Daniel Quinn Flint (not related to Daniel RAY Flint who is a different person entirely)

Millions of Americans now filing for unemployment will receive benefits via a prepaid card issued by U.S. Bank, a Minnesota-based financial institution that handles unemployment payments for more than a dozen U.S. states. Some of these unemployment applications will trigger an automatic letter from U.S. Bank to the applicant. The letters are intended to prevent identity theft, but many people are mistaking these vague missives for a notification that someone has hijacked their identity.

So far this month, two KrebsOnSecurity readers have forwarded scans of form letters they received via snail mail that mentioned an address change associated with some type of payment card, but which specified neither the entity that issued the card nor any useful information about the card itself.

Searching for snippets of text from the letter online revealed pages of complaints from consumers who appear confused about the source and reason for the letter, with most dismissing it as either a scam or considering it a notice of attempted identity theft. Here’s what’s the letter looks like:

My first thought when a reader shared a copy of the letter was that he recently had been the victim of identity theft. It took a fair amount of digging online to discover that the nebulously named “Cardholder Services” address in Florida referenced at the top of the letter is an address exclusively used by U.S. Bank.

That digging indicated U.S. Bank currently manages the disbursement of funds for unemployment programs in at least 17 states, including Arkansas, Colorado, Delaware, Idaho, Louisiana, Maine, Minnesota, Nebraska, North Dakota, Ohio, Oregon, Pennsylvania, South Dakota, Texas, Utah, Wisconsin, and Wyoming. The funds are distributed through a prepaid debit card called ReliaCard.

To make matters more confusing, the flood of new unemployment applications from people out of work thanks to the COVID-19 pandemic reportedly has overwhelmed U.S. Bank’s system, meaning that many people receiving these letters haven’t yet gotten their ReliaCard and thus lack any frame of reference for having applied for a new payment card.

Reached for comment about the unhelpful letters, U.S. Bank said it automatically mails them to current and former ReliaCard customers when changes in its system are triggered by a customer – including small tweaks to an address — such as changing “Street” to “St.”

“This can include letters to people who formerly had a ReliaCard account, but whose accounts are now inactive,” the company said in a statement shared with KrebsOnSecurity. “If someone files for unemployment and had a ReliaCard in years past for another claim, we can work with the state to activate that card so the cardholder can use it again.”

U.S. Bank said the letters are designed to confirm with the cardholder that the address change is valid and to combat identity theft. But clearly, for many recipients they are having the opposite effect.

“We encourage any cardholders who have questions about the letters to call the number listed on the back of their cards (or 855-282-6161),” the company said.

That’s nice to know, because it’s not obvious from reading the letter which card is being referenced. U.S. Bank said it would take my feedback under advisement, but that the letters were intended to be generic in nature to protect cardholder privacy.

“We are always seeking to improve our programs, so thank you for bringing this to our attention,” the company said. “Our teams are looking at ways to provide more specific information in our communications with cardholders.”

source https://krebsonsecurity.com/2020/05/meant-to-combat-id-theft-unemployment-benefits-letter-prompts-id-theft-worries/

A new email scam is making the rounds, warning recipients that someone using their Internet address has been caught viewing child pornography. The message claims to have been sent from Microsoft Support, and says the recipient’s Windows license will be suspended unless they call an “MS Support” number to reinstate the license, but the number goes to a phony tech support scam that tries to trick callers into giving fraudsters direct access to their PCs.

The fraudulent message tries to seem more official by listing what are supposed to be the recipient’s IP address and MAC address. The latter term stands for “Media Access Control” and refers to a unique identifier assigned to a computer’s network interface.

However, this address is not visible to others outside of the user’s local network, and in any case the MAC address listed in the scam email is not even a full MAC address, which normally includes six groups of two alphanumeric characters separated by a colon. Also, the IP address cited in the email does not appear to have anything to do with the actual Internet address of the recipient.

Not that either of these details will be obvious to many people who receive this spam email, which states:

“We have found instances of child pornography accessed from your IP address & MAC Address.
IP Address: 206.19.86.255
MAC Address : A0:95:6D:C7

This is violation of Information Technology Act of 1996. For now we are Cancelling your Windows License, which means stopping all windows activities & updates on your computer.

If this was not You and would like to Reinstate the Windows License, Please call MS Support Team at 1-844-286-1916 for further help.

Microsoft Support
1 844 286 1916”

KrebsOnSecurity called the toll-free number in the email and was connected after a short hold to a man who claimed to be from MS Support. Immediately, he wanted me to type a specific Web addresses into my browser so he could take remote control over my computer. I was going to play along for a while but for some reason our call was terminated abruptly after several minutes.

These kinds of support scams are a dime a dozen, unfortunately. They prey mainly on elderly and unsophisticated Internet users, walking the frightened caller through a series of steps that allow the fraudsters to take complete, remote control over the system. Once inside the target’s PC, the scammer invariably finds all kinds of imaginary problems that need fixing, at which point the caller is asked for a credit card number or some form of payment and charged an exorbitant fee for some dubious service or software.

What seems new about this scam is the child porn angle, which I’m sure will worry quite a few recipients. I say this because over the past few weeks, someone has massively started sending the same type of sextortion emails that first began in earnest in the summer of 2018, and incredibly over the past few days I’ve received almost a dozen emails from readers wondering if they should be concerned or if they should pay the extortion demand.

Here’s a hard and fast rule: Never respond to spam, and certainly not to any email that threatens some negative consequence unless you respond. Doing otherwise only invites more spammy and scammy emails. On the other hand, I fully support the idea of tying up this scammer’s toll-free number with time-wasting calls.

source https://krebsonsecurity.com/2020/05/tech-support-scam-uses-child-porn-warning/

Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues.

Based in Germany, the Fresenius Group includes four independent businesses: Fresenius Medical Care, a leading provider of care to those suffering from kidney failure; Fresenius Helios, Europe’s largest private hospital operator (according to the company’s Web site); Fresenius Kabi, which supplies pharmaceutical drugs and medical devices; and Fresenius Vamed, which manages healthcare facilities.

Overall, Fresenius employs nearly 300,000 people across more than 100 countries, and is ranked 258th on the Forbes Global 2000. The company provides products and services for dialysis, hospitals, and inpatient and outpatient care, with nearly 40 percent of the market share for dialysis in the United States. This is worrisome because COVID-19 causes many patients to experience kidney failure, which has led to a shortage of dialysis machines and supplies.

On Tuesday, a KrebsOnSecurity reader who asked to remain anonymous said a relative working for Fresenius Kabi’s U.S. operations reported that computers in his company’s building had been roped off, and that a cyber attack had affected every part of the company’s operations around the globe.

The reader said the apparent culprit was the Snake ransomware, a relatively new strain first detailed earlier this year that is being used to shake down large businesses, holding their IT systems and data hostage in exchange for payment in a digital currency such as bitcoin.

Fresenius spokesperson Matt Kuhn confirmed the company was struggling with a computer virus outbreak.

“I can confirm that Fresenius’ IT security detected a computer virus on company computers,” Kuhn said in a written statement shared with KrebsOnSecurity. “As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread. We have also informed the relevant investigating authorities and while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.”

The attack on Fresenius comes amid increasingly targeted attacks on healthcare providers who are on the front lines of responding to the COVID-19 pandemic. In April, the international police organization INTERPOL warned it “has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid.

On Tuesday, the Department of Homeland Security‘s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert along with the U.K.’s National Cyber Security Centre warning that so-called “advanced persistent threat” groups — state-sponsored hacking teams — are actively targeting organizations involved in both national and international COVID-19 responses.

“APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities,” the alert reads. “The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for many victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to pressure victim companies into paying up.

Security researchers say the Snake ransomware is somewhat unique in that it seeks to identify IT processes tied to enterprise management tools and large-scale industrial control systems (ICS), such as production and manufacturing networks.

While some ransomware groups targeting businesses have publicly pledged not to single out healthcare providers for the duration of the pandemic, attacks on medical care facilities have continued nonetheless. In late April, Parkview Medial Center in Pueblo, Colo. was hit in a ransomware attack that reportedly rendered inoperable the hospital’s system for storing patient information.

Fresenius declined to answer questions about specifics of the attack, saying it does not provide detailed information or comments on IT security matters. It remains unclear whether the company will pay a ransom demand to recover from the infection. But if it does so, it may not be the first time: According to my reader source, Fresenius paid $1.5 million to resolve a previous ransomware infection.

“This new attack is on a far greater scale, though,” the reader said.

source https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.

FUELED BY MULES

One of the more common and perennial cybercriminal schemes is “reshipping fraud,” wherein crooks buy pricey consumer goods online using stolen credit card data and then enlist others to help them collect or resell the merchandise.

Most online retailers years ago stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. These restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe — derisively referred to as “reshipping mules” — to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

But apparently a number of criminal reshipping services are reporting difficulties due to the increased wait time when calling FedEx or UPS (to divert carded goods that merchants end up shipping to the cardholder’s address instead of to the mule’s). In response, these operations are raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services.

That’s according to Intel 471, a cyber intelligence company that closely monitors hundreds of online crime forums. In a report published today, the company said since late March 2020 it has observed several crooks complaining about COVID-19 interfering with the daily activities of their various money mules (people hired to help launder the proceeds of cybercrime).

“One Russian-speaking actor running a fraud network complained about their subordinates (“money mules”) in Italy, Spain and other countries being unable to withdraw funds, since they currently were afraid to leave their homes,” Intel 471 observed. “Also some actors have reported that banks’ customer-support lines are being overloaded, making it difficult for fraudsters to call them for social-engineering activities (such as changing account ownership, raising withdrawal limits, etc).”

Still, every dark cloud has a silver lining: Intel 471 noted many cybercriminals appear optimistic that the impending global economic recession (and resultant unemployment) “will make it easier to recruit low-level accomplices such as money mules.”

Alex Holden, founder and CTO of Hold Security, agreed. He said while the Coronavirus has forced reshipping operators to make painful shifts in several parts of their business, the overall market for available mules has never looked brighter.

“Reshipping is way up right now, but there are some complications,” he said.

For example, reshipping scams have over the years become easier for both reshipping mule operators and the mules themselves. Many reshipping mules are understandably concerned about receiving stolen goods at their home and risking a visit from the local police. But increasingly, mules have been instructed to retrieve carded items from third-party locations.

“The mules don’t have to receive stolen goods directly at home anymore,” Holden said. “They can pick them up at Walgreens, Hotel lobbies, etc. There are a ton of reshipment tricks out there.”

But many of those tricks got broken with the emergence of COVID-19 and social distancing norms. In response, more mule recruiters are asking their hires to do things like reselling goods shipped to their homes on platforms like eBay and Amazon.

“Reshipping definitely has become more complicated,” Holden said. “Not every mule will run 10 times a day to the post office, and some will let the goods sit by the mailbox for days. But on the whole, mules are more compliant these days.”

GIVE AND TAKE

KrebsOnSecurity recently came to a similar conclusion: Last month’s story, “Coronavirus Widens the Money Mule Pool,” looked at one money mule operation that had ensnared dozens of mules with phony job offers in a very short period of time. Incidentally, the fake charity behind that scheme — which promised to raise money for Coronavirus victims — has since closed up shop and apparently re-branded itself as the Tessaris Foundation.

Charitable cybercriminal endeavors were the subject of a report released this week by cyber intel firm Digital Shadows, which looked at various ways computer crooks are promoting themselves and their hacking services using COVID-19 themed discounts and giveaways.

Like many commercials on television these days, such offers obliquely or directly reference the economic hardships wrought by the virus outbreak as a way of connecting on an emotional level with potential customers.

“The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services,” the report notes. “These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.”

Brian’s Club — one of the underground’s largest bazaars for selling stolen credit card data and one that has misappropriated this author’s likeness and name in its advertising — recently began offering “pandemic support” in the form of discounts for its most loyal customers.

It stands to reason that the virus outbreak might depress cybercriminal demand for “dumps,” or stolen account data that can be used to create physical counterfeit credit cards. After all, dumps are mainly used to buy high-priced items from electronics stores and other outlets that may not even be open now thanks to the widespread closures from the pandemic.

If that were the case, we’d also expect to see dumps prices fall significantly across the cybercrime economy. But so far, those price changes simply haven’t materialized, says Gemini Advisory, a New York based company that monitors the sale of stolen credit card data across dozens of stores in the cybercrime underground.

source https://krebsonsecurity.com/2020/04/how-cybercriminals-are-weathering-covid-19/

You may have heard that today’s phone fraudsters like to use use caller ID spoofing services to make their scam calls seem more believable. But you probably didn’t know that your bank may be making it super easy for thieves to impersonate the bank, by giving away information about recent transactions on your account via automated, phone-based customer support systems.

Last week, KrebsOnSecurity told the harrowing tale of a reader (a security expert, no less) who tried to turn the tables on his telephonic tormentors and failed spectacularly. In that episode, the people impersonating his bank not only spoofed the bank’s real phone number, but they were also pretending to be him in a separate call at the same time with his bank.

This foiled his efforts to make sure it was really his bank that called him, because he called his bank with another phone and the bank confirmed they currently were in a separate call with him discussing fraud on his account (however, the other call was the fraudster pretending to be him).

Shortly after that story ran, I heard from another reader — we’ll call him “Jim” since he didn’t want his real name used for this story — whose wife was the target of a similar scam, albeit with an important twist: The scammers were armed with information about a number of her recent financial transactions, which he claims they got from the bank’s own automated phone system just by spoofing her phone number.

“When they originally called my wife, there were no fraudulent transactions on her account, but they were able to specify the last three transactions she had made, which combined with the caller-ID had mistakenly earned her trust,” Jim explained. “After we figured out what was going on, we were left asking ourselves how the crooks had obtained her last three transactions without breaking into her account online. As it turned out, calling the phone number on the back of the credit card from the phone number linked with the card provided the most recent transactions without providing any form of authentication.”

Jim said he was so aghast at this realization that he called the same number from his phone and tried accessing his account, which is also at Citi but wholly separate from his spouse’s. Sure enough, he said, as long as he was calling from the number on file for his account, the automated system let him review recent transactions without any further authentication.

“I confirmed on my separate Citi card that they often (but not quite always) were providing the transaction details,” Jim said. “I was appalled that Citi would do that. So, it seemed the crooks would spoof caller ID when calling Citibank, as well as when calling the target/victim.”

The incident Jim described happened in late January 2020, and Citi may have changed its procedures since then. The company has not yet responded to requests for comment.

But in a phone interview with KrebsOnSecurity earlier this week, Jim made a call to Citi’s automated system from his mobile phone on file with the bank, and I could hear Citi’s systems asking him to enter the last four digits of his credit card number before he could review recent transactions.

The request for the last four of the customer’s credit card number was consistent with my own testing, which relied upon on a caller ID spoofing service advertised in the cybercrime underground and aimed at a Citi account controlled by this author.

In one test, the spoofed call let KrebsOnSecurity hear recent transaction data — where and when the transaction was made, and how much was spent — after providing the automated system the last four digits of the account’s credit card number. In another test, the automated system asked for the account holder’s full Social Security number.

PREGNANT PAUSES AND BULGING EMAIL BOMBS

Jim said the fraudster who called his wife clearly already knew her mailing and email addresses, her mobile number and the fact that her card was an American Airlines-branded Citi card. The caller said there had been a series of suspicious transactions, and proceeded to read back details of several recent transactions to verify if those were purchases she’d authorized.

Jim’s wife quickly logged on to her Citi account and saw that the amounts, dates and places of the transactions referenced by the caller indeed corresponded to recent legitimate transactions. But she didn’t see any signs of unauthorized charges.

After verifying the recent legitimate transactions with the caller, the person on the phone asked for her security word. When she provided it, there was a long hold before the caller came back and said she’d provided the wrong answer.

When she corrected herself and provided a different security word, there was another long pause before the caller said the second answer she provided was correct. At that point, the caller said Citi would be sending her a new card and that it had prevented several phony charges from even posting to her account.

She didn’t understand until later that the pauses were points at which the fraudsters had to put her on hold to relay her answers in their own call posing as her to Citi’s customer service department.

Not long after Jim’s spouse hung up with the caller, her inbox quickly began filling up with hundreds of automated messages from various websites trying to confirm an email newsletter subscription she’d supposedly requested.

As the recipient of several of these “email bombing” attacks, I can verify that crooks often will use services offered in the cybercrime underground to flood a target’s inbox with these junk newsletter subscriptions shortly after committing fraud in the target’s name when they wish to bury an email notification from a target’s bank.

‘OVERPAYMENT REIMBURSEMENT’

In the case of Jim’s wife, the inbox flood backfired, and only made her more suspicious about the true nature of the recent phone call. So she called the number on the back of her Citi card and was told that she had indeed just called Citi and requested what’s known as an “overpayment reimbursement.” The couple have long had their credit cards on auto-payment, and the most recent payment was especially high — nearly $4,000 — thanks to a flurry of Christmas present purchases for friends and family.

In an overpayment reimbursement, a customer can request that the bank refund any amount paid toward a previous bill that exceeds the minimum required monthly payment. Doing so causes any back-due interest on that unpaid amount to accrue to the account as well.

In this case, the caller posing as Jim’s wife requested an overpayment reimbursement to the tune of just under $4,000. It’s not clear how or where the fraudsters intended this payment to be sent, but for whatever reason Citi ended up saying they would cut a physical check and mail it to the address on file. Probably not what the fraudsters wanted, although since then Jim and his wife say they have been on alert for anyone suspicious lurking near their mailbox.

“The person we spoke with at Citi’s fraud department kept insisting that yes, it was my wife that called because the call came from her mobile number,” Jim said. “The Citi employee was alarmed because she didn’t understand the whole notion of caller ID spoofing. And we both found it kind of disturbing that someone in fraud at such a major bank didn’t even understand that such a thing was possible.”

SHOPPING FOR ‘CVVs’

Fraud experts say the scammers behind the types of calls that targeted Jim’s family are most likely fueled by the rampant sale of credit card records stolen from hacked online merchants. This data, known as “CVVs” in the cybercrime underground, is sold in packages for about $15 per record, and very often includes the customer’s name, address, phone number, email address and full credit or debit card number, expiration date, and card verification value (CVV) printed on the back of the card.

Dozens of cybercrime shops traffic in this stolen data, which is more traditionally used to defraud online merchants. But such records are ideally suited for criminals engaged in the type of phone scams that are the subject of this article.

That’s according to Andrei Barysevich, CEO and co-founder of Gemini Advisory, a New York-based company that monitors dozens of underground shops selling stolen card data.

“If the fraudsters already have the target’s cell phone number, in many cases they already have the target’s credit card information as well,” Barysevich said.

Gemini estimates there are currently some 13 million CVV records for sale across the dark web, and that more than 40 percent of these records put up for sale over the past year included the cardholder’s phone number.

Data from recent financial transactions can not only help fraudsters better impersonate your bank, it can also be useful in linking a customer’s account to another account the fraudsters control. That’s because PayPal and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits.

For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.

JUST HANG UP

Both this and last week’s story illustrate why the only sane response to a call purporting to be from your bank is to hang up, look up your bank’s customer service number from their Web site or from the back of your card, and call them back yourself.

Meanwhile, fraudsters who hack peoples’ finances with nothing more than a telephone have been significantly upping the volume of attacks in recent months, new research suggests. Fraud prevention company Next Caller said this week it has tracked “massive increases in call volumes and high-risk calls across Fortune 500 companies as a result of COVID-19.”

“After a brief reprieve in Week 4 (April 6-12), Week 5 (April 13-19) saw call volume across Next Caller’s clients in the telecom and financial services sectors spike 40% above previous highs,” the company found. “Particularly worrisome is the activity taking place in the financial services sector, where call traffic topped previous highs by 800%.”

Next Caller said it’s likely some of that increase was due to numerous online and mobile app outages for many major financial institutions at a time when more than 80 million Americans were simultaneously trying to track the status of their stimulus deposits. But it said that surge also brought with it an influx of fraudsters looking to capitalize on all the chaos.

“High-risk calls to financial services surged to 50% above pre-COVID levels, with one Fortune 100 bank suffering a high-risk increase of 60% during Week 5,” the company wrote in a recent report.

source https://krebsonsecurity.com/2020/04/would-you-have-fallen-for-this-phone-scam/

Many of the same shadowy organizations that pay people to promote male erectile dysfunction drugs via spam and hacked websites recently have enjoyed a surge in demand for medicines used to fight malaria, lupus and arthritis, thanks largely to unfounded suggestions that these therapies can help fight the COVID-19 pandemic.

A review of the sales figures from some of the top pharmacy affiliate programs suggests sales of drugs containing hydroxychloroquine rivaled that of their primary product — generic Viagra and Cialis — and that this as-yet-unproven Coronavirus treatment accounted for as much as 25 to 30 percent of all sales over the past month.

KrebsOnSecurity reviewed a number of the most popular online pharmacy enterprises, in part by turning to some of the same accounts at these invite-only affiliate programs I relied upon for researching my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.

Many of these affiliate programs — going by names such as EvaPharmacy, Rx-Partners and Mailien/Alientarget — have been around for more than a decade, and were major, early catalysts for the creation of large-scale botnets and malicious software designed to enslave computers for the sending of junk email.

Their products do not require a prescription, are largely sourced directly from pharmaceutical production facilities in India and China, and are shipped via international parcel post to customers around the world.

In mid-March, two influential figures — President Trump and Tesla CEO Elon Musk — began suggesting that hydroxychloroquine should be more strongly considered as a treatment for COVID-19.

The pharmacy affiliate programs immediately took notice of a major moneymaking opportunity, noting that keyword searches for terms related to chloroquine were many times more popular than for the other mainstays of their business.

“Everyone is hysterical,” wrote one member of the Russian language affiliate forum gofuckbiz[.]com on Mar. 17. “Time to make extra money. Do any [pharmacy affiliate] programs sell drugs for Coronavirus or flu?”

The larger affiliate programs quickly pounced on the opportunity, which turned out to be a major — albeit short-lived — moneymaker. Below is a screenshot of the overall product sales statistics for the previous 30 days from all affiliates of PharmCash. As we can see, Aralen — a chloroquine drug used to treat and prevent malaria — was the third biggest seller behind Viagra and Cialis.

In mid-March, the affiliate program Rx-Partners saw a huge spike in demand for Aralen and other drugs containing chloroquine phosphate, and began encouraging affiliates to promote a new set of product teasers targeting people anxiously seeking remedies for COVID-19.

Their main promotion page — still online at about-coronavirus2019[.]com — touts the potential of Aralen, generic hydroxychloroquine, and generic Kaletra/Lopinavir, a drug used to treat HIV/AIDS.

On Mar. 18, a manager for Rx-Partners said that like PharmCash, drugs which included chloroquine phosphate had already risen to the top of sales for non-erectile dysfunction drugs across the program.

But the boost in sales from the global chloroquine frenzy would be short-lived. Demand for chloroquine phosphate became so acute worldwide that India — the world’s largest producer of hydroxychloroquine — announced it would ban exports of the drug. On Mar. 25, India also began shutting down its major international shipping ports, leaving the pharmacy affiliate programs scrambling to source their products from other countries.

India recently said it would resume exports of the drug, and judging from recent posts at the aforementioned affiliate site gofuckbiz[.]com, denizens of various pharmacy affiliate programs are anxiously awaiting news of exactly when shipments of chloroquine drugs will continue.

“As soon as India opens and starts mail, then we will start everything, so get ready,” wrote one of Rx-Partners’ senior recruiters. “I am sure that there will still be demand for pills.”

Global demand for these pills, combined with India’s recent ban on exports, have conspired to create shortages of the drug for patients who rely on it to treat chronic autoimmune diseases, including lupus and rheumatoid arthritis.

While hydroxychloroquine has long been considered a relatively safe drug, some people have been so anxious to secure their own stash of the drug that they’ve turned to unorthodox sources.

On March 19, Fox News ran a story about how demand for hydroxychloroquine had driven up prices on eBay for bottles of chloroquine phosphate designed for removing parasites from fish tanks. A week later, an Arizona man died and his wife was hospitalized after the couple ingested one such fish tank product in hopes of girding their immune systems against the Coronavirus.

Despite many claims that hydroxychloroquine can be effective at fighting COVID-19, there is little real data showing how it benefits patients stricken with the disease. The largest test of the drug’s efficacy against Coronavirus showed no benefit in a large analysis of its use in U.S. veterans hospitals. On the contrary, there were more deaths among those given hydroxychloroquine versus standard care, researchers reported.

source https://krebsonsecurity.com/2020/04/unproven-coronavirus-therapy-proves-cash-cow-for-shadow-pharmacies/

Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

Today’s lesson in how not to get scammed comes from “Mitch,” the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry — having worked in security for several years at a fairly major cloud-based service — so he’s understandably embarrassed that he got taken in by this confidence scheme.

On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.

But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines in Florida.

If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn’t ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they’d be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up.

The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.

“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”

Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he’d phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity.

Now confident he was speaking with a representative from his bank and not some fraudster, Mitch read back the code that appeared via text message shortly thereafter. After more assurances that any additional phony charges would be credited to his account and that he’d be receiving a new card soon, Mitch was annoyed but otherwise satisfied. He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity.

That is, until the following Monday, when Mitch once again logged in and saw that a $9,800 outgoing wire transfer had been posted to his account. At that point, it dawned on Mitch that both the Friday and Saturday calls he received had likely been from scammers — not from his bank.

Another call to his financial institution and some escalation to its fraud department confirmed that suspicion: The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch’s account — the same code the real Mitch had been tricked into giving up — and then initiated an outgoing wire transfer.

It appears the initial call on Friday was to make him think his bank was aware of and responding to active fraud against his account, when in actuality the bank was not at that time. Also, the Friday call helped to set up the bigger heist the following day.

Mitch said he and his bank now believe that at some point his debit card and PIN were stolen, most likely by a skimming device planted at a compromised point-of-sale terminal, gas pump or ATM he’d used in the past few weeks. Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.

To make matters worse, the fraud investigator said the $9,800 wire transfer had been sent to an account at an online-only bank that also was in Mitch’s name. Mitch said he didn’t open that account, but that this may have helped the fraudsters sidestep any fraud flags for the unauthorized wire transfer, since from the bank’s perspective Mitch was merely wiring money to another one of his accounts. Now, he’s facing the arduous task of getting identity theft (new account fraud) cleaned up at the online-only bank.

Mitch said that in retrospect, there were several oddities that should have been additional red flags. For one thing, on his outbound call to the bank on Saturday while he had the fraudsters on hold, the customer service rep asked if he was visiting family in Florida.

Mitch replied that no, he didn’t have any family members living there. But when he spoke with the bank’s fraud department the following Monday, the investigator said the fraudsters posing as Mitch had succeeded in adding a phony “travel notice” to his account — essentially notifying the bank that he was traveling to Florida and that it should disregard any geographic-based fraud alerts created by card-present transactions in that region. That would explain why his bank didn’t see anything strange about their California customer suddenly using his card in Florida.

Also, when the fake customer support rep called him on Saturday, she stumbled a bit when Mitch turned the tables on her. As part of her phony customer verification script, she asked Mitch to state his physical address.

“I told her, ‘You tell me,’ and she read me the address of the house I grew up in,” Mitch recalled. “So she was going through some public records she’d found, apparently, because they knew my previous employers and addresses. And she said, ‘Sir, I’m in a call center and there’s cameras over my head. I’m just doing my job.’ I just figured she was just new or shitty at her job, but who knows maybe she was telling the truth. Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.’”

Mitch’s bank managed to reverse the unauthorized wire transfer before it could complete, and they’ve since put all the stolen funds back into his account and issued a new card. But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.

What else could have made it more difficult for fraudsters to get one over on Mitch? He could have enabled mobile alerts to receive text messages anytime a new transaction posts to his account. Barring that, he could have kept a closer eye on his bank account balance.

If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled).

As Mitch’s experience shows, many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In this case, Mitch and his bank determined that his assailants never once tried to log in to his account online.

“What’s interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online,” Mitch said. “I absolutely should have hung up and initiated the call myself. And as a security professional, that’s part of the shame that I will bear for a long time.”

Further reading:

Voice Phishing Scams are Getting More Clever
Why Phone Numbers Stink as Identity Proof
Apple Phone Phishing Scams Getting Better
SMS Phishing + Cardless ATM = Profit

source https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/

The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created just hours after President Trump sent a series of all-caps tweets urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains.

KrebsOnSecurity began this research after reading a fascinating Reddit thread over the weekend on several “reopen” sites that seemed to be engaged in astroturfing, which involves masking the sponsors of a message or organization to make it appear as thought it originates from and is supported by grassroots participants.

The Reddit discussion focused on a handful of new domains — including reopenmn.com, reopenpa.com, and reopenva.com — that appeared to be tied to various gun rights groups in those states. Their registrations have roughly coincided with contemporaneous demonstrations in Minnesota, California and Tennessee where people showed up to protest quarantine restrictions over the past few days.

Suspecting that these were but a subset of a larger corpus of similar domains registered for every state in the union, KrebsOnSecurity ran a domain search report at DomainTools [an advertiser on this site], requesting any and all domains registered in the past month that begin with “reopen” and end in “.com.”

That lookup returned approximately 150 domains; in addition to those named after the individual 50 states, some of the domains refer to large American cities or counties, and others to more general concepts, such as “reopeningchurch.com” or “reopenamericanbusiness.com.”

Many of the domains are still dormant, leading to parked pages and registration records obscured behind privacy protection services. But a review of other details about these domains suggests a majority of them are tied to various gun rights groups, state Republican Party organizations, and conservative think tanks, religious and advocacy groups.

For example, reopenmn.com forwards to minnesotagunrights.org, but the site’s WHOIS registration records (obscured since the Reddit thread went viral) point to an individual living in Florida. That same Florida resident registered reopenpa.com, a site that forwards to the Pennsylvania Firearms Association, and urges the state’s residents to contact their governor about easing the COVID-19 restrictions.

Reopenpa.com is tied to a Facebook page called Pennsylvanians Against Excessive Quarantine, which sought to organize an “Operation Gridlock” protest at noon today in Pennsylvania among its 68,000 members.

Both the Minnesota and Pennsylvania gun advocacy sites include the same Google Analytics tracker in their source code: UA-60996284. A cursory Internet search on that code shows it also is present on reopentexasnow.com, reopenwi.com and reopeniowa.com.

More importantly, the same code shows up on a number of other anti-gun control sites registered by the Dorr Brothers, real-life brothers who have created nonprofits (in name only) across dozens of states that are so extreme in their stance they make the National Rifle Association look like a liberal group by comparison.

This 2019 article at cleveland.com quotes several 2nd Amendment advocates saying the Dorr brothers simply seek “to stir the pot and make as much animosity as they can, and then raise money off that animosity.” The site dorrbrotherscams.com also is instructive here.

A number of other sites — such as reopennc.com — seem to exist merely to sell t-shirts, decals and yard signs with such slogans as “Know Your Rights,” “Live Free or Die,” and “Facts not Fear.” WHOIS records show the same Florida resident who registered this North Carolina site also registered one for New York — reopenny.com — just a few minutes later.

Some of the concept reopen domains — including reopenoureconomy.com (registered Apr. 15) and reopensociety.com (Apr. 16) — trace back to FreedomWorks, a conservative group that the Associated Press says has been holding weekly virtual town halls with members of Congress, “igniting an activist base of thousands of supporters across the nation to back up the effort.”

Reopenoc.com — which advocates for lifting social restrictions in Orange County, Calif. — links to a Facebook page for Orange County Republicans, and has been chronicling the street protests there. The messaging on Reopensc.com — urging visitors to digitally sign a reopen petition to the state governor — is identical to the message on the Facebook page of the Horry County, SC Conservative Republicans.

Reopenmississippi.com was registered on April 16 to In Pursuit of LLC, an Arlington, Va.-based conservative group with a number of former employees who currently work at the White House or in cabinet agencies. A 2016 story from USA Today says In Pursuit Of LLC is a for-profit communications agency launched by billionaire industrialist Charles Koch.

Many of the reopen sites that have redacted names and other information about their registrants nevertheless hold other clues, mainly based on precisely when they were registered. Each domain registration record includes a date and timestamp down to the second that the domain was registered. By grouping the timestamps for domains that have obfuscated registration details and comparing them to domains that do include ownership data, we can infer more information.

For example, more than 50 reopen domains were registered within an hour of each other on April 17 — between 3:25 p.m. ET and 4:43 ET. Most of these lack registration details, but a handful of them did (until the Reddit post went viral) include the registrant name Michael Murphy, the same name tied to the aforementioned Minnesota and Pennsylvania gun rights domains (reopenmn.com and reopenpa.com) that were registered within seconds of each other on April 8.

A Google spreadsheet documenting much of the domain information sourced in this story is available here.

No one responded to the email addresses and phone numbers tied to Mr. Murphy, who may or may not have been involved in this domain registration scheme. Those contact details suggest he runs a store in Florida that makes art out of reclaimed or discarded items, and that he operates a Web site design company in Florida.

However, various social media profiles tied to Mr. Murphy’s contact details suggest this persona may not present a complete picture. A Twitter account tied to Murphy’s email address promoted nothing but spammy paid surveys for years. And a Skype lookup on his phone number curiously returns a Russian profile under the name валентина сынах (translated as “Valentine Sons”).

As much as President Trump likes to refer to stories critical of him and his administration as “fake news,” this type of astroturfing is not only dangerous to public health, but it’s reminiscent of the playbook used by Russia to sow discord, create phony protest events, and spread disinformation across America in the lead-up to the 2016 election.

This entire astroturfing campaign also brings to mind a “local news” network called Local Government Information Services (LGIS), an organization founded in 2018 which operates a huge network of hundreds of sites that purport to be local news sites in various states. However, most of the content is generated by automated computer algorithms that consume data from reports released by U.S. executive branch federal agencies.

The relatively scarce actual bylined content on these LGIS sites is authored by freelancers who are in most cases nowhere near the localities they cover. Other content not drawn from government reports often repurpose press releases from conservative Web sites, including gunrightswatch.com, taxfoundation.org, and The Heritage Foundation. For more on LGIS, check out the 2018 coverage from The Chicago Tribune and the Columbia Journalism Review.

source https://krebsonsecurity.com/2020/04/whos-behind-the-reopen-domain-surge/

Security experts are poring over thousands of new Coronavirus-themed domain names registered each day, but this often manual effort struggles to keep pace with the flood of domains invoking the virus to promote malware and phishing sites, as well as non-existent healthcare products and charities. As a result, domain name registrars are under increasing pressure to do more to combat scams and misinformation during the COVID-19 pandemic.

By most measures, the volume of new domain registrations that include the words “Coronavirus” or “Covid” has closely tracked the spread of the deadly virus. The Cyber Threat Coalition (CTC), a group of several thousand security experts volunteering their time to fight COVID-related criminal activity online, recently published data showing the rapid rise in new domains began in the last week of February, around the same time the Centers for Disease Control began publicly warning that a severe global pandemic was probably inevitable.

“Since March 20th, the number of risky domains registered per day has been decreasing, with a notable spike around March 30th,” wrote John Conwell, principal data scientist at DomainTools [an advertiser on this site]. “Interestingly, legitimate organizations creating domains in response to the COVID-19 crisis were several weeks behind the curve from threat actors trying to take advantage of this situation. This is a pattern DomainTools hasn’t seen before in other crises.”

Security vendor Sophos looked at telemetry from customer endpoints to illustrate the number of new COVID-related domains that actually received traffic of late. As the company noted, one challenge in identifying potentially malicious domains is that many of them can sit dormant for days or weeks before being used for anything.

“We can see a rapid and dramatic increase of visits to potentially malicious domains exploiting the Coronavirus pandemic week over week, beginning in late February,” wrote Sophos’ Rich Harang. “Even though still a minority of cyber threats use the pandemic as a lure, some of these new domains will eventually be used for malicious purposes.”

CTC spokesman Nick Espinosa said the first spike in visits was on February 25, when group members saw about 4,000 visits to the sites they were tracking.

“The following two weeks starting on March 9 saw rapid growth, and from March 23 onwards we’re seeing between 75,000 to 130,000 visits per weekday, and about 40,000 on the weekends,” Espinosa said. “Looking at the data collected, the pattern of visits are highest on Monday and Friday, and the lowest visit count is on the weekend. Our data shows that there were virtually no customer hits on COVID-related domains prior to February 23.”

Milwaukee-based Hold Security has been publishing daily and weekly lists of all COVID-19 related domain registrations (without any scoring assigned). Here’s a graph KrebsOnSecurity put together based on that data set, which also shows a massive spike in new domain registrations in the third week of March, trailing off considerably over the past couple of weeks.

Not everyone is convinced we’re measuring the right things, or that the current measurements are accurate. Neil Schwartzman, executive director of the anti-spam group CAUCE, said he believes DomainTool’s estimates on the percentage of new COVID/Coronavirus-themed domains that are malicious are too high, and that many are likely benign and registered by well-meaning people seeking to share news or their own thoughts about the outbreak.

“But there’s the rub,” he said. “Bad guys get to hide amidst the good really effectively, so each one needs to be reviewed on its own. And that’s a substantial amount of work.”

At the same time, Schwartzman said, focusing purely on domains may obscure the true size and scope of the overall threat. That’s because scammers very often will establish multiple subdomains for each domain, meaning that a single COVID-related new domain registration could eventually be tied to a number of different scammy or malicious sites.

Subdomains can not only make phishing domains appear more legitimate, but they also tend to lengthen the domain so that key parts of it get pushed off the URL bar in mobile browsers.

To that end, he said, it makes perhaps the most sense to focus on new domain registrations that have encryption certificates tied to them, since the issuance of an SSL certificate for a domain is usually a sign that it is about to be put to use. As noted in previous stories here, roughly 75 percent of all phishing sites now have the padlock (start with “https://”), mainly because the major Web browsers display security alerts on sites that don’t.

Schwartzman said more domain registrars should follow the example of Los Angeles-based Namecheap Inc., which last month pledged to stop accepting the automated registration of website names that include words or phrases tied to the COVID-19 pandemic. Since then, a handful of other registrars have said they plan to manually review all such registrations going forward.

The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the registrar industry, recently sent a letter urging registrars to be more proactive, but stopped short of mandating any specific actions.

Schwartzman called ICANN’s response “weak tea.”

“It’s absolutely ludicrous that ICANN hasn’t stepped up, and they will bear significant responsibility for any deaths that may happen as a result of all this,” Schwartzman said. “This is a CYA response at best, and dictates to no one that they should do anything.”

Michael Daniel, president of the Cyber Threat Alliance — a cybersecurity industry group that’s also been working to fight COVID-19 related fraud — agreed, saying more pressure needs to be applied to the registrar community.

“It’s really hard to do anything about this unless the registrars step up and do something on their own,” Daniel said. “It’s either that or the government gets involved. That doesn’t mean some [registrars] aren’t doing what they can, but in general what the industry is doing is nowhere near as fast as the bad guys are generating these domains.”

The U.S. government may well soon get more involved. Earlier this week, Senators Cory Booker (D-N.J.), Maggie Hassan (D-N.H.) and Mazie K. Hirono (D-Hawaii) sent letters to eight domain name company leaders, demanding to know what they were doing to combat the threat of malicious domains, and urging them to do more.

“As cybercriminals and other malevolent actors seek to take advantage of the Coronavirus pandemic, it is critical that domain name registrars like yours (1) exercise diligence and ensure that only legitimate organizations can register Coronavirus-related domain names and domain names referencing online communications platforms; (2) act quickly to suspend, cancel, or terminate registrations for domains that are involved in unlawful or harmful activity; and (3) cooperate with law enforcement to help bring to justice cybercriminals profiting from the Coronavirus pandemic,” the senators wrote.

source https://krebsonsecurity.com/2020/04/sipping-from-the-coronavirus-domain-firehose/

The Coronavirus has prompted thousands of information security professionals to volunteer their skills in upstart collaborative efforts aimed at frustrating cybercriminals who are seeking to exploit the crisis for financial gain. Whether it’s helping hospitals avoid becoming the next ransomware victim or kneecapping new COVID-19-themed scam websites, these nascent partnerships may well end up saving lives. But can this unprecedented level of collaboration survive the pandemic?

At least three major industry groups are working to counter the latest cyber threats and scams. Among the largest in terms of contributors is the COVID-19 Cyber Threat Coalition (CTC), which comprises rough 3,000 security professionals who are collecting, vetting and sharing new intelligence about new cyber threats.

Nick Espinosa, a self-described “security fanatic,” author and public speaker who’s handling communications for the CTC, said the group does most of its work remotely via a dedicated Slack channel, where many infosec professionals seem eager to counter the gusto with which the cybercriminal community has sought to profit by exacerbating an already difficult situation.

“A nurse or doctor can’t do what we do, and we can’t do what they do,” Espinosa said. “We’ve seen a massive rise in threats and attacks against healthcare systems, but it’s worse if someone dies due to a malicious cyberattack when we have the ability to prevent that. A lot of people are involved because they’re emotionally attached to the idea of helping this critical infrastructure stay safe and online.”

Using threat intelligence feeds donated by dozens of cybersecurity companies, the CTC is poring over more than 100 million pieces of data about potential threats each day, running those indicators through security products from roughly 70 different vendors. If at least 10 of those flag a specific data point — such as a domain name — as malicious or bad, it gets added to the CTC’s blocklist, which is designed to be used by organizations worldwide for blocking malicious traffic.

“For possible threats, meaning between five and nine vendors detect an indicator as bad, our volunteers manually verify that the indicator is malicious before including it in our blocklist,” Espinosa said.

Another Slack-based upstart coalition called the COVID-19 CTI League spans more than 40 countries and includes professionals in senior positions at such major companies as Microsoft Corp and Amazon.com Inc.

Mark Rogers, one of several people helping to manage the CTI League’s efforts, told Reuters the top priority of the group is working to combat hacks against medical facilities and other frontline responders to the pandemic, as well as helping defend communication networks and services that have become essential as more people work from home.

“The group is also using its web of contacts in internet infrastructure providers to squash garden-variety phishing attacks and another financial crime that is using the fear of COVID-19 or the desire for information on it to trick regular internet users,” wrote Reuters’ Joe Menn.

“I’ve never seen this volume of phishing,” Rogers told Reuters. “I am literally seeing phishing messages in every language known to man.”

Among the more mature organizations working to counter the threat from COVID-19 scammers is the Cyber Threat Alliance, a industry group founded in 2017 that counts among its members more than two dozen major cybersecurity firms that are all required to regularly share threat intelligence with other members.

“One thing we’re paying attention to in addition to phishing and malware attacks is anything targeting stuff involved in the pandemic response, such as the manufacturers of protective gear, testing kits, or hospitals,” CTA President Michael Daniel told KrebsOnSecurity. “One of those organizations getting hit with ransomware now would be really bad, and we want to make sure if we see that we’re alerting and working with law enforcement.”

Earlier this month, the international police network INTERPOL issued a warning to law enforcement in nearly 200 member countries, saying it had detected “a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response.”

The alert came after several top ransomware gangs pledged a moratorium on attacking hospitals and other care centers for the near future. Nevertheless, these group have continued to target companies on the periphery of the pandemic response, including virus testing labs, N95 mask production facilities, and companies engaged in vaccine research.

The CTC’s Espinoza said it would be a potentially fatal mistake to assume all cybercriminal groups might observe such a cease-fire.

“We might have independent criminal groups saying they won’t hit hospitals but they’ll hit everyone else, but that doesn’t prevent them from sending phishing emails and masquerading as the World Health Organization or the Centers for Disease Control,” he said. “These are people who have no problems locking out little old ladies out of their computers for 800 bucks, and of course there are state-sponsored hackers who love any opportunity to sow discord and disrupt things.”

SURVIVING THE PANDEMIC

The CTA’s Daniel said while it’s great to see so much voluntary collaboration between the cybersecurity industry, governments and law enforcement, he’s been thinking a lot lately about how to sustain these relationships and networks once the urgency of the pandemic subsides.

Formerly special assistant to President Obama and cybersecurity coordinator on the National Security Council, Daniel said he sees preserving and enhancing this information sharing effort post-COVID as one of the biggest policy issues facing the federal government over the next few years.

“Information sharing is easy to talk about, and hard to do in practice,” Daniel said. “I don’t use the term ‘public-private partnership’ because it’s been bandied about so much over the years that I don’t know what it means anymore. It’s probably best described as ‘working together on an operation.’”

What prevents private companies from working more closely and frequently with governments on operations to target cybercrime organizations and networks? Daniel said on the government side, there are real concerns that working with one or two particularly clueful or effective companies (versus all of them) might give the impression that the government is showing favoritism, or picking winners and losers in the market.

“But you have to do that to some extent because the truth is some companies matter in this space, and a lot don’t,” Daniel said. “The government has to accept that, determine what are the objective rules, and establish transparency so that [their efforts] aren’t seen as some secret club but as part of a normal process.”

Daniel said governments in general also need to get more comfortable sharing information about operations targeting specific crime groups in advance of those actions.

“The government has to figure out how to let the private sector in on some of the planning and preparation,” he said. “If you want [the cybersecurity industry’s] help against certain targets, you have to tell us who they are ahead of time. But this goes against how  governments operate in almost every way.”

On the private sector side are issues of how for-profit companies can closely collaborate with the government without being perceived as potentially compromising the privacy and security of their customers, or as simply an agent of the government.

“For companies, the question is how do you deal with the liability and other questions that come with that,” Daniel said. “These are very real impediments, and why I think we need to get past the endless discussions of public-private partnerships and start talking about what we can do to coordinate actions against these groups so we can have a more strategic impact on the adversary.”

source https://krebsonsecurity.com/2020/04/covid-19-has-united-cybersecurity-experts-but-will-that-unity-survive-the-pandemic/