Who's leaving Amazon S3 buckets open online now? Cybercrooks, US election autodialers

Hundreds of thousands of voter records and contact info spilled


Security biz Kromtech has unearthed two more embarrassing – and potentially dangerous – cases of groups leaving mass data caches unguarded on the public internet.

In the first case, the culprit was an improperly configured AWS S3 bucket owned and operated by Robocent, a political robocalling company based in Virginia Beach, VA.

According to Kromtech head of comms Bob Diachenko, the storage bucket contained 2,594 files, including the audio files to be used in robocalls to voters and spreadsheets containing hundreds of thousands of US voters' contact details.

These records included voters' names, addresses, year of birth, phone number, political affiliation, and demographic info such as ethnicity and education level, all pieces of data that would be valuable to use in a spear phishing or social engineering scam.

Unfortunately, Diachenko said, it gets worse. It appears other sites have already collected and indexed the exposed data.

"What's more disturbing is that company’s self-titled bucket has been indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found," Diachenko explained.
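The exposure described above comes down to a bucket ACL that grants access to one of S3's predefined public groups. As an added example (not code from the article or from Kromtech), this Python check flags such grants; it assumes boto3 and AWS credentials only for the live lookup and ships with a constructed ACL for offline use.

```python
"""Flag S3 ACL grants that make a bucket public (added example, not from the article)."""
from typing import Dict, List

# Predefined S3 groups: a grant to either makes the bucket readable by strangers.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anonymous users", AUTH_USERS: "any AWS account"}


def public_grants(acl: Dict, public_access_block: Dict) -> List[str]:
    """One finding per ACL grant to a public group, given boto3-shaped inputs.

    With IgnorePublicAcls enabled, S3 disregards such grants, so none are reported.
    """
    if public_access_block.get("IgnorePublicAcls"):
        return []
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"{PUBLIC_GROUPS[grantee['URI']]} granted {grant.get('Permission')}")
    return findings


def audit_bucket(bucket: str) -> List[str]:
    """Fetch the live ACL and Block Public Access config (needs boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = {}  # no block configured: the ACL is honoured exactly as written
    return public_grants(acl, pab)


# Constructed sample mimicking a bucket whose contents anyone can list and download.
SAMPLE_OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

if __name__ == "__main__":
    for finding in public_grants(SAMPLE_OPEN_ACL, {}):
        print("EXPOSED:", finding)  # -> EXPOSED: anonymous users granted READ
```

An empty result from `audit_bucket` does not prove the bucket is private: bucket policies and object-level ACLs can also open access and are not inspected here.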

The second case exposed by Kromtech could land a few people behind bars, if convicted, of course.


Researchers uncovered an exposed MongoDB instance that contained both credit card numbers and payment details. A bit more digging led the researchers to a dump of Facebook and stolen email account data, along with info from freemium games that offer in-app purchases through virtual currency.

Eventually, the researchers were able to piece together what was going on. The stolen credit cards were being combined with the lifted data to set up Apple IDs on hundreds of jailbroken iPhones that could then be automated to create user accounts on installations of the free-to-play games. The fake game accounts then purchased in-app currency for the games and were re-sold to other players for cryptocoins or real-world currency.

In other words, the scammers were using fake game accounts on jailbroken phones to launder money from the stolen payment cards via the freemium games, and the criminals operating the scam had left the entire operation wide open to the public by not securing the database.

Kromtech said it had reported all of its findings to the US Department of Justice so that a criminal investigation could be opened. ®

Biting the hand that feeds IT © 1998–2022