7th Edition

Drugs without hugs, TikTok to NoTok, and shady car companies.

At any given time, 4.1 million sites are infected with malware. If a site feels sketchy, it probably is.

A quiet week this week…NOT. The one thing about InfoSec is that the breaches, vulnerabilities, and exploits keep on coming. On the menu this week:

  • Drugs without hugs: an exit scam with a twist

  • This week’s can’t miss: vulnerabilities, ransomware, and data leaks

  • Bannin’ TikTok: a youngin’s worst nightmare

  • Might have missed: gaming Finals hacked, and surprise surprise, LockbitSupp is back

  • ‘Insuring’ nothing is private: car companies and data brokers

  • Pups N’ Stuff: a new take on Cool Sh*t Corner

Big News

An Irish goodbye? Nah, it’s just an exit scam and extortion attempt

Welp, criminals gonna criminal. In a not-so-surprising turn of events, Incognito Market, essentially an eBay for narcotics buyers and sellers, has run an exit scam with millions of their customers’ money. To top it off, they’re now extorting anyone who has used the market to buy or sell narcotics by threatening to make their data public unless they pay a ransom.

What happened: A few days after the Incognito Market administrators drained all the funds from the site, they posted a message with the details of the extortion. They have listed tiers of payments from $100 to $20,000 to have their customers’ data removed before the database of chats, transactions, and other info is publicly leaked. Incognito appears to have been planning this for a while, as they stored all ‘encrypted’ chats that users thought were private.

Why is it important: In dark markets like this, it’s typical for money to be held in escrow while transacting. It provides the buyer and seller some protection from being scammed by each other. While it can help protect the buyer and seller, that puts the market in the position to hold large amounts of cryptocurrency. It’s become common for these markets to run exit scams, but the extortion cherry on top is unique.

The other side: This feels very ransomware-y. Ransomware groups typically operate in a similar model. They steal your data and encrypt it, so even if you’re able to recover the data, they still threaten to leak it publicly to make you pay the ransom. The exit scam seems like an accepted risk for drug dealers. Not being a drug dealer myself, I’m not sure of the economics of having to pay $20,000 in blackmail money and the effect that has on profits, but I can imagine… it’s not good.

The takeaway: I can’t believe I have to say this, but buying illegal narcotics is already risky, and still is when you do it online. Every dark market that has existed has either been shut down by law enforcement or run an exit scam. It’s not a question of if something happens, but when.

tl;dr: Dark market steals users’ money, then extorts users for $100 to $20,000. Next? Who knows. Probably a public posting of its users’ data.

Can’t Miss

Breaches, vulns, and more.
  • United Healthcare: The payment processing company, Change Healthcare, is testing its last major system restoration nearly a month after it was taken down in a ransomware attack that affected 94% of the country’s pharmacies. And, there was certainly drama.

  • Phobos: The ransomware group is aggressively targeting critical infrastructure in the US. Oh, cool. We haven’t had enough groups targeting our ‘well-protected’ critical infrastructure.

  • Phishing: A new phishing campaign, dubbed Operation PhantomBlu, is using a modified version of the legit NetSupport remote access tool. The attackers are leveraging a salary-themed phishing email to gain an initial foothold, which is, uh, just mean.

  • ATT: A string of terrible, horrible, no good, very bad weeks for the telco company. This time, a group has leaked over 70 million records, allegedly taken from ATT in 2021. It includes SSNs, DOBs, addresses, emails, and phone numbers. But it’s all good, ATT claims it’s ‘several years old’ and not from them, cause ya know, SSNs and DOBs change every year.

  • Fortinet: In a surprise to no one, Fortinet is warning its customers of another critical RCE ‘flaw’. CVE-2024-48788 allows attackers to execute code and commands with system administration-level permission. Patch it!

  • Fujitsu: The technology company announced that it had found malware on its systems and that the personal information of its customers had been stolen. No word yet on what type of data, which is very encouraging. cough NOT cough.

Deja Vu - Another potential TikTok ban in an election year

For the non-hip, TikTok is all the rage. It’s one of the first Chinese social media apps to take hold outside its own country’s users. The short-form, easily editable videos that make TikTok popular have been copied by every social media app at this point.

What happened: Last Wednesday, the United States House of Representatives passed a bill to either ban TikTok or force its parent company to sell off its US-based business.

Why is it important: The primary issue driving this ban is the concern that the US’s 150 million TikTok users could be susceptible to data requests by the Chinese Government, mass propaganda campaigns supporting Chinese interests, election interference, or spyware operations. That’s not considering the data privacy issues that are already rife in the social media industry, and TikTok is a big violator.

The other side: While it’s a big move for a bipartisan bill (we don’t see those much anymore), TikTok has been in the crosshairs before. Like we’ve been saying, if the US would develop real data privacy laws that it could enforce, this might have been an easier path to resolution.

The takeaway: If this all feels familiar, it’s because it is. In 2020, the Trump administration wanted to force a similar situation. There were rumors that Microsoft was in talks to purchase the US TikTok business from ByteDance, TikTok’s parent company. Given the passage in the House and the current administration’s statement it would sign off, we’ll see if this one makes it farther.

tl;dr: Another attempted TikTok ban, more government support, more potential to pass.

Tip of the week

When granting apps access to your device files or data, always choose the least amount required.

Might have missed

  • Data Privacy: The CEO of Onerep[.]com, a data privacy company that helps you remove your personal information from 200 people search sites, was found to also own many of those search sites.

  • APEX Legends: EA suspended the Finals for the APEX Legends tournament when a hacker was able to compromise the game clients in multiple rounds of the tournament and deploy hacks for that player. Now, it’s just the cheaters behind the scenes.

  • Russian Sanctions: Russia has laid sanctions on hundreds of Americans, primarily journalists, researchers, and government officials, including several journalists who report on cybersecurity. It’s due to their Russia-phobic agendas, according to the Kremlin.

  • Elderly Scammin: A campaign targeting elderly Android users has been seen to send a fake wedding invite, which, in turn, installs malware on their device. That’s just mean.

  • Lockbit: The leader of the ransomware-as-a-service group was interviewed, and boy was he cocky. But is he really so different from us? He vowed to work until his death, beat the competition, and stated his love for cats. Cats aren’t my numero uno but to each their own.

  • Volt Typhoon: The US government is still trying to piece together all of the disparate hacking operations that the Chinese APT group was carrying out against US infrastructure. Spoiler alert: our systems are old and unsecured, this will take a while.

Off Track

Pump the brakes on data sharing

Before you ask, yes I put this in ‘Off Track’ to be punny.

Here we are again. Another data brokerage story. Another tale of an industry using data in questionable ways without providing clear information on how. This time, it’s your car. A recent article by The New York Times details how companies like GM are selling your data to data brokers.

What happened: Internet-connected cars have been sending owners’ driving info to data brokers, in this case, LexisNexis, who then, in turn, provide the data about drivers to insurance companies. Some customers are seeing their insurance premiums go up, or being all-out denied coverage, based on data about driving habits even if they’ve never had an accident, been at fault for one, or have any driving tickets.

Why is it important: In some cases, it’s being found that drivers of these vehicles are not enabling the smart driving features, but are being tracked anyway. On top of that, when they are opting in, there is no mention of data sharing with third parties as part of the T’s & C’s. In this case, it’s GM’s OnStar Smart Driver feature that appears to be the culprit, but GM is not the only manufacturer doing this.

The other side: While some data from driving habits can help drive efficiencies in how cars are used, this is reminiscent of the ‘pre-existing conditions’ medical issues of the past. Before 2008, when the GINA Act came out, if someone was found through genetic testing to carry a cancer gene, they could be denied coverage. Drivers are being denied coverage based on data they didn’t choose to share.

The takeaway: Until the US decides to get a hold of the data privacy issues we have, this will continue to be an issue that multiple industries will take advantage of.

tl;dr: Automakers are tracking drivers, with and without consent, then sending the data to insurance brokers who use it to drive up rates.

Pups N’ Stuff

In a slight change to our normal programming, we’re rebranding ‘Cool Sh*t Corner’. Why, you ask? Well, pups are more fun, and I want to get YOU, the audience, more involved. I’ll kick this week off with a dog near and dear to my heart: Captain.

He’s not great at securing, but he’s well-versed in solar power. Just look at him charge himself up.

Thanks for reading this week’s edition. If you have feedback or advice, want to submit a dog, or just hate everything you see? Hit this link!