At a glance.
- Report: RailYatri breached.
- Universities and COVID-19 contact tracing.
- Bitcoin-speculation serves as privacy-threatening phishbait.
- Discount phones with preloaded adware and fleeceware.
- Update on Netsential BlueLeaks breach.
Alleged data breach at Indian rail travel market.
Inc42 and other sources report that RailYatri’s production server was breached on August 9. This is said to have resulted in the exposure of all the data on the server, including information belonging to about seven hundred thousand users. Names, email addresses, and partial paycard information are believed to have been compromised. Safety Detectives, which publicly reported the breach, maintains that the exposed data was much more extensive, including not only names and email addresses, but also age, gender, physical addresses, mobile phone numbers, payment logs, itineraries and booking details, geolocation, and other information.
For its part, RailYatri denied that a production server was involved, and said that the incident was minor and relatively brief. The Daily Swig says that the organization was notified of the incident by CERT-IN and took prompt steps to contain it.
University students wary of privacy protections in their institutions' COVID-19 contact-tracing apps.
Some US colleges and universities plan to require that students enable COVID-19 contact-tracing apps before any return to campus. Many students have received this word with skepticism, the Wall Street Journal reports. It seems to be an instance of a more general concern about student privacy. The Journal quotes a Duke University professor of health policy, Donald Taylor, Jr.: “Covid-19 didn’t create problems of transparency for universities. It just made them more public.”
Phishing with Bitcoin bait.
Information Security reports the conclusions of researchers at the firm Abnormal Security that criminals are impersonating BTC Era, a widely used Bitcoin trading platform. Victims are phished with encouragement to send money to what they’re told will be an “investment.” The goal seems to be installation of malware as opposed to the direct theft of the old-fashioned advance-fee scam, and thus the immediate threat is of a breach of privacy as opposed to a direct assault on a victim's bank account.
The criminals use the entirely legitimate and widely used email marketing provider, Constant Contact, to distribute their phishing emails. This also makes it easier for them to reach a big contact list without having to craft and spoof persuasive sender email accounts. The phishing message includes a link helpfully placed so the investor can follow it and “create an account.” After multiple redirections, the investor winds up on a landing page that requests permission to show notifications. When the investor clicks “allow,” that enables adware to run on the now-infected device. The adware monitors user behavior and enables the criminals to spam from the victim machine.
Discount phones exact other costs.
An investigation by Secure-D and BuzzFeed concludes that discount Chinese phones sold for the most part in underdeveloped markets arrive in consumers' hands with adware and fleeceware pre-installed. Most of the users affected have been located in Africa. The phone most affected is the Tecno W2, an inexpensive device that goes for about $30 in Johannesburg. The Tecno W2 is produced by Shenzhen-based Transsion, which since entering the market in 2014 has become Africa’s leading seller of handsets.
Update on the BlueLeaks exposure of medical information.
The data exposed by BlueLeaks activists who hacked Netsential is now known to contain the names, addresses, dates of birth, and COVID-19 status of ordinary citizens, South Dakota's Department of Public Safety has disclosed. The Department also wants to be clear about where various responsibilities lie: "We have informed Netsential it has a responsibility under South Dakota law to notify you of the breach of your data, but Netsential has not confirmed it will do so. Given the sensitivity of your information, the Fusion Center is notifying you directly, so you receive notice even if Netsential fails to act. Please understand this notification does not relieve Netsential of its responsibility to provide its own notice to you, nor does it mean the Fusion Center or Department of Public Safety accepts legal responsibility for any claim that may arise from Netsential’s breach." Insurance Journal says the FBI is currently investigating.