Friday, November 30, 2018

New breakthroughs in combatting tech support scams

This is an article from Microsoft that I thought was interesting.

On Nov. 27 and 28, over 100 local India law enforcement officials from Gurgaon and Noida raided 16 call center locations identified as engaged in tech support fraud by Microsoft, resulting in 39 arrests so far. These call center operations fraudulently represented themselves as affiliated with a number of respected companies including Microsoft, Apple, Google, Dell and HP.  The New York Times reports that Senior Superintendent of Police Ajay Pal Sharma stated “the scammers had extracted money from thousands of victims, most of whom were American or Canadian.” Microsoft alone has received over 7,000 victim reports associated with these 16 locations from over 15 countries.
Anyone may receive an unwanted phone call or experience a pop-up window on your device with a “warning” that your computer has a problem requiring immediate tech support. These messages are often very convincing and use scare tactics to entice consumers into contacting a fraudulent “tech support” call center. Call center operators typically encourage the victim to provide remote access to their device for “further diagnosis” before charging the victim a fee – typically between $150 – $499 – for unnecessary tech support services. In addition to losing money, victims leave their computer vulnerable to other attacks, such as malware, during a remote access session.
This latest raid comes just six weeks after the successful raid operation by the Delhi Cyber Crime Cell of 10 call center locations resulting in the arrest of 24 individuals and the seizure of substantial evidence including call scripts, live chats, voice call recordings and customer records from tech support fraud operations. The case was also registered by the Delhi Cyber Crime Cell on the basis of a complaint by Microsoft.
Tech support fraud operations typically involve multiple entities including those engaged in marketing, payment processing and call centers. Recent law enforcement successes in India build on a solid track record of global law enforcement taking action to combat the multiple layers of tech support fraud supported by referrals from Microsoft and other industry partners. For example, the U.S. Federal Trade Commission and multiple partners announced 16 separate civil and criminal enforcement actions against tech support fraudsters in May 2017 as part of “Operation Tech Trap.”  And, in June 2017, the City of London Police announced the arrest of four individuals engaged in computer software services fraud.
Our work to partner with law enforcement agencies in addressing this problem is driven by a combination of technology and action taken by our customers. In 2014, Microsoft launched an online “report a scam” portal to enable victims to share their tech support fraud experiences directly with our Digital Crimes Unit team. The reports have been a critical starting point for our international investigations and referrals. Our data analytics and innovation team has added additional tools to proactively hunt and pull data from approximately 150,000 suspicious pop-ups daily targeting millions of people and use machine learning to identify those related to tech support fraud.
In addition to making referrals to law enforcement based on this data, we are building what we learn about cybercriminals’ behavior into improved products and services for consumers. Microsoft has built-in protection in Windows 10 which includes more security features, safer authentication and ongoing updates delivered for the supported lifetime of a device. Windows Defender delivers comprehensive, real-time protection against software threats across email, cloud and the web. The SmartScreen filter, built into Windows, Microsoft Edge and Internet Explorer, helps protect against malicious websites and downloads, including many of those frustrating pop-up windows. People who have experienced tech support scams should know they aren’t alone, but there are steps you can take to identify and help defend yourself against criminals looking to impersonate legitimate companies. According to our recently released 2018 global survey, three out of five consumers have experienced a tech support scam in the previous 12 months. Although this reflects movement in the right direction, and a 5-point reduction since 2016, these scams persist and successfully target people across all ages and geographies. The best thing you can do to help protect yourself from fraud is to educate yourself. If you receive a notification or call from someone claiming to be from a reputable software company, here are a few key tips to keep in mind:
  • Be wary of any unsolicited phone call or pop-up message on your device.
  • Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.
  • Do not call the phone number in a pop-up window on your device and be cautious about clicking on notifications asking you to scan your computer or download software. Many scammers try to fool you into thinking their notifications are legitimate.
  • Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
  • If skeptical, take the person’s information down and immediately report it to your local authorities.
 

Starwood Guest Reservation Database Security Incident - Marriott


30 November 2018

Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information. Marriott reported this incident to law enforcement and continues to support their investigation. We have already begun notifying regulatory authorities.
Go here for more information

Tuesday, November 27, 2018

Major Online Ad Fraud Operation


U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



11/27/2018 12:09 PM EST


Original release date: November 27, 2018

Systems Affected


Microsoft Windows

Overview


This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description


Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol (BGP)-hijacked IP addresses.

Boaxxe/Miuref Malware


Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware


Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Impact


For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

Boaxxe/Miuref Malware


Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:

  • %UserProfile%\AppData\Local\VirtualStore\lsass.aaa
  • %UserProfile%\AppData\Local\Temp\<RANDOM>.exe
  • %UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>

Kovter Malware


Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:

  • %UserProfile%\AppData\Local\Temp\<RANDOM>.exe/.bat
  • %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
  • %UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat

Kovter is known to hide in the registry under:

  • HKCU\SOFTWARE\<RANDOM>\<RANDOM>

The customized CEF browser is dropped to:

  • %UserProfile%\AppData\Local\<RANDOM>

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:

  • /?ptrackp=\d{5,8}
  • /feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d-_]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
  • /feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]
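As an added example that is not part of the advisory, the three Kovter URL patterns above are compiled for Python's re module and run over a constructed proxy log, with hits grouped per client so that one matching request is not treated as a verdict on its own. The log format, the pattern labels, the sample hosts and addresses, and two small regex adjustments noted in the comments are assumptions made here.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The three Kovter URL patterns from the advisory, rewritten for Python's
# re module. Assumptions: the leading "/?" is meant literally, so "?" is
# escaped; the advisory's class "[\w\.\d-_]" is rejected by Python as a bad
# range, so the hyphen is escaped. The names are labels chosen here.
KOVTER_URL_PATTERNS = {
    "ptrackp": re.compile(r"/\?ptrackp=\d{5,8}"),
    "feedrs_click": re.compile(
        r"/feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*"
        r"&spoof_domain=[\w.\-]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    ),
    "feedrs_vast": re.compile(
        r"/feedrs\d/vast_track\?a=impression&feed_id=\d{5}&sub_id=\d{1,5}"
        r"&sub2_id=\d{1,5}&cid=[a-f\d-]"
    ),
}

# Constructed proxy log, one request per line:
# "<timestamp> <client_ip> <method> <url> <status>".
# Hosts and addresses are reserved example values, not real indicators.
SAMPLE_PROXY_LOG = """\
2018-11-27T12:01:03Z 10.0.5.17 GET http://example-news.test/?ptrackp=483920 200
2018-11-27T12:01:09Z 10.0.5.17 GET http://example-news.test/feedrs3/click?feed_id=1204&sub_id=77&cid=3f9a1c2e-9b&spoof_domain=popular-site.example&land_ip=192.0.2.44 302
2018-11-27T12:01:10Z 10.0.5.17 GET http://cdn.example.test/feedrs2/vast_track?a=impression&feed_id=12040&sub_id=77&sub2_id=3&cid=a 200
2018-11-27T12:02:41Z 10.0.5.23 GET http://intranet.example.test/feedrs1/click?feed_id=9&sub_id=1 200
2018-11-27T12:03:00Z 10.0.5.23 GET http://www.example.org/index.html 200
"""


def request_target(url):
    """Return the path plus query string of a URL; the advisory's patterns
    describe that part of the request, not the scheme or host."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def match_kovter_urls(log_text):
    """Scan proxy log lines and return (client_ip, pattern_name, target)
    for every pattern each request matches. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, client_ip, _method, url, _status = fields
        target = request_target(url)
        for name, pattern in KOVTER_URL_PATTERNS.items():
            if pattern.search(target):
                hits.append((client_ip, name, target))
    return hits


def suspect_hosts(hits, min_patterns=2):
    """Group hits per client and keep clients that matched at least
    min_patterns distinct patterns: the advisory says a single indicator
    does not by itself mean a machine is infected, so ask for corroboration."""
    seen = defaultdict(set)
    for client_ip, name, _target in hits:
        seen[client_ip].add(name)
    return {ip: names for ip, names in seen.items() if len(names) >= min_patterns}


if __name__ == "__main__":
    found = match_kovter_urls(SAMPLE_PROXY_LOG)
    for client_ip, name, target in found:
        print(f"{client_ip} matched {name}: {target}")
    print("clients to triage:", sorted(suspect_hosts(found)))
```

The fourth sample line is a near miss that lacks the cid, spoof_domain and land_ip parameters, so it is not flagged; lowering min_patterns to 1 widens the triage list at the cost of more false positives.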

The following is a YARA rule for detecting Kovter:

rule KovterUnpacked {
  meta:
    desc = "Encoded strings in unpacked Kovter samples."
  strings:
    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
  condition:
    all of them
}

Solution


If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

  • Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
  • Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
  • Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
  • Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.

References


Monday, November 12, 2018

There are many frameworks that you can use to protect a company infrastructure


There are many different approaches to helping a company look at the protection of assets and data through a repeatable process.

There is COBIT by ISACA. COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by ISACA (Information Systems Audit and Control Association) for IT governance and management. It was designed to be a supportive tool for managers—and allows bridging the crucial gap between technical issues, business risks, and control requirements. You can learn about COBIT here.

The National Institute of Standards and Technology (NIST) SP 800 series. The NIST SP 800 documents are a series of publications put forth by the National Institute of Standards and Technology (NIST), which is a non-regulatory agency of the United States Department of Commerce. The SP 800 series was established in 1990 and has grown quite a bit since then, encompassing a large, in-depth, and ever-growing set of computer security documents seen by many as industry leading. Additionally, the NIST SP 800 documents have been well known to many professionals within the field of information technology, particularly information security, as they gained additional recognition with the Federal Information Security Management Act of 2002, known as FISMA. You can see the SP 800 files here.

Cybersecurity Framework Version 1.1 CSF. This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. You can learn about CSF here.

The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS). There are more than a dozen standards in the 27000 family, you can see them here.

Most of us know about MITRE CVE, whose sole purpose is to provide common vulnerability identifiers called “CVE Entries.” CVE does not provide severity scoring or prioritization ratings for software vulnerabilities. However, while separate, the CVSS standard can be used to score the severity of CVE Entries.

One you might not know about is MITRE ATT&CK™

MITRE’s ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge. You can find out more here.

Friday, November 9, 2018

Windows 10 shortcuts

Keyboard shortcuts are keys or combinations of keys that provide an alternative way to do something that you’d typically do with a mouse.

Copy, paste, and other general keyboard shortcuts

Press this key To do this
Ctrl + X Cut the selected item
Ctrl + C (or Ctrl + Insert) Copy the selected item
Ctrl + V (or Shift + Insert) Paste the selected item
Ctrl + Z Undo an action
Alt + Tab Switch between open apps
Alt + F4 Close the active item, or exit the active app
Windows logo key  + L Lock your PC
Windows logo key  + D Display and hide the desktop
F2 Rename the selected item
F3 Search for a file or folder in File Explorer
F4 Display the address bar list in File Explorer
F5 Refresh the active window
F6 Cycle through screen elements in a window or on the desktop
F10 Activate the Menu bar in the active app
Alt + F8 Show your password on the sign-in screen
Alt + Esc Cycle through items in the order in which they were opened
Alt + underlined letter Perform the command for that letter
Alt + Enter Display properties for the selected item
Alt + Spacebar Open the shortcut menu for the active window
Alt + Left arrow Go back
Alt + Right arrow Go forward
Alt + Page Up Move up one screen
Alt + Page Down Move down one screen
Ctrl + F4 Close the active document (in apps that are full-screen and let you have multiple documents open at the same time)
Ctrl + A Select all items in a document or window
Ctrl + D (or Delete) Delete the selected item and move it to the Recycle Bin
Ctrl + R (or F5) Refresh the active window
Ctrl + Y Redo an action
Ctrl + Right arrow Move the cursor to the beginning of the next word
Ctrl + Left arrow Move the cursor to the beginning of the previous word
Ctrl + Down arrow Move the cursor to the beginning of the next paragraph
Ctrl + Up arrow Move the cursor to the beginning of the previous paragraph
Ctrl + Alt + Tab Use the arrow keys to switch between all open apps
Alt + Shift + arrow keys When a group or tile is in focus on the Start menu, move it in the direction specified
Ctrl + Shift + arrow keys When a tile is in focus on the Start menu, move it into another tile to create a folder
Ctrl + arrow keys Resize the Start menu when it's open
Ctrl + arrow key (to move to an item) + Spacebar Select multiple individual items in a window or on the desktop
Ctrl + Shift with an arrow key Select a block of text
Ctrl + Esc Open Start
Ctrl + Shift + Esc Open Task Manager
Ctrl + Shift Switch the keyboard layout when multiple keyboard layouts are available
Ctrl + Spacebar Turn the Chinese input method editor (IME) on or off
Shift + F10 Display the shortcut menu for the selected item
Shift with any arrow key Select more than one item in a window or on the desktop, or select text in a document
Shift + Delete Delete the selected item without moving it to the Recycle Bin first
Right arrow Open the next menu to the right, or open a submenu
Left arrow Open the next menu to the left, or close a submenu
Esc Stop or leave the current task
 

Windows logo key keyboard shortcuts

Press this key To do this
Windows logo key  Open or close Start
Windows logo key  + A Open Action center
Windows logo key  + B Set focus in the notification area
Windows logo key + C Open Cortana in listening mode

Notes
  • This shortcut is turned off by default. To turn it on, select Start  > Settings  > Cortana, and turn on the toggle under Let Cortana listen for my commands when I press the Windows logo key + C.
  • Cortana is available only in certain countries/regions, and some Cortana features might not be available everywhere. If Cortana isn't available or is turned off, you can still use search.
Windows logo key  + Shift + C Open the charms menu
Windows logo key  + D Display and hide the desktop
Windows logo key  + Alt + D Display and hide the date and time on the desktop
Windows logo key  + E Open File Explorer
Windows logo key  + F Open Feedback Hub and take a screenshot
Windows logo key  + G Open Game bar when a game is open
Windows logo key  + H Start dictation
Windows logo key  + I Open Settings
Windows logo key + J Set focus to a Windows tip when one is available. When a Windows tip appears, this brings focus to the tip; press the shortcut again to bring focus to the element on the screen to which the Windows tip is anchored.
Windows logo key  + K Open the Connect quick action
Windows logo key  + L Lock your PC or switch accounts
Windows logo key  + M Minimize all windows
Windows logo key  + O Lock device orientation
Windows logo key  + P Choose a presentation display mode
Windows logo key  + R Open the Run dialog box
Windows logo key  + S Open search
Windows logo key  + T Cycle through apps on the taskbar
Windows logo key  + U Open Ease of Access Center
Windows logo key  + V Cycle through notifications
Windows logo key  + Shift + V Cycle through notifications in reverse order
Windows logo key  + X Open the Quick Link menu
Windows logo key  + Y Switch input between Windows Mixed Reality and your desktop
Windows logo key  + Z Show the commands available in an app in full-screen mode
Windows logo key  + period (.) or semicolon (;) Open emoji panel
Windows logo key  + comma (,) Temporarily peek at the desktop
Windows logo key  + Pause Display the System Properties dialog box
Windows logo key  + Ctrl + F Search for PCs (if you're on a network)
Windows logo key  + Shift + M Restore minimized windows on the desktop
Windows logo key  + number Open the desktop and start the app pinned to the taskbar in the position indicated by the number. If the app is already running, switch to that app.
Windows logo key  + Shift + number Open the desktop and start a new instance of the app pinned to the taskbar in the position indicated by the number
Windows logo key  + Ctrl + number Open the desktop and switch to the last active window of the app pinned to the taskbar in the position indicated by the number
Windows logo key  + Alt + number Open the desktop and open the Jump List for the app pinned to the taskbar in the position indicated by the number
Windows logo key  + Ctrl + Shift + number Open the desktop and open a new instance of the app located at the given position on the taskbar as an administrator
Windows logo key  + Tab Open Task view
Windows logo key  + Up arrow Maximize the window
Windows logo key  + Down arrow Remove current app from screen or minimize the desktop window
Windows logo key  + Left arrow Maximize the app or desktop window to the left side of the screen
Windows logo key  + Right arrow Maximize the app or desktop window to the right side of the screen
Windows logo key  + Home Minimize all except the active desktop window (restores all windows on second stroke)
Windows logo key  + Shift + Up arrow Stretch the desktop window to the top and bottom of the screen
Windows logo key  + Shift + Down arrow Restore/minimize active desktop windows vertically, maintaining width
Windows logo key  + Shift + Left arrow or Right arrow Move an app or window in the desktop from one monitor to another
Windows logo key  + Spacebar Switch input language and keyboard layout
Windows logo key  + Ctrl + Spacebar Change to a previously selected input
Windows logo key  + Ctrl + Enter Open Narrator
Windows logo key  + Plus (+) Open Magnifier
Windows logo key  + forward slash (/) Begin IME reconversion
Windows logo key  + Ctrl + V Open shoulder taps

 

Command Prompt keyboard shortcuts

Press this key To do this
Ctrl + C (or Ctrl + Insert) Copy the selected text
Ctrl + V (or Shift + Insert) Paste the selected text
Ctrl + M Enter Mark mode
Alt + selection key Begin selection in block mode
Arrow keys Move the cursor in the direction specified
Page up Move the cursor by one page up
Page down Move the cursor by one page down
Ctrl + Home (Mark mode) Move the cursor to the beginning of the buffer
Ctrl + End (Mark mode) Move the cursor to the end of the buffer
Ctrl + Up arrow Move up one line in the output history
Ctrl + Down arrow Move down one line in the output history
Ctrl + Home (History navigation) If the command line is empty, move the viewport to the top of the buffer. Otherwise, delete all the characters to the left of the cursor in the command line.
Ctrl + End (History navigation) If the command line is empty, move the viewport to the command line. Otherwise, delete all the characters to the right of the cursor in the command line.

 

Dialog box keyboard shortcuts

Press this key To do this
F4 Display the items in the active list
Ctrl + Tab Move forward through tabs
Ctrl + Shift + Tab Move back through tabs
Ctrl + number (number 1–9) Move to nth tab
Tab Move forward through options
Shift + Tab Move back through options
Alt + underlined letter Perform the command (or select the option) that is used with that letter
Spacebar Select or clear the check box if the active option is a check box
Backspace Open a folder one level up if a folder is selected in the Save As or Open dialog box
Arrow keys Select a button if the active option is a group of option buttons

 

File Explorer keyboard shortcuts

Press this key To do this
Alt + D Select the address bar
Ctrl + E Select the search box
Ctrl + F Select the search box
Ctrl + N Open a new window
Ctrl + W Close the active window
Ctrl + mouse scroll wheel Change the size and appearance of file and folder icons
Ctrl + Shift + E Display all folders above the selected folder
Ctrl + Shift + N Create a new folder
Num Lock + asterisk (*) Display all subfolders under the selected folder
Num Lock + plus (+) Display the contents of the selected folder
Num Lock + minus (-) Collapse the selected folder
Alt + P Display the preview panel
Alt + Enter Open the Properties dialog box for the selected item
Alt + Right arrow View the next folder
Alt + Up arrow View the folder that the folder was in
Alt + Left arrow View the previous folder
Backspace View the previous folder
Right arrow Display the current selection (if it's collapsed), or select the first subfolder
Left arrow Collapse the current selection (if it's expanded), or select the folder that the folder was in
End Display the bottom of the active window
Home Display the top of the active window
F11 Maximize or minimize the active window

 

Virtual desktops keyboard shortcuts

Press this key To do this
Windows logo key  + Tab Open Task view
Windows logo key  + Ctrl + D Add a virtual desktop
Windows logo key  + Ctrl + Right arrow Switch between virtual desktops you’ve created on the right
Windows logo key  + Ctrl + Left arrow Switch between virtual desktops you’ve created on the left
Windows logo key  + Ctrl + F4 Close the virtual desktop you're using

 

Taskbar keyboard shortcuts

Press this key To do this
Shift + click a taskbar button Open an app or quickly open another instance of an app
Ctrl + Shift + click a taskbar button Open an app as an administrator
Shift + right-click a taskbar button Show the window menu for the app
Shift + right-click a grouped taskbar button Show the window menu for the group
Ctrl + click a grouped taskbar button Cycle through the windows of the group