At a glance.
- Know your victim (your scam is more plausible that way).
- Data scraping social media.
- Park conveniently but at risk of your data.
- Library card data exposed.
- CERT-In warns about WhatsApp.
Amazon phishers display intimate target knowledge.
Amazon users are reporting that they’ve been targeted by phishing operations in which the scammers appear to know the victims a little too well, CIOL explains. Targets are receiving phone calls in which the cybercriminals claim they have access to the user’s account, and are able to prove this by accurately describing the account balance. In another scam, the attackers are able to identify the victim’s recent purchases, and claim that if the mark doesn’t confirm their account details, their order will be cancelled. The recent breach of supply chain automation startup Bizongo could be the source of the leaked data, since Amazon is a Bizongo client.
Update on Facebook, LinkedIn and Clubhouse scraping incidents.
Social media giants Facebook, LinkedIn, and Clubhouse all suffered massive data leaks in recent weeks. The data of millions of users was posted on the dark web as the result of malicious data scraping, and BankInfo Security takes a closer look at all three incidents. In the LinkedIn and Clubhouse cases, while it’s distressing that such large amounts of data were collected and published for free, all of the data gathered was already publicly available in the users’ profiles. In Facebook’s case, however, the exposed data includes phone numbers that were not routinely visible in the victims’ public profiles. Fortune explains that unlike a traditional data breach, the goal of scraping isn’t to gain unauthorized access to IT systems. Instead, scrapers use automated software to scan and collect data that is already publicly displayed on a website. While the activity is technically not illegal (in 2019 the US Court of Appeals for the Ninth Circuit determined that scraping doesn’t violate the Computer Fraud and Abuse Act), it allows attackers to compile massive datasets that can be used to create dossiers on individuals. Though corporations often have security tools in place to prevent scraping, many attackers disguise their IP addresses in order to evade detection.
And in the case of Facebook, the inclusion of phone numbers that would otherwise be private has led some experts to consider the incident more a breach than a scrape. As Alon Gal of cybercrime intelligence firm Hudson Rock explained, “You basically have the phone number and public information of almost anyone who signed up to Facebook using a phone number, and a phone number in 2021 is a massive digital footprint that can be used to find information about you on the Internet.” This could explain why, as TechCrunch reports, data privacy advocacy group Digital Rights Ireland (DRI) has decided to sue Facebook. The suit cites article 82 of the General Data Protection Regulation, which states that individuals impacted by a breach have a “right to compensation and liability.” DRI has asked users to check to see if their data was exposed, and if so, to join the “mass action” lawsuit. Just last week, Ireland’s Data Protection Commission launched a probe into the incident after questioning Facebook Ireland, the social media giant’s EU headquarters. But if past experience is any indication, an investigation into a breach this massive is likely to take years, which could be why DRI is seeking a more immediate result.
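The scraping pattern described above (automated enumeration of public profile pages, with IP rotation used to stay under per-IP rate limits) is something a site operator can look for in ordinary access logs. The following is an added example written for this briefing, not code from BankInfo Security, Fortune, or any of the platforms mentioned. It assumes a Common Log Format line with one extra quoted field carrying a session identifier; the log layout, the `/profile/<id>` URL scheme, and every sample line are constructed for the example. It flags any client that fetches more than a threshold of distinct profiles inside a sliding time window, and lets the operator group traffic by IP address or by session so that a scraper spreading its requests across many addresses still shows up.

```python
"""Heuristic detection of profile-enumeration scraping in access logs.

Added example for the scraping discussion above; not code from the
briefing or from any company it mentions. The log format (CLF plus a
trailing quoted session-id field) and all sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed log layout: CLF fields followed by a quoted session identifier.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<session>[^"]*)"$'
)
# Only public profile pages count towards enumeration (assumed URL scheme).
PROFILE_RE = re.compile(r'^/profile/(?P<profile>[A-Za-z0-9_-]+)$')


def parse_line(line):
    """Return a dict for a profile fetch, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    p = PROFILE_RE.match(m["path"])
    if not p:
        return None
    return {
        "ip": m["ip"],
        "session": m["session"],
        "profile": p["profile"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
    }


def find_scrapers(lines, key="ip", window_s=60, max_profiles=10):
    """Flag clients that fetch more than max_profiles distinct profiles
    within any window_s-second window. `key` selects how clients are
    grouped ("ip" or "session"). Returns {client: peak distinct count}."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev[key]].append((ev["ts"], ev["profile"]))
    flagged = {}
    win = timedelta(seconds=window_s)
    for client, evs in events.items():
        evs.sort()  # time-ordered so the sliding window below is valid
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > win:
                start += 1
            distinct = {profile for _, profile in evs[start:end + 1]}
            if len(distinct) > max_profiles:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged


# ---- constructed sample traffic (not real logs) ----
_BASE = datetime(2021, 4, 15, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip, offset_s, profile, session):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET /profile/{profile} HTTP/1.1" 200 512 "{session}"'


SAMPLE_LOG = (
    # Scraper A: one IP, twelve profiles in twelve seconds.
    [_line("203.0.113.7", i, f"u{i:04d}", "sess-A") for i in range(12)]
    # Scraper B: the same twelve-profile burst, rotated across six IPs
    # (two fetches each), which keeps every single IP under the threshold.
    + [_line(f"198.51.100.{1 + i // 2}", i, f"u{100 + i:04d}", "sess-B") for i in range(12)]
    # Ordinary user: three profiles spread over several minutes.
    + [_line("192.0.2.5", 100 * i, f"u{200 + i:04d}", "sess-C") for i in range(3)]
)

if __name__ == "__main__":
    print("by IP:     ", find_scrapers(SAMPLE_LOG, key="ip"))
    print("by session:", find_scrapers(SAMPLE_LOG, key="session"))
```

Run by IP, only the single-address scraper is flagged; run by session, the rotating-IP scraper is caught as well, which is the point the article makes about address disguising. In practice the grouping key would be whatever the site already ties requests to (a session cookie, API token, or authenticated account), and the threshold and window would be tuned against the site's normal browsing rates.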
Pittsburgh parkers (and others) exposed in ParkMobile breach.
The CyberWire noted last week that parking payment app ParkMobile experienced a data breach as a result of a third-party software vulnerability. TribLIVE reports that Go Mobile Pittsburgh, the official app of Pittsburgh’s Parking Authority, was impacted in the breach, exposing the data of 20 million of the app’s users. License plate numbers, email addresses, and encrypted passwords were among the data compromised.
Even reading can be risky? (If you check the book out, anyway.)
WRCB TV reports that a Tennessee library suffered a breach that compromised the data of about five thousand library card holders. As a result of the pandemic, the Chattanooga Library allowed card holders to renew their cards online. The renewal process required the submission of sensitive documents such as driver’s license information through a plugin created by software company Formidable, and it appears a software configuration issue was the cause of the breach. While the issue has been remedied, the data had reportedly been exposed since October 2020.
CERT-In identifies severe WhatsApp vulnerabilities.
The Tribune India reports that India’s Computer Emergency Response Team (CERT-In) has detected vulnerabilities of “high” severity in certain versions of popular instant messaging app WhatsApp. CERT-In is warning users with WhatsApp and WhatsApp Business for Android versions prior to v2.21.4.18 and WhatsApp and WhatsApp Business for iOS prior to v2.21.32 that the issues “could allow a remote attacker to execute arbitrary code or access sensitive information on a targeted system.” A WhatsApp spokesperson told Inc42, “As is typical of software products, we’ve addressed two bugs that existed on outdated software, and we have no reason to believe that they were ever abused.” The advisory urges users to update to the latest version of the app.