Call center phishing, bogus burrito bait. Zoombombing settlement. Amazon's GDPR fine.

Summary

By the CyberWire staff

At a glance.

BazaCall: call center phishing.
That email was not from Chipotle.
Settlement reached in Zoombombing case.
Amazon's record GDPR fine.

BazaCall scam dupes victims into infecting their own machines.

The Hacker News explains that a call center phishing operation dubbed BazaCall is luring targets into unwittingly installing BazaLoader malware. The victim receives an email warning they’ll be charged for a fictitious subscription unless they call a specified number. Once connected with the call center, the victim follows the operator’s step-by-step instructions to supposedly halt the subscription, not realizing they’re actually installing BazaLoader, a C++-based downloader with the ability to deploy ransomware and steal private data from infected machines. By relying on human cooperation, the operation evades malware security software designed to detect traditional automated attacks. Researchers at Proofpoint add, “BazaCall campaigns highlight the importance of cross-domain optics and the ability to correlate events in building a comprehensive defense against complex threats.”

One seafood burrito, extra phishing.

Fast-casual food chain Chipotle saw its email abused after an intruder infiltrated the burrito emporium's marketing email account, Bleeping Computer reports. After hijacking the account, the attacker used it to send phishing emails in an attempt to convince recipients to visit credential-harvesting sites mimicking Microsoft and the United Services Automobile Association. The use of a legitimate address allowed the emails, which appeared to come from “Microsoft 365 Message center,” to go undetected by security software. Email solutions firm Inky explained, “Almost everyone has a Microsoft account, and logins there can lead to all kinds of interesting data, including other logins, trade secrets, financial details, and other intelligence.”

Zoom reaches settlement in EU Zoombombing lawsuit.

Zoom, the teleconferencing giant that became a literal household name after the pandemic-fueled remote working boom, has agreed to pay an $85 million settlement to resolve a lawsuit revolving around Zoombombing, Reuters reports. The plaintiffs claim that by sharing personal data with Facebook, Google, and LinkedIn, Zoom allowed hackers to disrupt meetings with unwelcome content like pornography and racist language. The preliminary settlement, in which Zoom also agreed to upgraded security measures, is awaiting approval from California US District Judge Lucy Koh. Koh stated that Zoom is "mostly" immune for Zoombombing under Section 230 of the federal Communications Decency Act, which protects online platforms from responsibility for user content, and Zoom has denied any wrongdoing.

Amazon hit with largest fine in GDPR history.

Amazon has been fined 746 million euros, or about $887 million, the largest fine ever imposed under the General Data Protection Regulation, by Luxembourg’s privacy regulator the CNPD. As the Wall Street Journal details, the penalty is the result of alleged advertising privacy violations. Amazon has stated it will appeal in court, claiming “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.” EU privacy regulators disagree, and Luxembourg received at least one complaint from a regulator that felt the fine should be even higher.

Selected Reading

Phony Call Centers Tricking Users Into Installing Ransomware and Data-Stealers (The Hacker News) A new fake call center campaign, BazaCall, tricks victims into installing BazaLoader malware, which is designed to steal data and deploy ransomware.

Google Play Protect detects only 31% of Android stalkerware (Atlas VPN) Data presented by the Atlas VPN research team reveals that Android’s internal Google Play Protect service detects only 31% of stalkerware threats.

Identity Breach Report Finds New COVID-19 Cyber Vulnerabilities, Increase in Exposures for Energy & Telecom Sectors/Executives, and COVID Items for Sale on Dark Market According to Constella Intelligence (PR Newswire) Today, Constella Intelligence ("Constella"), a leader in Digital Risk Protection and Identity Threat Intelligence, released their 2021 Identity...

Chipotle’s marketing account hacked to send phishing emails (BleepingComputer) Hackers have compromised an email marketing account belonging to the Chipotle food chain and used it to send out phishing emails luring recipients to malicious links.

NHS Highland Covid data breach was 'human error' (Strathspey Herald) Patients received information for other patients on the backs of their vaccination letters

A New Map Shows the Inescapable Creep of Surveillance (Wired) The Atlas of Surveillance shows which tech law enforcement agencies across the country have acquired. It's a sobering look at the present-day panopticon.

Germany's Constitutional Court Ponders Whether Government Users Of Zero-Day Surveillance Malware Have A Duty To Tell Software Developers About The Flaws (Techdirt.) As Techdirt has reported previously, the use of malware to spy on suspects -- or even innocent citizens -- has long been regarded as legitimate by the German authorities. The recent leak of thousands of telephone numbers that may or may not be victims...

Department of Justice Statement on SolarWinds Update (US Department of Justice) In a statement issued January 6, 2021, the Department of Justice acknowledged that the global SolarWinds incident involved intrusion into the Department’s Microsoft O365 email environment and that this activity constituted a major incident under the Federal Information Security Modernization Act (FISMA).

DOJ says SolarWinds hack impacted 27 US attorneys' offices (The Record by Recorded Future) The Russian hackers who orchestrated the SolarWinds supply chain attack pivoted to the internal network of the US Department of Justice, from where they gained access to Microsoft Office 365 email accounts belonging to employees at 27 state attorneys' offices, the DOJ said in a statement on Friday afternoon.

Amazon Hit With Record EU Privacy Fine (Wall Street Journal) The fine, which Amazon disclosed Friday in a securities filing, was issued two weeks ago by Luxembourg’s privacy regulator and accompanied by an order to revise certain business practices that Amazon didn’t specify.

Zoom reaches $85 mln settlement over user privacy, 'Zoombombing' (Reuters) Zoom Video Communications Inc (ZM.O) agreed to pay $85 million and bolster its security practices to settle a lawsuit claiming it violated users' privacy rights by sharing personal data with Facebook, Google and LinkedIn, and letting hackers disrupt Zoom meetings in a practice called Zoombombing.