data breaches.

"What we are seeing is an increase in the reporting of the breaches that are happening," according to Honan, who heads Dublin-based cybersecurity firm BH Consulting. "So there is not necessarily an increase in the number of breaches since May 25, but rather we now have better visibility on data breaches."

Here’s a sample of what European privacy watchdogs have been seeing.

Ireland: DPC

Ireland’s DPA, the Data Protection Commission, tells ISMG that as of Monday, it’s received 2,476 complaints and 3,495 breach reports, although they involve both pre-GDPR and post-GDPR cases. "We have received complaints and breach notifications that relate to issues that occurred both post and pre-GDPR, and the pre-GDPR [before May 25] cases are therefore dealt with under the old legislation," says Graham Doyle, the head of communications.

Complaints:

  • Total complaints received: 2,476
  • GDPR applies: 1,575
  • Old legislation applies: 901

Breach reports:

  • Total breach reports: 3,495
  • GDPR applies: 3,105
  • Old legislation applies: 390

In 2017, the DPC received an average of 230 data breach reports and 220 complaints per month. Since GDPR came into effect, however, it’s seen a monthly average of 500 breach reports and 354 complaints.

"As you can see, there has been a significant increase in the volumes of both breaches and complaints to the DPC since May 25," Doyle says.

Germany: BfDI

Germany’s DPA, the Federal Commissioner for Data Protection and Freedom of Information, or BfDI, tells ISMG that as of Oct. 31, it received:

  • Complaints: 1,914;
  • Data breach notifications: 4,667.

In some cases, breach reports and complaints may be filed with any of the DPAs in Germany’s 16 federal states. As of Sept. 5, BfDI says the total numbers seen across all federal and state DPAs included:

  • Complaints: 11,017;
  • Data breach notifications: 6,156.

France: CNIL

France’s DPA, the Commission nationale de l’information et des libertés, aka CNIL, tells ISMG that since GDPR enforcement began on May 25, through Nov. 23, it has received:

  • Data breach notifications: 1,000;
  • Data protection complaints: 6,000.

In the first two months following GDPR going into effect, CNIL received an average of 27 data protection complaints per day, but since then, the average has risen to 36 per day.

United Kingdom: ICO

Earlier this month, the U.K.’s DPA, the Information Commissioner’s Office, said that it’s now seeing about 41 data breach reports get filed per day.

U.K. Information Commissioner Elizabeth Denham told a privacy conference in Wellington, New Zealand, on Dec. 5 that the ICO has seen the total number of data security complaints increase from 9,000 in the six months before GDPR took effect to 19,000 in the six months after.

Since May 25, the ICO has also received more than 8,000 data breach reports, she said.

The ICO says the increase in complaints was expected because of the number of high-profile organizations that have been breached in recent months, including Currys, Marriott and Superdrug.

One-Stop Shop

While each of the 28 EU member nations has its own DPA, expect to hear much more from Ireland’s Data Protection Commission. That’s because it will be taking the lead on numerous high-profile privacy investigations, since many U.S. technology giants – including Facebook, Microsoft, Twitter, and soon Google – have chosen the country as the site of their European headquarters.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of a "one-stop shop" mechanism. This enables organizations that have a presence across different EU member nations to be subject to regulatory oversight by just one supervisory authority, rather than being subject to regulation by the supervisory authorities of each nation in which they have a business presence. The supervisory authority in the nation of the organization’s "main establishment" takes on the role of lead supervisory authority.

For any organization that doesn’t qualify for the one-stop-shop mechanism, but is the subject of a privacy complaint under GDPR, the data protection authority in whichever country where the complaint gets raised takes the lead if it determines that an investigation would be warranted.

First GDPR Fines Still to Come

Beyond bringing mandatory notifications for many types of breach to Europe, GDPR is also a big deal because of the potential penalties that regulators can impose on organizations that fail to take privacy seriously.

Organizations that violate GDPR face fines of up to 4 percent of their annual global revenue or €20 million ($22.7 million) – whichever is greater – as well as other potential sanctions, including losing their ability to process personal data.

Separately, organizations that fail to comply with GDPR's reporting requirements face fines of up to €10 million ($11.3 million) or 2 percent of annual global revenue, whichever is greater.

Many regulators have been clear that they don’t plan to use the threat of massive GDPR fines punitively. But at the same time, organizations that fail to take Europeans’ privacy rights seriously, or worse, engage in criminal behavior and attempt to cover it up, may find themselves at the receiving end of a serious European privacy enforcement smackdown.

So far, regulators have yet to bring GDPR fines to bear on an organization that was breached since May 25. In general, DPAs’ investigations into major breaches tend to take about a year. So it’s a safe bet that any major GDPR penalties won’t be seen until mid-2019, at the earliest.

Scam iOS apps promise fitness, steal money instead

Fitness-tracking apps use dodgy in-app payments to steal money from unaware iPhone and iPad users.

Multiple apps posing as fitness-tracking tools were caught misusing Apple's Touch ID feature to steal money from iOS users. The dodgy payment is triggered while victims are scanning their fingerprint, seemingly for fitness-tracking purposes, so the same scan that the app requests "for fitness" ends up authorizing an in-app purchase.

There are many apps that promise to help users on the way to a healthier lifestyle. The bogus apps were, until recently, available in the Apple App Store. The apps were called "Fitness Balance app" and "Calories Tracker app", and at first glance appeared to put users on the road to fitness – they could calculate BMI, track daily calorie intake, or remind users to drink more water. These services, however, came with an unexpectedly hefty price tag, according to Reddit users.

When a user launches either of the above-mentioned apps for the first time, the app requests a fingerprint scan to "view their personalized calorie tracker and diet recommendations" (Figure 1). Moments after the user complies and places their finger on the fingerprint scanner, the app displays a pop-up showing a dodgy payment of 99.99 or 119.99 USD, or 139.99 EUR (Figure 2).

This pop-up is visible for only about a second. However, if the user has a credit or debit card linked directly to their Apple account, the transaction is treated as verified and the money goes to the operator behind these scams.

Based on the user interface and functionality, both apps were most likely created by the same developer. Users have also posted videos of "Fitness Balance app" and "Calories Tracker app" on Reddit.

Figure 1 – Scam apps in Apple’s App Store require users to scan their fingers for fitness tracking (Image source: Reddit)

Figure 2 – Dodgy payment popping up in “Fitness Balance app” and “Calories Tracker app” (Image source: Reddit)

If users refuse to scan their finger in "Fitness Balance app", another pop-up is displayed, prompting them to tap a "Continue" button in order to use the app. If they comply, the app attempts to repeat the dodgy payment procedure.

Despite its malicious nature, "Fitness Balance app" received multiple 5-star ratings, had an average rating of 4.3 stars, and had at least 18 mostly positive user reviews. Posting fake reviews is a well-known technique scammers use to build up the reputation of their apps.

Victims reported both apps to Apple, which led to their removal from the App Store. Users also tried to contact the developer of "Fitness Balance app" directly, but received only a generic response promising to fix the reported "issues" in the upcoming version 1.1 (Figure 3).

Figure 3 – Users who directly contacted the developer received what seems to be an automatic reply

What can users do to avoid similar threats?

As Apple doesn't allow security products in its App Store, users have to rely on the security measures Apple itself implements.

On top of that, ESET advises users to always read reviews by other users. Because positive feedback is easily faked, negative reviews are more likely to reveal the true nature of an app.

iPhone X users can also enable an additional feature, "Double Click to Pay", which requires them to double-click the side button (Figure 4) to confirm a payment, so a single biometric scan is not enough to complete a purchase.

Figure 4 – The side button verification feature on the iPhone X

Those who have already fallen victim to this scam can try to claim a refund from Apple through the App Store.