Serbian hacker arrested: Dark Overlord
Serbian authorities yesterday announced the arrest of a Belgrade man for his alleged affiliation with The Dark Overlord, a malicious cyber threat actor known for extorting U.S. schools, hospitals and entertainment companies, often after stealing their data or content.
A press release published by Serbia's Ministry of Internal Affairs (MUP) refers to the suspect only by the initials "S.S.," but suggests that the individual may just be one individual in a much larger criminal network.
"The aim of the campaign was to uncover a large number of people who, using the name 'The Dark Overlord' on the internet, have been [gaining] unauthorized access to computer networks and data of at least 50 victims since June 2016, and have been [stealing] U.S. citizen information and personal data, including data on ownership and intellectual property, sensitive data on health insurance, treatment, and others," reads an English-translated version of the release.
Healthcare providers -- not hackers -- leak more of your data
Your personal identity may be at the mercy of sophisticated hackers on many websites, but when it comes to health data breaches, hospitals, doctors' offices and even insurance companies are often the culprits.
New research from Michigan State University and Johns Hopkins University found that more than half of recent personal health information (PHI) data breaches were caused by internal issues at medical providers, not by hackers or external parties.
"There's no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors - but rather by internal negligence," said John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU's Eli Broad College of Business.
The research, published in JAMA Internal Medicine, follows a joint 2017 study that showed the magnitude of hospital data breaches in the United States. That research revealed nearly 1,800 large breaches of patient information over seven years, with 33 hospitals experiencing more than one substantial breach.
For this paper, Jiang and co-author Ge Bai, associate professor at the Johns Hopkins Carey Business School, dug deeper to identify the triggers of PHI data breaches. They reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients.
"Every time a hospital has some sort of a data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause," Jiang, the Plante Moran Faculty Fellow, said. "These causes fell into six categories: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or 'other.'"
After reviewing detailed reports, assessing notes and reclassifying cases with specific benchmarks, Jiang and Bai found that 53 percent were the result of internal factors in healthcare entities.
"One quarter of all the cases were caused by unauthorized access or disclosure - more than twice the amount that were caused by external hackers," Jiang said. "This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content."
While some of the errors seem to be common sense, Jiang said that the big mistakes can lead to even bigger accidents and that seemingly innocuous errors can compromise patients' personal data.
"Hospitals, doctors offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk," Jiang said.
Of the external breaches, theft accounted for 33 percent with hacking credited for just 12 percent.
While some data breaches might have minor consequences, such as exposing patients' phone numbers, others can have much more invasive effects. For example, when Anthem, Inc. suffered a data breach in 2015, 37.5 million records were compromised. Many of the victims were not notified immediately, so they weren't aware of the situation until they went to file their taxes, only to discover that a third party had already filed fraudulent returns using the data obtained from Anthem.
While tight software and hardware security can protect from theft and hackers, Jiang and Bai suggest health care providers adopt internal policies and procedures that can tighten processes and prevent internal parties from leaking PHI by following a set of simple protocols. The procedures to mitigate PHI breaches related to storage include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for patient-protected information and implementing encryption. Procedures related to PHI communication include mandatory verification of mailing recipients, following a "copy vs. blind copy" protocol (bcc vs cc) as well as encryption of content.
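The two communication protocols the authors recommend (a "copy vs. blind copy" rule and encryption of content) can be enforced at a mail gateway before a message leaves. The following is an added example, not code from the article or the researchers; the internal domain, the sample message and the line format are constructed for illustration, and encryption is inferred from the S/MIME and PGP/MIME content types.

```python
import email
from email import policy
from email.utils import getaddresses

# Assumed (not from the article): the covered entity's own mail domains.
INTERNAL_DOMAINS = {"example-clinic.test"}
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}  # PGP/MIME, S/MIME

# Constructed sample: a staffer mails two patients with both addresses visible in Cc,
# and the content is plain text rather than S/MIME or PGP/MIME.
SAMPLE_MESSAGE = """\
From: nurse@example-clinic.test
To: patient.one@example.net
Cc: patient.two@example.org, billing@example-clinic.test
Subject: Your lab results
Content-Type: text/plain; charset="utf-8"

Your results are attached.
"""


def external_recipients(msg, internal_domains=INTERNAL_DOMAINS):
    """Addresses in the visible To/Cc headers whose domain is not one of ours."""
    raw = []
    for header in ("To", "Cc"):
        raw.extend(msg.get_all(header, []))
    result = []
    for _name, addr in getaddresses(raw):
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in internal_domains:
            result.append(addr.lower())
    return result


def check_phi_message(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Return policy findings; an empty list means the message passes both rules."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    visible = external_recipients(msg, internal_domains)
    # Rule 1 (cc vs bcc): two or more outside parties who can see each other is a disclosure.
    if len(visible) > 1:
        findings.append("bcc-required: %d external recipients visible in To/Cc" % len(visible))
    # Rule 2 (content encryption): anything not S/MIME or PGP/MIME wrapped leaves in the clear.
    if msg.get_content_type() not in ENCRYPTED_TYPES:
        findings.append("unencrypted: content type is %s" % msg.get_content_type())
    return findings
```

Running `check_phi_message(SAMPLE_MESSAGE)` yields two findings; moving the patients to Bcc and wrapping the body in PGP/MIME or S/MIME yields none.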
"Not putting on the whole armor opened health care entities to enemy's attacks," Bai said. "The good news is that the armor is not hard to put on if simple protocols are followed."
Next, Jiang and Bai plan to look even more closely at the kind of data that is hacked from external sources to learn what exactly digital thieves hope to steal from patient data.
Michigan State University has been working to advance the common good in uncommon ways for 160 years. One of the top research universities in the world, MSU focuses its vast resources on creating solutions to some of the world's most pressing challenges, while providing life-changing opportunities to a diverse and inclusive academic community through more than 200 programs of study in 17 degree-granting colleges.
10 Threats Lurking on the Dark Web
1. Doxing of VIPs
Dox: search for and publish private or identifying information about (a particular individual) on the Internet, typically with malicious intent. Dark Web and clear-web sites like Pastebin are a dumping ground for personal, financial and technical information posted with malicious intent. While people generally know their personal information could end up on the Dark Web, they don't always understand the full implications. Threat actors can aggregate a lot of open-source information and use it to humiliate their targets. The lesson for everyone: be careful what you share on social media, because it can be used against you.
2. Payment Card Information for Sale
A robust economy exists for primary account numbers (PANs), bank identification numbers (BINs) and general payment card data on the Dark Web, where sellers update markets with new cards regularly – and sometimes daily. This has become an ongoing concern for retailers and any company that accepts credit cards. Today more companies are using automated tools so they can spot payment card fraud earlier in the process.
3. Guides for Opening Fraudulent Accounts
The Dark Web offers guides for sale containing detailed, step-by-step instructions on how to exploit or defraud an organization. There are entire online courses and even one-on-one tutorials available on how to become a cybercriminal, including how to launch a ransomware attack and how to create malware. The appearance of the guide has a dual impact: Fraudsters learn how to take advantage of an organization's systems and processes, and the criminals' attention becomes focused on the target company. Keep in mind that the fraudsters use freelancers the same way legitimate companies hire contractors. They also have access to automation and analytics tools.
4. W2s and Tax-Fraud Documents
Before tax season each year, there's a rush of activity on the Dark Web by fraudsters who have gathered compromised identity information to file fraudulent tax returns before the legitimate taxpayer can. These tax frauds are enabled by the sale of W2s and other tax fraud-specific documents, which can be tied back to the employers where those documents came from originally.
5. Employee User Name and Password Data
The Dark Web contains millions of plain-text user names and passwords stolen in various breaches. Just because your company may not have directly suffered a breach doesn't mean that employee user names and passwords are not being sold on the Dark Web, some of which can be leveraged to access databases and other organizational systems or assets. Because many users don't manage their passwords properly, reuse of user names and passwords remains quite prevalent. This means credentials stolen in a breach of one organization could very well work for other organizations or sites as well, which can greatly expand the impact of the initial breach and put your organization at risk.
6. DDoS-for-Hire Services
In a DDoS (distributed denial-of-service attack) for hire, cybercriminals on the Dark Web rent out botnets to anyone wishing to use them to carry out distributed denial of service attacks against organizational websites for a small cost – sometimes as low as $5. While botnets are extremely hard to build without technical expertise, cybercriminals are making them readily available on the Dark Web. By harnessing the power of the growing number of vulnerable IoT devices to fire off data at specific Web targets, anyone on the Dark Web could use a botnet to drive a business completely offline until they decide to halt the attack – often leading to direct financial and customer loss, as well as a tarnished brand reputation because of unplanned downtime.
7. RDP Shops
The Remote Desktop Protocol (RDP) is a proprietary Microsoft solution that lets remote administrators access a PC – something wonderful for solving IT challenges, but potentially devastating in the wrong hands. The Dark Web contains dozens of shops selling access to compromised RDP systems, usually for very low prices, granting buyers remote access to hacked machines. Once criminals purchase access, they can obtain logins to a victim's computer system and essentially have full control. Criminals can use RDP as an entry point to launch ransomware attacks, send spam, create false security alerts, steal data, steal credentials, and even mine cryptocurrency.
It's also common practice for cybercriminals to try and crack RDP system logins by brute-forcing them with a password list. Even more frightening, RDP shops on the Dark Web are growing in size and abundance.
8. Supply Chain Threats
Companies should be aware of anything that concerns organizations in their supply chain. Know your suppliers and the organizations you interact with, and be very aware when something related to them shows up on the Dark Web, because a breach at one of them can have a significant impact on your own business continuity. Be sure to check the Dark Web regularly for any chatter involving any of your leading suppliers or business partners.
9. Insider Access Scams
Companies should be on the lookout for insiders selling access to their accounts and databases on the Dark Web. Banks and technology companies are especially susceptible to this kind of fraud. The bad actors tend to be guarded in naming a company. They might say something like, "I have access to a large technology company," rather than name a company specifically.
10. Credential-Stuffing Tools
Credential-stuffing tools are pieces of software available on the Dark Web that let criminals load in stolen credentials that had been previously exposed there and then launch an attack. A criminal can use a credential-stuffing tool to gain access to popular websites, such as Amazon or eBay. Once they have access, they can cause major damage – anything from launching a ransomware attack to stealing databases and source code.
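Items 5, 7 and 10 describe two login-abuse patterns that look different in authentication logs: RDP brute-forcing hammers one account with many passwords from one source, while credential stuffing tries many accounts from one source, roughly once each, since every leaked pair is tried only once. The following is an added example, not code from the article; the log line format, the sample lines and the thresholds are constructed for illustration, and a real deployment would map the regex onto its own log source.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article); the line format is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02 src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:03 src=203.0.113.7 user=carol result=OK
2024-05-01T10:00:04 src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:01:00 src=198.51.100.9 user=administrator result=FAIL
2024-05-01T10:01:01 src=198.51.100.9 user=administrator result=FAIL
2024-05-01T10:01:02 src=198.51.100.9 user=administrator result=FAIL
2024-05-01T10:01:03 src=198.51.100.9 user=administrator result=FAIL
2024-05-01T10:02:00 src=192.0.2.44 user=grace result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")
MIN_ATTEMPTS = 4       # sources below this volume are left alone (assumed threshold)
STUFFING_RATIO = 0.8   # distinct users / attempts near 1.0: one try per leaked credential pair


def summarize(lines):
    """Per source IP: attempt count, distinct usernames, and usernames that got a success."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "ok_users": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            s = per_src[m["src"]]
            s["attempts"] += 1
            s["users"].add(m["user"])
            if m["result"] == "OK":
                s["ok_users"].add(m["user"])
    return per_src


def classify(lines, min_attempts=MIN_ATTEMPTS, stuffing_ratio=STUFFING_RATIO):
    """Label each source: brute-force, credential-stuffing, suspicious or normal."""
    verdicts = {}
    for src, s in summarize(lines).items():
        users = len(s["users"])
        if s["attempts"] < min_attempts:
            label = "normal"
        elif users == 1:
            label = "brute-force"            # one account, many passwords
        elif users / s["attempts"] >= stuffing_ratio:
            label = "credential-stuffing"    # many accounts, about one try each
        else:
            label = "suspicious"
        verdicts[src] = {"label": label, "attempts": s["attempts"],
                         "distinct_users": users, "successes": sorted(s["ok_users"])}
    return verdicts
```

The `successes` list is the actionable part: an account that authenticated successfully inside a stuffing burst is the one whose reused password has been exposed elsewhere and should be reset first.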