1.3 billion records leaked: spam operator suffers data breach

1.3 billion records leaked: spam operator suffers data breach.
After a weekend of speculation, River City Media (RCM), an “illegal spam operation”, was revealed to be the victim of a data breach that affected a staggering 1.37 billion email accounts.
The data from this operation was discovered by ‘data breach hunter’ Chris Vickery, a security researcher for MacKeeper, who first teased the leak on Friday.
Data breach hunter The leak was first identified by Vickery last Friday.
In addition, Vickery uncovered 1.34 billion email accounts.
These are the accounts that receive spam, or what RCM calls offers.
Aadhaar, India’s biometrics database of its citizens, was also considered, as well as mainstream Chinese social media companies that have over 1 billion users.
The unexpected nature of this breach has caught many off guard.
There will be more information to follow.
Subscribe to the Daily Sentinel for updates on this story and all the latest cyber security news.

Be Aware of Key Changes in the Payment Industry

What can small businesses and merchants expect when it comes to how they get paid?
Following are three key trends we expect to see play out this year and into the next.
However, our research shows that with consumers, perceptions do matter: 87% of the consumers we surveyed said having a range of ways to receive money was important in making a business seem up to date.
By 2020, Sage research indicates, a significant faction of consumers fully expects to be using their smartphones much more when buying goods: 35% of consumers expect Apple Pay to be the most popular way to pay three years from now, and 28% think Samsung Pay will be the favored way to make purchases.
Security is still a big concern Americans lost $16.3 billion in fraudulent credit card transactions in 2015, according to payment industry publication the Nilson Report, and this figure is projected to more than double to $35 billion in 2020.
According to Sage research, PayPal, pre-paid cards, and gift vouchers are seen by consumers as the most secure methods of payment.
Peer-to-peer mobile payments are seen as one of the least safe ways to pay: 58% of people rate them as somewhat or highly insecure.
Many people are also unsure about Apple Pay and Samsung Pay, with 34% saying they are insecure.
Of the businesses we surveyed, 62% cited their bank as a source of finance over the last year; however, different types of crowdfunding are also becoming popular, with 53% saying that they would consider alternative funding in the future.
The Fintech revolution is driving major changes in the ways consumers pay and businesses get paid.

Gas stations working to protect customers from credit card fraud

Gas stations working to protect customers from credit card fraud.
Please install the latest Adobe Flash Player Plugin to watch this content.
They found three skimmer devices inside gas pumps across the city.
“They are clearly numbered, and we’re finding that they’re all related number wise, and right now the highest number that we found is 22,” said Sgt.
KRQE News 13 crews noticed gas stations like Circle K have put security stickers on their pumps, to let them know if someone’s been inside.
Circle K did not return our calls, but the move has been helpful in other states, like Ohio.
“If it catches somebody, I’m all for it.
“He’s safeguarding people that do use credit cards,” said Jasper.
The family owned Premier Gas and Food Mart does not allow customers to pay at the pump, at all.
They also provide full service to all handicap customers, pumping their gas, and taking their credit card inside for them.

Altona Police Chief Offers Fraud Prevention Tips

Altona Police Chief Offers Fraud Prevention Tips. “An ounce of prevention is worth a pound of cure,” according to Altona Police Chief Perry Batchelor who is offering up some tips on how we can all keep ourselves from becoming victims of fraud.
March is Fraud Prevention Month in Canada. “(Scammers are contacting people) through phone calls and threatening to put people in jail with warrants out for their arrest for being in arrears on their payments.
At one point there were a dozen reports of the scam made to the Altona Police Service in one day. “Where they’re sending out emails saying they’re from PayPal,” he explains, “letting you know that your accounts are at low capacity and you need to deposit some money into this account or enter your bank data.”
He says Altona Police Service also continues to get victims of the romance scam.
The Canadian Anti-Fraud Centre describes this particular scenario where an individual with false romantic intentions towards someone earns their affection and trust (sometimes with the promise of marriage) and then gains access to the victim’s money, bank account, credit cards or in some cases by getting the victims (usually unknowingly) to commit fraud on their behalf. “Through the romance scam thousands and thousands of dollars have been stolen out of the community, from our citizens,” commented Batchelor. “If you get a phone call or an email out-of-the-blue and you never started that transaction, don’t give that information out (because) it can come back to haunt you in the future.”

Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security

Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security.
These types of attacks “are probably happening to more and more people, and they don’t know anything about it,” Denman says.
The goal is to help consumers understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data.
Here’s an overview of how this project came together and how these standards will work.
“All kinds of products and services collect consumer data and rely on software to work,” she says.
Our Privacy Standard—A Quick Overview What does our digital consumer-protection standard ask of companies?
The new standard also calls on companies to delete consumer data from their servers upon request, to protect personal data with encryption as the data is sent through the internet, and to be completely transparent about how personal consumer information is shared with other companies.
Check Out CR’s Guide to Privacy Illustration: Oliver Munday Built Through Partnerships We collaborated with three of the digital world’s most highly regarded leaders in the area of consumer protection: Disconnect, a company that makes digital tools consumers can use to block data-trackers and prevent other invasions of privacy; Ranking Digital Rights (RDR), a nonprofit research project that pores through privacy policies and other information that companies disclose to users; and Cyber Independent Testing Lab (CITL), a nonprofit software security-testing organization.
The standard should be easy enough for consumers without a technical background to understand, yet sophisticated enough to guide testing organizations such as Consumer Reports as we develop precise testing protocols.
To help support our work, please consider making a tax-deductible donation.

PayThink How to turn EMV’s ‘false sense of security’ into real safety

When the U.S. shifted to chip card technology, the goal was to lower in-person credit card fraud.
Now, chip cards have given consumers a false sense of security, not factoring in that the chip can do nothing to protect online purchases.
Online merchants have put their necks on the line more than anyone, and the need to overcompensate for the false sense of security on top of regular anti-fraud checkpoints is vital.
Do your research before you sign any contracts.
However, with these services, customers won’t complete the sale on your website, but rather on the third-party site.
Plus, if you’re ever having any issues with transactions, customer service might not be as efficient as if you chose a smaller company.
You’ll also want to make sure your firewall is properly configured.
You may even want to consider a two-step verification process, such as a security question on top of the login.
Lastly, tokenized systems can be your best friend when it comes to protection against credit card fraud.
If you’re still stuck on ways to increase security measures, or you want to know more about how chip cards affect your online transactions, talk to your payments processor about options.

Difficult-to-detect new malware hides in memory

Difficult-to-detect new malware hides in memory.
Researchers at Cisco Systems Inc.’s Talos threat research group have published a report on a scary new form of malware that’s difficult to detect.
Dubbed DNSMessenger, the malware uses Microsoft PowerShell scripts to hide itself and connect directly with a server using a victim’s Domain Name Service port.
It’s distributed as a Microsoft Word document spread through a phishing campaign, which attempts to appear like a known or reputable source.
Not surprisingly, there’s no content in the file and the second click instead executes the malicious script in the file, eventually leading to the victim’s computer being compromised.
But that’s where the similarities with usual malware ends.
Instead of writing the malicious code to the victim’s hard drive, the malware does everything in memory instead, making it difficult to detect.
What isn’t clear is exactly what sort of malicious commands the hackers are using the DNS backdoor to execute.
“Given the targeted nature of this attack, it is likely that the attackers would only issue active C2 commands to their intended target.” While HTTP and HTTPS gateways are regularly monitored by networks, the same can’t be said for DNS, and the hackers are well aware of this.
“It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc.

Menlo Security’s perspective: Addressing the Australian Notifiable Data Breaches Bill

Menlo Security’s perspective: Addressing the Australian Notifiable Data Breaches Bill.
Recently, the Parliament of Australia passed a bill requiring Australian organisations to disclose any data breach involving personally identifiable information (PII), including but not limited to tax file number information, credit card information, and credit eligibility information.
In this case, “reasonable” can include the type or sensitivity of the information, if the information is protected by one or more security measures – and if that security could be easily hacked, who could obtain the information, if the information has been encrypted or rendered useless or meaningless to the unauthorised person, and the depth of the potential harm to the individual or individuals.
Plus, if an organisation takes corrective action after a breach of PII has occurred that lessens the likelihood of lost or stolen information causing serious harm to affected individuals, the organisation is not required to report the data breach.
In these cases, Australia’s new Notifiable Data Breaches Bill gives the organisation up to 30 days to investigate whether a breach notification is even necessary.
So, if an organisation becomes aware of a breach of personal information or if they even believe a breach of PII is to have occurred, they must prepare a detailed statement laying out the specifics of the breach, and notify both the Australian Privacy and Information Commissioner and any individuals at risk of or affected by the actual or suspected data breach as soon as reasonably possible, or “practicable.” If it’s not possible to notify at-risk or affected individuals of a PII breach, the Bill requires that the organisation publish a statement on its website.
According to Australia’s Notifiable Data Breaches Bill, even personal information from anywhere in the world–held or used by an Australian organisation– that is at risk of or affected by a data breach must be handled in the same manner, as if the PII was from an Australian user.
Should an organisation fail to comply with the Bill and its notification requirements, there can be dire legal and financial consequences, in addition to costs to the business’s reputation, including “civil penalties for serious or repeated interferences of an individual’s privacy”, with a maximum penalty of AU$360,000 (US$276,000) for individuals and AU$1,800,000 (US$1.38 million) for businesses.
So, if you’re an Australian organisation that has over AU$3 million in annual revenue or is under AU$3 million in annual revenue but deals with tax IDs, credit cards, credit data, or even an individual whose business deals with the same, how can you be sure to protect your users – local and worldwide – from theft and hack of their personal information, and your company or yourself from the fines, bad press, reputation hits and ultimate loss of business and revenue a theft and hack of individuals’ personal information brings?
Isolation technology from Menlo Security can help.

What The Halting Of Data Security Rules Means For Broadband Companies

What The Halting Of Data Security Rules Means For Broadband Companies.
Broadband providers can now heave a sigh of relief that the FCC has heeded to their plea to halt data security rules adopted by the agency last year.
The FCC last Wednesday granted a stay petition in part to the 2016 Privacy Order adopted by the commission on Oct. 26, 2016.
Crippling Bottleneck Out Of The Way The privacy orders would have dealt a severe blow to high-speed ISPs such as AT&T and Verizon, which had pinned their hope on user data to serve targeted advertising.
Earlier, only phone and cable companies were subjected to some form of privacy protection rules.
What The Data Security Requirement Means The 2016 data security requirement currently temporarily repealed requires broadband internet access service, or BIAS, providers and other telecom carriers to take responsible measures to protect proprietary information of customers from unauthorized use, disclosure or access.
The petitioners also said they would have to bear substantial costs and burdens, complying with the new rules.
If the commission grants the pending petitions for reconsideration, the costs are non-recoverable, the petition said.
A Victory Of Sorts For Broadband Companies If the rule had taken effect, it would have seriously impaired the business model of ISPs and companies that have forged ties with them to source user data, according to a report on LAW360.com.
Benzinga does not provide investment advice.

Microsoft describes ransomware as ‘scary’

Microsoft describes ransomware as ‘scary’.
The manipulative type of malware, which takes people’s data hostage, saw a 752 per cent increase in 2016 Dubai: Japanese anti-virus developer Trend Micro’s annual cybersecurity report, released on Sunday, revealed a 752 per cent increase in ransomware, the software used by hackers to block data and then demand money to return it.
In a recent interview, Microsoft’s Cyril Voisin, Executive Security Advisor for the company’s Enterprise Cybersecurity Group in the Middle East and Africa, spoke about the growing threat from ransomware, and what could be done to combat it.
“We have seen victims among consumers — all operating systems, not just Microsoft’s.
But, more worryingly — we have also seen it in a hospital abroad,” he added.
They can evade protection measures like antiviruses, because they create new ransomwares all the time, and it takes at least 20 minutes for an antivirus solution to detect something it has never encountered before.” This delay means that, for those 20 minutes, if you are relying solely on an antivirus, you will not be protected.
So how do companies defend themselves against such attacks?
“It is important to not open attachments that are unsolicited, to not visit malicious websites and to make sure you have a backup,” Voisin said.
For Paula Januszkiewicz, a cybersecurity expert who has previously worked with Microsoft, Hewlett Packard and Orange, the biggest concern is how “ransomware is changing its tactics”.
“PowerShell can be used to encrypt data, which is the goal of ransomware — to scramble your data so it is useless to you, until you pay the attacker to release it.” Ultimately, according to Januszkiewicz, this is something that companies need to get better at defending themselves against.