Category Archives: News

Italian charged with hiring “dark web hitman” to murder his ex-girlfriend

In a brief yet fascinating press release, Europol just announced the arrest of an Italian man who is accused of “hiring a hitman on the dark web”.

According to Europol:

The hitman, hired through an internet assassination website hosted on the Tor network, was paid about €10,000 worth in Bitcoins to kill the ex-girlfriend of the suspect.

Heavy stuff, though Europol isn’t saying much more about how it traced the suspect other than that it “carried out an urgent, complex crypto-analysis.”

In this case, the word crypto is apparently being used to refer to cryptocurrency, not to cryptography or cryptanalysis.

In other words, the investigation seems to have focused on unravelling the process that the suspect followed in purchasing the bitcoins used to pay for the “hit”, rather than on decrypting the Tor connections used to locate the “hitman” in the first place, or in tracing the bitcoins to the alleged assassin.

Fortunately (if that is the right word), and as we have reported in the past, so-called dark web hitmen often turn out to be scammers – after all, if you’ve just done a secret online deal to have someone killed, you’re unlikely to complain to the authorities if the unknown person at the other end runs off with your cryptocoins:

[embedded content]

Nevertheless, no victim targeted for murder via the dark web is ever going to take much comfort in the fact that their proposed assassin “might not have been real.”

And no one who is convicted of spending €10,000 on soliciting what they expect to be a murder can expect much sympathy from the court just because the hitman “could have been fake.”

Intriguingly, hitmen-for-hire were a feature of what is perhaps the best-known dark web investigation and prosecution ever – the arrest and conviction of Ross Ulbricht, founder and operator of the Silk Road online bazaar.

According to a US Department of Justice press release issued in early 2014:

Using the online moniker “Dread Pirate Roberts,” or “DPR,” Ulbricht controlled and oversaw every aspect of Silk Road, and managed a small staff of paid, online administrators who assisted with the day-to-day operation of the site. Through his ownership and operation of Silk Road, Ulbricht reaped commissions worth tens of millions of dollars […] Ulbricht even solicited six murders-for-hire in connection with operating the site, although there is no evidence that these murders were actually carried out.

One of those “hitmen” was, apparently, an undercover cop, but Ulbricht was never charged for these alleged hitman-hiring activities.

There were more than enough serious charges against Ulbricht anyway, for which he received two life-means-life jail terms plus an extra 20 years.

What to do?

It’s hard to know how to offer advice in a case like this, where the fact that the suspect was not as anonymous as they had hoped turned out to be a very good thing, given the enormity of the allegations against him.

However, there are many perfectly legitimate reasons why you might want to use something like the Tor Browser, even if your purpose for being pseudo-anonymous online is as simple as wanting to browse the web without being tracked and traced as much as usual.

Just remember – as this case and the case of Ross Ulbricht remind us – that online anonymity only goes so far.

So, if you plan to use Tor for legitimate purposes, make sure you RTFM first, as we advise in the video above, lest you inadvertently make yourself more of a target for online crooks than before.


S3 Ep27: Census scammers, beg bounties and data breach fines [Podcast]

How scammers copied a government website almost to perfection. What to do about those fake “bug” hunters who ask for payment for finding “vulnerabilities” that aren’t. Why the Dutch data protection authority fined Booking.com for not sending in a data breach disclosure fast enough.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Here are the podcasts and the video we said we’d put in the shownotes:


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Too slow! Booking.com fined for not reporting data breach fast enough

The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach.

Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly enough:

The Dutch Data Protection Authority (DPA) has imposed a €475,000 fine on Booking.com because the company took too long to report a data breach to the DPA. When the breach occurred, criminals obtained the personal data of over 4,000 customers. They also got their hands on the credit card information of almost 300 people.

According to the report, the attack was conducted against hotels in the United Arab Emirates (UAE), using social engineering tricks over the telephone.

The crooks apparently called staff at 40 different hotels in the region and talked them into handing over login details for hotel accounts on the Booking.com system.

With these purloined logins, the crooks retrieved data about 4109 customers’ bookings, including at least those customers’ names, addresses and phone numbers.

However, the crooks also got hold of credit card data from 283 of those bookings, including 97 bookings where the CVV had been recorded as well.

The CVV is the security code (usually three digits) that’s printed at the end of the signature strip on the back of your card, but not stored digitally anywhere else, neither on the magstripe nor on the chip.

Loosely speaking, the payment card industry says that CVVs should not be saved to permanent storage at all, at least after a transaction is complete.

However, those codes frequently do get saved temporarily, assuming that the transaction isn’t processed immediately, leading to the risk of exposure if ever they are displayed or recovered later on.

The DPA also claims that the same criminals tried to extract personal data by calling up hotels and pretending to be from Booking.com itself, though it’s not clear if that part of the scam worked as planned.

What’s the risk?

Even without your credit card data, crooks who have the “gift of the gab”, and who know the precise details of a hotel stay you already booked, are in a prime position to scam you with a fake call, or even a bogus email phrased in the right way.

As Monique Verdier, deputy chair of the DPA, pointed out in the Authority’s report:

By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.

After all, many of us will have had offers of this sort from legitimate companies such as car rental firms and hotels, where we get contacted ahead of a reservation we already made, asking if we want to upgrade, or to extend our booking, or to pay in advance to get a cheaper rate, and so on.

How was it disclosed?

The DPA report lists the timeline of this incident as follows:

  • December 2018: Data breach started
  • 13 January 2019: Booking.com became aware of the leak.
  • 04 February 2019: Booking.com informed affected customers.
  • 07 February 2019: Booking.com informed the Data Protection Authority.

Not good enough, says the DPA!

Companies have 72 hours to submit reports from the time they know that a breach has occurred, not 72 hours after customers have been notified.

By that metric, Booking.com should have reported to the DPA by 16 January 2021, 22 days earlier than it did:

Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.

What to do?

  • Make sure your staff feel empowered to stand up to social engineers. Teach your staff that it’s perfectly acceptable to say, “No” to people who call up and try to trick, sweet-talk or scare them into revealing information that is supposed to be confidential. Why not get your staff to listen to our special-episode podcast with Rachel Tobac, a renowned social engineering expert? This podcast will give you the confidence and understanding to stick to our mantra of “if in doubt, don’t give it out.”
  • Have somewhere for staff to report suspicious calls and messages. Most staff want to do the right thing when it comes to cybersecurity, so create a well-known internal email address or phone number where they can report contacts that look phishy. Treat your users with respect and you can turn them into extra eyes and ears for your security team.
  • Have a plan for what to do if the worst happens. It’s not admitting guilt or a sign of incompetence to make plans in case of a data breach, because you won’t have time to plan afterwards! Even the DPA admits that “a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time.” Make sure you know what you need to do, just in case.

WATCH NOW

[embedded content]

Criminals send out fake “census form” reminder – don’t fall for it!

Like many countries, the UK runs a census every ten years.

The census asks each household in the country to provide answers to a series of questions about the individuals living at that address, such as name, age, nationality, languages spoken, education, employment and health.

(More precisely, the census requires answers, rather than requesting them, because participation is mandatory.)

The census happens in any year ending in the digit 1, making 2021 a census year (except in Scotland, where it has been postponed until 2022 due to the coronavirus pandemic).

As you can imagine, most people are answering their 2021 census questions online, with the government sending random but unique 16-character access codes addressed to each known household by snail-mail.

You go to https://www.census.gov.uk/, put in the unique code, and complete the process online – no need to fill in a long paper form by hand and then snail-mail it back.

If you don’t complete the census form (the official closing date was Sunday 2021-03-21), you will receive a series of warning letters, each with a new 16-character code, urging you to get the job done, and reminding you that you could be fined £1000 if you don’t.

Beware fake forms

If you’re amongst those who haven’t finished off their census submissions yet, but who keep meaning to get around to it, make sure you don’t fall prey to fake “census reminder” notices sent out by cybercriminals!

And be careful even if you have finished off your form but think that there might be details you left out or completed incorrectly.

That’s because cybercrooks are taking advantage of the fact that the census is online by trying to phish you out of data that you wouldn’t hand over otherwise.

Here’s an example of a census scam sent in today by one of our readers – a totally bogus text message (SMS) “notification” about finalising your census submission:

As you can see, the server name here is obviously fake because it doesn’t end .gov.uk, which is a controlled domain available only to official national, regional and local government bodies in the UK. (The punctuation in this message is also messed up, but not all crooks are that careless.)

The server name here ends .com, which is a top-level domain where almost anyone can get almost any name they want.

For example, we just tried to buy madeup-domain-that-looks-governmental-2021.com, notquitewhatiseems.com and avoid1000poundfine.com, and were offered them for just £0.99 a year each.

So you ought to spot this as a scam right away, but if you do click through you will find a surprisingly believable mockup of the real UK Census 2021 website:

Instead of a 16-character code, the fake form asks for your postcode. (Note that the crooks could easily have sent you a made-up code and asked you to type it in, just for show, but in this case they didn’t.)

As you can imagine, the questions that the crooks ask you if you do put in a postcode look just like real census questions, on a site that looks much like the real deal.

The problem, of course, is that everything you reveal about yourself and your household goes directly to the crooks, not to the Office for National Statistics.

The criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have cloned the UK Office for National Statistics “look and feel” very believably.

Sadly, even if you answer a few questions before you realise it’s a scam and bail out, the crooks will still have all the answers you’ve entered up to that point, so it’s worth taking extra time to check your online surroundings before you put in any data at all.

What to do?

  • Check the domain name on websites carefully. UK government sites should end gov.uk. It’s hard for crooks to get control of one of those – they can’t just be bought online like .com domains can. Also, watch out for domain names where the left hand end looks legitimate, but the right-hand end says that it belongs to someone else, as in a name like census.gov.uk.example.com. The person who owns example.com also owns and can use all domain names that end with that name, not just plain example.com itself.
  • Don’t use links in text messages or emails. The Census 2021 website is well-known and easy to find through reliable sources, including printed on the Census snail-mail you ought to have received. If you find your own way to a website where there is supposedly an “issue”, you won’t get suckered by fake links – whether that’s a “problem” with your bank, a “missed” home delivery or an online “order” you never actually placed.
  • Be extra cautious of links in text messages (SMSes). Text messages are short, simple and often written in abbreviated English, so the crooks are much less likely to make spelling and grammatical errors that might otherwise tip you off.
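The first tip above, that ownership of a domain name is decided by its right-hand end, can be turned into a simple check. The Python below is an added example written for this page, not code from Naked Security or Sophos: it pulls the host name out of a link and reports whether it genuinely sits under gov.uk, merely looks like it does (a look-alike such as census.gov.uk.example.com), or is plainly something else. The list of official suffixes, the “bait” words used to flag look-alikes, and the sample links other than the real census site are assumptions made up for the example.

```python
# Added example (not from the article): classify a link by whether its host
# name is really under gov.uk, only looks like it, or is unrelated.

from urllib.parse import urlsplit

# Assumption for this example: only gov.uk counts as an official UK government suffix.
OFFICIAL_SUFFIXES = ("gov.uk",)

# Words a crook might put on the LEFT of a name to make it look governmental.
BAIT_WORDS = ("gov.uk", "gov-uk", "census")


def hostname_of(link: str) -> str:
    """Extract the lowercase host name from a URL or a bare domain name."""
    # urlsplit only recognises the host part when a scheme is present.
    if "://" not in link:
        link = "http://" + link
    host = urlsplit(link).hostname or ""
    # Drop a trailing dot (fully-qualified form) and normalise case.
    return host.rstrip(".").lower()


def is_official_uk_government(link: str) -> bool:
    """True only if the host is gov.uk itself or a subdomain of gov.uk.

    The dot before the suffix matters: 'evilgov.uk' ends with the letters
    'gov.uk' but is not under the gov.uk domain at all.
    """
    host = hostname_of(link)
    return any(host == sfx or host.endswith("." + sfx) for sfx in OFFICIAL_SUFFIXES)


def looks_deceptive(link: str) -> bool:
    """True when the name borrows governmental-looking words but is not
    actually controlled by a gov.uk registrant."""
    host = hostname_of(link)
    return not is_official_uk_government(link) and any(w in host for w in BAIT_WORDS)


def classify(link: str) -> str:
    """Return 'official', 'look-alike' or 'not-government' for a link."""
    if is_official_uk_government(link):
        return "official"
    if looks_deceptive(link):
        return "look-alike"
    return "not-government"


if __name__ == "__main__":
    # Sample links: the real census site, plus names constructed for this example.
    samples = [
        "https://www.census.gov.uk/",
        "census.gov.uk.example.com",
        "evilgov.uk",
        "https://avoid1000poundfine.com/census",
        "madeup-domain-that-looks-governmental-2021.com",
    ]
    for link in samples:
        print(f"{link:50} -> {classify(link)}")
```

The check is deliberately suffix-based rather than keyword-based: a name is official only if the whole string after the last dots is `gov.uk`, which is exactly why `census.gov.uk.example.com` and `evilgov.uk` both fail even though both contain the letters “gov.uk”.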

S3 Ep26: Apple 0-day, crypto vulnerabilities and PHP backdoor [Podcast]

Why Apple had to rush out a security update for iDevices. Two cryptographic security holes patched in OpenSSL. How PHP nearly got backdoored by crooks.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.
