At a glance.
- Omicron phishbait.
- Data scraping incident reported.
- Mitto AG under investigation.
Omicron used as phishbait in university email scams.
Cybercriminals are using rising concerns regarding the new Omicron COVID-19 variant as bait in phishing campaigns targeting North American universities. As colleges have been increasing testing for students, faculty, and staff, researchers at Proofpoint have detected Omicron-related scams involving thousands of emails targeting dozens of colleges. The messages include links to spoofed university login portals, with the aim of tricking victims into handing over their credentials. In some campaigns, threat actors even tried to harvest multi-factor authentication (MFA) credentials by mimicking MFA providers like Duo. WPMI reports that in November approximately 40,000 University of Toronto community members received phishing emails from cybercriminals masquerading as the school’s “COVID-19 Support Team” (which doesn’t exist). And the University at Buffalo Police warned of a scam involving emails claiming to provide COVID-19 testing results. This is nothing new, as fraudsters have been using the virus as bait since the beginning of the pandemic, but with the new variant and an increase in travel due to the holidays, cybersecurity experts are urging universities to be vigilant.
Report: Gravatar user data scraped.
Security alert company HaveIBeenPwned says hackers exposed the data of over 100 million users of avatar-creation platform Gravatar last year, but Gravatar denies that any breach occurred. User notifications sent by HaveIBeenPwned claim that the email addresses, usernames, and real names of users were scraped and published in a hacking community. Search Engine Journal explains that while a scrape, which only impacts public data, is technically not a breach, it’s possible that Gravatar’s data handling procedures made their users’ info more vulnerable to exposure. The researcher who discovered the issue says email addresses were being stored in MD5 format, which provides only minimal protection, and claims that Gravatar had “virtually no rate limiting,” meaning a scraper bot could attempt to access millions of user profiles without detection. Gravatar responded on Twitter, “Gravatar was not hacked. Our service gives you control over the data you want to share online.” Troy Hunt of HaveIBeenPwned retorted, “The argument of ‘well, it's public data anyway’ is a view held by the minority. The vast majority of people consistently say ‘I didn't expect my data to be used in this way and I'm unhappy it's now out there and being passed around in this format.’”
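The two design points the researcher raises, an unsalted MD5 of the email address and the absence of rate limiting, are easiest to see in code. The following is an added illustration, not code from Gravatar or from the researcher; it assumes the publicly documented Gravatar convention of hashing the trimmed, lower-cased address with MD5, uses constructed sample addresses rather than real user data, and adds a simple per-client sliding-window limiter as one way a service can bound how many profiles a single client can enumerate per window while producing a countable signal for monitoring.

```python
import hashlib
from collections import defaultdict, deque

# Constructed sample data: made-up addresses standing in for a candidate list
# a defender might check against a published hash dump (not real users).
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]


def email_md5(email: str) -> str:
    """Unsalted MD5 of the trimmed, lower-cased address (the public Gravatar URL scheme)."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def match_hashes(published_hashes, candidates):
    """Return {hash: email} for every published hash that matches a candidate address.

    Because the hash is deterministic and unsalted, anyone holding a list of
    plausible addresses can confirm which of them are present. That is why MD5
    here is a thin layer of obfuscation, not a privacy control.
    """
    lookup = {email_md5(e): e for e in candidates}
    return {h: lookup[h] for h in published_hashes if h in lookup}


class SlidingWindowLimiter:
    """Per-client sliding-window limiter: at most `limit` requests per `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits[client]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def simulate_profile_scrape(limiter, client, n_requests, interval=0.001, start=0.0):
    """Replay n_requests profile lookups from one client, `interval` seconds apart.

    Returns (allowed, blocked). With no limiter every lookup succeeds; with one,
    a single client can only walk `limit` profiles per window, which both slows
    enumeration and yields a count of blocked requests that monitoring can alert on.
    """
    allowed = blocked = 0
    for i in range(n_requests):
        if limiter is None or limiter.allow(client, start + i * interval):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    # A constructed "dump": two hashes of known sample addresses plus one unknown hash.
    dump = [email_md5("alice@example.com"), email_md5("carol@example.net"), "0" * 32]
    print(match_hashes(dump, CANDIDATE_EMAILS))
    print(simulate_profile_scrape(None, "scraper", 1000))
    print(simulate_profile_scrape(SlidingWindowLimiter(100, 60.0), "scraper", 1000))
```

The limiter values (100 lookups per 60 seconds) are illustrative; the point is that without any limit the 1,000-request replay succeeds in full and leaves nothing to count, whereas with one only the first 100 succeed and the remaining 900 refusals are a detection signal.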
Swiss tech company under investigation for alleged surveillance operation.
Switzerland’s federal data protection and information commissioner is conducting an investigation of Swiss automated text message provider Mitto AG amidst allegations that an employee sold access to Mitto’s networks to governments seeking to track individuals’ mobile phones. A Bloomberg News investigation conducted in collaboration with the London-based Bureau of Investigative Journalism found that between 2017 and 2018, the company’s co-founder and chief operating officer Ilja Gorelik provided surveillance-technology companies access to Mitto’s networks. Mitto, which boasts such high-profile clients as Google, Twitter, LinkedIn, and TikTok, previously denied any involvement in the surveillance business and conducted its own internal investigation, stating the company would “take corrective action if necessary.” The Swiss commissioner’s office stated, “As a first step, it will ask Mitto AG to comment and will also contact the mobile network operators in Switzerland.”