According to the Daily Mail, an undercover investigation in India has uncovered that some call center workers have been selling confidential information on nearly 500,000 Britons.
Undercover reporters from The Sunday Times met with two individuals who claimed to be IT workers who offered to provide them with 45 different types of data gathered from the victims.
Information offered up included names, addresses, phone numbers and credit card details (including CCV/CVV codes and expiration dates).
The reporters allege they could purchase the records for as little as 2 pence apiece ($0.03 USD). One of the thieves bragged:
"These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number."
With British students about to start another year at university, the last thing they probably want to hear is that there is a problem with a student loan.
But that’s precisely the camouflage that online scammers are using to steal personal information today.
An email, claiming to come from Directgov UK, tells students that there is a problem with the online account for their student loan, and they need to update their account urgently.
Here’s a typical spammed-out message we’ve seen in our traps:
Student Loan Update.
Dear Student Finance Customer.
We at HM Government noticed your Student loan online log in details is incorrect and need to be updated.
DOWNLOAD THE ATTACHMENT TO UPDATE YOUR ACCOUNT NOW
Inline Verification. Directgov UK.
Student Loan Update.html
Clicking on the HTML attachment is not a good idea, however, as it will urge you to enter your details which are then sent via a website to the phishers.
Sophos products block the message as spam, and block the webpage to which the HTML form attempts to post the personal information.
Remember to always be suspicious of unsolicited attachments. Also, I would hope that a good student would have noticed the grammatical mistake in the phisher’s email.
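The attachment described above is a local HTML file whose form posts to a remote site. As an added example (not from the original article or from Sophos), this mail-filter style check flags such attachments; the field-name hints and the sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed substrings that suggest a field collects credentials or bank data.
SENSITIVE_HINTS = ("pass", "pin", "card", "account", "sort", "security")


class FormAudit(HTMLParser):
    """Collect every <form> with its action URL and its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            self._current["fields"].append((kind, name))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html):
    """Return the remote hosts an HTML attachment would send sensitive fields to."""
    parser = FormAudit()
    parser.feed(html)
    hits = []
    for form in parser.forms:
        host = urlparse(form["action"]).netloc  # empty for relative actions
        sensitive = any(kind == "password" or any(h in name for h in SENSITIVE_HINTS)
                        for kind, name in form["fields"])
        if host and sensitive:
            hits.append(host)
    return hits


# Constructed samples: a credential form posting off-box, and a harmless local form.
PHISH = ('<form method="post" action="http://collector.example/update.php">'
         '<input name="customer_ref"><input type="password" name="pw">'
         '<input name="card_number"><input type="submit"></form>')
BENIGN = '<form action="search.html"><input name="q"></form>'
```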
Anonymous, the loosely-knit hacktivist collective, is claiming to have got its hands on 8GB of “secret documents” from CNAIPIC, Italy’s cybercrime unit responsible for protecting the country’s critical IT infrastructure.
If it’s true that security at CNAIPIC has been breached by hackers, that would be a genuine concern as the group works with intelligence agencies around the world.
An Anonymous Twitter account announced the data breach, and links were posted up on Pastebin pointing to a selection of the stolen files, which included information related to various government departments around the world, including the US Department of Agriculture and Australia’s Ministry of Defence.
Documents about a number of private firms also appear to be included in the haul, which was claimed by The Legion of Anonymous Doom who are presumed to be a subgroup of Anonymous.
A message posted on the internet in poorly-written English claimed that there would be more information and files released in due course:
"This is a prerelease of a series we are going to make to reveal the biggest in history of European LE cyber operation Evidence exploitation and abuse. Thing's gonna get published and twittered all over anonymous and lulzsec community."
A screenshot of a list of all the files that had been compromised was posted on the internet, and included in a news report by The Hacker News. A small portion of it is reproduced below.
So, why is Anonymous apparently targeting the Italian cybercrime authorities?
Well, earlier this month, Italian police searched dozens of houses and charged suspects, in an investigation into the Italian branch of Anonymous – which is suspected of hitting government, business and media websites with denial-of-service attacks.
Inevitably there will be speculation that this is a counter-attack against the Italian authorities following the arrests.
A gang of hackers known as SwagSec announced at the tail end of last week that they had hacked into Lady Gaga’s UK website and made off with a database of names and email addresses of fans. To prove their point, they published the stolen data online.
The press reported that a source close to Lady Gaga said that she was:
"upset and hopes police get to the bottom of how this was allowed to happen"
If she was upset, she made no mention of the hack on her Twitter page, and posted no apology to her UK fans for the poor website security. She wasn’t, however, too upset to tweet about Emmy award nominations or to drop a line to Cher about doing a duet remix.
Although it’s right that the authorities should be informed regarding SwagSec’s illegal activities, there should surely be some recognition at Gaga HQ that perhaps the website was doing a lousy job at securing its fans’ information?
Lady Gaga’s record label, Universal, said it had confirmed that the hack had occurred and said that police had been informed:
"The hackers took a content database dump from http://www.ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken. We take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised."
The risk to users who had their details compromised, of course, is that they could have been the subject of targeted attacks. Imagine how many of them might have opened an attachment or clicked on a link if they received an email claiming to be about free tickets for a Lady Gaga concert, or a sneak preview of her new video.
But although Universal says that it has contacted everyone who was affected – can they be confident that they know the extent of SwagSec’s hack? After all, the hack is claimed to have occurred weeks ago, but was only made public by SwagSec at the end of last week.
Wouldn’t it be more open and transparent to have a message to fans of the Lady Gaga UK website, telling them all what occurred? I went looking and couldn’t find anything to warn the wider array of Lady Gaga fans.
You may remember that the SwagSec hacking group defaced Amy Winehouse’s website earlier this month as well.
One wonders what eccentric female troubadour they will target next.
The international investigation into the notorious LulzSec hacking gang continues, with news that FBI agents have searched a house in Hamilton, Ohio.
According to local media reports, federal agents are said to have searched a teenager’s home in Jackson Road, Hamilton, although no-one was charged after the search warrant was served.
Whether the FBI was acting upon information gleaned from Ryan Cleary, the British teenager who was charged last week in relation to a series of denial-of-service attacks, is unclear.
However, there is speculation that US law enforcement officers may have been acting in part based upon information released earlier by the LulzSec group, outing members believed to have leaked the group’s private online chat logs.
A June 21st posting by LulzSec on PasteBin claimed to reveal the true identities of members who called themselves “m_nerva” and “hann”. Apparent real names and addresses were given for both individuals by LulzSec who said:
"These goons begged us for mercy after they apologized to us all night for leaking some of our affiliates' logs. There is no mercy on The Lulz Boat."
In m_nerva’s case, his address was listed by LulzSec as being in Hamilton, Ohio.
A tweet published at the same time as the information was posted indicated that there was little love between LulzSec members and the member they believed had snitched on them.
Hackers, eh? You just can’t trust ‘em.
With rival hackers apparently turning on each other, and with law enforcement agencies around the world on their tail, it certainly feels as if those who sailed on the Lulz Boat may not be quite so merry as they once were.
The notorious LulzSec hacking group has published login passwords for almost 26,000 users of an x-rated porn website.
The hackers compromised the database of the hardcore website (called “Pron”), exposing not only the email addresses and passwords of over 25,000 members but also the credentials of 55 administrators of other adult websites.
Furthermore, LulzSec drew particular attention to various government and military email addresses (.mil and .gov) that appeared to have accounts with the porn website.
To add insult to injury, the LulzSec group called on its many recent Twitter followers to exploit the situation, by logging into Facebook with the email/password combinations and telling the victim’s Facebook friends and family about their porn habit.
It should go without saying that logging into someone else’s account without their permission is against the law in most countries around the world.
Fortunately, it’s reported that Facebook’s security team responded quickly to the threat – and reset the passwords for all of the accounts it had which matched the email addresses exposed. Of course, it’s still possible that those email address/password combinations are being used on other websites.
If anything should be a reminder to internet users of the importance of using different passwords for different websites, this should be it.
The danger is that once one password has been compromised, it’s only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain or, in this case, potential embarrassment.
If you believe there might be a chance that your username/password were exposed, or if you’re simply in the habit of using the same password for multiple websites – now is the time to change your habits.
By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.
The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say it appears that Sony has not learned anything from the previous 12 attacks.
SQL injection flaw? Check. Plain text passwords? Check. People’s personally identifiable information totally unprotected? Check.
Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: “I was Bored and I play the game of the year : ‘hacker vs Sony’.” He posted the link to pastebin with the simple note “Sony Hacked: pastebin.com/OMITTED lol.”
If you are a database administrator (especially a Sony one) and want to keep your sensitive data from ending up in the headlines, I recommend you actually test your web applications for SQL vulnerabilities.
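One way to run the kind of test recommended above, as an added example (not code from the original post or from any Sony system): a small check that tells a concatenated query from a parameterized one. The table, function names and probe strings are hypothetical, and the data is constructed.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return db


def lookup_concat(db, username):
    """Vulnerable pattern: user input is pasted into the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_param(db, username):
    """Hardened pattern: the driver binds the value, so it is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


# Neither probe is a real username, so a correct lookup returns no rows for both.
PROBES = ["nobody' OR '1'='1", "o'brien"]


def injectable(lookup):
    """True if any probe is interpreted as SQL instead of being treated as data."""
    db = make_db()
    for probe in PROBES:
        try:
            rows = lookup(db, probe)
        except sqlite3.Error:
            return True   # a syntax error means the input reached the SQL parser
        if rows:
            return True   # rows came back for a user that does not exist
    return False
```

Running `injectable` against every query helper in a code base turns the recommendation into a regression test that fails the build when a concatenated query slips in.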
In a self-titled hack attack called “F**k FBI Friday” the hacking group known as LulzSec has published details on users and associates of the non-profit organization known as Infragard.
Infragard describes itself as a non-profit focused on being an interface between the private sector and individuals with the FBI. LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.
Where did the plain text passwords come from? Considering LulzSec was able to crack them, it would imply that the hashes were not salted, or that the salt used was stored in an insecure manner.
One interesting point to note is that not all of the users’ passwords were cracked… Why? Because these users likely used passwords of reasonable complexity and length. This makes brute forcing far more difficult and LulzSec couldn’t be bothered to crack them.
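The two points above, shown as an added example (not from the original post): an unsalted fast hash falls to a single precomputed table, while a per-user salt with a slow KDF does not, and a long password outside the wordlist survives either way. The accounts and wordlist are constructed, and SHA-256 and PBKDF2 are assumptions, since the post does not say which hash Infragard used.

```python
import hashlib
import hmac
import os

# Constructed sample accounts and a tiny stand-in for a cracking dictionary.
USERS = {"alice": "password1", "bob": "password1", "carol": "T7#vq-Lantern-Orbit-92"}
WORDLIST = ["123456", "password1", "letmein"]


def unsalted(password):
    """Weak scheme: one fast hash, no salt (SHA-256 is an assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password, salt):
    """Stronger scheme: per-user random salt fed to a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def verify(password, salt, stored):
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(salted(password, salt), stored)


def recovered_by_table(dump):
    """Reverse an unsalted dump with ONE hash-to-word table built ahead of time."""
    table = {unsalted(word): word for word in WORDLIST}
    return {user: table[h] for user, h in dump.items() if h in table}


def audit():
    """Compare what the two storage schemes reveal for the same users."""
    weak = {u: unsalted(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}
    strong = {u: salted(p, salts[u]) for u, p in USERS.items()}
    return {
        "recovered": recovered_by_table(weak),
        # Same password, same unsalted hash: reuse is visible in the dump.
        "weak_duplicates": weak["alice"] == weak["bob"],
        # Different salts hide reuse and force separate work per account.
        "strong_duplicates": strong["alice"] == strong["bob"],
        "login_ok": verify("password1", salts["alice"], strong["alice"]),
    }
```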
In addition to stealing data from Infragard, LulzSec also defaced their website with a joke YouTube video and the text “LET IT FLOW YOU STUPID FBI BATTLESHIPS” in a window titled “NATO – National Agency of Tiny Origamis LOL”.
Aside from defacing their site and stealing their user database, they tested out the users and passwords against other services and discovered many of the members were reusing passwords on other sites – a violation of FBI/Infragard guidelines.
LulzSec singled out one of these users, Karim Hijazi, who used his Infragard password for both his personal and corporate Gmail accounts according to the hackers.
They’ve published a BitTorrent with what they claim are nearly 1000 of Hijazi’s corporate emails and an IRC chat transcript that purports to be a conversation they had with him.
They also disclosed a list of personal information including his home address, mobile phone and other details.
It’s hard to say when these attacks will end, but a great start would be to carefully analyze your security practices and ensure that your data is properly encrypted and to regularly scan your servers for vulnerabilities.
As for LulzSec? It appears they have declared war on one of the premier police forces in the world… Their fate remains a mystery.