Someone Snuck a Card Skimmer Into Costco to Nab Shopper Data


This week, security researchers from Google uncovered a so-called watering hole attack that indiscriminately targeted Apple devices in Hong Kong. Hackers compromised media and pro-democracy websites in the region to distribute malware to any visitors from an iPhone or Mac, placing a backdoor that let them steal data, download files, and more. Google didn’t attribute the campaign to any specific actor, but did note that “the activity and targeting is consistent with a government-backed actor.” The incident echoes the 2019 revelation that China had targeted thousands of iPhones in a similar manner—at the time, a wake-up call that iOS security isn’t as infallible as it’s perceived.

The Justice Department also announced its most significant ransomware enforcement actions yet, arresting one alleged hacker associated with the notorious REvil group and seizing $6.1 million of cryptocurrency from another. There’s still a long way to go to rein in the broader ransomware threat, but showing that law enforcement can actually extract a consequence is an important start. 

If you’ve noticed that TikTok is pushing you to connect more with friends and family—rather than limiting your feed to talented and engaging strangers—you’re not alone. The platform has taken some unprecedented steps in recent months to figure out who your friends are in real life, raising concerns about both privacy and whether TikTok’s changes will undermine what makes the social network so appealing in the first place.

Lastly, at this week’s RE:WIRED conference we spoke with Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, about the challenges she and the US government as a whole face from increasingly sophisticated adversaries. Having come up through the ranks via the NSA and the Pentagon, Easterly is used to offensive cyber operations. Her job now? Play some defense. Preferably, she says, with the help of the broader hacker community.

And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.

You may normally associate card-skimmer attacks—which impersonate credit card readers to steal your payment info—with ATMs and gas pumps, to the extent that you think of them at all. But recently someone placed a card-skimming device in a Costco warehouse, of all places. An employee discovered the interloping equipment during a “routine check,” according to a report from BleepingComputer. The company has informed people whose credit card info may have been stolen. It’s a good reminder to double-check where you stick your plastic—or stick with NFC payments.

Earlier this week, Robinhood disclosed a “security incident” in which a hacker used social engineering to access an email list of 5 million people, the full names of 2 million people, and the name, date of birth, and zip codes of 310 people. Motherboard went on to report that the attackers had in fact accessed internal tools that could have let them disable two-factor authentication for users, log them out of their accounts, and view their balance and trading information. Robinhood says that customer accounts weren’t tampered with, but that doesn’t help much with the fact that they apparently could have been quite easily.

Spyware manufacturer NSO Group has been no stranger to controversy lately, and was recently placed on the US Entity List because it allegedly “developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.” Now, researchers at the nonprofit Front Line Defenders say they’ve found the company’s Pegasus malware on the phones of six Palestinian activists. They couldn’t definitively tie the origin of the malware to a specific country or organization, but the incident is just the latest in a long line of surveillance malware being used where it expressly shouldn’t.

The Biggest Ransomware Bust Yet Might Actually Make an Impact


In early July, heading into the holiday weekend, a ransomware attack against the IT management firm Kaseya incapacitated hundreds of businesses, their data encrypted by the notorious REvil ransomware group. Now, US authorities have announced a development as unprecedented as the incident itself: The alleged perpetrator, a Ukrainian national, was arrested in October and is currently awaiting extradition from Poland.

Ransomware gangs have operated with relative impunity over the last few years, in part because so many of them are based in Russia and the Kremlin has steadfastly turned a blind eye. Monday’s Department of Justice announcement, though, shows that the hybrid approach law enforcement has landed on can work. The arrest and pending extradition of 22-year-old Yaroslav Vasinskyi shows that officials are capable of apprehending key players when they slip up. And another major announcement, the seizure of $6.1 million in alleged ransomware payments received by Russian national Yevgeniy Polyanin, shows that authorities can disrupt their targets even when they can’t take them into custody.

“Vasinskyi’s arrest demonstrates how quickly we will act alongside our international partners to identify, locate, and apprehend alleged cybercriminals no matter where they are located,” Attorney General Merrick Garland said at a press conference on Monday. “Ransomware attacks are fueled by criminal profits; that is why we are not just pursuing individuals responsible for those attacks. We are also committed to capturing their illicit profits and returning them whenever we can to the victims from whom they were extorted.”

The indictments against Vasinskyi and Polyanin don’t go into great detail. Vasinskyi allegedly became involved with REvil most recently in December 2019, when he responded to an advertisement on a Russian hacker forum seeking ransomware affiliates. The people who write ransomware code often make what are essentially franchise deals for their hacking tools in exchange for a cut of the proceeds—the McDonald’s model for cybercrime. Vasinskyi is accused of carrying out the attack on Kaseya, which in turn spread to a number of the company’s customers through software updates. Ultimately, the attack impacted as many as 1,500 businesses. 

Polyanin, who is 28 years old, is also accused of deploying REvil ransomware against multiple victims. The indictment alleges that he was responsible, at least in part, for a ransomware spree that targeted a large number of local Texas government agencies in August 2019. Polyanin, who lives in Russia, is still at large but is thought to have links to 3,000 ransomware attacks that have collectively attempted to extort at least $13 million from victims.

“This is great news all the way around,” says Allan Liska, an analyst for the security firm Recorded Future. “It reminds ransomware actors that they aren’t safe, even in Russia. ‘If we can’t arrest you, we’ll take your money.’ Even ransomware actors have to use services outside of Russia sometimes, and that’s where law enforcement has power.”

Combined with recently announced sanctions from the Treasury Department and a reward from the State Department for information about the notorious DarkSide ransomware actors, the Justice Department’s action on Monday reflects the Biden administration’s “whole of government” ransomware mantra.

1.8 TB of Police Helicopter Surveillance Footage Leaks Online


“It’s a crystal-clear example of why mass surveillance makes our society less safe, not more safe,” says Evan Greer, deputy director of the digital rights group Fight for the Future, of the data leak. “Both corporations and governments are terrible at safeguarding the sensitive data that they collect.”

Police drones have gotten a lot of attention lately, because they represent a new generation of aerial vehicles capable of particularly stealthy surveillance and new types of behavior, including flying indoors. In contrast, law enforcement agencies have used helicopters in aerial surveys and monitoring for decades. But the footage released by DDoSecrets illustrates how effective helicopter-mounted cameras can be at capturing extremely sharp and detailed video close to the ground. Helicopters can also carry heavier surveillance equipment than what can be affixed to basic quadcopters or other types of low-cost drones.

“People think of police helicopters as traffic copters, but they’re so much more than that,” DDoSecrets’ Best wrote. “They carry technology that lets police watch people who have no idea they’re being watched. It’s important for people to understand what police technology is already capable of and what it could be capable of soon. There can’t be informed discussions or decisions otherwise.”

Such broad use of helicopter surveillance augments privacy advocates’ concerns about drones. UAVs are much cheaper and easier to purchase and operate than helicopters and can still be outfitted with an extensive array of sensors.

“Camera and zoom tech is getting cheaper and lighter all the time,” says Matthew Feeney, director of the Cato Institute’s Project on Emerging Technologies. “We need to always think of aerial vehicles like drones as a platform for other surveillance tools including cameras, stingrays, thermal imaging, and facial recognition software.”

In the case of the leaked helicopter video, DDoSecrets’ Best notes that much of the footage is time-stamped from 2019 and that retention limits should be a crucial priority for police departments. Similar discussions have come up about the need for deletion policies when dealing with police body cam footage. It’s possible that some of the leaked helicopter footage was retained because it is still relevant to an active investigation, but many of the files capture hours in real time and focus on disparate, seemingly unconnected activity, places, and people.

Privacy advocates particularly emphasize the stakes of securing aerial police surveillance data given that such footage could be valuable in a number of ways for stalkers, attackers seeking materials for blackmail, domestic or foreign terrorist groups, or those conducting espionage operations.

Some of the leaked Dallas and Atlanta footage reflects the types of uses you might expect from police helicopters: crowd surveillance over stadium parking lots on game day, for example, or officers pulling a car over. But other scenes in the footage have a more aimless, roving quality.

“I haven’t heard specifically about helicopters being used in this way,” Fight for the Future’s Greer says. “It’s totally unsurprising, but it is alarming. At least in an urban setting, you think of police helicopters showing up when there’s something specific going on, but anecdotally you also hear about them being used for intimidation purposes, like flying really low over neighborhoods where residents are predominantly people of color.”

In Minneapolis, for example, residents have consistently reported intense police helicopter traffic overhead ever since the protests and riots in summer 2020 that followed George Floyd’s death. And though helicopters are a familiar technology, their use in law enforcement surveillance comes with long-standing privacy concerns. In 2004, a New York Police Department helicopter scoping out an unpermitted mass evening bicycle ride in Manhattan captured almost four minutes of night-vision-enabled footage of a couple having sex on a secluded penthouse terrace.

The SolarWinds Hackers Are Looking for Their Next Big Score


The endless cybercriminal cat-and-mouse game continued this week with a collaborative international law enforcement operation, Dark HunTor, that resulted in 150 arrests of alleged dark web vendors plus seizure of $31.6 million in cash and cryptocurrency and 230 kilograms of drugs. The action focused on sellers who had hawked their wares on the dark web marketplace DarkMarket, which German police shuttered in January. Meanwhile, ransomware gangs continued their rampage. The Russian group Grief, seemingly a front for the sanctioned ransomware gang Evil Corp, claimed to have hit the National Rifle Association this week. The apparent incident is the latest in a string of attacks in which victims have to consider the potential ramifications of violating sanctions if they want to pay their way out.

British digital identity company Yoti says its machine learning-based image analysis tool can predict the ages of people between 6 and 60. The tool could be used to enforce age minimums on platforms and keep kids safer online, but it raises questions about just how much digital surveillance is too much. Blind and vision-impaired individuals have once again won a DMCA exemption that allows them to break digital rights management protections on ebooks and create accessible versions. But the exemption is still temporary, and advocates will need to fight to win it again in three years. They say the measure should be permanent.

Google’s Pixel 6 and 6 Pro have some advanced security features, thanks to their Tensor processors, the first Pixel system-on-a-chip to be custom-built by Google. If you need some security tips for Windows instead, though, we’ve rounded up 11 of the most important settings to focus on. Plus, we’ve got updated recommendations if you’re looking for a trustworthy VPN.

The Russian SVR foreign intelligence service hacking group known as Nobelium and Cozy Bear has been targeting a new wave of international IT companies embedded in the global supply chain, according to a warning from Microsoft this week. As it infamously did with the network management services firm SolarWinds in 2020, the group looks to compromise key—but often relatively obscure—tech companies as an inconspicuous springboard to attack the target company’s own customers. This time, Tom Burt, Microsoft vice president of customer security and trust, says that Nobelium is going after managed cloud services providers and tech resellers. Burt says Nobelium has been prolific all summer. Between July 1 and October 19, the company informed 609 customers that they had been attacked 22,868 times by the group—roughly the same number of attacks Microsoft saw from Cozy Bear in the three previous years combined. Burt adds, though, that all of this recent targeting had a “success rate in the low single digits.”

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling—now or in the future—targets of interest to the Russian government,” Burt wrote. Spies gonna spy.

A hack on Tuesday targeting gas stations in Iran knocked out virtually every subsidized payment terminal at pumps for days, leading to long lines and upheaval. “There should be serious readiness in the field of cyberwar, and related bodies should not allow the enemy to follow their ominous aims,” said Iranian president Ebrahim Raisi. No one has claimed responsibility for the attack and Raisi did not attribute it, but he indicated that he believes anti-Iranian actors were behind the assault. During the attack, payment terminals reportedly read “cyberattack 64411,” a reference to a religious hotline run by Supreme Leader Ayatollah Ali Khamenei’s office. The number “64411” also showed up in a July attack on Iran’s national railroad.

Europol announced the arrest of 12 people on Friday with alleged links to ransomware attacks on corporations and critical infrastructure that apparently impacted more than 1,800 people in 71 countries. Law enforcement from eight countries collaborated on the action and seized more than $52,000 in cash, five luxury vehicles, and a slew of electronic devices. The attacks used an array of ransomware, including LockerGoga, MegaCortex, and Dharma.

A bug in the medical records app Docket exposed the data of New Jersey and Utah residents vaccinated against Covid-19. The two states specifically endorsed the app, which lets people download a digitally signed version of their paper vaccination card. Like other “vaccine passports,” Docket lets users access their immunization record as a visible card or a scannable QR code. The vulnerability let anyone access other users’ QR codes and corresponding personal data. This included names, dates of birth, and immunization information like date of vaccination and brand used. TechCrunch discovered the bug on Tuesday and notified the company that day. Docket said within hours that it had fixed the bug by making server-level changes. The company is in the process of reviewing its logs to see whether anyone visibly abused the flaw before its disclosure.

An Apparent Ransomware Hack Puts the NRA in a Bind


On Wednesday, the Russian ransomware group Grief posted a sample of data that it claimed was stolen from the National Rifle Association. Dealing with ransomware is a pain under any circumstances. But Grief presents even more complications, because the group is connected to the notorious Evil Corp gang, which has been subject to US Treasury sanctions since December 2019. Even if you decide to pay Grief off, you could face serious penalties. 

The US government has been increasingly aggressive about imposing sanctions on cybercriminal groups, and in recent months the White House has hinted that other ransomware actors may soon be blacklisted. And as these efforts ramp up, they’re shaping the approaches of ransomware actors and victims alike.

The NRA has not confirmed the attack nor the validity of the purported stolen documents, which researchers say include materials related to grant applications, letters of political endorsement, and apparent minutes from a recent NRA meeting. It appears, they add, that the NRA was hit with ransomware late last week or over the weekend, which lines up with reports that the organization’s email systems were down.

On Friday, Grief removed the NRA posting from its dark web site. Brett Callow, a threat analyst at antivirus company Emsisoft, cautions against reading too much into that development. Delistings can indicate that a payment took place, but can also simply mean that the group has entered negotiations with the victims, who in turn may be buying time to investigate the situation and formulate a response plan. Attackers will also occasionally abandon an extortion attempt if the incident is drawing too much attention from law enforcement.

More interesting, perhaps, is Grief itself, which most researchers agree is just one of many fronts for Evil Corp. Given the murky web of ransomware actors and their malware, some researchers believe that Grief is a spinoff group rather than Evil Corp itself. Analysts look at attackers’ methods and infrastructure, including indicators like encryption file format and distribution mechanisms, to uncover links. In the case of Grief, the group has technical similarities to other Evil Corp–linked entities like DoppelPaymer, and uses the Dridex botnet—historically Evil Corp’s signature product.

“Grief has been operating slowly and steadily for some time,” Callow says. “What we’ve seen is Evil Corp cycling through various brands in order to either trick companies into paying, not realizing that they’re dealing with a sanctioned entity, or perhaps to provide them with plausible deniability.”

Ransomware experts note that sanctions have not stopped Evil Corp from attacking targets and getting paid. But they do seem to have impacted the group’s operations, forcing the hackers to factor sanctions into how they present themselves and what they communicate to victims. 

“It’s interesting. We don’t often see ransomware actors pretending to be other groups, because you want to make sure you get paid,” says Allan Liska, an analyst for the security firm Recorded Future. “If you’ve been hit by Conti or LockBit, you know you’ve been hit by Conti or LockBit. So I think that indicates a change in behavior because of the sanctions. DoppelPaymer, Grief, and several other ransomware strains and groups are tied to Evil Corp.”