At a glance.
- Instagram hijacking campaign reported.
- Brazil's LGPD approaches.
- Class action suit filed against Blackbaud for ransomware incident.
Instagram hijacking, again, this time by smishing.
Trend Micro reported this morning that another campaign designed to hijack high-profile Instagram accounts is in progress. Like an earlier series of attacks, the hackers in this case are Turkish-speaking.
The earlier attacks had used email. Phishing emails ask users to confirm their account to receive a “verified” badge. Should they click the “Verify Account” button the email presents, they’re taken to a page that’s set up to harvest the victims’ email address, credentials, and date of birth. Upon harvesting these, the threat actors have all the details they need to modify the information for recovering a stolen account.
The current round uses text messages instead of emails. The message tells the recipient that a recent post of theirs contains copyrighted material, that the copyright holder has complained, and that the recipient’s account will be deleted. The text message, however, offers the recipient the opportunity to appeal their account’s imminent cancellation. A link in the message takes the victim to an “appeal form.” Filling it out gives up the victim’s credentials, after which the victim is redirected, via an intermediate page, to their own homepage, lending the appearance of a successful “appeal.” The criminals use the stolen credentials to change the email address associated with the victim’s account, and from that point on they have the control they’re looking for.
Multifactor authentication should help protect accounts. So should prudent skepticism, in this case aided by the messages’ poorly written, non-native English.
Brazil's data privacy regime closer to taking effect.
Cooley has an account of Brazil's Lei Geral de Proteção de Dados (LGPD), the country's equivalent of Europe's GDPR. Subject to Presidential approval, Brazil's Senate has passed a resolution that would give the LGPD immediate effect. The LGPD applies to any natural person or legal entity that processes personal data that (1) pertains to individuals located in Brazil, (2) is collected in Brazil, (3) is processed in Brazil, or (4) is processed for the purpose of offering goods or services in Brazil. Like the GDPR, the LGPD applies globally, but it exempts data processed by an individual for purely personal purposes and data used exclusively for journalistic, artistic, or academic purposes. It also exempts data processing for, as Cooley explains, "national security, national defense, public safety or criminal investigation or punishment activities."
Blackbaud faces US class action lawsuit.
The NonProfit Times reports that a class action suit has been filed against Blackbaud, the provider of CRM services to the not-for-profit and educational sectors, in the United States District Court for the District of South Carolina. The plaintiffs allege that the ransomware attack Blackbaud sustained has caused its customers “ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.” Blackbaud disputes this, saying, "Blackbaud disagrees with the allegations and intends to demonstrate they are without merit."