At a glance.
- BazaCall: call center phishing.
- That email was not from Chipotle.
- Settlement reached in Zoombombing case.
- Amazon's record GDPR fine.
BazaCall scam dupes victims into infecting their own machines.
The Hacker News explains that a call center phishing operation dubbed BazaCall is luring targets into unwittingly installing BazaLoader malware. The victim receives an email warning that they’ll be charged for a fictitious subscription unless they call a specified number. Once connected with the call center, the victim follows the operator’s step-by-step instructions to supposedly cancel the subscription, not realizing they’re actually installing BazaLoader, a C++-based downloader capable of deploying ransomware and stealing private data from infected machines. By relying on human cooperation rather than an automated exploit, the operation evades security software designed to detect traditional automated attacks. Researchers at Proofpoint add, “BazaCall campaigns highlight the importance of cross-domain optics and the ability to correlate events in building a comprehensive defense against complex threats.”
One seafood burrito, extra phishing.
Fast-casual food chain Chipotle saw its email abused after an intruder compromised the burrito emporium's marketing email account, Bleeping Computer reports. After hijacking the account, the attacker used it to send phishing emails in an attempt to convince recipients to visit credential-harvesting sites mimicking Microsoft and the United Services Automobile Association. Because the messages came from a legitimate, reputable address, the emails, which displayed a sender name of “Microsoft 365 Message center,” went undetected by security software. Email security firm Inky explained, “Almost everyone has a Microsoft account, and logins there can lead to all kinds of interesting data, including other logins, trade secrets, financial details, and other intelligence.”
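One defender-side check for the pattern described above, added here as an example rather than taken from the article or from Inky: compare any brand named in the From display name against the domain that actually sent the message, so a "Microsoft 365 Message center" header arriving from an unrelated (even legitimate) domain is flagged. The brand-to-domain mapping, the sample headers and the placeholder marketing domain are all constructed for illustration.

```python
# Added example, not code from the original article. Flags messages whose
# From: display name invokes a brand while the sending domain is not one the
# brand legitimately uses (display-name impersonation from a compromised or
# unrelated account). The brand-to-domain table is an assumed allow-list.
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains entitled to use that name.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "usaa": {"usaa.com"},
}


def sender_parts(raw_message: str):
    """Return (display_name, domain) from the From: header, lower-cased."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), domain


def impersonated_brands(raw_message: str) -> list:
    """Brands mentioned in the display name whose allowed domains exclude the sender."""
    name, domain = sender_parts(raw_message)
    hits = []
    for brand, domains in BRAND_DOMAINS.items():
        allowed = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in name and not allowed:
            hits.append(brand)
    return hits


# Constructed sample headers; the marketing domain is a placeholder.
PHISH = (
    "From: Microsoft 365 Message center <marketing@example-restaurant.com>\r\n"
    "Subject: Action required\r\n\r\nbody"
)
LEGIT = (
    "From: Microsoft 365 Message center <noreply@microsoftonline.com>\r\n"
    "Subject: Message center\r\n\r\nbody"
)

if __name__ == "__main__":
    print(impersonated_brands(PHISH))  # ['microsoft']
    print(impersonated_brands(LEGIT))  # []
```

A mismatch is a signal to quarantine or flag for review, not proof of phishing on its own, since legitimate third-party senders can also carry a brand name; it complements SPF/DKIM/DMARC rather than replacing them.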
Zoom reaches settlement in EU Zoombombing lawsuit.
Zoom, the teleconferencing giant that became a household name after the pandemic-fueled remote working boom, has agreed to pay an $85 million settlement to resolve a lawsuit revolving around Zoombombing, Reuters reports. The plaintiffs claim that by sharing personal data with Facebook, Google, and LinkedIn, Zoom allowed hackers to disrupt meetings with unwelcome content like pornography and racist language. The preliminary settlement, in which Zoom also agreed to upgraded security measures, is awaiting approval from US District Judge Lucy Koh in California. Koh stated that Zoom is "mostly" immune from liability for Zoombombing under Section 230 of the federal Communications Decency Act, which protects online platforms from responsibility for user content, and Zoom has denied any wrongdoing.
Amazon hit with largest fine in GDPR history.
Amazon has been fined 746 million euros, or about $887 million, the largest fine ever imposed under the General Data Protection Regulation, by Luxembourg’s privacy regulator the CNPD. As the Wall Street Journal details, the penalty is the result of alleged advertising privacy violations. Amazon has stated it will appeal in court, claiming “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.” EU privacy regulators disagree, and Luxembourg received at least one complaint from a regulator that felt the fine should be even higher.