Aleksei Burkov, a 29-year-old Russian hacker, on Thursday pleaded guilty to multiple criminal charges for running two illegal websites that helped cyber criminals commit more than $20 million in credit card fraud.

The first website Burkov operated was an online marketplace for buying and selling stolen credit card and debit card numbers—called Cardplanet—which roughly hosted 150,000 payment card details between the years 2009 and 2013.

Cardplanet marketplace offered stolen payment card details for anywhere between $2.50 and $10 a card, depending on the card type, country of origin, and the availability of card owner information.

The carding website even offered a paid service that allowed buyers to instantly verify if a stolen payment card were still valid.

“Many of the cards offered for sale belonged to U.S. citizens. The stolen credit card data from more than 150,000 compromised payment cards was allegedly sold on Burkov’s site and has resulted in over $20 million in fraudulent purchases made on U.S. credit cards,” the Department of Justice said in an old press release.

The majority of such stolen credit cards are obtained using illegal means such as phishing and the use of banking malware, malicious software implanted into cash registers at the stores, leaked databases, and hacked financial account passwords.

Besides Cardplanet, Burkov also masterminded a separate invite-only forum website for elite cybercriminals where they advertised stolen personal identity information, malicious software, and other illegal services, like money laundering and hacking services.

“To obtain membership in Burkov’s cybercrime forum, prospective members needed three existing members to “vouch” for their good reputation among cybercriminals and to provide a sum of money, normally $5,000, as insurance,” the Department of Justice said on Thursday.

“These measures were designed to keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum.”

images from Hacker News

If you have ever contacted Microsoft for support in the past 14 years, your technical query, along with some personally identifiable information might have been compromised.

Microsoft today admitted a security incident that exposed nearly 250 million “Customer Service and Support” (CSS) records on the Internet due to a misconfigured server containing logs of conversations between its support team and customers.

According to Bob Diachenko, a cybersecurity researcher who spotted the unprotected database and reported to Microsoft, the logs contained records spanning from 2005 right through to December 2019.

In a blog post, Microsoft confirmed that due to misconfigured security rules added to the server in question on December 5, 2019, enabled exposure of the data, which remained the same until engineers remediated the configuration on December 31, 2019.

Microsoft also said that the database was redacted using automated tools to remove the personally identifiable information of most customers, except in some scenarios where the information was not the standard format.

“Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices,” Microsoft said.

However, according to Diachenko, many records in the leaked database contained readable data on customers, including their:

• email addresses,
• IP addresses,
• Locations,
• Descriptions of CSS claims and cases,
• Microsoft support agent emails,
• Case numbers, resolutions, and remarks,
• Internal notes marked as “confidential.”

“This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services,” Microsoft said.

By having real sensitive case information and email addresses of affected customers in hand, the leaked data could be abused by tech-support scammers to trick users into paying for non-existent computer problems by impersonating Microsoft support representatives.

“The absence of Personally Identifiable Information in the dump is irrelevant here, given that technical support logs frequently expose VIP clients, their internal systems and network configurations, and even passwords. The data is a gold mine for patient criminals aiming to breach large organizations and governments,” COO of ImmuniWeb Ekaterina Khrustaleva told The Hacker News.

“Worse, many large companies and not only Microsoft have lost visibility of their external attack surface, exposing their clients and partners to significant risks. We will likely see a multitude of similar incidents in 2020.”

KnowBe4’s Data-Driven Defense Evangelist Roger Grimes also shared his comment and experience with The Hacker News, saying:

“Having worked for Microsoft for 15 years, 11 years as a full-time employee, I’ve seen firsthand how much they try to fight scenarios like this. There are multiple layers of controls and education designed to stop it from happening. And it shows you how hard it is to prevent it 100% of the time. Nothing is perfect. Mistakes and leaks happen. Every organization has overly permissive permissions. Every! It’s just a matter of if someone outside the organization discovers it or if someone takes advantage of it.”

“In this case, as bad as it is, it was discovered by someone who didn’t do malicious things with it. Sure, the data, sitting unprotected, could have also been used by the bad guys, but so far, no one has made that case or provided evidence that it has been used maliciously,” Grimes added.

“Anyone can have a mistake. The most important question is how the mistake happened and how to prevent it from happening next time, and if any others could have happened from the same set of circumstances.”

As a result of this incident, the company said it began notifying impacted customers whose data was present in the exposed Customer Service and Support database.

images from Hacker News

The iPhone of Amazon founder Jeff Bezos, the world’s richest man, was reportedly hacked in May 2018 after receiving a WhatsApp message from the personal account of Saudi crown prince Mohammed bin Salman, the Guardian newspaper revealed today.

Citing unnamed sources familiar with digital forensic analysis of the breach, the newspaper claimed that a massive amount of data was exfiltrated from Bezos’s phone within hours after he received a malicious video file from the Saudi prince.

The mysterious file was sent when crown prince Salman and Bezos were having a friendly WhatsApp conversation, and it’s ‘highly probable’ that it exploited an undisclosed zero-day vulnerability of WhatsApp messenger to install malware on Bezos’s iPhone.

“The forensic analysis found that within hours of receipt of the MP4 video file from the Crown Prince’s account, massive and (for Bezos’ phone) unprecedented exfiltration of data from the phone began, increasing data egress suddenly by 29,156 per cent to 126 MB. Data spiking then continued undetected over some months and at rates as much as 106,032,045 per cent (4.6 GB) higher than the pre-video data egress baseline for Mr. Bezos’ phone of 430KB,” the report says.

The Guardian said it didn’t know what data was extracted from the phone, but the hack happened almost 9 months before an American tabloid newspaper published intimate photos and messages sent by Bezos, disclosing his extramarital affair that leads to a divorce from his wife of 25 years.

Though the tabloid newspaper claimed it was tipped off about the affair by the estranged brother of Bezos’s secret girlfriend, the new evidence suggests, with moderately high confidence, that the leak is linked to the hack of Bezos’s phone.

images from Hacker News

Imagine receiving an email from US VP Mike Pence’s official email account asking for help because he has been stranded in the Philippines.

Actually, you don’t have to. This actually happened.

Pence’s email was hacked when he was still the governor of Indiana, and his account was used to attempt to defraud several people. How did this happen? Is it similar to how the DNC server was hacked?

Email hacking is one of the most widespread cyber threats at present. It is estimated that around 8 out of 10 people who use the internet have received some form of phishing attack through their emails. Additionally, according to Avanan’s 2019 Global Phish Report, 1 in 99 emails is a phishing attack.

BitDam is aware of how critical emails are in modern communication. BitDam published a new study on the email threat detection weaknesses of the leading players in email security, and the findings command attention. The research team discovered how Microsoft’s Office365 ATP and Google’s G Suite are allegedly critically weak when dealing with unknown threats. Also, their time-to-detect (TTD) can take up to two days since their first encounter with unknown attacks.

How Leading Security Systems Prevent Attacks

Email security systems address cyber threats by scanning links and attachments to determine if they are safe or not.

They can then automatically block links and prevent download or execution of file attachments. In most cases, to identify threats, security systems compare the scanned files or links to a database of threat signatures. They employ reputation services or a threat hunting protocol that monitors possible attacks based on threat data from various sources.

Links or attachments that are deemed safe on the initial scan are not always safe, though. There are many instances when security systems fail to filter threats because they have not updated their threat databases yet. Because of this, gaps in detection exist. There can be up to three detection gaps in a typical security system. These gaps represent vulnerabilities or opportunities for email attacks to penetrate.

There are security systems that take advantage of artificial intelligence to make threat learning and detection automatic and more efficient. They use data from previous attacks and the corresponding actions of the network administration or computer owner to come up with better judgments for the succeeding incidents.

images from Hacker News

Citrix has finally started rolling out security patches for a critical vulnerability in ADC and Gateway software that attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix.

I wish I could say, “better late than never,” but since hackers don’t waste time or miss any opportunity to exploit vulnerable systems, even a short window of time resulted in the compromise of hundreds of Internet exposed Citrix ADC and Gateway systems.

As explained earlier on The Hacker News, the vulnerability, tracked as CVE-2019-19781, is a path traversal issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as on the two older versions of Citrix SD-WAN WANOP.

Rated critical with CVSS v3.1 base score 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December.

The vulnerability is actively being exploited in the wild since last week by dozens of hacking groups and individual attackers—thanks to the public release of multiple proofs-of-concept exploit code.

According to cyber security experts, as of today, there are over 15,000 publicly accessible vulnerable Citrix ADC and Gateway servers that attackers can exploit overnight to target potential enterprise networks.

FireEye experts found an attack campaign where someone was compromising vulnerable Citrix ADCs to install a previously-unseen payload, dubbed “NotRobin,” that scans systems for cryptominers and malware deployed by other potential attackers and removes them to maintain exclusive backdoor access.

images from Hacker News