4 Stolen Health Databases Reportedly for Sale on Dark Web

4 Stolen Health Databases Reportedly for Sale on Dark Web

View original article from Data Breach here.

A hacker is reportedly selling on the dark web copies of databases stolen from three unidentified U.S. healthcare organizations and one unnamed health insurer containing data on nearly 10 million individuals for prices ranging from about $96,000 to $490,000 in bitcoin for each database.

The hacker taking credit, who calls himself "thedarkoverlord," is operating on the TheRealDeal dark web marketplace and is offering to sell "a unique one-off copy" of each of the databases, according to dark net news reporting website DeepDotWeb and other news sites. Some of the data being offered for sale appears to be old, according to news reports.

The hacked data being sold, according to DeepDotWeb, Databreaches.net and other media sites, includes:

• A database containing plaintext data of 9.3 million individuals from a large, unidentified U.S. health insurer, which the apparent hacker told Databreaches.net was "retrieved using a zero day within the RDP protocol that gave direct access to this sensitive information;"
• A database containing plaintext data of 397,000 patients of a healthcare organization based in Georgia, which was "retrieved from an accessible internal network using readily available plaintext usernames and passwords," the hacker toldDeepDotWeb;
• A database containing plaintext data of 210,000 patients from a healthcare provider operating in the central and Midwestern region of the U.S., which the hacker claims "was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords."
• A database containing data of 48,000 patients of a Farmington, Mo.-based healthcare organization, which the hacker claims "was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords.

Media website The Daily Dot, which says it examined TheRealDeal listings for the three healthcare organization databases, reports that among the data being sold are patients' names, dates of birth, addresses, phone numbers and Social Security numbers.Databreaches.net reports the insurance database includes similar information.

DeepDotWeb reports that the self-proclaimed hacker, over an encrypted Jabber conversation, told the news site he used "an exploit in how companies use RDP [remote desk protocol]. So it is a very particular bug. The conditions have to be very precise for it."

The hacker is selling each of the databases for prices ranging from 151 to 750 bitcoins, according to various news reports. DeepDotWeb says the hacker provided it with images of the three hacked databases from healthcare organizations, with all the identifiable information redacted "so the target company can remain anonymous for now."

The hacker also left a note on the dark web that appears to indicate that the attacker attempted to extort payments from the healthcare entities before putting the data up for sale on the dark web, according to DeepDotWeb.

"Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come," the hacker warns, according to the DeepDotWeb report.

Monetizing a security breach by asking for "hush money" is a classic ploy, says researcher Stephen Cobb of security services firm ESET. "If the attacker gains access to a sensitive database, his top three options to make money are to ransom it, sell it on the black market or simply ask for money to keep quiet," he says. "In this case it looks like the hush money request did not work out, hence the offer for sale."

The sale of health information on the dark web is commonplace, research organizations and law enforcement agencies have confirmed in numerous reports, notes Mac McMillan, CEO of the security consultancy CynergisTek .

"Once information has been stolen, it can be resold over and over again, which is why healthcare information is so valuable and at the same time so dangerous - it's not perishable."

So, if an entity is breached and data stolen, "there is a good chance it will be sold," McMillan says.

Organizations that get a warning from hackers or other third-parties about their stolen data purportedly being for sale on the dark web should immediately conduct a forensics examination to determine whether the report is accurate and the data is authentic and contact law enforcement authorities, McMillan says.

To prevent this kind of data theft, McMillan advises healthcare entities to "eliminate passwords as a single factor for authentication, encrypt your data and employ data loss protection [technology] to identify other instances of the information, like the Access database, and stop the exfiltration of the information."

But it's not only breaches involving hacker attacks that can result in health data being sold on the dark web, warns Ann Paterson, senior vice president and program director of the non-profit coalition Medical Identity Fraud Alliance.

"While MIFA doesn't delve into the dark web, we don't take for granted that lost data, whether through malicious hacking or inadvertent loss such as a lost laptop, is immune to being sold on the dark web. Such cases are not surprising, since those who work in this area understand that selling protected health information is lucrative - it's one of the drivers why this type of crime is growing."

Paterson advises healthcare entities that experience PHI data loss to work with law enforcement and cyber investigators to try to determine if the data has made its way to the dark web. "However, this is often difficult to determine, since data may not be advertised immediately after the loss happens. Fraudsters often 'sit' on the data for a while before attempting to sell it."

Consumers also need to become more educated about the details of medical identity theft and fraud to understand how they might be affected when their PHI is compromised, she says.

"As a society, many of us are experiencing 'data breach fatigue' and may not be paying as close attention to the potential fraud threats when we've been part of a breach. This is dangerous, since there are plenty of indications that PHI is being bought and sold forfraudulent purposes."

And although the owners of the three healthcare databases reportedly being sold on the dark web haven't yet been publicly identified, affected healthcare organizations can often recognize if any of their stolen data is showing up on the dark web, McMillan says. "These records should be an exact match for ones in someone's system," he says. "They should be able to search their system and match them."

But Cobb says confirming the source of stolen data appearing for sale on the dark web can be complicated.

"This can be quite difficult, given that records for one patient may be in dozens of databases belonging to different participants in the highly complex U.S. healthcare delivery and reimbursement system," he says. "Sometimes the seller will reveal the data structure or the database software in which the records were stored, but again, this is not necessarily conclusive, since many institutions use the same software. If a seller has logs of the breach activity, this would be more conclusive, but the seller might not have these and may not be the original breach [source]."

And the same data may be breached numerous times, by multiple attackers, using either the same or different attack vectors, Cobb notes, "particularly if the target organization is not closely monitoring for attacks."

Keep your information safe

Tech Tip Tuesday: Outlook Permission Levels

Outlook Permission Levels

Outlook has many different permission levels for sharing parts of your account, such as your tasks or calendar. These levels are the same throughout all parts of Outlook.

Full

Full permission means the user can Read, Edit, and Delete a file or folder. The following three Permission Levels allow the granted person to delete files in the folder you give them access to. Use with caution.

• Owner - This grants FULL permission to the selected folder. Typically a bad idea.
• Publishing Editor - This also grants FULL permission to the selected folder, but it does not change who "owns" the folder. Be careful when using this option (useful if other people need to organize your folder)
• Editor - This grants FULL permission, except for the ability to create new folders. Good for basic calendar sharing. 

Edit/Delete

The following two Permission Levels allow the granted person to edit/delete only files they have created.

• Publishing Author - Similar to Publishing Editor, except the granted user cannot delete files (or appointments) you have created.
• Author - Similar to Editor, except the granted user cannot delete files (or appointments) that you have created.

Minimal Access

The following four Permission Levels grant minimal access to your folder.

• Nonediting Author - The user can create items (not folders), but cannot edit anything. They can delete items that they have created.
• Reviewer - The user can see folders, but not sub-folders.
• Contributor - The user can create items.
• None - The user has no permissions (That is why the Default user is setup with the Permission Level: None).

Download PDF version of this tech tip.

LinkedIn: Notice of Data Breach

From LinkedIn on the data breach:

Notice of Data Breach

You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.

What Happened?

On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.

What Information Was Involved?

Member email addresses, hashed passwords, and LinkedIn member IDs (an internal identifier LinkedIn assigns to each member profile) from 2012.

What We Are Doing

We invalidated passwords of all LinkedIn accounts created prior to the 2012 breach that had not reset their passwords since that breach. In addition, we are using automated tools to attempt to identify and block any suspicious activity that might occur on LinkedIn accounts. We are also actively engaging with law enforcement authorities.

LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.

What You Can Do

We have several dedicated teams working diligently to ensure that the information members entrust to LinkedIn remains secure. While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well.

For More Information

If you have any questions, please feel free to contact our Trust & Safety team at tns-help@linkedin.com. To learn more visit our official blog.

Cyber security in 2016 - Are YOU protecting yourself?

Check out this special report from our local news source!

Cyber Secure in an Information Age

Source: KMIZ
May 19, 2016

Tech Tip Tuesday: Password Protect Documents with Microsoft Office

Password Protect Documents with Microsoft Office
Microsoft Office lets you encrypt your Office documents, allowing no one to even view the file unless they have the password. Modern versions of Office use secure encryption that you can rely on–assuming you set a strong password. 

How Secure Is Microsoft Office’s Password Protection? 

There are two big things you need to watch out for. First, only passwords that fully encrypt the document are secure. Office also allows you to set a password to “Restrict Editing” of a file–in theory, allowing people to view a file but not edit it without a password. This type of password can be easily cracked and removed, allowing people to edit the file. Also, Office’s encryption only works well if you’re saving to modern document formats like .docx. If you save to older document formats like .doc–which are compatible with Office 2003 and earlier–Office will use the older, not-secure version of the encryption. 

How to Password Protect an Office Document
1. Open the document to password protect 

2. Click File in the top left corner on the menu 

3. Make sure you’re on the Info page

  

4. Click Protect Document 

• The button is only named “Protect Document” in Microsoft Word, but it’s named something similar in other apps. Look for “Protect Workbook” in Microsoft Excel and “Protect Presentation” in Microsoft PowerPoint. In Microsoft Access, you’ll just see a an “Encrypt with Password” button on the Info tab. The steps will otherwise work the same.

5. Select Encrypt with Password 

• If you only want to restrict editing of the document, you can choose “Restrict Editing” here, but as we said, that is not very secure and can easily be bypassed. You’re better off encrypting the entire document, if you can.

6. Enter the password you want to encrypt the document with 

• You’ll lose access to the document if you ever forget your password, so keep it safe! Microsoft advises you write down the name of the document and its password and keep it in a safe place.

7. Click OK 

8. The next time you open the document the password window will pop up to unlock the document. 

Click here to view or download the PDF of this tech tip.

New evil android phishing trojans empty your bank account

May 12, 2016

Infragard warned that the FBI has identified two Android malware families, SlemBunk and Marcher, actively phishing for specified US financial institutions’ customer credentials. The malware monitors the infected phone for the launch of a targeted mobile banking application to inject a phishing overlay over the legitimate application’s user interface.

The malware then displays an indistinguishable fake login interface to steal the victim’s banking credentials. According to cyber threat industry reports, both malware families have targeted foreign financial institutions since 2014, gradually broadening the list to include Western banks, and offered the malware for lease or purchase, respectively, in underground forums. At least as of December 2015, the malware expanded its configuration to include the Android package names of US financial institutions.

SlemBunk apps masquerade as common, popular applications and stay incognito after running for the first time. They have the ability to phish for and harvest authentication credentials when specified banking and other similar apps are launched. 

Users will only get infected if the malware is sideloaded or downloaded from a malicious website. Newer versions of SlemBunk were observed being distributed via porn websites. Users who visit these sites are incessantly prompted to download an Adobe Flash update to view the porn, and doing so downloads the malware.

What To Do About IT

To protect your users from these threats, here is something you can cut/paste and email to all your employees, whether they have Android or iPhones. Feel free to edit:

"Internet bad guys are constantly improving their criminal software for Android smartphones. The last few months they have moved into sophisticated evil apps that steal the user name and password of your mobile banking apps. If you have an iPhone, keep reading - some of this applies to you too. 

Google monitors for criminal apps on the Google Play app store and kicks out malicious apps, but other websites do not. Please remember to:

1. Never download apps from other websites (this is called a "sideload").
2. Keep your device updated with the latest version of the Operating System, both phones and tablets.
3. Do not tap (click) on text messages that you did not expect or are suspicious. True for iPhones too!
4. To prevent malware infections, do not use your phone to surf inappropriate sites as the risks are very high on those sites.

In short, on your workstation, your tablet or your smartphone... Think Before You Click!"

KnowBe4 has a specific training module called Mobile Device Security. This 15-minute module specializes in making sure your employees understand the importance of Mobile Device Security. They will learn the risks of their exposure to mobile security threats so they are able to apply this knowledge in their day-to-day job.

Find out how affordable this is for your organization and be pleasantly surprised.

Article by Stu Sjouwerman, KnowBe4
View original article here

Thousands of taxpayers affected by W-2 Phishing attacks this year

May 2, 2016

Thousands of taxpayers have been impacted by a wave of Phishing attacks targeting W-2 records, with more than sixty organizations reporting such incidents in the first half of the year.

By taking advantage of the trust relationships that exist within a given company; these attacks have resulted in at least $2.3 billion in losses over the last three years.

Business Email Compromise / Correspondence attacks (BEC attacks) aren't overly clever, but they're effective. A person with authority is impersonated, and a lower-level staffer is asked to share W-2 records or related payroll information. That's all there is to it.

Because the request looks and feels legitimate, the employee usually complies, but there have been a few cases where the scam was flagged before any damage could be done.

Last month, Jonathan Sander, vice president at Lieberman Software, remarked to Salted Hash that the common theme in each successful attack is also the reason why the success rate should be zero.

"The employee shouldn’t have been able to access that much data without some sort of oversight kicking in. The fact that a single employee, for any reason, could grab so much data and simply send it to anyone, regardless of who they think that person is, is a scary prospect when you stop to think about it. Of course, you can also ask why an employee would be fooled into thinking that an executive would be making such a sweeping request," Sander said.

In the first quarter of 2016, at least 41 organizations were victimized by BEC attacks, but that number is closer to 70 when additional disclosures are counted. Some organizations were successfully hit earlier in the year, but only just recently discovered the problem, delaying notification.

On April 25, GoldKey | PHR, a hotel management company that controls a large part of the rooms on Virginia Beach,disclosed that W-2 information was compromised on February 29, but this fact wasn't discovered until April 3. The cause of the breach was listed as a "criminal Phishing email" and impacted at least 3,000 people.

Also on April 25, NetBrain Technologies Inc., a network visualization firm based in Burlington, Massachusetts, said someone posed as a company executive and requested 2015 W-2 data on March 3. The documents were delivered as asked, impacting all employees.

On April 12, the Girl Scouts of Gulfcoast Florida disclosed that on March 17, someone impersonated the author of the notice itself, Betsy Laughlin, the Director of Finance, and requested 2015 W-2 records. Because the request was spoofed to appear as if she sent it, the employee who received it didn't hesitate.

On April 26, Michels Corporation, a contractor based in Brownsville, Wisconsin, disclosed that a company executive was impersonated by a scammer, requesting 2015 W-2 records. The incident occurred on April 16, and impacted more than 5,000 current and former employees.

With a low barrier of entry to launch such a campaign, and an even lower overhead, criminals show no signs of slowing when it comes to targeting W-2 information. Even if the stolen data isn't used immediately, it can be compiled and sold for a number of different uses.

"If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees," IRS Commissioner John Koskinen said in a statement issued earlier this year with a memo warning about the rise in BEC attacks.

Many of the firms that have disclosed these incidents report that employees have detected tax fraud, which seems to be the ultimate goal in these attacks. Since 2015, the FBI says there has been a 270-percent increase in the number of identified victims and exposed losses.

Article by Steve Ragan, Senior Staff Writer, CSO

View original article here: http://www.csoonline.com/article/3064214/security/thousands-of-taxpayers-affected-by-w-2-phishing-attacks-this-year.html 

Payment via iTunes? Red flag it’s a scam

Millions of consumers use iTunes to purchase and listen to their favorite music. Unfortunately, scammers are always on the lookout for new ways to get paid for their swindles, and some have latched on to the popular music service as a new way of bilking consumers. No, they’re not looking for the new Adele album. Instead, they’re focused on the iTunes gift cards that are sold by retailers across the country.

NCL has recently received an increasing number of complaints from consumers who report that they’ve lost money after a fraudster asked them for payment via an iTunes gift card as a part of a scam. We’ve seen this happen in the context of fake online loans (where the consumer is instructed to pay for "application and processing fees," for example) and bogus car buying (e.g., cheap car advertised online, payment requested for "insurance" or "shipping".) We’ve also seen reports of scammers demanding payment via iTunes gift cards in fake debt scams and impersonator scams (also known as “grandparent” scams.)

Here’s how the scam works: First, the scammer instructs the consumer to go to a retailer (such as a grocery or drugstore) and purchase and load an iTunes gift card with hundreds of dollars. The scammer then instructs the consumer to provide the 16-digit code on the back of the card (after the buyer scratches or peels off the label) to the scammer via email or text message. Once this is done, the funds on the card are quickly depleted by the scammer and the consumer victim is left with a worthless piece of plastic. The scammer may ask for additional funds (again, paid for via iTunes gift card) for other bogus “fees.” This often continues until the victim catches on and refuses further payment.

A complaint we received recently from a consumer in California is typical of the scam:

“I saw an ad for a 2008 Honda Civic LX for $2,500. For such a price, I was interested so I contacted the seller through the website. She responded the next day and said I would be able to pay her through a third party. I ended up receiving an email which I thought was from Apple Pay. It seemed legitimate so I followed the instructions on the invoice, bought $2,500 worth of iTunes cards and sent an email with the cards and the receipts. I thought it was proof of purchase and I got a confirmation email, so I thought everything was alright. Then a day later I got an email asking for $1,000 for insurance purposes and the same method of payment so I sent it over. When I did not get a confirmation email I got concerned and emailed the owner and she said the car was being shipped. After that, I didn't hear anything more.”

There’s a thriving black market for stolen iTunes gift codes sold at steep discounts. This enables scammers to turn those stolen codes into cash before the victim catches on. Here are some tips to help you spot these scams and avoid getting added to a scammer’s playlist:

1. If you are asked to pay for a product or service via an iTunes gift card (even if it’s associated with another Apple payment product like Apple Pay) it’s a scam.
2. Do not give out the code on the back of an iTunes gift card to anyone. This code is all that’s needed to drain the card of all its value.
3. If you want to send an iTunes gift to someone, the safest way to do it is via the iTunes app (on iOS devices like iPhones or iPads) or the iTunes desktop program. Instructions on sending iTunes gifts are available here.
4. If you’ve already purchased the card and provided the code to someone you think is a scammer, contact Apple immediately viahttps://getsupport.apple.com/ to see if they can cancel the card before funds get depleted.

Have you been a victim of an iTunes gift card scammer? We want to know! You can file a complaint at Fraud.org via our secure online complaint form. We’ll share your complaint with our network of more than 90 law enforcement and consumer protection agency partners who can and do put fraudsters behind bars.

Source: http://www.fraud.org/

Article: http://www.fraud.org/itunes_alert?utm_campaign=05_16_alert&utm_medium=email&utm_source=ncl

Shred Event TODAY!

Did you know...
There's a 1-in-33 chance you'll have your identity stolen in the next year.

Shred Event
Thursday April 28 - TODAY!
1:00pm - 3:00pm
Main Circle Drive by the Launer breezeway

This week for our Tech Tip Tuesday, we're focusing on making sure you're secure!

Check it out here.