News

Slider Revolution is a widely used premium WordPress plugin with over 9 million active users

Researchers from Zscaler ThreatLabz observed an uptick in the TeaBot Andoird banking Trojan, also known as Anatsa

Rapid7 warned that users of Justice AV Solutions (JAVS) Viewer v8.3.7 recording software are at high risk of stolen credentials and having malware installed

Get ready for Infosecurity Europe 2024 with these top five picks from Infosecurity Magazine to help you plan your visit

With most cyber-attacks still involving a non-malicious human element, it is clear that awareness training alone is insufficient, this is where human risk management comes into play

Every Child Online, a UK charity, tackles the digital divide and potential cybersecurity skills gap by offering free refurbished IT equipment to underprivileged children

585 IT/cybersecurity leaders working in manufacturing and production share their experiences, revealing new insights and five-year trends.

Quantum computers are probably coming, though we don’t know when—and when they arrive, they will, most likely, be able to break our standard public-key cryptography algorithms. In anticipation of this possibility, cryptographers have been working on quantum-resistant public-key algorithms. The National Institute for Standards and Technology (NIST) has been hosting a competition since 2017, and there already are several proposed standards. Most of these are based on lattice problems.

The mathematics of lattice cryptography revolve around combining sets of vectors—that’s the lattice—in a multi-dimensional space. These lattices are filled with multi-dimensional periodicities. The hard problem that’s used in cryptography is to find the shortest periodicity in a large, random-looking lattice. This can be turned into a public-key cryptosystem in a variety of different ways. Research has been ongoing since 1996, and there has been some really great work since then—including many practical public-key algorithms.

On April 10, Yilei Chen from Tsinghua University in Beijing posted a paper describing a new quantum attack on that shortest-path lattice problem. It’s a very dense mathematical paper—63 pages long—and my guess is that only a few cryptographers are able to understand all of its details. (I was not one of them.) But the conclusion was pretty devastating, breaking essentially all of the lattice-based fully homomorphic encryption schemes and coming significantly closer to attacks against the recently proposed (and NIST-approved) lattice key-exchange and signature schemes.

However, there was a small but critical mistake in the paper, on the bottom of page 37. It was independently discovered by Hongxun Wu from Berkeley and Thomas Vidick from the Weizmann Institute in Israel eight days later. The attack algorithm in its current form doesn’t work.

This was discussed last week at the Cryptographers’ Panel at the RSA Conference. Adi Shamir, the “S” in RSA and a 2002 recipient of ACM’s A.M. Turing award, described the result as psychologically significant because it shows that there is still a lot to be discovered about quantum cryptanalysis of lattice-based algorithms. Craig Gentry—inventor of the first fully homomorphic encryption scheme using lattices—was less impressed, basically saying that a nonworking attack doesn’t change anything.

I tend to agree with Shamir. There have been decades of unsuccessful research into breaking lattice-based systems with classical computers; there has been much less research into quantum cryptanalysis. While Chen’s work doesn’t provide a new security bound, it illustrates that there are significant, unexplored research areas in the construction of efficient quantum attacks on lattice-based cryptosystems. These lattices are periodic structures with some hidden periodicities. Finding a different (one-dimensional) hidden periodicity is exactly what enabled Peter Shor to break the RSA algorithm in polynomial time on a quantum computer. There are certainly more results to be discovered. This is the kind of paper that galvanizes research, and I am excited to see what the next couple of years of research will bring.

To be fair, there are lots of difficulties in making any quantum attack work—even in theory.

Breaking lattice-based cryptography with a quantum computer seems to require orders of magnitude more qubits than breaking RSA, because the key size is much larger and processing it requires more quantum storage. Consequently, testing an algorithm like Chen’s is completely infeasible with current technology. However, the error was mathematical in nature and did not require any experimentation. Chen’s algorithm consisted of nine different steps; the first eight prepared a particular quantum state, and the ninth step was supposed to exploit it. The mistake was in step nine; Chen believed that his wave function was periodic when in fact it was not.

Should NIST be doing anything differently now in its post–quantum cryptography standardization process? The answer is no. They are doing a great job in selecting new algorithms and should not delay anything because of this new research. And users of cryptography should not delay in implementing the new NIST algorithms.

But imagine how different this essay would be were that mistake not yet discovered? If anything, this work emphasizes the need for systems to be crypto-agile: to be able to easily swap algorithms in and out as research continues. And for using hybrid cryptography—multiple algorithms where the security rests on the strongest—where possible, as in TLS.

And—one last point—hooray for peer review. A researcher proposed a new result, and reviewers quickly found a fatal flaw in the work. Efforts to repair the flaw are ongoing. We complain about peer review a lot, but here it worked exactly the way it was supposed to.

This essay originally appeared in Communications of the ACM.

As Americans make their travel plans, scammers lie in wait. We’ve uncovered the top ten “riskiest” destinations for travel scams — places that turn up the most unsafe results when you look them up online.

That list features prominently in this year’s Safer Summer Holidays’ Travel Report, which also reveals some striking survey findings.

Before we get to our top ten list, a little context helps put it into perspective. Based on our survey, more than 25% of Americans have been affected by travel scams. These take several forms, and generally, they involve some mix of phony booking sites, bogus rental listings, and travel experiences that never materialize. Other tricks like phishing emails and messages round out the mix.

That stat stands as words to the wise as most people said they’re gearing up for travel. A good 85% of Americans said they’re hitting the road this year. Moreover, 45% of them said they plan on spending more on travel this year than last.

No doubt about it, vacationers and trip-takers should keep a sharp eye out for travel scams this year.

Here’s what travel scams look like today.

With those forms of travel scams in mind, this year’s survey of travelers revealed several striking stats.

Whether it happened this year or in years prior, these scams included:

• Providing their credit or bank card details on a fake site, which a scammer then used to make fraudulent payments (15%).
• Clicking on a link from an unknown source that was a scam or malicious (10%).
• Encountering manipulated photos of their holiday destination (8%).

Another 28% said they got hit with a scam when they arrived at their destination. Here’s what these scams looked like for travelers:

• 13% said they paid a deposit on accommodations that turned out not to exist or that had no record of their registration.
• 10% said they paid for an event or excursion where the provider never showed up.
• 9% said they put money down on an excursion which turned out completely unlike what was marketed.

The cost of travel scams.

How did all these scams add up? In all, we found that 32% of victims said they lost between $501-1000 in a single scam. Another 24% of victims said they lost $1,000 or more on a travel scam. Only a relatively small percentage of people said they lost nothing. Just 15%, a figure that shows just how successful travel scams can be.

This falls right in line with reports from the Federal Trade Commission (FTC). As published in their 2023 Data Book, more than 55,000 Americans reported a travel scam. The median loss — nearly $1,200 per case.[i] As always with FTC statistics, they only documented reported cases of fraud. The number of actual scams more than likely climbs higher than that.

The top ten riskiest online destinations for Americans when searching for travel.

Like the many other scams people come across online, several travel scams rely on sketchy links and sites. With that, further research helped us uncover which travel destinations have the highest amounts of sketchy links that turn up in search.

Using travel-related keywords like “discount,” “Airbnb,” “local cuisine,” and “tours,” we then paired them with a list of destinations. From that pairing, the following destinations returned more sketchy links than all others:

1. Berlin, Germany
2. Cyprus
3. London, England
4. Paris, France
5. Rio de Janeiro, Brazil
6. Bali, Indonesia
7. Azores, Portugal
8. Amalfi Coast, Italy
9. Bermuda
10. Machu Picchu, Peru

Booking any online travel calls for scrutiny and care. However, apparently scammers favor these destinations over others when targeting American travelers.

How to avoid falling for travel scams.

Trust a trusted platform.

That’s your best place to start. Book your vacation rental through a reputable outlet. Vacation rental platforms like Airbnb and VRBO have policies and processes in place that protect renters from scammers. The same goes for booking other travel needs above and beyond renting. Travel platforms such as Expedia, Priceline, Orbitz, and others have their own protections in place.

From there, you have several other ways you can avoid booking scams …

Look for signs of rental scams.

Do a reverse image search on the photos used in the property’s listing and see what comes up. It might be a piece of stock photography designed to trick you into thinking it was taken at an actual property for rent. (Scammers sometimes highjack photos of actual properties not for rent too. Some now use AI-generated images as well.) Also, read the reviews for the property. Listings with no reviews are a red flag.

Only communicate and pay on the platform.

The moment a host asks to communicate outside of the platform is another red flag. Scammers will try to lure you off the platform where they can request payment in forms that are difficult to recover or trace after you realize you’ve been scammed.

Moreover, paying for your rental outside the platform might also go against the terms of service, as in the case of Airbnb. Or, as with VRBO, paying outside the platform voids their “Book with Confidence Guarantee,” which offers you certain protections. Use the platform to pay and use a credit card when you do. In the U.S., the Fair Credit Billing Act allows you to dispute charges. Additionally, some credit cards offer their own anti-fraud protections that can help you dispute a billing.

Never pay with cryptocurrency, wire transfers, or gift cards.

If someone asks you to pay for your trip one of these ways. It’s a scam. Travel scammers prefer these payment methods because they’re exceptionally tough to track. Once that money gets sent, it’s likely exceptionally tough to get back.

Keep an eye out for phishing attacks.

Scammers use phishing emails and messages to trick travelers into revealing sensitive info or downloading malware onto their devices. As you book, look for unsolicited messages claiming to be from airlines, hotels, or financial institutions. Particularly if they ask for personal info or prompt you to click on suspicious links. When in question, contact the sender directly using official contact info from their official website.

Also, look into McAfee Scam Protection, included with our McAfee+ plans. It blocks links to scam sites that crop up in emails, messages, and texts. AI technology automatically scans the links and alerts you if it might send you to a scam site.

Let your bank and credit card companies know you’re traveling.

Give your bank and credit card companies a call before you head out. They have anti-fraud measures in place that look for unusual activity, such as when your card is used in a location other than somewhere relatively near your home. This can trigger a freeze, which can put you in a lurch if you’re looking to withdraw cash or make a payment. Contacting your bank and credit card companies before you travel can help prevent this.

Have an easy way to keep tabs on your accounts and credit.

Fraud can happen at any time, even when you’re out of town. A couple of things can help you nip it quickly before it takes a big bite out of your credit card or bank accounts. Transaction monitoring notifies you of any questionable activity in your credit cards or bank accounts. It can further alert you to any other questionable activity in your 401(k) plans, investments, and loans.

So, say that your debit card info got skimmed in a sketchy ATM or point-of-sale machine — you’ll get an alert if thieves try to make a purchase with it. From there, you can contact your bank and take the extra step of putting a security freeze in place to prevent further fraud. You can security freeze and transaction monitoring features in our McAfee+ plans as well.

Protect your identity.

Before you hop on a plane, train, or automobile, consider investing in identity protection. This way, you can head off any issues that might crop up when you should be enjoying yourself. For example, imagine losing your wallet. Immediately, a dark cloud of “what ifs” rolls in. What if someone’s running up charges on your cards? What if someone used your ID or insurance cards to impersonate you online? Not a great feeling any time, especially on vacation.

With identity theft coverage and restoration in place, you can recoup your losses and restore your identity if a thief damaged it in any way. Ours provides up to $2 million in coverage, along with lost wallet protection that cancels and replaces lost cards with little effort from you.

Top 10 ‘Riskiest’ Online Destinations Overview and Methodology

The research was conducted by McAfee Labs researchers between March 11th – 29th 2024, utilizing McAfee WebAdvisor to find risky URLs related to a range of popular holiday destinations. This includes web pages delivering malware threats, phishing, or scam content. Researchers queried country-specific search engines from the matching locations with a variety of holiday destination terms and calculated the percentage of risky URLs returned within the search results. The final result of “riskiest” online destinations means the cities and countries that are popular search subjects and therefore key targets for cybercriminals when creating phishing and other online scams.

[i] https://www.ftc.gov/system/files/ftc_gov/pdf/CSN-Annual-Data-Book-2023.pdf

 

The post The Top 10 Riskiest Online Destinations Revealed appeared first on McAfee Blog.

The U.S. Department of the Treasury today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one’s Web traffic through malware-infected computers around the globe. KrebsOnSecurity identified one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed ten days later.

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as “proxies” that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States.

911 built its proxy network mainly by offering “free” virtual private networking (VPN) services. 911’s VPN performed largely as advertised for the user — allowing them to surf the web anonymously — but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers.

911 S5’s reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available. That included paying affiliates to distribute their proxy software by secretly bundling it with other software.

That story named Yunhe Wang from Beijing as the apparent owner or manager of the 911 S5 proxy service. In today’s Treasury action, Mr. Wang was named as the primary administrator of the botnet that powered 911 S5.

“A review of records from network infrastructure service providers known to be utilized by 911 S5 and two Virtual Private Networks (VPNs) specific to the botnet operation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber to those providers’ services,” reads the Treasury announcement.

The sanctions say Jingping Liu was Yunhe Wang’s co-conspirator in the laundering of criminally derived proceeds generated from 911 S5, mainly virtual currency. The government alleges the virtual currencies paid by 911 S5 users were converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Liu.

“Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang,” the document continues. “These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats.”

The third man sanctioned is Yanni Zheng, a Chinese national the U.S. Treasury says acted as an attorney for Wang and his firm — Spicy Code Company Limited — and helped to launder proceeds from the business into real estate holdings. Spicy Code Company was also sanctioned, as well as Wang-controlled properties Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

Ten days after the July 2022 story here on 911 S5, the proxy network abruptly closed up shop, citing a data breach that destroyed key components of its business operations.

In the months that followed, however, 911 S5 would resurrect itself under a different name: Cloud Router. That’s according to spur.us, a U.S.-based startup that tracks proxy and VPN services. In February 2024, Spur published research showing the Cloud Router operators reused many of the same components from 911 S5, making it relatively simple to draw a connection between the two.

Spur found that Cloud Router was being powered by a new VPN service called PaladinVPN, which made it much more explicit to users that their Internet connections were going to be used to relay traffic for others. At the time, Spur found Cloud Router had more than 140,000 Internet addresses for rent.

Spur co-founder Riley Kilmer said Cloud Router appears to have suspended or ceased operations sometime this past weekend. Kilmer said the number of proxies advertised by the service had been trending downwards quite recently before the website suddenly went offline.

Cloud Router’s homepage is currently populated by a message from Cloudflare saying the site’s domain name servers are pointing to a “prohibited IP.”