Spoofing Test and Trace. Third-party apps in G Suite Marketplace ask for a lot.

Summary

By the CyberWire staff

At a glance.

Spoofing Test and Trace to collect personal information.
Third-party apps in the G Suite Marketplace request extensive permissions.

Test and Trace spoofed to gather personal information.

The pandemic continues to provide the bait for phishing campaigns. In the UK the NHS’s Test and Trace system will soon be contacting people who may have been exposed to COVID-19 in an effort to forestall a second wave of infection. The National Health Service says that if you’re called, you “will not be asked to provide any passwords, bank account details or PIN numbers.” Nor will you be asked to download anything. But, Infosecurity Magazine points out, the Test and Trace callers may ask for “full name, date of birth, sex, NHS Number, home postcode and house number, telephone number and email address,” and that’s a nice beginning for subsequent spearphishing and identity fraud. So people should expect the scams to begin.

Since junk phone calls now seem to constitute about the same fraction of calls that junk mail does in your mailbox, it’s not surprising to read in the Register that such attempts are already in progress. It’s easy to spoof SMS and caller line identification, and you can’t rely on those as indications that call is genuine. And follow links in an SMS message purporting to lead to official COVID-19 alerts only at your peril.

Third-party apps in the G Suite Marketplace want a lot of permission...

ZDNet reports that researchers at Two Six Labs have taken a look at the permissions third-party Google apps listed on the G Suite Marketplace requested, and they've found that those permissions amount to an incipient "privacy scandal." Their report outlines their approach. At the beginning of January they used an automated script to install all the 1392 applications listed in the G Suite Marketplace. 405 of them failed to install (for various reasons), and of the 987 apps they were able to install, 889 of these required access to user data that initiated a request for permission. 481 of those applications asked for permission to communicate with some external service. This of course would connect the user's Drive and Gmail to that external service. And the G Suite Marketplace review process seemed not to be keeping intrusive apps out. It takes between four and eight weeks to review apps that make "restricted" API calls and interact with Drive or Gmail data. Until an app is verified, only 100 installations are supposed to be allowed, but the researchers found that many more than 100 users were in fact able to install unverified apps.

The researchers suggest one bit of human engineering that might improve user security awareness: have the apps ask for permission on first use as opposed to on installation. It's been found that this helps users recognize over-intrusive applications they might otherwise allow in.

Selected Reading

G Suite Marketplace primed for a privacy scandal, researchers warn (ZDNet) G Suite apps that have access to Drive and Gmail data found communicating with undisclosed external services.

Experts: #COVID19 Test and Trace Could Lead to Phishing Deluge (Infosecurity Magazine) Experts: #COVID19 Test and Trace Could Lead to Phishing Deluge. Spoofed text messages in particular raise major concerns

Contact-tracer spoofing is already happening – and it's dangerously simple to do (Register) I'm from the government, and I'm here to help you and your friends

Michigan State hit by ransomware threatening leak of student and financial data (EdScoop) A blog associated with the NetWalker malware posted screenshots of file directories and a student’s passport, saying the files will be published if a ransom is not paid.

Ransomware attack causes system outage at telecom firm (Business Insurance) South Africa-based telecommunications firm Telkom SA SOC Ltd. suffered a ransomware attack, which led to outages across of its several systems.

Financial data of 70 lakh BHIM users compromised says cyber security company, NPCI denies claim (Moneycontrol) The company stated it reached out to the website’s developers on May 5 and then approached India’s cybersecurity authority – Computer Emergency Response Team (CERT-In) on May 22, after which the breach was closed.

Why your voice is your new password (InsiderPro) Google now lets some users verify purchases using voice alone. It’s just the beginning. Welcome to the future of biometric ID and verification.