Hackers Can Get into Pacemakers, Leak 700M Emails and Spoof the Taxman


It's just another crazy week in Threatwatch.

There's never a dull moment in cyberspace. Here's a roundup of what happened last week in Nextgov's Threatwatch, our regularly updated index of cyber incidents.

FDA Warnes Nearly a half Million Pacemakers Need Security Updates

The Food and Drug Administration on Monday warned about 465,000 pacemaker patients their medical devices could allow an unauthorized party to quickly deplete the device battery or adjust heart rates.

The agency does not recommend removing the devices and said no attacks of this flaw have been reported.

FDA said the security vulnerability affects certain models of the Abbott’s (formerly St. Jude’s) brand implantable pacemakers, devices which steady irregular heart beats with wires connected to hearts. The agency suggested patients with Accent, Anthem, Accent MRI, Accent ST, Assurity or Allure models should visit their doctors to determine whether they should apply the security patch—a process that takes about three minutes.

With any software update, there is a “very low risk” of malfunction, the alert said. Once installed, the FDA-approved update will require authentication from users trying to make changes.

700M Email Addresses Leaked By Spammer

A misconfigured spam server exposed more than 700 million email addresses and some passwords—though the number of real people’s emails addresses is likely lower.

It’s the largest data leak from a spammer, The Guardian reported, but many of the email addresses seem scraped from the internet or guessed by combining words with domain names. The data was available for anyone to download without credentials.

The data, however, appears to be from other previous breaches. Security researcher Troy Hunt told The Guardian that some of the emails and passwords match those from a LinkedIn breach from May 2016.

Ransomware Scam Spoofs FBI and IRS

The Internal Revenue Service on Monday warned of a ransomware scheme that pretends to be from both the IRS and the FBI.

The email features emblems from both agencies and implies the recipient owes taxes. The email encourages users to download an FBI questionnaire, but the link downloads malware that locks down the device’s data and demands payment to release it, according to the alert.

The alert suggests users do not pay the ransom and contact the FBI, the Internet Crime Complaint Center or forward IRS-themed schemes to phishing@irs.gov.

“People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call," IRS Commissioner John Koskinen said in a statement.