"brian krebs"

Your phone is a crimewave in your pocket, and it's all the fault of greedy carriers and complicit regulators

Insider attacks, cell-site simulators, SIM-swap attacks, thriving markets in super-cheap, fine-grained location data, robocalls, fictitious coverage maps, and more: does the fact that all this terrible shit keeps happening, and only gets worse, mean that mobile companies and the FCC just don't give a fuck if your mobile phone is a crime wave you carry around with you in your pocket?

PSA: Digital scammers will try to scam you

I got a fun reminder last night that there are a lot of greasy people out there doing a whole lot of greasy shit unto others. Last night, I was taken on a walk down memory lane: I received an email with an old password I used to use in the subject line. Here's what was inside. I've removed the password from the mix, for obvious reasons:

_________ is yoũr passphrasęs. Lets get right to the point. No person has paid me to check about you. You do nŏt know me and you're mŏst likely wondęrİng why you're getting this e-mail?

İ installed a softwāre on thę adũlt vidęo clips (porno) web-site and gũess what, yoũ visited this site to have fun (yŏu know what i mean). While yŏu were vİęwing vidęŏ clİps, yŏur internet browsęr startęd working as a RDP that has a kęy logger which prŏvided me with āccessİbİlity to your screen ās well as cām. Jũst aftęr thāt, my software gāthered all yoũr cŏntacts from your Messenger, socİal networks, as well ās e-maİlaccount. after thāt i created ā video. 1st part shows the video yoũ were vİewing (you've got a nice tastę lmao), ānd nęxt part displays the ręcordİng ŏf your web cām, yea its yoũ.

Yŏũ actually hāvę two diffęręnt possİbilities. Shall we explŏre these types ŏf choices in āspęcts:

First optİon is tŏ neglect this messāgę. in thİs case, i ām going to sęnd your vęry own video to each one of yoũr contacts and also yoũ can easİly İmāgine ręgarding the humiliātİŏn you will definitely get.


Real estate title insurance company exposed 885,000,000 customers' records, going back 16 years: bank statements, drivers' licenses, SSNs, and tax records

First American Financial Corp is a Fortune 500 company that insures titles on people's property; their insecure website exposed 885,000,000 records for property titles, going back 16 years, including bank accounts (with scanned statements), Social Security numbers, wire transaction receipts, scanned drivers' licenses, tax records, mortgage records, etc -- when notified of the error, the company (which employs 18,000 people and grossed more than $5.7B last year) closed the misconfiguration.

Notorious forum for account-thieves hacked, login and messages stolen and dumped

OG Users is a forum for people who steal login credentials for online services, mostly to sell desirable login-names for popular services like Instagram; it attained notoriety when Motherboard's Lorenzo Franceschi-Bicchierai linked the forum to an epidemic of SIM-swapping attacks; a few months later, the Reply All podcast devoted an episode to the forum.

Leaked FBI memo warns banks of looming "unlimited ATM cashout"

When scammers get inside of the networks of financial institutions, they sometimes stage "cashouts" where they recruit confederates around the world to all hit ATMs at the same time with cards tied to hacked accounts and withdraw the maximum the ATMs will allow; but the wilier criminals first disable the anti-fraud and withdrawal maximum features in the banks' systems, enabling confederates to drain ATMs of all the cash they contain. This is called an "unlimited cashout."

A data-broker has been quietly selling realtime access to your cellphone's location, and they suck, so anyone could get it for free

Last week, the New York Times revealed that an obscure company called Securus was providing realtime location tracking to law enforcement, without checking the supposed "warrants" provided by cops, and that their system had been abused by a crooked sheriff to track his targets, including a judge (days later, a hacker showed that Securus's security was terrible, and their service would be trivial to hack and abuse).

Equifax lets identity thieves raid "frozen" credit reports through its shady, obscure secondary credit bureau

If you've had your identity stolen or if you're worried about having been doxxed by Equifax, you can freeze your credit record, and then Equifax, Experian, TransUnion and Innovis will block any requests to access your credit report.

The .cm typosquatters accidentally exposed their logs, revealing the incredible scale of typojacking

.cm is the top-level domain for Cameroon, and the major use-case for .cm domains is typosquatting -- registering common .com domains as .cm domains (like microsoft.cm or apple.cm), in the hopes of nabbing traffic from users who fatfinger while typing a domain, and sometimes serving them malware or directing them to scams.

Eight months ago, Panera Bread was warned that they were leaking up to 7 million customers' data. They fixed it yesterday. Kinda.

On August 2, 2017, security researcher Dylan Houlihan contacted Panera Bread to warn them that their customer loyalty website had a serious defect that allowed attackers to retrieve the names, email and physical addresses, birthdays and last-four of the credit cards for up to seven million customers.

Man discovers he has been impersonated on Amazon by a money-launderer selling $555 "books" full of computer-generated word salad

Amazon reported to the IRS that Patrick Reames had made $24,000 selling books on its Createspace self-publishing platform, but Patrick Reames never got a dime of that money; it appears that a money-launderer who had Reames's Social Security Number used a fake book to cash out money from stolen credit cards by buying the garbage book repeatedly and pocketing the 70% from each sale.

Hoaxer with a history of fake bomb threats SWATs and murders a random bystander over a $1.50 Call of Duty bet

Swatting is the practice of tricking police SWAT teams into storming your victim's home by phoning in fake hostage situations; it's especially prominent among cybercriminals and gamers, and was a favored tactic of Gamergater trolls.

Mirai's creators plead guilty, reveal that they created a DDoS superweapon to get a competitive edge in the Minecraft server industry

Last year, the Mirai botnet harnessed a legion of badly secured internet of things devices and turned them into a denial of service superweapon that brought down critical pieces of internet infrastructure (and even a country), and now its creators have entered guilty pleas to a Computer Fraud and Abuse Act federal case, and explained that they created the whole thing to knock down Minecraft servers that competed with their nascent Minecraft hosting business.

Once you have a student's name, birthday and SSN, the US Department of Education will give you EVERYTHING else

The US Department of Education's Free Application for Federal Student Aid program requires any student applying for federal aid for college or university to turn over an enormous amount of compromising personal information, including current and previous addresses, driver's license numbers, Green Card numbers, marital details, drug convictions, educational history, tax return details, total cash/savings/checking balances, net worth of all investments, child support received, veterans' benefits, children's details, homelessness status, parents' details including SSNs, and much, much more.

Equifax will give your salary history to anyone with your SSN and date of birth

Equifax division TALX has a product called The Work Number, where prospective employers can verify job applicants' work history and previous salaries (it's also used by mortgage lenders and others): you can create an account on this system in anyone's name, provided you have their date of birth and Social Security Number. The former is a matter of public record, the latter is often available thanks to the many breaches that have dumped millions of SSNs (the latest being Equifax's catastrophic breach of 145,000,000 Americans' data).

Equifax has terrible information security practices, and that resulted in multiple breaches

Equifax's world-beating breach of 143 million Americans' sensitive personal and financial information was the result of the company's failure to patch a two-month-old bug in Apache Struts, despite multiple reports of the bug being exploited in the wild.

First known US example of a gas-pump skimmer that uses SMS to exfiltrate data

This credit-card skimmer was removed from a New York gas pump; it uses components scavenged from a cellular phone and a T-Mobile SIM to send the credit card details it harvests to its owners, who can retrieve them from anywhere in the world.

And now, a 5-minute ad for a service that lets you start your own ransomware "business"

Philadelphia is a crimeware-as-a-service business that sells a highly customizable ransomware package for budding entrepreneurs who want to dabble in crime.
