Why Phone Numbers Stink As Identity Proof

Credit to Author: BrianKrebs| Date: Sun, 17 Mar 2019 23:25:06 +0000

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

Read more

MyEquifax.com Bypasses Credit Freeze PIN

Credit to Author: BrianKrebs| Date: Fri, 08 Mar 2019 16:12:38 +0000

Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your, name, Social Security number and birthday.

Read more

Hackers Sell Access to Bait-and-Switch Empire

Credit to Author: BrianKrebs| Date: Mon, 04 Mar 2019 22:11:33 +0000

Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.

Read more

Crypto Mining Service Coinhive to Call it Quits

Credit to Author: BrianKrebs| Date: Wed, 27 Feb 2019 23:19:28 +0000

Roughly one year ago, KrebsOnSecurity published a lengthy investigation into the individuals behind Coinhive[.]com, a cryptocurrency mining service that has been heavily abused to force hacked Web sites to mine virtual currency. On Tuesday, Coinhive announced plans to pull the plug on the project early next month.

Read more

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

Credit to Author: BrianKrebs| Date: Mon, 18 Feb 2019 13:51:01 +0000

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy. This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.

Read more

Crooks Continue to Exploit GoDaddy Hole

Credit to Author: BrianKrebs| Date: Mon, 04 Feb 2019 19:12:25 +0000

Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

Read more

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

Credit to Author: BrianKrebs| Date: Wed, 23 Jan 2019 02:44:28 +0000

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned. Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

Read more

773M Password ‘Megabreach’ is Years Old

Credit to Author: BrianKrebs| Date: Thu, 17 Jan 2019 20:11:08 +0000

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

Read more

Secret Service: Theft Rings Turn to Fuze Cards

Credit to Author: BrianKrebs| Date: Thu, 10 Jan 2019 16:27:54 +0000

Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns.

Read more

Dirt-Cheap, Legit, Windows Software: Pick Two

Credit to Author: BrianKrebs| Date: Tue, 08 Jan 2019 15:00:33 +0000

Buying heavily discounted, popular software from second-hand sources online has always been something of an iffy security proposition. But purchasing steeply discounted licenses for cloud-based subscription products like recent versions of Microsoft Office can be an extremely risky transaction, mainly because you may not have full control over who has access to your data.

Read more

Apple Phone Phishing Scams Getting Better

Credit to Author: BrianKrebs| Date: Thu, 03 Jan 2019 19:21:40 +0000

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display’s Apple’s logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s “recent calls” list as a previous call from the legitimate Apple Support line.

Read more