Charlotte’s County Refuses to Pay Hackers $23,000

A new strain of ransomware called LockCrypt, possibly from from Iran or Ukraine, disables some government computers in Mecklenburg County, N.C. Officials will rebuild its files from backups.

Cyber criminals took a second swing at Mecklenburg County, N.C., government on Thursday after officials rejected a demand for money after a ransomware attack, the Charlotte Observer reports. The follow-up attempts to hold the county hostage over illegally encrypted data came just hours after County Manager Dena Diorio said she’d decided against paying a hacker ransom. Instead of agreeing to pay criminals, she said  the county will rebuild its system applications and restore files and data from backups.

As the county’s IT staff worked to recover from the first cyberattack, Diorio said, they discovered more attempts to compromise computers and data on Thursday. The county blocked employees from being able to open attachments generated by DropBox and Google Document. “The best advice for now is to limit your use of emails containing attachments, and try to conduct as much business as possible by phone or in person,” she said. The county learned of the problem this week after an employee opened a malicious “phishing” email and accessed an attached file that unleashed a widespread problem inside the county’s network of computers and information technology. Information was encrypted or locked, keeping employees at the county from accessing operating systems and files. The person or people responsible for the infiltration then demanded the county pay two bitcoins, or about $23,000, in exchange for a release of the locked data. The county refused to pay. Experts attributed the attack to a new strain of ransomware called LockCrypt originated from Iran or Ukraine.


Russian Cybercriminal Gets 14 Years in $50M Fraud Case

Roman Valeryevich Seleznev (alias “Track2,” “Bulba” and “Ncux”) was sentenced by federal judges in the Northern District of Georgia and in the District of Nevada for his role in an online marketplace that traded in identity theft and credit card fraud. He pled guilty to racketeering and conspiracy to commit bank fraud.

A Russian national was sentenced on Thursday for his role in an online marketplace that traded in identity theft and credit card fraud, costing its victims over $50 million in damages. Roman Valeryevich Seleznev (alias “Track2,” “Bulba” and “Ncux”) was sentenced by federal judges in the Northern District of Georgia and in the District of Nevada after pleading guilty to racketeering and conspiracy to commit bank fraud, according to a statement by the Department of Justice. He was ordered to pay a restitution of over $53 million.

Selznev admitted to being involved in an online criminal marketplace, which in his own admission, was an “Internet-based, international criminal enterprise whose members trafficked in compromised credit card account data and counterfeit identifications and committed identity theft, bank fraud, and computer crimes,” according to the DOJ. Selznev also ran his own automated website where he sold compromised credit card account data and counterfeit I.D.s. The website did so much business that customers could “search for the particular type of credit card information they wanted to buy, add the number of accounts they wished to purchase to their “shopping cart” and upon check out, download the purchased credit card information.” Payments were deducted from an account funded through L.R., an online digital currency payment system. Last year, Selznev was sentenced to 27 years for his role in a scheme to “hack into point-of-sale computers to steal and sell credit card numbers to the criminal underworld.”


FBI Fails to Notify Targets of Russian Hackers

The FBI didn’t tell scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the Kremlin had targeted them, the Associated Press reports. Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up.

The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the Kremlin had targeted them, the Associated Press reports. Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting. “It’s utterly confounding,” said Philip Reiner, a former director at the National Security Council, who was told by the AP that he was targeted in 2015. “You’ve got to tell your people. You’ve got to protect your people.” The FBI declined to discuss its investigation into Fancy Bear’s spying campaign, but said,  “The FBI routinely notifies individuals and organizations of potential threat information.”

Three people familiar with the matter said the FBI has known for more than a year the details of Fancy Bear’s attempts to break into Gmail inboxes. A senior FBI official said that the bureau was overwhelmed by the sheer number of attempted hacks. “It’s a matter of triaging to the best of our ability the volume of the targets who are out there,” he said. AP reporters spent two months going through a hit list of Fancy Bear targets provided by the cybersecurity firm Secureworks. The AP has reported on how Fancy Bear worked in close alignment with the Kremlin’s interests to steal tens of thousands of emails from the Democratic Party . The hacking campaign disrupted the 2016 U.S. election and cast a shadow over the presidency of Donald Trump, whom U.S. intelligence agencies say the hackers were trying to help . The Russian government has denied interfering in the election.


Uber Paid Hackers $100K to Conceal Data Breach

Company fires its chief security officer, says it will notify owners of the affected accounts. The New York State Attorney General is investigating.

Uber Technologies Inc. said it paid hackers $100,000 in an effort to conceal a data breach affecting 57 million accounts a year ago, a disclosure that adds to a string of scandals and legal problems for the world’s most highly valued startup, the Wall Street Journal reports. The ride-hailing firm fired its chief security officer and his deputy for their roles in the breach and for covering it up. In addition to the names, emails and phone numbers of millions of riders, about 600,000 drivers’ license numbers were accessed. Uber said financial information such as credit cards and Social Security numbers weren’t taken. Uber said it identified the hackers and “obtained assurances” they had destroyed the stolen data.

The San Francisco company said it would notify owners of the affected accounts in the coming days. While the scale of the breach pales in comparison with disclosures from Yahoo Inc. and Equifax Inc., Uber’s attempts to keep it quiet raise questions about whether officers still at the company were part of the effort. The New York State Attorney General’s office has opened an investigation into the breach. “None of this should have happened, and I will not make excuses for it,” said Chief Executive Dara Khosrowshahi. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” Valued at $68 billion, Uber has a reputation for pushing the limits of the law in its pursuit of dominating the ride-hailing market.


After Hacks, A Dozen States Buy Cybercrime Insurance

Insurers pick up the cost of investigating and restoring data, notifying those whose information may have been compromised, providing legal and public relations services and credit monitoring. Utah pays $230,000 a year for $10 million in cyber coverage, with a $1 million deductible.

As the threat from hackers and cybercriminals intensifies, a growing number of states are buying cyber insurance to protect taxpayers, Stateline reports. “It’s expensive. It’s a big budget item for us. But it’s absolutely worth it,” said Michael Hussey, Utah’s chief information officer. “You’re seeing breaches now that cost companies and states millions and millions of dollars.” More than a dozen states have cyber insurance policies, which cover losses and expenses if a computer network is hacked. Insurers pick up the cost of investigating and restoring data, notifying those whose information may have been compromised, providing legal and public relations services and credit monitoring.

Utah first bought a policy in 2015, three years after a Department of Health server data breach exposed 780,000 residents’ personal information to hackers. The state spent millions of dollars to deal with the aftermath, including paying for credit monitoring and legal fees and conducting a security assessment of all state servers. Utah pays $230,000 a year for $10 million in cyber coverage and has a $1 million deductible. After massive data breaches like those involving Yahoo last year and Anthem the year before, many businesses have scrambled to buy cyber insurance. Last year, insurers wrote $1.35 billion in premiums, a 35 percent jump from 2015, says Fitch Ratings. A survey of state information officers this year found that 38 percent reported having some type of cyber insurance, compared with 20 percent in 2015. Hackers and cybercriminals have taken aim at state and local government networks, which contain information such as Social Security, bank account and credit card numbers on millions of people and businesses. Online activists have hijacked government computer systems, defaced websites, and hacked into data or email and released it online.


Cybercriminals Infiltrating E-Mail Networks to Divert Large Customer Payments

There’s a new criminal tactic involving hacking an e-mail account of a company that handles high-value transactions and diverting payments. Here it is in real estate: The scam generally works like this: Hackers find an opening into a title company’s or realty agent’s email account, track upcoming home purchases scheduled for settlements — the pricier the better — then assume…

There's a new criminal tactic involving hacking an e-mail account of a company that handles high-value transactions and diverting payments. Here it is in real estate:

The scam generally works like this: Hackers find an opening into a title company's or realty agent's email account, track upcoming home purchases scheduled for settlements -- the pricier the better -- then assume the identity of the title agency person handling the transaction.

Days or sometimes weeks before the settlement, the scammer poses as the title or escrow agent whose email accounts they've hijacked and instructs the home buyer to wire the funds needed to close -- often hundreds of thousands of dollars, sometimes far more -- to the criminals' own bank accounts, not the title or escrow company's legitimate accounts. The criminals then withdraw the money and vanish.

Here it is in fine art:

The fraud is relatively simple. Criminals hack into an art dealer's email account and monitor incoming and outgoing correspondence. When the gallery sends a PDF invoice to a client via email following a sale, the conversation is hijacked. Posing as the gallery, hackers send a duplicate, fraudulent invoice from the same gallery email address, with an accompanying message instructing the client to disregard the first invoice and instead wire payment to the account listed in the fraudulent document.

Once money has been transferred to the criminals' account, the hackers move the money to avoid detection and then disappear. The same technique is used to intercept payments made by galleries to their artists and others. Because the hackers gain access to the gallery's email contacts, the scam can spread quickly, with fraudulent emails appearing to come from known sources.

I'm sure it's happening in other industries as well, probably even with business-to-business commerce.

EDITED TO ADD (11/14): Brian Krebs wrote about this in 2014.


Equifax CEO Retires, Weeks After Massive Data Breach

Richard Smith, 57, had led the firm since 2005 and was widely admired on Wall Street. He had been under the spotlight since news broke of an Equifax data breach that exposed the personal information of as many as 143 million people.

The chairman and chief executive of Equifax, Richard F. Smith, retired on Tuesday in the aftermath of a major data breach that exposed the personal information of as many as 143 million people, says the New York Times. Two other top Equifax executives — the chief information officer and the chief security officer — stepped down on Sept. 14. Equifax, based in Atlanta, said this month that hackers had exploited an unpatched flaw in its website software to extract names, Social Security numbers, birth dates, addresses and other information about millions of people. The company faced a blistering outcry from lawmakers and the public for failing to protect the sensitive data and for a response that many found lackluster.

Smith, 57, had been the chairman and chief executive of Equifax Inc. since 2005. He joined the company after a 22-year career at General Electric that included top executive positions in the conglomerate’s insurance, leasing and asset-management divisions. Before the data breach at Equifax, Smith was widely admired on Wall Street for developing new products and increasing sales. Equifax had revenue of $3.1 billion last year, up from $1.4 billion the year he took over. Federal authorities, led by the F.B.I., have opened a criminal investigation into the cyberattack on Equifax. More than 30 state attorneys general have begun investigations into the breach, and federal lawmakers from both parties have requested information from Equifax and called for hearings on what went wrong.


Equifax Hackers Get Personal Data of 143 Million People

Atlanta-based credit reporting agency said hackers exploited a “website application vulnerability” and got sensitive personal data including Social Security numbers, birth dates, and home addresses.

The credit reporting agency Equifax said hackers gained access to sensitive personal data — Social Security numbers, birth dates and home addresses — for up to 143 million people. The Washington Post calls it a major cybersecurity breach at a firm that serves as one of the three major clearinghouses for Americans’ credit histories. Equifax said the breach began in May and continued until it was discovered in late July. It said hackers exploited a “website application vulnerability” and obtained personal data about British and Canadian consumers as well as Americans. Social Security numbers and birth dates give those who possess them the ingredients for identity fraud and other crimes.

Equifax also lost control of an unspecified number of driver’s licenses, along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others. The company said it did not detect intrusions into its “core consumer or commercial credit reporting databases.” “The type of information that has been exposed is really sensitive,” said Beth Givens of the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego. “All in all, this has the potential to be a very harmful breach to those who are affected by it.” Equifax, based in Atlanta, is working with law enforcement on an investigation of the breach and has hired an independent cybersecurity research firm to assess the scope of the intrusion.


‘Phone Hijackings’ Rise as Hackers Steal Mobile Numbers

Hackers are finding a lucrative market in stealing mobile phone numbers and resetting passwords on every account that uses the number as a security backup. the Federal Trade Commission had reports of 2,658 incidents as of January 2016.

Hackers have discovered that mobile phone numbers are easy to steal. In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers, the New York Times reportsOnce they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup, as services like Google, Twitter and Facebook suggest. A wide array of people have complained about being successfully targeted, including a Black Lives Matter activist and the chief technologist of the Federal Trade Commission. The commission’s own data shows that the number of so-called phone hijackings has been rising. In January 2013, there were 1,038 such incidents reported; by January 2016, that number had increased to 2,658.

One user of virtual currency said hackers changed the password on his virtual currency wallet and drained about $150,000.  “Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur. The attackers appear to be focusing on anyone who talks on social media about owning virtual currencies or anyone who is known to invest in virtual currency companies, such as venture capitalists. The attacks are exposing a vulnerability that could be exploited against almost anyone with valuable emails or other digital files. Last year, hackers took over the Twitter account of Black Lives Matter leader DeRay Mckesson by first getting his phone number. In cases involving digital money aficionados, the attackers have held email files for ransom — threatening to release naked pictures in one case, and details of a victim’s sexual fetishes in another.


Do Criminal Defendants Have Web Rights?

A Supreme Court ruling in June overruled the conviction of a sex offender for violating his probation after posting on Facebook. But that opens up a new legal minefield over limitations on internet access for anyone convicted of a crime, warns a Washington, DC attorney.

Court-imposed web restrictions applied to criminal defendants may be going the way of dial-up internet service.

In June, the Supreme Court issued a unanimous ruling in Packingham v. North Carolina that invalidated a state law banning registered sex offenders from accessing websites that could facilitate direct communications with minors.

While the majority opinion and concurrence seems grounded in—and specific to—sex offender restrictions, the evolving communications technology that operates in cyberspace today suggests that the ruling will have an impact on attempts to restrict web access for all criminal defendants in state or federal courts.

Lester Packingham pleaded guilty to having sex with a 13-year-old girl when he was 21. Eight years after his conviction, Lester bragged on Facebook about a happy day in traffic court, using the screen name of J.R. Gerrard, and exclaiming:

“Man God is Good! How about I got so much favor they dismissed the ticket before court even started? No fine, no court cost, no nothing spent…Praise be to GOD, WOW! Thanks JESUS!”

A police officer tracked down court records, obtained a search warrant, and correctly identified “J.R.” as an alias for Lester Packingham.

He was subsequently convicted of violating a North Carolina statute that prohibits convicted sex offenders from using social-networking websites, such as Facebook and Twitter. The unanimous Supreme Court opinion, written by Justice Anthony Kennedy, reversed the conviction on First Amendment free speech grounds.

According to Kennedy, the North Carolina statute was too broad, in that it effectively prevented sex offenders from accessing the “vast democratic forums of the Internet” that serve as principal sources of information on employment opportunities, current events, and opinions or ideas that have no connection to criminal plans or the potential victimization of children.

Justice Samuel Alito agreed, pointing out that the statute’s definition of social networking sites would in effect encompass even Amazon, the Washington Post, and WebMD—all of whom provide opportunities for visitors to connect with other users. In his concurrence, he noted that states were entitled to draft narrower, and constitutionally valid, restrictions because of their legitimate interest in thwarting recidivist sex offenders.

But it’s not at all clear that a state legislature can follow Justice Alito’s guidance and sufficiently narrow its sights on offender/child communication to the point where the law has its intended effect, while still passing constitutional muster.

There may undoubtedly be pedophiliac versions of Tinder or which could fit the definitions of sites where access can be restricted without harm to First Amendment protections. But today’s internet does not lend itself easily to such narrow definitions. Even mainstream sites like The Washington Post or Amazon could be considered portals that might be compromised by criminal behavior. Such sites encourage the kind of user engagement that, while they may not be fairly called a “chat room,” is close enough to a “bulletin board” to bring us right back into the perils of North Carolina’s now-invalidated law.

And what of the defendants facing internet restrictions for reasons other than molestation or child pornography violations?

There are numerous defendants who are bounced off the internet as a condition of probation or supervised release because the internet was an instrumentality for their crimes. For instance, internet-based fraud, identity theft, or using pro-terrorism websites to construct weapons or murderous plans, are all offenses that have led judges to impose some form of web restriction on defendants.

Web restrictions for these defendants are now also in play in a post-Packingham world.

The intention of the judges seeking to restrict web access in these cases is understandable. They want to remove potential tools of victimization from the hands of convicted criminals. But the Supreme Court’s recognition of the vast, evolving and multi-purpose nature of today’s internet has brought legitimate First Amendment considerations into almost every web-limiting decision.

We may soon see that the only web restrictions that are lawful and practically enforceable are ones stemming from the defendant volunteering to withdraw from the net—likely because of the perceived trade-off between more time in jail and the judge’s comfort level as to assurances that re-victimization by internet will not occur when the defendant is returned to the community.

In the meantime, Packingham may shape the battlefield when web-restricted defendants are alleged to have violated parole or probation by visiting websites. Judges facing considerably more ominous violations than Lester’s on-line celebration of beating a traffic ticket may find that website-messaging technology and powerful First Amendment concerns leave them with little recourse but to ban outright all attempts to restrict access.

To some, this may be an uncomfortably high price to pay for web freedom.

On a practical level, technology has largely out-paced the now-antiquated view that the Internet can be surgically sliced into “safe” websites and “unsafe” ones, and the unanimity of Packingham suggests that the Court did not struggle much with its rationale.

While the absence of web-restrictions would lead to the release of offenders to the community with an unavoidable dose of discomfort with their access to computers, it may also result in judges finding themselves increasingly satisfied with lengthy prison terms because of the lack of a satisfactory, less-restrictive condition of supervised release.

So, somewhat ironically, the next Lester Packingham may find himself spending more time in prison because of his inability to convince a judge that self-restraint on the computer can adequately replace judicially-imposed restraints.

Perhaps the safer bet here is on technology – that some program, some application, or some web-alternative pops up in the future and revitalizes the possibility of judges restricting web access without violating First Amendment rights.

James Trusty

James Trusty is a Member at Ifrah Law, PLLC, where he leads the White Collar Practice Group. He was formerly Chief of the Department of Justice Organized Crime & Gang Section, and has spent 27 years serving as either a local or federal prosecutor. He also teaches criminal Justice courses at University of Maryland (Shady Grove). He welcomes comments from readers.