Vimeo freezes accounts after malware hunts for logins, coronavirus map app infected with evil code, and more

Roundup We hope everyone is staying healthy and safe. It's time for another Reg roundup of security news you may have missed.

Hackers raid coronavirus-hit cruise operator, lift people's personal data

Carnival, operator of coronavirus-hit Princess Cruises as well as the Holland America Line, admitted this month it was hacked between April and July last year.

The intruders swiped, from staff email accounts no less, customer info including names and addresses; Social Security numbers; government-issued ID, such as passport numbers and driver’s license numbers; credit card and financial account information; and health-related information.

Cryptocurrency led cops to alleged mastermind of sexual-assault web exchange

Dutch citizen Michael Rahim Mohammad, 32, has been charged with owning and operating Dark Scandals, a public-facing and Tor-hidden website through which warped netizens shared 2,000 videos of adults being raped, child sexual abuse, and similar assaults.

According to prosecutors in a federal district court in the US capital, Mohammad, aka Mr Dark, required his customers to produce and upload their own sickening videos before being granted access to the dark-web site, or by transferring money to a cryptocurrency address Mohammad controlled.

It was the latter of those two methods that eventually led Homeland Security and IRS investigators and police in Europe to Mr Dark and his operation, it is claimed. The IRS's chief crime-fighter Don Fort described the site's contents as "the most disgusting I’ve encountered in 30 years of law enforcement."

Vimeo says account info taken from infected user PCs

Video sharing site Vimeo believes a malware infection has targeted some of its user accounts for theft.

Register reader David Smith told us that he received a notification from Vimeo that his account had been accessed by a stranger and frozen. This was unusual as Smith said the account was not connected to any other service, and used a unique randomly-generated password, ruling out a credential-stuffing attack and third-party data leak.

We reached out to Vimeo, and the service said it believes Smith, like others, may have been infected with malware that was targeting Vimeo accounts in particular.

"We became aware of a list of compromised email and password combinations captured from malware. We ran these credentials through our system to see if they matched those of any of our users," Vimeo said.

"In cases where there were matches, we took the proactive step of resetting account passwords and notifying users. Based upon the information we have, it is likely that the user’s credentials were compromised due malware."

Users who get similar notifications should, of course, run a thorough antivirus scan and then change their passwords.

Trail of Bits blasts Voatz app

The mobile app at the center of the Iowa Democratic Caucus voting debacle was even more bug-ridden than first thought.

A probe by experts at Trail of Bits found that the Voatz app contained scores of potentially serious exploitable flaws.

"Our security review resulted in seventy-nine (79) findings," the biz reported. "A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity."

Comcast leaks 'unlisted' phone numbers

Some 200,000 customers in the US who had paid Comcast to keep their numbers private now have a bone to pick with the cable giant after it inadvertently make the numbers public on its Ecolisting director service for months last year.

Comcast is said to be offering the exposed customers $100m worth of credits.

US county hit by ransomware

In a show of particularly bad timing, the Durham County government in North Carolina was hit earlier this month by a ransomware infection.

Telly news station WRAL reports that the county had to shut down some of its network and office phone systems to stop the spread of the malware infection. Fortunately, essential services like 911 and public information lines, as well as utility bill payment portals, were not impacted by the infection.

Man gets four years for Snapchat threats

A man from Texas is going to be spending a few years behind bars for menacing people on social networks.

The Eastern Texas District Court sentenced 23-year-old Rahul Ramesh Joshi to 48 months in prison after he was found to have used multiple accounts across a number of services, including Snapchat, to threaten at least five women.

Microsoft takes down Necurs botnet

One of the larger cybercrime botnets is being dismantled in a takedown effort spearheaded by Microsoft.

The Redmond giant says its security team is working with local authorities in 35 countries to takedown Necurs, a massive botnet believed to have as many as nine million PCs under its control.

The botnet is used to send out huge volumes of spam (with some infected PCs producing millions of emails each month) and has also been distributing trojans and banking malware as well.

Deer.io alleged owner arrested

The alleged operator of a popular dark market service has reportedly been caught by the Feds.

It is said the owner of deer.io, a site that had hosted a number of smaller markets trading in stolen account credentials, was arrested in New York and is now awaiting trial.

During its seven year run, it is estimated that the site trafficked in some $17m worth of stolen logins.

Coronavirus maps used to spread malware

It happens every time, without fail: a major catastrophic event occurs, and some enterprising scumbag uses the public panic to get malware out. The COVID-19 coronavirus is no exception.

Reason Security reports that a crook has embedded info-stealing malicious code into an application billing itself as a coronavirus infection map.

Netizens looking for information about the deadly pandemic are tricked into downloading and running the Windows software, only to find themselves infected with a trojan that harvested their cookies and account logins.

"The new malware activates a strain of malicious software known as AZORult. AZORult is an information stealer and was first discovered in 2016. It is used to steal browsing history, cookies, ID/passwords, cryptocurrency and more," Reason reports.

"It can also download additional malware onto infected machines. AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer."

EU's Entso-E reports office network attack

The European Network of Transmission System Operators, an electric utility industry group, said hackers were recently able to infect systems and gain access to its internal network.

Fortunately, this was just an office network, and no industrial systems or intellectual property were ever at risk.

"It is important to note that the ENTSO-E office network is not connected to any operational TSO system," the group said.

"Our TSO members have been informed and we continue to monitor and assess the situation." ®