Category Archives: Phishing

Adult live-streaming site CAM4 leaks millions of emails, private chats

Adult live-streaming site CAM4 has spilt millions of users’ private chats, emails, names, email addresses, sexual preferences, password hashes, IP addresses and more.

CAM4 is owned by the Irish company Granity Entertainment. A streaming site for amateurs to watch live, explicit performances, it offers customers the ability to buy virtual tokens if they want to tip performers or watch private shows. Started in 2007, at this point it’s paid out over USD $100 million in performer commissions.

The leak, now closed, was huge. It involved an unsecured Elasticsearch database that tipped the scales at over 7TB. The security team that found it – the researchers at Safety Detectives – isn’t sure whether the billions of records they came across belong to content providers or the customers who viewed their performances.

In a report published on Monday, Safety Detectives’ Jim Wilson said that the firm’s security team doesn’t know exactly how many users were involved, but the size of the breach is enormous.

They found nearly 11 billion – that’s billion, with a “B” – records, freely available for public view, lacking adequate security measures. The wealth of personally identifiable information (PII) in the unsecured records included:

  • First and last names
  • Email addresses
  • Country of origin
  • Gender preference and sexual orientation
  • Device information
  • Miscellaneous user details such as spoken language
  • Usernames
  • Payments logs including credit card type, amount paid and applicable currency
  • User conversations
  • Transcripts of email correspondence
  • Inter-user conversations
  • Chat transcripts between users and CAM4
  • Token information
  • Password hashes
  • IP addresses
  • Fraud detection logs
  • Spam detection logs

The US accounted for the highest number of leaked records per country, with Brazil coming in second and Italy third. It’s tough to suss out a precise number for the exposed email records, Safety Detectives said, given that multiple entries were duplicated.

The database’s production logs date back to 16 March 2020. Among the spillage were some 11 million records that contained emails, with some entries containing multiple email addresses relating to users from multiple countries.

There were 26,392,701 entries with password hashes: some belonging to CAM4.com users and some from website system resources. A few hundred entries revealed full names, credit card types and payment amounts.

How crooks can use the data against us

Whenever an adult-themed site leaks data, the specter of extortion arises. That’s what happened after Ashley Madison, the hook-up site for adulterers, was breached in 2015, with the subsequent exposure of names, email addresses and sexual fantasies of nearly 40 million users.

The fallout was nasty and prolonged as the culprits kept turning the screws on victims they dismissed as “cheating dirtbags.” Unsurprisingly, blackmail attempts followed, as did at least one suicide confirmed as being linked to the breach.

Besides extortion, Safety Detectives suggests that the full names, emails and password hashes leaked by CAM4 might also lead to identity theft, phishing scams and website attacks.

The research team also noted that the availability of fraud detection logs “enables hackers to better understand how cybersecurity systems have been set up and could be used as an ideal verification tool for malicious hackers, as well as enabling a greater level of server penetration.”

The leak is now plugged. It’s unknown whether any malicious actors got their hands on the data while it was available. Let’s hope not: the world doesn’t need another Ashley Madison-esque flood of extortion attempts, broken marriages or suicides.


Latest Naked Security podcast

Google fights spammy extensions with new Chrome Web Store policy

Developers use a number of ways to breed extensions like a bunch of spam bunnies in Google’s Chrome Web Store, which is the biggest extension catalog online.

For example, sometimes they stuff the store with multiple extensions that do the same thing. Like, say, wallpaper extensions that have different metadata but provide the exact same wallpaper when installed.

Well, those developers can say goodbye to that and a slew of other run-arounds: on Wednesday, Google banned them in a set of new rules for the Chrome Web Store, which it published as a new Chrome Web Store spam policy within its Developer Program Policies.

Here’s an FAQ about the new policy, and here’s the full list of what’s now verboten:

  • Repetitive Content: No more copypasta! No more submitting multiple extensions that provide duplicate experiences or function. Besides the wallpaper example, there are data or format converters listed as multiple extensions – for example, Fahrenheit to Celsius, Celsius to Fahrenheit – that all direct the user to the same multi-format converter web page.
  • Keyword Spam: Google’s no longer going to put up with blabby, redundant extensions: specifically, those with “misleading, improperly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension’s description, developer name, title, icon, screenshots, and promotional images.” In other words, don’t stuff the description full of keywords, including brand names. The maximum number of times you can repeat a keyword is now five. To provide a longer list of brands or websites, developers can provide a link for users or embed the list in one of the extension’s promotional screenshots. No irrelevant information, either: for example, a sports team wallpaper shouldn’t include team stats and history in the extension’s description. Make it clear and well-written, Google said, and leave out unattributed or anonymous user testimonials: they’re no longer allowed in extension descriptions.
  • User Ratings, Reviews, and Installs: Developers are forbidden from manipulating their extensions’ placement in the Chrome Web Store by doing things like cooking up bogus downloads, reviews or ratings. That means you can’t review your own baby, and you can’t get reviews from other developers or people affiliated with the publisher.
  • Functionality: Extensions now have to have some purpose besides installing or launching another app, theme, webpage, or extension.
  • Notification Abuse: Google disallows extensions that bleat out spam, ads, promotions, phishing attempts or other types of unwanted messages.
  • Message Spam: The new policy prohibits extensions that send messages on a user’s behalf without the user confirming the content or the recipients.

Beyond annoying, they can be dangerous

This is just the latest attempt to mop up the sprawling Chrome Web Store and the many ratty extensions that lurk in its aisles, some of which are not just spammy – they can also be malicious. For example, a few weeks ago, Google found itself sweeping out a collection of 49 malicious Chrome extensions that MyCrypto researchers had caught pickpocketing crypto wallets.

You can see where those nasty extensions could have inspired Google’s new extension spam policies: for one, some were rated up by a network of bogus reviewers dishing out fake 5-star reviews. The reviews were cursory and low-quality, such as “good,” “helpful app,” or “legit extension.”

As well, one of the extensions – MyEtherWallet – had the kind of repetitive language that Google’s now outlawed. Harry Denley, MyCrypto Director of Security, calls it “copypasta”, with the same review posted about 8 times and purportedly authored by different users. All of the reviews shared the same introduction into what Bitcoin is and an explanation of why the (malicious) MyEtherWallet was their preferred browser extension.

Before that, in February, Google abruptly yanked 500 Chrome extensions off its Web Store after researchers discovered they were stealing browsing data, pulling off click fraud and serving up malvertising. The extensions had installed themselves on millions of users’ computers.

At the time, our advice was to not assume that, just because an extension is hosted from an official web store, it’s safe to use.

Our advice:

  • Install as few extensions as possible and, despite the above, only from official web stores.
  • Check the reviews and feedback from others who’ve installed the extension.
  • Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
  • Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.
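The last piece of advice above is easier to follow with a concrete idea of what the entries in an extension’s manifest mean. The script below is an added example, not code from Naked Security or from Google: it reads a Chrome extension `manifest.json` (the same permissions Chrome shows under Settings > Extensions > Details), flags permissions and host patterns that reach well beyond what a simple extension should need, and reports what an update asks for that the previous version did not. The permission names are real manifest values; the risk wording, and the two “wallpaper extension” manifests used as input, are constructed for this example.

```python
import json

# Heuristic notes on what a few Chrome permissions let an extension do. The
# permission names are real manifest values; the risk wording is this example's
# own classification, not Chrome's.
HIGH_RISK = {
    "debugger": "attach to open pages and read or alter anything in them",
    "webRequest": "observe network requests on every host it has access to",
    "webRequestBlocking": "modify or block network requests",
    "history": "read the full browsing history",
    "cookies": "read session cookies for hosts it has access to",
    "tabs": "read the URL and title of every open tab",
    "management": "list, enable and disable other extensions",
    "nativeMessaging": "talk to native programs installed on the machine",
    "clipboardRead": "read the clipboard",
    "proxy": "route all browser traffic through a proxy of its choosing",
}

# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Every host match pattern requested, whether MV2 (inside 'permissions'),
    MV3 ('host_permissions') or via a content script's 'matches' list."""
    patterns = [p for p in manifest.get("permissions", [])
                if p == "<all_urls>" or "://" in p]
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_manifest(manifest):
    """Return human-readable findings for permissions worth a second look."""
    findings = []
    for perm in manifest.get("permissions", []):
        if perm in HIGH_RISK:
            findings.append(f"permission '{perm}': can {HIGH_RISK[perm]}")
    for pattern in host_patterns(manifest):
        if pattern in BROAD_HOSTS:
            findings.append(f"host pattern '{pattern}': reaches every site you visit")
    return findings


def permission_delta(old_manifest, new_manifest):
    """Permissions and host patterns the new version asks for that the old one
    did not: the 'be suspicious if the permissions change' check."""
    def requested(m):
        return set(m.get("permissions", [])) | set(host_patterns(m))
    return requested(new_manifest) - requested(old_manifest)


# Constructed sample manifests (not from any real extension): a wallpaper
# extension whose update quietly asks for far more than wallpapers need.
WALLPAPER_V1 = json.loads("""{
  "manifest_version": 3,
  "name": "Scenic Wallpapers",
  "version": "1.0",
  "permissions": ["storage"]
}""")

WALLPAPER_V2 = json.loads("""{
  "manifest_version": 3,
  "name": "Scenic Wallpapers",
  "version": "1.1",
  "permissions": ["storage", "tabs", "webRequest", "cookies"],
  "host_permissions": ["<all_urls>"]
}""")

if __name__ == "__main__":
    for finding in audit_manifest(WALLPAPER_V2):
        print("!", finding)
    print("new since 1.0:", sorted(permission_delta(WALLPAPER_V1, WALLPAPER_V2)))
```

Version 1.0 produces no findings; version 1.1 is flagged for `tabs`, `webRequest`, `cookies` and `<all_urls>`, none of which a wallpaper needs. Installed extensions keep their `manifest.json` inside the browser profile’s extensions directory, so the same check can be run against what is actually installed rather than what the store listing says.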


Password-free database of exercise app Kinomap leaks 42m user records

Sick of staring at your quarantine-inflicted four walls? Wouldn’t you rather work out on your rowing machine with a professional, live rower as he zips along Boston’s Charles River?

You can, with an immersive, paid subscription service called Kinomap that will plop you into any of its 134,589 miles of cycling, running or rowing courses with videos taken of real-life athletes working out in areas around the world. It hooks up to your smart exercise machine so it can automatically adjust resistance and will show you glorious shots of the outdoors as you work out by yourself, with teams or with friends.

It sounds great, doesn’t it? Unfortunately, this isn’t an advertisement, which of course means that Kinomap has fallen flat on its workout-app face with a huge leak of users’ personally identifiable information (PII).

Security researchers at vpnMentor found Kinomap’s dribbly database during the firm’s ongoing web-mapping project. Its research team, led by Noam Rotem and Ran Locar, use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities, then examine each weakness for data leaks.

The project has uncovered all sorts of leaks: private photos from a photo app, people’s plastic surgery photos, and inmate and jail staff data spilled by a leaky prison app, to name a few examples.

On Tuesday, the vpnMentor researchers said that Kinomap’s database was lying around starkers, completely unsecured and unencrypted. You might have to pay for the subscription service to immerse you in forest greenery, but if you knew where to look, you wouldn’t need to pay anything at all to get at the 42 million Kinomap users’ records that the researchers found.

This is prime time for cybercrooks to be targeting exercise apps like Kinomap, they suggested, given that millions of people are staying at home due to the coronavirus pandemic.

Unable to access their usual forms of exercise, many people will be turning to apps like Kinomap to stay fit and upbeat during the crisis. Hackers will be aware of this and looking for opportunities to exploit the increased user numbers on apps without adequate data security in place.

The records seem to pertain to all Kinomap users, given that the data originated in countries across the world. Some of those countries prioritize citizens’ privacy, the researchers noted. That includes France, which is Kinomap’s home country and which has a vigilant watchdog for a data regulator.

Indeed, Kinomap users can most likely thank France’s National Data Protection Commission (CNIL) for getting this leaky database to shut up. That’s what vpnMentor figures, at any rate, given that Kinomap didn’t respond to its multiple contact attempts. It first found the babbling database on 16 March, tried to reach Kinomap on the 18th and again on the 30th, and reached out to CNIL on 31 March. vpnMentor didn’t hear back, but somebody fixed the leak around 12 April.

Before it got fixed, these are some of the types of data found in the plume of PII the database was exhaling:

  • Full names
  • Home country
  • Email addresses
  • Usernames for Kinomap accounts
  • Gender
  • Timestamps for exercises
  • The date they joined Kinomap

The researchers said they also found personal data leaking more indirectly:

Many of the entries contained links to Kinomap user profiles and records of their account activity. Similar to social media accounts, Kinomap profiles can reveal considerable personal details about a user.

The leak could have enabled attackers to craft fraud schemes and other forms of online attack, they said. Phishing and identity fraud come to mind. So does potential account hijacking, given that many of the exposed records included access keys for Kinomap’s API. That access could have enabled attackers to take over Kinomap accounts and lock out the rightful owners.

What to do?

Kinomap users should keep an eye out for emails or text messages from scammers who might know your account history and your identity. They might use that info to craft a phishing campaign in which they imitate Kinomap and try to trick users into providing credit card info or access to their bank accounts.

Attackers might also send an email with a rigged link that leads to malware if you click on it, thus infecting your phone, tablet or whatever device to which you’ve downloaded the Kinomap app.

Kinomap, being under General Data Protection Regulation (GDPR) jurisdiction, should report the leak, vpnMentor says. The company told me that it’s been notified about a vulnerability that was “immediately fixed.” It’s asked for a third-party audit “to make sure everything is cleared and compliant with GDPR.”

Anybody with an internet-facing database should secure their servers, implement proper access rules, and slap some authentication on it before opening it to the internet.
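The CAM4 leak above and the Facebook exposures later on this page both involved Elasticsearch clusters, so here is what “proper access rules” and “some authentication” look like for that product in particular. This is an added example, not code from Naked Security, the researchers or Elastic: a small audit that reads an `elasticsearch.yml`, checks which address the node binds to and whether X-Pack security and TLS on the HTTP port are enabled, and prints the weak configuration beside a hardened one. The setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings; the severity labels and both sample configs are constructed for this example.

```python
# Audit a flat elasticsearch.yml for the pattern behind leaks like this one:
# a node bound to a non-loopback address with authentication switched off.
# Setting names are real Elasticsearch settings; the severity labels and the
# sample configs below are this example's own.

LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}


def parse_flat_yaml(text):
    """Minimal reader for the flat 'key: value' lines elasticsearch.yml uses;
    ignores comments and blank lines (no nesting, no lists)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def truthy(settings, key):
    # Defaults differ between Elasticsearch versions, so only an explicit
    # 'true' counts as confirmed on.
    return settings.get(key, "").lower() == "true"


def audit_elasticsearch(settings):
    """Return (severity, message) findings, most severe first."""
    findings = []
    # An absent network.host means the node binds to loopback only.
    bind = settings.get("network.host", "_local_")
    exposed = bind not in LOOPBACK
    auth = truthy(settings, "xpack.security.enabled")
    tls = truthy(settings, "xpack.security.http.ssl.enabled")

    if exposed and not auth:
        findings.append(("CRITICAL", f"network.host={bind} with xpack.security.enabled not "
                         "true: anyone who can reach the HTTP port can read and delete "
                         "every index"))
    elif exposed:
        findings.append(("INFO", f"network.host={bind}: REST API reachable beyond this host; "
                         "also restrict the port with a firewall or security group"))
    elif not auth:
        findings.append(("WARN", "xpack.security.enabled not true: acceptable only while "
                         "the node stays on loopback"))
    if exposed and not tls:
        findings.append(("WARN", "xpack.security.http.ssl.enabled not true: credentials and "
                         "query results cross the network in clear text"))
    return findings


# Constructed sample configs (not taken from any real deployment).
LEAKY_CONFIG = """
cluster.name: user-records
network.host: 0.0.0.0        # listen on every interface, no auth configured
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: user-records
network.host: 10.0.0.5       # private interface only (constructed address)
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, text in (("leaky", LEAKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        for severity, message in audit_elasticsearch(parse_flat_yaml(text)) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
```

The leaky config gets a CRITICAL finding (exposed and unauthenticated) plus a clear-text warning; the hardened one only gets the informational note that binding to any non-loopback address still needs network-level restriction in front of it. Enabling `xpack.security.enabled` is what makes the REST API demand credentials, which is the “authentication” the paragraph above asks for.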



Porn scammers making $100,000 a month from sextortion emails

Did you receive one of those “porn scam” emails in the past week or so?

Millions of people did – in fact, the number was probably more like tens or even hundreds of millions, with some Naked Security readers reporting phlegmatically that they’d had two, three and even five different flavours of scam in the past few days.

Even if you’ve never had a sextortion email sample of your own, you’re probably familiar with the “porn scam” scenario, where cybercriminals send a message out of the blue that says something along these lines:

  • ATTENTION! We implanted malware on your computer, which means we have been keeping tabs on you, including grabbing your passwords and getting access to your accounts.
  • We also used this malware to film you via your webcam and to take screenshots of your browser.
  • We made a video of you on a porn site with the screenshots and the webcam footage side-by-side.
  • Oh, and the clock is ticking, so pay us some money pretty darn quickly or we’ll send the video to your friends and family. (We know who they are, because we have your passwords, remember?)

The extortion demand is typically somewhere from $700 to $4000, payable to a Bitcoin address provided in the email.

The good news is that it’s all a bluff, because the crooks behind this scam don’t have malware on your computer, don’t have a video of you doing anything, don’t have screenshots of your browsing habits, and haven’t just stolen a list of your friends and family to send their non-existent video to.

The bad news is that this sort of email is extremely confronting, even if you don’t watch porn and don’t have a webcam, because blackmail is an odious and unsettling crime under any circumstances.

What makes it worse is that the crooks often include a password in the email as “proof” of their claim to have malware on your computer…

…and that password very often really is a password you once used, even if it’s a few years old now or for an account you’ve already closed.

In truth, the passwords sent out in these scams have typically been dredged up from old data breaches.

Although the password you see may have been your password once, the crooks didn’t get it from your computer recently. (Word of warning: if you are still using that password, or anything like it, on any online account, change it now!)

As you can imagine, once recipients of these emails realise it’s all a cruel and criminal hoax, and that some crook is simply preying on their fears, the pressure is off and they can relax.

Unanswered questions

But where do all these emails come from? Why can’t they be stopped? How many people end up paying? Where does the money go?

Our researchers at SophosLabs decided to find out.

By combing through five months’ worth of sextortion-spam data, they came up with some intriguing answers that you can read about in the latest SophosLabs report.

SophosLabs found that a very small proportion of recipients actually paid the blackmail demands, for what looks like just a few hundred victims worldwide over the five months of the research; but with the demands typically being in the range of $1000 to $2000 each, the crooks nevertheless made just shy of half a million dollars during this period.

Simply put: as well as intimidating and unnerving many millions of people around the globe with the offensive and scary nature of the email content, the crooks managed to pull in a cool $100,000 a month.

As to where the money went, you can find out more of the gory details in the report, but this diagram gives you an idea of how and where the crooks “reinvested” their ill-gotten gains:

As to where the emails came from, the answer is, for the most part, that these huge sextortion spam surges came from innocent users whose computers were infected with spam-sending malware known as bots (short for “computer robots”).

These infected “zombie computers” can be fed remotely by the crooks with lists of email addresses. Each bot in the so-called “robot network”, or botnet, will then send out its own burst of spam, independently of all the others.

That means that there is no single source of the spam; no single server that can be blocked; no country that is an obvious culprit; and that the spam blasts happen in parallel from all over the world at the same time, as the report reveals:

So if you’ve ever wondered why spam blasts are hard to shut down, and why there isn’t one service provider or email sender that can be identified and taken down to bring the problem under control, it’s because zombie networks present an ever-changing mix of countries, computers and IP numbers – as well as a dynamic supply of what is essentially free bandwidth to the crooks.

The best way you can help to stop these porn scammers from sending so much spam is to make sure that you aren’t infected with zombie malware yourself.

Remember: when it comes to spam, if you aren’t part of the solution, you’re part of the problem!

You may also find this video useful:

[embedded content]

By the way, if you’re looking for free anti-virus tools of the type we recommended in the video, you’ll find links in our Free Tools section below, from Sophos Home for Windows and Mac all the way to Sophos Antivirus for Linux.



309 million Facebook users’ phone numbers found online

Over the weekend, researchers at cybersecurity intelligence firm Cyble came across a database with 267m Facebook user profiles being sold on the Dark Web.

Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it … for the grand total of £500.

That works out to USD $540 in total, or about 0.0002 cents per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age.

Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data.

How did the data get leaked? In a blog post, Cyble said that it doesn’t know, but its researchers suspect that the records could have either come from a leak in Facebook’s developer API or from scraping: the automatic sucking up of publicly available data (like the kind people often publicly post on Facebook and other social networks).

It keeps popping up

The story doesn’t stop there, however. In fact, it doesn’t begin there, either. It turns out that this same database had been posted before: it was spotted by security researcher Bob Diachenko, taken down by the ISP hosting the page, reappeared fattened up with another 42 million records in an Elasticsearch cluster on a second server, and was then destroyed by unknown actor(s) who replaced personal info with dummy data and swapped in database names labelled with this advice: “please_secure_your_servers”.

Exposed database after breach by unknown actors. IMAGE: Comparitech

Diachenko partnered with the tech comparison site Comparitech on this work last month. Comparitech said that the database was exposed for nearly two weeks, available online with no password protection, before it was taken down.

The timeline

This is what happened when, Comparitech says:

  • 4 December 2019: Database first indexed by search engines.
  • 12 December 2019: The data was posted as a download on a hacker forum.
  • 14 December 2019: Diachenko discovered the database and immediately sent an abuse report to the ISP managing the IP address of the server.
  • 19 December 2019: Access to the database was removed.
  • 2 March 2020: A second server containing identical records plus an additional 42 million was indexed by search engine BinaryEdge.
  • 4 March 2020: Diachenko discovered the second server and alerted the hosting provider.
  • 4 March 2020: The server was attacked and destroyed by unknown actors.

The initial breach exposed 267,140,436 records of what were mostly Facebook users in the US. Diachenko said that all of the records seemed to be valid. The same 267m records were exposed on the second server in March 2020, but this time, the exposure included an additional 42 million records, hosted on a US Elasticsearch server.

Comparitech said that 25 million of the new records contained similar information: Facebook IDs, phone numbers, and usernames. But 16.8 million of the new records had even more, including gender, email address, birth date and other personal data.

What data was exposed in exposure of fattened database. IMAGE: Comparitech

How did they get this data?

Both Cyble researchers and Diachenko aren’t sure how the breach happened, but both suggest that it could have been a hole in Facebook’s third-party developer API: either one that existed before the platform restricted access to phone numbers, or one that still lets crooks get at our user IDs and phone numbers even after Facebook restricted that access in the API.

Both Cyble and Diachenko say that alternatively, the records might have been harvested by scraping, which is a good reason why you might want to rethink how much data you’re publicly sharing on Facebook. In other words …

Stop exposing yourself!

The less PII you spread around, the less ammunition you give scammers to lure you into clicking on something dangerous in email or SMS text, or into telling them more than you should on the phone. The more scammers know about you, the more convincing they sound. All too often, the thinking of a would-be victim goes like this: “Hey, they know my birthdate and/or phone number and/or home address and/or fill in the blank. They must be legit!”

Be careful of unsolicited emails and texts — they might be phishing attempts. Here’s how to limit how much these con artists can glean about you from Facebook:

  1. In Facebook, go to Settings & privacy.
  2. Select See more privacy settings
  3. Set all relevant fields to either Friends or Only me.
  4. Set “Do you want search engines outside of Facebook to link to your profile?” to No.

There were no passwords involved in this breach, but it’s still a good opportunity to ensure you have a strong password on Facebook, and that you’re not reusing it (or any other passwords) on any other site.

This breach has already given attackers one piece of the authentication puzzle they need to hijack your accounts: namely, it exposed Facebook users’ email addresses. Once they know the email you use on Facebook, they can use it to search through lists of breaches that have included passwords. Then, they’ll plug login name/password combinations into other sites to see where else you’ve (re)used those credentials. All of which adds up to it being a truly bad idea to use a password twice.
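The pattern described above, a leaked list of email/password pairs being tried against other sites, is what site operators call credential stuffing, and it has a recognisable shape in authentication logs: one source trying one password each against many different accounts, rather than many passwords against one account. The script below is an added example (not code from Naked Security, Cyble or Comparitech) that runs that detection over a handful of constructed log lines; the log format, the addresses and the account names are all made up for the example, and the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (not from any real system). Format:
#   <ISO timestamp> <login_ok|login_fail> user=<name> src=<ip>
# 203.0.113.7 tries a breached list: one attempt per account, one of which
# works. 198.51.100.2 is a real user mistyping their own password.
SAMPLE_LOG = """
2020-04-21T09:00:01Z login_fail user=alice src=203.0.113.7
2020-04-21T09:00:02Z login_fail user=bob src=203.0.113.7
2020-04-21T09:00:02Z login_fail user=carol src=203.0.113.7
2020-04-21T09:00:03Z login_fail user=dave src=203.0.113.7
2020-04-21T09:00:04Z login_ok user=erin src=203.0.113.7
2020-04-21T09:00:05Z login_fail user=frank src=203.0.113.7
2020-04-21T09:00:06Z login_fail user=grace src=203.0.113.7
2020-04-21T09:03:10Z login_fail user=alice src=198.51.100.2
2020-04-21T09:03:20Z login_fail user=alice src=198.51.100.2
2020-04-21T09:03:40Z login_ok user=alice src=198.51.100.2
""".strip().splitlines()


def parse_line(line):
    """Split one log line into (timestamp, event, user, source address)."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, event, fields["user"], fields["src"]


def detect_credential_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Flag source addresses that fail logins for at least `min_users` distinct
    accounts inside any `window`-long span. For each flagged source also list
    the accounts that logged in successfully in that span: those are the
    reused credentials the list got right, and the accounts to reset first."""
    by_src = defaultdict(list)
    for line in lines:
        when, event, user, src = parse_line(line)
        by_src[src].append((when, event, user))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            failed = {u for _, ev, u in span if ev == "login_fail"}
            if len(failed) < min_users:
                continue
            succeeded = sorted({u for _, ev, u in span if ev == "login_ok"})
            best = alerts.get(src)
            if best is None or len(failed) > best["distinct_failed_users"]:
                alerts[src] = {"distinct_failed_users": len(failed),
                               "successful_logins": succeeded}
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_failed_users']} accounts failed, "
              f"successful logins: {info['successful_logins']}")
```

On the sample data only 203.0.113.7 is flagged (six distinct accounts failed, `erin` logged in), while the legitimate user retrying one account from 198.51.100.2 is not. In a real deployment the window and the `min_users` threshold need tuning to the site’s traffic, and the successful-login list is the part worth acting on: those accounts were reached with a password reused from some other breach, which is exactly why the paragraph above says never to use a password twice.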

Finally, if you’re not already securing your Facebook account with two-factor authentication (2FA), now is a good time to turn that on. It will keep your account from being hijacked if your credentials do get hacked, via this or other breaches. Even if attackers get your username and password, 2FA can prevent them from taking over your accounts. In Facebook, you can turn on 2FA by going to Settings > Security and login.


