Not a great omen.
U.S. Closes Its Kyiv Embassy, Warning of ‘Significant Air Attack’
The unusual alert came a day after Ukraine used American-made ballistic missiles to strike Russian territory for the first time.
I've also been thinking of telling my readers on LinkedIn that if they want to follow my rantings for the next month, they can do it over here.
I'm sick to death of people telling me I should be on this or that social network that's controlled by some billionaire wingnuts. I'm perfectly happy where I am. And I have a strong feeling that we're going to see something of a great migration here soon (fingers crossed).
Meantime, go ahead..say Bluesky one more time.
NVIDIA has been almost singlehandedly propping up tech stocks, and their stock price rose more than 4 percent yesterday ahead of today's earnings release. Wall St. seems to be using NVIDIA stock price as a barometer of ROI on all the AI investments. Guess we'll see.
To put the value of NVIDIA's stock price in perspective, its price is expected to swing at least 8 percent (one way or the other) in response to today's earnings release. Bloomberg writes: "That would equate to close to a $300 billion swing in market value — bigger than all but 25 companies in the S&P 500 Index. And according to strategists at Bank of America, the report carries more risk for the benchmark than the next Federal Reserve meeting or inflation data."
I did a radical thing when I finally upgraded from a really old iPhone 8 to a newer one: I didn't hardly install any apps on the new one. Mostly, I just wanted a fresh start, and it definitely was an adjustment b/c I had several time-waster games on there that were my go-to when I had some downtime. But after about two weeks of reflexively reaching for the phone to play some mindless game, I seem to have broken the habit and am finding that I'm happier and more productive without them. YMMV.
ICANN's proposal to go ahead with another round of gTLDs is a complete money grab, and another giant fraud, spam and scam turd for Internet users in general. I'm talking about tlds like .top, .work, .shop, .vip, etc.
New domains used for phishing, spam and scams account for an overwhelming share of customers of these new gTLDs, which often have rock-bottom prices -- especially for bulk registrations. Overall, new gTLDs tend to be a race to the bottom where the only way they can make a profit is to sell domains en masse, and the market for such demand skews massively towards scammers.
ICANN's proposal to ignore history and introduce another round of new gTLDs should be squashed by regulators. But it won't. Like the AI crap being crammed into everything these days whether you like it or not, ICANN is going to keep creating new gTLDs because it's been a huge cash cow for them.
https://newgtldprogram.icann.org/en/application-rounds/round2
@zleap I think most people could count themselves lucky if they were smart or intuitive enough to find someone who was capable of giving them solid advice on the market, as opposed to just chasing short-term gains.
Solid advice right now is adjust future investment dollars/returns more toward bonds, which have had a rough spell recently but almost certainly will do well soon when the market suffers the inevitable series of corrections.
I'm more than a little concerned that the recent election is going to pull a lot more people into investing in cryptocurrency -- most of whom probably are nowhere near as savvy as they need to be to avoid getting fleeced by scammers. I hear constantly from people who poured their savings or kids' college fund into crypto, only to see it all stolen when they clicked the wrong button or link.
You know what the typical answer is from the feds? We're drowning here. Just too many cases. These thefts are often $500K or more, and the frequency of them is rapidly increasing the monetary loss thresholds that would normally get law enforcement's attention.
Also, tons of people are now pouring money into the market, which is already vastly overpriced by almost any measure. Here are some sage words from a WSJ story today about how "investors are betting on a market melt-up:"
"One measure closely tracked by investors, the equity risk premium—or the gap between the S&P 500’s earnings yield and that of 10-year Treasurys—shrank close to zero, the lowest level since 2002, according to Dow Jones Market Data. That means the reward for owning stocks over bonds is dwindling."
“The market is awfully expensive to have a melt-up,” said Rob Arnott, the founder and chairman of Research Affiliates.
https://www.wsj.com/finance/investing/investors-are-betting-on-a-market-melt-up-3a007dd4
TIL that if you try to sign up for TikTok by signing in with your existing Google account, for example, doing so requires you to allow sharing of your Twitter/X profile info (assuming you still have one) and account settings. You also give permission to the app to then follow and unfollow accounts for you, create and delete posts for you and engage with posts created by others.
I'm sure this is not news to a lot of people, but since I spend negligible amounts of time on either, it was to me. I'm still wondering how an attempt to create a TikTok account with Google signin leads to an immediate prompt to share your Xitter profile. At this point in the process, I don't even have a TikTok account yet and they're already asking for permission to another account I may have. Absolutely nothing about this feels good.
This kind of shit is probably why I pinned this post so long ago:
In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money making schemes.
https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot-hacker/
This is by far and away the craziest story I have ever reported. The lede probably doesn't do it justice, but I promise this will be a fascinating (if not also entertaining) read. I'd frankly be amazed if some version of this story isn't made into a documentary or drama series:
A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, a new indictment charges. KrebsOnSecurity has learned that many of the man’s alleged targets were members of UGNazi, a hacker group behind multiple high-profile breaches and cyberattacks back in 2012.
https://krebsonsecurity.com/2024/09/crooked-cops-stolen-laptops-the-ghost-of-ugnazi/
Some top carding shops, including BriansClub and TopGame, mysteriously report problems topping up accounts. Then one of the customers on TopGame correctly figures out the site uses Cryptex.
The United States today unveiled sanctions and indictments against the alleged proprietor of Joker’s Stash, a now-defunct cybercrime store that peddled tens of millions of payment cards stolen in some of the largest data breaches of the past decade. The government also indicted and sanctioned a top Russian cybercriminal known as Taleon, whose cryptocurrency exchange Cryptex has evolved into one of Russia’s most active money laundering networks.
https://krebsonsecurity.com/2024/09/u-s-indicts-2-top-russian-hackers-sanctions-cryptex/
Heads up to Kia owners/potential buyers: Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.
https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/
The audacity of Advanced Persistent Teenagers from The Com.
https://krebsonsecurity.com/2021/12/ny-man-pleads-guilty-in-20-million-sim-swap-theft/
If you happen to live in the United States, the consumer credit reporting bureau Experian is easily the shittiest company you will deal with as long as you have a heartbeat. IRS? Hahaha. Experian will take your privacy and security. Seriously.
I just sometimes don't think I can do enough to call attention to the barbaric practices of Experian when it comes to letting their hapless and often reluctant "customers" manage their relationship with the Mother Ship.
I pointed out like 3 years ago that if you're a US citizen and you have instructed Experian to "freeze" your credit file so that ID thieves and other ne'er-do-wells can't just apply as you for credit wherever, that designation means absolutely squat because Experian will happily let anyone "become" you if they can supply your name, address, DOB, SSN and can successfully guess or answer 3 out of 4 multiple guess questions based entirely on public information.
This is still the case. I received an email this morning from another victim who had their freeze reversed at Experian.
Past reporting
https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/
https://krebsonsecurity.com/2023/11/its-still-easy-for-anyone-to-become-you-at-experian/
https://krebsonsecurity.com/2023/01/experian-glitch-exposing-credit-files-lasted-47-days/
https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/
Laying the groundwork for Stop the Steal 2024.
Georgia election board orders hand count of votes in US presidential contest
"Georgia's Republican-controlled state election board voted on Friday to require a labor-intensive hand count of potentially millions of ballots in November's election, a move voting rights advocates say could cause delays, introduce errors and lay the groundwork for spurious election challenges.
The hand count rule, passed in a 3-2 vote, will make Georgia the only state in the U.S. to implement such a requirement as part of the normal process of tabulating results, according to Gowri Ramachandran, the director of elections and security at New York University's Brennan Center for Justice, a left-leaning public policy institute."
Yeah, because they've done such a bang-up job with Windows. I'm sure this will be fine.
Several folks here have already posted about this unusual malware attack via keyboard combinations and Windows PowerShell, but it still fills me with dread so I wrote about it:
Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it's unlikely that many programmers fell for this scam, it's notable because less targeted versions of it are likely to be far more successful against the average Windows user.
https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary-potential/
Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07 Twitter: @briankrebs Linkedin: https://www.linkedin.com/in/bkrebs/