Inside the Massive Crime Industry That's Hacking Billion-Dollar Companies (wired.com)

Cybercriminals have breached dozens of major companies including AT&T, Ticketmaster and Hot Topic by exploiting "infostealer" malware that harvests login credentials from infected computers, an investigation has found. The malware, spread through pirated software and social media, has infected 250,000 new devices daily, according to cybersecurity firm Recorded Future. Russian developers create the malware while contractors distribute it globally, deliberately avoiding former Soviet states. Hot Topic suffered potentially the largest retail hack ever in October when attackers accessed 350 million customer records using stolen developer credentials. Google and Microsoft are racing to patch vulnerabilities, but malware makers quickly adapt to new security measures.
  • MFA (Score:5, Informative)

    by nuckfuts ( 690967 ) on Monday November 04, 2024 @02:11PM (#64919089)

    malware that harvests login credentials from infected computers

    This is why multi-factor authentication is a must these days. Even with stolen credentials, you can prevent unauthorized logins to your account.

    I used Duo [duo.com] for things like VPN connections, RDP logins, and web applications. It's free for up to 10 users.

    • You used a third party service to do MFA so you could add an additional party into your security situation who could get compromised and lead to compromise of your resources? Great plan there, sport.

      • You used a third party service to do MFA so you could add an additional party into your security situation who could get compromised and lead to compromise of your resources? Great plan there, sport.

        Feel free to describe your better solution to stolen credentials.

        • Feel free to describe your better solution to stolen credentials.

          Do your own MFA that doesn't depend on some fly by night free service that owes you nothing and has no responsibility for your security.

          • Re:MFA (Score:4, Informative)

            by nuckfuts ( 690967 ) on Monday November 04, 2024 @03:02PM (#64919259)

            Feel free to describe your better solution to stolen credentials.

            Do your own MFA that doesn't depend on some fly by night free service that owes you nothing and has no responsibility for your security.

            You are talking out of your ass. Duo Security is hardly a "fly by night free service". They are a subsidiary of Cisco, with over 25,000 customers in over 100 countries. Ya, I'm sure your home-rolled multi-platform MFA solution is way more secure.

            • Feel free to describe your better solution to stolen credentials.

              Do your own MFA that doesn't depend on some fly by night free service that owes you nothing and has no responsibility for your security.

              You are talking out of your ass. Duo Security is hardly a "fly by night free service". They are a subsidiary of Cisco, with over 25,000 customers in over 100 countries. Ya, I'm sure your home-rolled multi-platform MFA solution is way more secure.

              Would someone stop this shit? This is ridiculous. Duo probably sucks. You shouldn't use a service that someone named "nuckfuts" stealthily advertises on a free message board.

              • Would someone stop this shit? This is ridiculous. Duo probably sucks.

                You know what's ridiculous? People making pronouncements about things that they obviously know nothing about.

                You shouldn't use a service that someone named "nuckfuts" stealthily advertises on a free message board.

                Coming from a guy named "ihavesaxwithcollies".

                Furthermore, there was nothing "stealthy" about my comments, and I was not advertising it. I was recommending a service based on my own experience with it. And FWIW, my experience includes over 30 years as a Systems Administrator and security specialist.

                • You know what, you're right. There was nothing stealthy about it. You are posting an advertisement for a shitty service on here.

                  Coming from a guy named "ihavesaxwithcollies".

                  Dumbass, I'm not the one selling shit on a free message board. No one cares what my name is.
                  I don't care if you're the pope of chili town. Talk is cheap and you're a disgusting shill.

                  • You know what, you're right. There was nothing stealthy about it. You are posting an advertisement for a shitty service on here.

                    Not an advertisement. An endorsement. And not a shitty service, hence the endorsement. If you have no interest in recommendations from people who have actually used a product, feel free to ignore.

                    Dumbass, I'm not the one selling shit on a free message board.

                    Again. not selling anything.

                    No one cares what my name is.

                    Yet you started out with a criticism of my name.

                    Talk is cheap

                    As you so aptly demonstrate.

                    • Nuckfuts is ahead by 3 points, as I score it so far. More popcorn, please.

                      Of course, there IS the possibility that these two people aren't even people, but rather bots created by slashdot. Still it's a good show. There's also the possibility of one or both of these accounts being compromised and being used by illegal actors, because slashdot doesn't use 2-factor authentication to login.

                    • Nuckfuts is ahead by 3 points, as I score it so far. More popcorn, please.

                      Of course, there IS the possibility that these two people aren't even people, but rather bots created by slashdot. Still it's a good show.

                      Glad you're enjoying the show. I would normally have given up by now, but we can't always let stupidity win.

                      There's also the possibility of one or both of these accounts being compromised and being used by illegal actors, because slashdot doesn't use 2-factor authentication to login.

                      That is possible, since I only use MFA for things I care about.

              • Seriously - if you aren't familiar with Duo, then you probably don't actually work in tech.

                • Duo is one, but there's 2 others:

                  1) Microsoft Authenticator
                  2) Google Authenticator

                  Maybe some local chode-snake can correct me.

                  • Yup, and those are both TOTP (at least I know Google is and I'm pretty sure MS is) - so you can use a generic replacement instead.

                    I actually prefer TOTP because it's a standard, although my work uses Duo.

            • Oh, it's part of Cisco, the back door guys? Well that certainly makes it better.

              Wait no, that means you should have your head examined.

              • Oh, it's part of Cisco, the back door guys? Well that certainly makes it better.

                Wait no, that means you should have your head examined.

                My endorsement was of Duo, not Cisco. They built their reputation for 8 years before being acquired by Cisco. Are you suggesting their products immediately became insecure after acquisition? Feel free to reference any evidence for your assertion.

                Also, know your threats. When I deploy MFA for Remote Desktop connections, I'm not trying to thwart the capabilities of the NSA. I'm trying to thwart Russian ransomware gangs for the most part. If they have access to backdoors, then I guess I'm fucked. There will al

            • They are a subsidiary of Cisco, with over 25,000 customers in over 100 countries. Ya, I'm sure your home-rolled multi-platform MFA solution is way more secure.

              More secure than Cisco? Are you trying to say, with a straight face, that Cisco is secure? Cisco doesn't [arstechnica.com] believe in passwords [cisco.com].

              So from your recommendation, I would say avoid Duo Security for anything that matters. Oh, whoops [nist.gov].

              • I would say avoid Duo Security for anything that matters. Oh, whoops [nist.gov].

                Well, congratulations. You know how to Google for security vulnerabilities. However, did you bother to read the details?

                At the time of publication, this vulnerability affected the following Cisco Duo products if they had the offline access feature enabled:

                Duo Two-Factor Authentication for macOS
                Duo Authentication for Windows Logon and RDP

                Offline access, when enabled and configured, allows secure local logons to the macOS or Windows systems even when those systems are unable to contact the Duo cloud service.

                This means that if you had enabled "offline access", an attacker working from the console of your machine could log on with just a user name and password.

                The option for "offline access" exists because some System Administrators may not want to be locked out of the console on their own server because their Internet service happens to be down.

                If you deem this too risky, then don't enable "of

                • Well, congratulations. You know how to Google for security vulnerabilities.

                  Apparently you don't, otherwise you wouldn't say Cisco is secure.

                  • Well, congratulations. You know how to Google for security vulnerabilities.

                    Apparently you don't, otherwise you wouldn't say Cisco is secure.

                    At no point in this entire discourse did I assert that "Cisco is secure". If you want to disagree with something I wrote, feel free, but stop trying to put words in my mouth.

                    • Here you said that Cisco/Duo is more secure than a home-rolled solution [slashdot.org]. That is false.

                      Maybe Cisco is more secure than YOUR home-rolled solution, but you wouldn't recognize security if it hit you in the head.
                    • you wouldn't recognize security if it hit you in the head.

                      See this is why you're stupid. Need I explain? Yeah, of course I do, because you're stupid.
                      Hey, my guy, if something hits you in the head, it's NOT secure. So no one can recognize security by it hitting them in the head.

                    • Here you said that Cisco/Duo is more secure than a home-rolled solution [slashdot.org]. That is false. Maybe Cisco is more secure than YOUR home-rolled solution, but you wouldn't recognize security if it hit you in the head.

                      I did not say Cisco was more secure than your home-rolled solution. I said that Duo was. There is a difference between discussing one product and making a blanket statement about an entire company.

                      According to your logic, Duo's product became instantly insecure when Cisco acquired their company 6 years ago. Any moment now reports should start flooding in about how so many of their 25,000 customers are getting hacked.

                      Also, do tell me more about your home-rolled solution that's more secure.

                    • Nah I already linked to multiple vulns by these two groups. If you think they are secure, then you haven't actually looked at the available data, even after I linked to some of it.

                      And yes, I do think you are ignorant.
      • Uh, yea, that's how enterprise identity management/authentication kind of works
        • Kind of works is correct.

          Ask yourself, what does Google do when they want to do MFA? The answer isn't call someone else.

          • One of the richest tech companies in the world who markets their own IdP uses their own product? Wow. I'm so surprised.
  • Yes, the country that needs washing machine CPUs is a cyberglobal cybersecurity cyberthreat, cyberinvestigators cyberreport.
    Cyber!

    • 50000BTU_barbecue writes:

      Yes, the country that needs washing machine CPUs ...

      I detest the servo mechanisms in car vent actuators that replace a stiff wire. A $270 electronic device that breaks every 2 years is not an improvement over a $0.35 wire that lasts for (not kidding, did a 1934 Cord) 90 years with zero issues.

      Tech for the sake of Tech is just stupid.

    • On the one hand, those reports were ginned up, based on rumors at best and clearly intended to valorize the Ukraine war as easily won against incompetent and incapable opponents, and demonstrate that American media cannot be trusted to discuss foreign nations, especially hostile ones, accurately.

      On the other hand, Russia absolutely is safe harbor for "hackers", due in no small part to the US overplaying its hand with sanctions, and Russia no longer even pretending to give a shit what people within t

    • The smaller the CPU is the more skill the programmer needs.

  • Only state sponsored actors have the resources to hack billion-dollar corporations. Think China, Russia, N Korea, Iran and the like. IMHO
    • by radicimo ( 33693 )

      Having spent time in the cybersecurity trenches, I disagree with your thesis. A reasonably endowed criminal gang could assemble a team of the caliber needed to *successfully* hack billion dollar corporations. Does state-sponsored hacking happen? Yes, it does, but with the exception of China (and perhaps Iran) not in the way you think it does. Maybe Russia does now, but in the past the government just turned a blind eye to hacking as long as it didn't target organizations inside the borders. North Korea and r

      • by ebh ( 116526 )

        You're so right about executives. Not only are they worried about this quarter's results above all else, they tend to be nontechnical, sometimes even the CTO. Unless they're smart (and humble) enough to listen to the people they hired to actually know and do this stuff, they're always going to be vulnerable to one-size-fits-all-and-cures-all "solutions" sold using slide decks full of buzzwords like "zero trust". (Yet the company is supposed to put 100% trust in the vendor!)

        • by radicimo ( 33693 )

          I'm glad someone here gets it. You must be Gen X like me. When I was younger, I was a lot more naive about root causes of these problems. After years of observation, I am just cynical ... but not naive. I'm proud of my accomplishments, and my former manager tells me that my security architecture still has not been hacked to this day. So I know it can be done.

          You nailed the other reason I exited cybersecurity. The vendors selling snake oil and silver bullet solutions for millions of dollars. My life is to

    • calarndt writes:

      Only state sponsored actors have the resources to hack billion-dollar corporations.

      Remember that (vital infrastructure system) was found to expose internal SCADA controls to the internet using OEM default passwords. (Large cloud actor) had an internal compromise to their Active Directory system for over 8 years before they figured it out and it was a group of crooks.

      Remember, an attacker can attempt millions and millions of times and fail for one success as there are no consequences for the most part. While state actors are a threat, they are not the only one, nor the mos

  • Companies also have to do their own work to make sure that an intrusion is contained.

    Multinational corporations depend too much on a single site managing their entire worldwide network. Those that work there are often underpaid greenhorns too.

    Add to it that they are now handing over the entire user database into the hands of Microsoft. (Hello there). They are also throwing in many business applications into Azure, so now M$ holds them by the balls.

    Meanwhile VMware is now in control of local servers with tim

    • Not just contained, but detected early, before they do enough damage that containment includes reputational damage mitigation. Canaries are great for this.
  • In post-Soviet Russia, stealing from sanctioned Western commerce is an excellent gig with commissions and bonus pay as well as exemption from serving in the infantry. The more Russia antagonizes the west, the better their business plan goes: their people can blame the west for hardships, while the oligarchs laugh all the way to the bank. It's much simpler to negotiate terms when you refuse to play by anyone else's rules.

  • ...this highly profitable & low-risk extortion, the worse this problem will get. The ransom money is paying for their R&D to get even better at gaining control of other people's computers. This is what "freedom" looks like in the real world.
  • He also pointed specifically to Microsoft Windows. “When you compare Windows with, say, Android, or with ChromeOS, or even macOS, those platforms have this strong application isolation.” Meaning, that malware has a harder time stealing data from other parts of the system. “We noticed on Windows, which was obviously a major platform for us, that these protections didn’t exist.”
