Over the past few weeks, more than 130 million user records, allegedly collected from 14 company data breaches, have been put up for sale on numerous hacking forums. Bleeping Computer reported that the seller, a known data breach broker, claims all the stolen information comes from breaches that occurred in 2020. While the type of sensitive data varies within the records, all contain user names and hashed passwords. The seller informed Bleeping Computer that the databases range in cost from $100 to $1,100 each. Avast Security Evangelist Luis Corrons remarked, “Companies have to be especially cautious when managing users’ data, as regulations such as the GDPR can cost them millions if there is proof they did not take the necessary security measures to protect the information.”
As of yet, none of the 14 companies have confirmed that the breaches occurred. Four of the allegedly violated companies had suffered previous data breaches – HomeChef, Minted, Tokopedia, and Zoosk – but for the other ten, this would register as their first breach on record. Those companies are said to be DarkThrown, Efun, Fluke, Footters, JamesDelivery, KitchHike, KreditPlus, Playwings, Revelo, and Yotepresto. This eclectic mix of businesses includes game sites, food delivery services, sports streaming, fashion, and loans. “Data breaches won’t stop happening,” said Corrons, “which is why users should never reuse passwords and always use 2FA where available to keep their online accounts safe.”
Google removes 25 credential-stealing apps
Once it confirmed that the alert from a cybersecurity firm was valid, Google removed 25 apps from the Google Play Store that hid Facebook credential-stealing malware. The apps, consisting of step counters, image editors, video editors, wallpaper apps, flashlight apps, file managers, and mobile games, had collectively been downloaded 2.34 million times. ZDNet reported that the 25 apps were developed by the same threat actor, and that each contained malware that monitored when other apps on the device were opened. If the Facebook app was opened, the malware would place a phony overlay on the Facebook login page, sending off the credentials to its command and control center once the user entered them.
This week’s stat
The prison sentence a DDoS coder from Washington state received for “creating and operating multiple DDoS botnets made up of home routers and other networking and internet of things (IoT) devices.”
UCSF pays over $1 million in ransom
The Netwalker cybercriminal gang targeted the University of California at San Francisco with ransomware on June 1, demanding a $3 million ransom. A negotiator for the university communicated with the gang, imploring them to lower the amount in light of the university’s financial hardships as it has been stretching resources to accommodate COVID-19 research. According to the BBC, negotiations went back and forth for a couple of days until an agreement was reached for $1.1 million. The FBI and Europol strongly advise against paying ransomware demands, arguing it encourages further attacks, but UCSF felt it had no choice. “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” the school told the BBC in a statement.
DDoS attacks jump 540 percent in 2020
Security researchers reported that DDoS attacks are experiencing a tremendous surge in 2020, with the first quarter of the year seeing 540 percent more DDoS attacks than the fourth quarter of 2019. “DDoS” stands for “Distributed Denial of Service” and basically jams up a website’s function by overwhelming it with incoming web traffic. Attackers hijack other users’ systems and weaponize them into a botnet to carry out these attacks. The researchers’ report warns of a new DDoS trend called “invisible killer” attacks, which are concentrated attacks that fly under the radar due to being smaller and quicker than most DDoS incidents. “It’s imperative that internet service providers take the initiative to address any suspicious traffic – irrespective of size or quantity – to ensure customers don’t experience outages from DDoS attacks,” commented one of the researchers. More on this story at betanews.
This week’s quote
“Android devices are a prime target due to the number of people who own them, and the operating system is open-source code, which allows cybercriminals to discover exploits for their malware attacks.” James McQuiggan, security awareness advocate at KnowBe4, on the FakeSpy Android Malware being spread through postal service apps.
Fraud king pleads guilty to stealing hundreds of millions
The Infraud Organization, whose slogan was “In Fraud We Trust,” ran an illicit cybercriminal operation that sold malware, stolen identities, and poached financial data. It was dismantled in 2018, when the U.S. Justice Department indicted 36 of the organization’s affiliates and arrested 13 of them, including Sergey Medvedev, a 33-year-old Russian. This week, in a Nevada federal court, Medvedev pleaded guilty to racketeering and being a leader of Infraud. The DoJ holds Infraud responsible for $568 million in losses, claiming the organization endeavored to become the internet’s top spot for “carding,” which is buying things with stolen credit card data. You can read the full indictment of Medvedev at Cyberscoop.
This week’s ‘must-read’ on The Avast Blog
Wondering about the implications of the newest data breach? Read about the BlueLeaks data breach on The Avast Blog.
*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/130m-user-records-for-sale-from-major-data-breaches-avast