At a glance.
- Personalized smishing.
- Kids' smartwatch open to exploitation.
- Hacked security camera footage posted to adult sites.
- Data breach looks like an extortion gambit.
Personalized smishing campaign targets US victims.
A data theft campaign dubbed the “USPS texting scam” uses SMS-based phishing, or “smishing,” to take advantage of the public’s reliance on text notifications, reports Digital Shadows. The attacker sends a text message to the victim indicating that they have an urgent message awaiting them about a transaction with a popular retailer or service like Amazon or the US Postal Service. The text persuades the victim to click on a link, which redirects through a series of malicious domains used to fingerprint the target’s IP address, browser type, device brand and model, and internet service provider. The final destination is a phishing page, personalized using the aforementioned stolen info and disguised as a customer survey that promises a free gift upon completion. In order to claim the gift, the victim must submit personally identifiable information including address and credit card info. The ultimate goal of the operation is unclear, though the timing and the focus on US targets suggests the possibility of election tampering.
Kids’ smartwatch becomes spy camera.
Smartwatches designed for children have long been low-hanging fruit for hackers as the devices require easily exploitable two-way communication. Naked Security reports that Norwegian cyberthreat response company mnemonic has discovered a vulnerability in the Xplora smartwatch that could allow an attacker to turn the watch into a surveillance device. By downloading firmware from the watch, modifying the firmware to allow administrator access via USB, and then uploading the altered firmware, researchers were able to remotely command the device’s built-in camera to take a snapshot and upload the picture to the vendor’s cloud. Once notified by mnemonic about the issue, Xplora swiftly released a patch.
Security camera footage posted to adult sites.
AsiaOne reports that fifty-thousand home security cameras in Singapore have been hacked, with their stolen video shared online, appearing on various adult Internet sites. We heard from PJ Norris, senior systems engineer at Tripwire, who commented on the scope and effect of the kinds of vulnerabilities exploited in the incident. The first lesson to be reinforced is the risk of keeping default credentials in place on any home security devices:
“One of the most common ways of compromising a home security camera is to attempt to connect to the system using default username and passwords which are widely available. Hackers depend on home users not changing the passwords which allows them to compromise these devices.
"As our homes are becoming more connected to the outside world, it’s even more important now to change default settings on anything IoT (Internet of Things). Manufacturers are starting to take note by distributing these devices securely, however, you should never rely on the vendors for your personal security. Ensure you change the default credentials for cameras, door locks, smart devices and anything else that is connected to the internet.”
Data breach at Florida VAR.
CyberNews reports that Miami, Florida-based technology company Intcomex is the victim of a large-scale breach of nearly one terabyte of data. The lost data include credit cards, passport and license scans, payroll, financial documents, customer databases, employee information, and other personal data. Based on a message obtained by CyberNews from the attacker, the leak appears to be the result of a failed payment negotiation after a ransomware attack. The attacker leaked a chunk of the data onto a popular Russian hacking forum in two batches on separate dates in September, with the promise to release the remaining information in the future. According to a statement from Intcomex, the company has upgraded their security measures and is working with third-party cybersecurity experts and law enforcement to investigate the breach, but maintains that “services provided to our partners have not been impacted.”
Mark Bower, senior vice president with data security specialists comforte AG, sent us comments on the incident:
“Ransomware defense requires a multi-pronged approach. First, sensitive data has to be protected with modern techniques at an individual data field level so that when attacked, the theft yields nothing useful. The purpose here is to neutralize the risk of theft, and mitigate the risk of data being held hostage to a mass leakage event – like in this case. Modern data tokenization is an example of this and increasingly used to secure personal and regulated data like passport, license, tax ID, credit card and other data very efficiently and effectively.
"The second part is effective backup to ensure in the event of system lock out or attackers encrypting data and owning the key, that data can be recovered and restored – including the tokenized data into applications and data stores.
"The combination is a one-two punch defense, and effective at mitigating the threat of both business downtime and data privacy violations in response to an attack which has to be expected and planned for today.”