California Passes New Privacy Bill, Election Malspam Campaign, and an Online Cybercrime Data Fire Sale

Your Weekly Cybersecurity News Roundup

Byte Sized News has gone to video! Check out the newest episode in video form below. Don’t worry though, you can still read the transcript below if you prefer to get your news in text-form.

As always, this series isn’t intended to provide readers with details on every story and topic but rather to fill busy professionals in on the most compelling developments in the field.


California Votes to Strengthen Privacy Laws

Our first story from the week, one from InfoSecurity Magazine, directly relates to this week’s election.

California has voted to toughen its privacy laws, further enhancing consumers’ rights over how their personal data is used by organizations. Proposition 24 passed with 56% of the vote on a night when Americans also went to the polls to elect their new President.

The proposition will usher in the California Privacy Rights Act (or CPRA), which is designed to close off loopholes in the California Consumer Privacy Act (CCPA), which came into force at the start of this year. The main changes from this bill include the following:

  • Tripling the fines for violations involving info on those under the age of 16
  • New rights for consumers to tell businesses not to use certain categories of information, like health, finances, race, etc.
  • And finally, making it clearer that “do not sell” orders include data shared between companies.

The CPRA also created the California Privacy Protection Agency, a new enforcement body tasked with imposing fines for corporate negligence resulting in theft of consumers’ data, like emails and passwords.

To read more about this story, click the first link below!

Why Paying to Delete Stolen Data is Bonkers

Our second story from the week is an insightful one from Krebs on Security. The article focuses on ransomware and the idea of paying to have stolen data deleted.

It’s really hard as a professional to trust an attacker’s word on deleting your data for money. This gut feeling is backed up by new data showing that those who pay up for data deletion may see some or all of the data published anyway. These findings come in a report from this week by Coveware, a company that specializes in helping firms recover from ransomware attacks.

Coveware says that nearly half of all ransomware cases they deal with now include the threat to release exfiltrated data. Coveware also states it has ample evidence of victims seeing some or all of their stolen data published after paying to have it deleted; in other cases, the data gets published online before the victim is even given a chance to negotiate for the data.

So, what is a victim supposed to do in the case of a successful ransomware attack?

The company advises its clients to never pay a data deletion ransom, but rather to engage with competent privacy attorneys, perform thorough investigations into what data was stolen, and notify affected customers of the breach as soon as possible.

To read the full story from Krebs on Security, click the second link below!

34 Million Records from 17 Companies Up for Sale in Cybercrime Forum

Our next story from the week comes to us from Threatpost and details an online cybercrime forum that houses 34 million records from 17 different companies.

This diverse group of companies, which includes a Brazilian adaptive-learning platform, an online grocery service in Singapore, and a cold-brew coffee company, is caught up in a giant data fire sale.

According to reports, this data appeared online late last week, and the theft seems to be the work of a single person or hacker group. The affected companies include the following:

  • Apps-builder.com
  • Athletico in Brazil
  • Cermati, an Indonesian financial firm
  • Clip, a card-reader company in Mexico
  • com
  • Eatigo
  • com
  • Fantasy Cruncher, a fantasy sports tool
  • Game24h
  • Geekie
  • Invideo, an online video-maker tool
  • Katapult, a lease-to-own furniture company
  • RedMart
  • Toddycafe, a cold-brew coffee company
  • W3layouts
  • Wedmegood, an Indian wedding planning service, and
  • Wongnai

This latest incident continues the sporadic trend of massive data dumps showing up online, which is usually a follow-up on phishing and account take-over efforts.

To read the full story from Threatpost, click the third link below!

Researchers Uncover New Malspam Campaign Exploiting #Election2020 Controversy

Our fourth story from the week also comes to us from InfoSecurity Magazine and details a new Malspam campaign designed to exploit controversies surrounding the ongoing 2020 U.S. election.

This news comes to us from Malwarebytes, a cybersecurity firm. Their research and development team said that this campaign delivers malicious attachments by exploiting doubts about the legitimacy of the election process. This comes as the United States waits for results in several key battleground states, including Georgia, North Carolina, Pennsylvania, and Nevada, in addition to more controversy in the “decided” states of Michigan and Wisconsin.

I am sure all of you know about the current tensions in our country, so I won’t share too many details. However, I will share that threat actors pounced on the opportunity to exploit these tensions with the development of this new Malspam campaign. Threat actors sent emails containing a zip file named ElectionInterference.zip.

This is an Excel spreadsheet designed to appear as a DocuSign file, and users are tricked into allowing macros to ‘decrypt’ the document, which then downloads a malicious payload onto their machine. Once executed, the QBot Trojan can steal and exfiltrate data from its victims and grab emails that will be used as part of later Malspam campaigns.

To read the full story from InfoSecurity Magazine, click the fourth link below!

$100 Million Botnet Scheme Earns Russian Man 8 Years in Prison

Our last story from the week comes to us from Cyberscoop and details a $100 million botnet scheme that earned a Russian man eight years in prison.

A U.S. judge sentenced a Russian national to eight years in prison earlier this week for his role in stealing personal and financial information via a botnet conspiracy aimed at generating mass amounts of money. Prosecutors announced the sentence for Aleksandr Brovko on Monday. Brovko pled guilty to conspiracy to commit bank and wire fraud back in February.

According to the U.S. Department of Justice, from 2007 to 2019 Brovko collaborated with other cybercriminals to turn data troves harvested by botnets into cash. Brovko’s specific role was to write software scripts to go through botnet logs and conduct data searches to extract highly sensitive personal information and online banking credentials. In addition to this, he also scouted out the value of compromised accounts to determine whether they’d be worth using to conduct fraud.

Overall, Brovko possessed and trafficked more than 200,000 “unauthorized access devices,” a term used to describe credit cards, mobile identification numbers, and other means to transfer funds.

To read the full story from Cyberscoop, click the fifth link below!
