Facebook Live Oyster Pearl Party Scams

A little off-topic, but recently I’ve been asked so many times about the Pearl Party live broadcasts appearing all over Facebook status walls. If you haven’t heard of Pearl Parties, they are sales broadcasts where the hosts entice viewers to buy sealed oysters which are opened live on the broadcast; any pearls found inside are sent to the buyer, and there always seem to be plenty of pearls found.

After watching a few of these broadcasts, it becomes clear why they are appearing all over Facebook: the party hosts constantly offer the chance to win a free oyster opening to every viewer who shares the broadcast. After further investigation, it becomes even clearer that these Pearl Party broadcasts aren’t the harmless fun the presenters insinuate, but are scams.

Oysters Originate from the Far East & Individually Vacuum Packed


The oysters you see opened on the Facebook Live broadcast are real enough, they are bought in wholesale by the oyster party, but the copious pearls discovered inside them aren’t quite as legitimate, rare and valuable as you might think. I have discovered two methods behind the high number of pearls found inside them. Either the freshwater oysters have been cultured, that is, farmed and manipulated into growing the pearls, or the oysters had the pearls inserted into them, after which they are dropped into a chemical bath to make them snap closed, killing and preserving the oyster. With either method, the oysters are individually vacuum packed before being shipped in bulk from the Far East to the party hosts.

Cheap as Chips Oysters are bought in Bulk

On the Pearl Party broadcasts I observed, it cost £30 to £50 to open a batch of 5 oysters, which is a considerable markup on the direct online price of around £1 to £2 per oyster. Often the punters don’t even get to buy a set number of oysters to be opened in the hope of receiving whatever pearls are found inside, as a game of chance is played to determine how many oysters are opened for their set payment. These games involve rolling a dice or spinning a wheel to decide the number of oysters opened, which in itself probably breaks gaming licensing laws in many countries. This game is part of the scam: it is used to make buyers think they have won something and to disguise the fact that they are paying well over the odds for the low-grade, nearly worthless pearls they end up receiving.

Pearl Party Sales are similar to the Shopping Channels


As the party host opens each oyster on the broadcast, they blag about how wonderful the pearls look, using lighting and display techniques to make each pearl look as glamorous as possible, the same techniques employed by the professionals on jewellery shopping channels, but with fibs. The reality is that these pearls are nothing like the quality of actual rare, high-value natural pearls. Some hosts will even measure the pearls, rate their colour and shape, and conclude a value for each one, which is always way more than the buyer has actually paid, again all part of the con. If the host really thought the pearls were worth as much as they are saying, why on earth would they bother with the broadcast rather than just sell them directly themselves!

The host will also offer to set your pearls in jewellery, like earrings and necklaces, all for an extra cost of course.

I also found some hosts operate on behalf of companies in a pyramid-like scheme, where they pay a set amount in and oysters are supplied to them; the more they sell, the higher they rise up the pyramid ranks and the more money they make.

So be warned: don’t participate in promoting these scams to your friends by sharing Pearl Party Facebook Live broadcasts. You’d think Facebook would do something about these types of illicit practices on their Facebook Live service, but apparently not. Given the lawlessness of Facebook Live, I think we can expect further scams of this nature in the near future.

Cyber Security Roundup for May 2017

The WannaCry ransomware outbreak within the NHS dominated the national media headlines earlier this month. Impacting 45 NHS sites in England and Scotland, the massive cyber attack led to cancelled operations and diversions of emergency medical services. The WannaCry outbreak was not limited to the NHS, as thousands of computers were shut down at companies in almost 100 countries. After an initial infection via a phishing email and file encryption, the ransomware has the added ability to rapidly self-replicate, infecting other networked Windows computers which do not have Microsoft’s March 2017 critical update (MS17-010) installed; this drove the swift spread of the malware within large organisations and across the world.

Debenhams had 26,000 customers’ personal details stolen through its flowers service website, which was operated on Debenhams’ behalf by a third-party company. The data breach has been reported to the ICO.

With a year to go until the General Data Protection Regulation (GDPR) goes into law, there were several news reports stating UK businesses need to do more to prepare and highlighting the new data breach fines, which could run into billions for FTSE 100 companies.

If you live in Manchester, your computer is 4 times more likely to be infected with malware than elsewhere in the world, according to statistics by Enigma Software Group.

Over in the United States, Brooks Brothers disclosed a major payment card breach, after an individual installed malicious software which captured credit card information within payment systems at locations across the USA and Puerto Rico for 11 months, a reminder of the importance of PCI DSS compliance for businesses that store, process and/or transmit credit/debit card data (cardholder data).


Hackers stole a copy of Disney’s forthcoming Pirates of the Caribbean film and tried to hold Disney to ransom; Disney didn’t pay.

Interesting blog post by MacKeeper Security, on how cyber criminals are linking various stolen credential datasets to leverage access to systems.

And finally, it was another busy month of security update releases by Microsoft and Adobe. The WannaCry impact on the NHS is a stark warning to ensure all newly issued critical security updates are quickly applied.

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

  1. Manchester 391% higher than the UK average
  2. London 129% higher than the UK average
  3. Derby 53% higher
  4. Sheffield 45% higher
  5. Leicester 10% higher
  6. Nottingham 3% higher
  7. Liverpool 15% lower
  8. Southampton 32% lower
  9. York 43% lower
  10. Brighton 50% lower

  • Enhancements on Qakbot Malware to infect New Systems
  • Over 560 million Breached Account Credentials found in ‘Combo List’
  • Android Mobile Malware Campaigns hits 36.5M Downloads
  • EPS Processing Zero-Days Exploited by APT28 & Turla
  • APT32 targets Private Sector Organisations with an interest in Vietnam

REPORTS

Cyber Security Roundup for April 2017

In April the National Cyber Security Centre (NCSC) briefed major UK businesses about a significant Chinese cyber-espionage threat called APT10, also known as Stone Panda, which I have featured in a separate blog post – Detecting & Preventing APT10 Operation Cloud Hopper.

The InterContinental Hotel Group, a hotel giant best known for the Crowne Park Plaza and Holiday Inn in the UK, reported data breaches within 12 of its hotels; however, Brian Krebs, the investigative journalist who first broke the story, reckons that there could be more than 1000 locations affected. A statement released on the hotel’s website says that the malware, which infected the hotels’ card payment systems, was identified between 29 September and 29 December 2016.

Payday loan firm Wonga reported a data breach which may affect up to 245,000 of its UK customers. The information stolen includes names, addresses, phone numbers, bank account numbers and sort codes.

A BBC Click investigation has thrown doubt on claims that the small, personal email server Nomx can provide “absolute security”. The BBC investigation started by taking the device apart to find that it was built around a £30 Raspberry Pi computer. As the operating system for the Pi sits on a removable memory card, Mr Helme was able to download the device’s core code so he could examine it closely, and found they were able to crack the device’s simple passwords.

There was the usual raft of security updates which fixed security vulnerabilities in April, with Microsoft patches causing the most stir with security researchers, some of whom suggested the firm had held back patching some of its products.

News

Awareness, Education and Threat Intelligence

Reports

  • The 2017 Verizon Breach Investigations Report (DBIR) Released
    • 75% of data breaches are down to outsiders and 25% to insiders
    • 73% are conducted for financial reasons, with half involving organised crime.
    • 62% of breaches feature hacking; it still disappoints to see that 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Half of breaches included malware, but physical loss of devices is now down to just 8%, and errors were a factor in 14% of breaches.
    • Ransomware rose 50% compared to last year and accounted for 72% of all malware incidents in the healthcare sector.
    • Financial services are the most targeted sector at 24%, while healthcare accounts for 15%, the public sector is close behind on 12%, and the combined total of retail and accommodation accounts for 15% of breaches.


Checking for & Preventing APT10 Operation Cloud Hopper

There has been much concern over a state-sponsored threat known as APT10 Operation Cloud Hopper, also known as Stone Panda, after the UK National Cyber Security Centre (NCSC) recently spooked UK businesses and their suppliers about a Chinese threat actor posing a serious threat to IT Managed Service Providers (MSPs) and their UK clients.

Overview of the Threat

The APT10 campaign, known as Operation Cloud Hopper (a.k.a. CVNX, Stone Panda, MenuPass, and POTASSIUM), is believed to have been underway since 2014. There are intelligence reports which indicate the APT10 threat actor significantly upscaled their capabilities and attack sophistication in early 2016. The APT10 Cloud Hopper campaign focuses on sending malware-infected emails to staff working at IT Managed Service Providers (MSPs); once executed, the malware creates a backdoor which allows the attacker remote access to the MSP’s backend systems. From there the attackers are able to navigate the MSP network and identify external connections to the MSP’s clients, which are their actual targets. These network channels are then used to steal data from those clients, data which is packaged and exfiltrated through the MSP remote connection. These backdoors are known to remain undetected for months, due to the use of tailored malware which is not detected by anti-virus and security monitoring systems.

So how do you know if your business has been infiltrated or is being attacked by APT10, aside from the NCSC informing you that you are a victim?

PwC and BAE Systems, who have been assisting the NCSC with APT10, have produced a list of known source IP addresses used by the attackers, which can be imported into security monitoring solutions such as firewalls, IDS/IPS, proxy servers, content filtering and SIEM / log management solutions. Any hits against these IP addresses would be highly concerning; in such a scenario I would recommend unplugging the network cable from (and not powering off) all suspect systems, and then seeking help from an external, qualified and experienced digital forensic investigator if you don’t have one to hand in your business. There are other known APT10 IP addresses to be found within the NCSC CiSP forum, but you will have to sign up to get those: https://www.ncsc.gov.uk/cisp

PwC and BAE Systems have also provided an extracted list of known APT10 malicious MD5 file hashes (unique identifiers for the known malicious APT10-related files). These MD5 hash lists can be used to scan for the presence of known malicious APT10 files on servers and workstations. I recommend importing those MD5 hash lists into a scanner, such as the Nessus Vulnerability Scanner, and scanning the entire IT estate on a regular basis if your business is an IT MSP.
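The two checks described above, matching an indicator list of IP addresses against log traffic and sweeping file systems for known-bad MD5 hashes, can be reproduced with a small script when a SIEM or Nessus import is not yet in place. The example below is added here and is not code from the original post, the NCSC, PwC or BAE Systems. Every IP address, log line, file name and hash in it is a constructed placeholder (TEST-NET ranges and a made-up "bad" file), not a real APT10 indicator; the log format is an assumption, and a real deployment would read the vendor-supplied lists instead of the inline feed.

```python
"""
Added example (not from the original post): match an IoC list of IP addresses
against log lines, and scan a directory tree for files whose MD5 is on a
known-bad list. All indicators, logs and file contents are constructed
placeholders, not real APT10 indicators.
"""
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Constructed indicator feed in the shape such lists are often distributed in:
# one indicator per line, '#' comments allowed. TEST-NET addresses only.
IOC_IP_FEED = """
# placeholder indicator list (constructed, not a real feed)
203.0.113.45
198.51.100.7
not-an-ip        # malformed entries are skipped, never treated as a match
"""

# Constructed firewall / proxy log lines (the format is an assumption).
SAMPLE_LOGS = [
    "2017-04-12T09:14:02Z fw allow src=10.0.4.21 dst=93.184.216.34 dport=443",
    "2017-04-12T09:14:09Z proxy GET 10.0.4.21 -> 203.0.113.45:443 /update.php",
    "2017-04-12T09:15:44Z fw allow src=10.0.7.8 dst=198.51.100.7 dport=8080",
    "2017-04-12T09:16:01Z fw deny src=10.0.4.21 dst=203.0.113.4 dport=443",
]

# Dotted-quad matcher with guards so 203.0.113.4 never matches inside 203.0.113.45.
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def load_ioc_ips(feed):
    """Parse an indicator list, keeping only syntactically valid IP addresses."""
    iocs = set()
    for raw in feed.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            iocs.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue  # malformed line: skip rather than alert on garbage
    return iocs


def match_ip_iocs(log_lines, ioc_ips):
    """Return (line_number, matched_ip, line) for each log line containing an IoC IP."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in ioc_ips:
                hits.append((n, ip, line))
    return hits


def md5_of_file(path):
    """MD5 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree_for_hashes(root, bad_md5s):
    """Walk root and return (relative_path, md5) for files whose MD5 is in bad_md5s."""
    root = Path(root)
    matches = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = md5_of_file(p)
        except OSError:
            continue  # unreadable file: skip it and keep scanning the rest
        if digest in bad_md5s:
            matches.append((p.relative_to(root).as_posix(), digest))
    return sorted(matches)


def run_demo():
    """Build a constructed file tree, plant one 'known bad' file, and run both checks."""
    # Placeholder 'malicious' content; its MD5 stands in for a vendor-supplied hash.
    bad_content = b"PLACEHOLDER-BAD-SAMPLE\n"
    bad_md5s = {hashlib.md5(bad_content).hexdigest()}

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "suspect.bin").write_bytes(bad_content)
        (root / "notes.txt").write_bytes(b"benign content\n")
        hash_hits = scan_tree_for_hashes(root, bad_md5s)

    ip_hits = match_ip_iocs(SAMPLE_LOGS, load_ioc_ips(IOC_IP_FEED))
    return {"ip_hits": ip_hits, "hash_hits": hash_hits}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(name, hits)
```

Two details matter in practice: the indicator parser validates each entry with `ipaddress` so a malformed line cannot silently become a rule, and the log matcher extracts whole dotted quads rather than doing a substring search, so a benign 203.0.113.4 does not fire on a 203.0.113.45 indicator. Any hit from either check is a trigger for the isolation and forensic steps described above, not proof of compromise on its own.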

APT10 is Active and Here to Stay

Keep an eye on the NCSC, PwC and BAE Systems for updates about the APT10 threat, as they are likely to provide updated lists of known associated IP addresses and further MD5 file hashes as more incidents are investigated and intelligence comes to their attention. Given this threat actor is said to be still active and is known to have been operational for several years, don’t expect APT10 to be going away anytime soon. APT actually stands for Advanced ‘Persistent’ Threat. So if you are an IT MSP, it will be prudent to routinely check and update your lists of suspected APT10 IP addresses and MD5 file hashes to be monitored and regularly scanned for.

Most anti-virus and web filtering vendors worth their salt should now be aware of this threat and should be keeping up to date with the latest APT10-related malware and associated IP addresses and file hashes as well, but it is well worth asking them about their position. It goes without saying that it is paramount to keep all security prevention and monitoring systems bang up to date, as is performing regular external and internal network vulnerability scans, and monitoring and acting upon any signs of compromise.
