At a glance.
- Canada Revenue Agency sustains credential-stuffing attacks.
- Guests at Ritz London victims of social engineering.
- Maze dumps Canon data.
- Blackbaud incident update.
- Personal relations management software?
Canada Revenue Agency suspends online services after a data breach.
Two distinct credential-stuffing attacks compromised about 5500 Canada Revenue Agency (CRA) accounts, CTV reports. In credential stuffing the attackers replay username-and-password pairs stolen from other breaches, so the affected accounts are those whose owners reused a password elsewhere. The attackers were able to fraudulently obtain government services using the stolen personal information. In addition to suspending online services generally, CRA has disabled the affected accounts. The agency hopes to restore services sometime today; it has yet to offer specific guidance on how affected citizens ought to recover their accounts or take other steps to protect their identity.
Guests at Ritz Hotel in London conned into giving up paycard details.
Fraudsters posing as hotel employees called guests at London's Ritz Hotel who'd made restaurant reservations and inveigled their victims into giving them their credit card information in order "to confirm" their reservation. The BBC says the crooks spoofed the hotel's number, and the victims unwarily but not perhaps unreasonably accepted the caller ID as a sign that the calls were legitimate. The scammers said the guests' initial card had been declined, and asked them for a second card, which some provided. The scam had a second stage: when the victims' banks detected unusual charges, the scammers called back, spoofed the banks' phone number, and asked the victims to read the security code the bank had sent them. This was represented as an additional layer of security.
Ilia Kolochenko, founder & CEO of web security company ImmuniWeb, emailed comment on the incident:
“Guests of the luxury hotel are wealthy people, oftentimes, virtually without a limit on their credit cards. Despite multilayered defense and transaction verification mechanisms available for high net worth individuals, many of them lack technical knowledge and can be easily lured into expensive mistakes. Some VIP clients may enjoy generous protection against fraudulent credit card charges but not all banks offer them, moreover, there is a multitude of other avenues to profiteer from the alleged breach or extort money from the victims.
"Furthermore, investigation of the alleged Ritz breach may take years, and is unlikely to provide the victims with any compensation proportional to their losses unless they can convincingly prove causation, damage and the Ritz’s negligence in protecting their data. Instead, a penny settlement will likely be reached prior to protracted and exorbitantly expensive litigation with uncertain outcomes for the victims. As to the GDPR sanctions, if any, they will likely depend on other circumstances and will probably take into account the rapidly growing crisis in the hotel industry.”
One lesson to take from the incident: it is fatally easy to treat caller ID as a form of authentication, but it is not one. The displayed number is supplied by the calling party and is trivially spoofed, so it proves nothing about who is on the line; the only safe response to an unexpected call asking for payment details is to hang up and call back on a number taken from the hotel's or bank's own website or card. The second stage of this scam deserves a note of its own: the attackers turned the bank's fraud check into their tool by asking victims to read back the security code the bank had just sent. A code your bank sends you is for you to enter, never for you to read to a caller, however plausible the caller's explanation.
Maze dumps Canon data.
Canon appears not to have satisfied its blackmailers with the ransom they demanded, and so the Maze gang has been releasing stolen data online, according to BleepingComputer. The data do not appear to include any personal information, as had initially been feared. Andrea Carcano, co-founder of Nozomi Networks, emailed comments on the incident:
”Unfortunately this attack underscores the sophistication of the Maze ransomware – and its continued proliferation. Maze has been around since 2019. It’s quite unique in the way the operation is managed, its scale, and the sheer number of organizations that have become its victims.
"Evidence suggests that it operates under an affiliate model, which explains the diversity in its targets as well as the heterogeneity in TTPs employed to successfully compromise its victims.
"While originally spread through exploit kits and emails with malicious attachments, it has evolved to follow new trends and recently began to be deployed post-compromise. The post-compromise deployment approach gives the attackers time to perform lateral movement in the network and maximize the potential impact by exfiltrating and encrypting specific assets.”
The Blackbaud breach afflicts more not-for-profits.
Information concerning donors continues to find its way into the wrong hands. The Eastern Press reports that the East Anglia Children's Hospice has been a recent victim of data theft stemming from the Blackbaud breach.
Blood type, astrological sign...
How private should the sign you were born under be? (By that we mean astrological signs, like Aquarius or Capricorn, not physical signs like "Saint Mary's Hospital" or "Big Dawg's Bail Bonds".) According to Forbes, the upcoming version of Microsoft Office for Mac will store many new kinds of personal information about your contacts, including not only astrological sign but blood type, age, and interests as well. The potential utility of most of this is easy to imagine: it could remind you, for example, when to send a birthday card, that someone likes forget-me-nots rather than hydrangeas, that they graduated from Indiana University of Pennsylvania and not Indiana University, and so on. It's CRM for the personal life. It's also easy to imagine the uses to which the ill-intentioned could put such material should a device be breached or lost, as Forbes also points out: the more a contacts database holds, the more a single compromised laptop hands a social engineer.