At a glance.
- Effects of AFTS ransomware attack ripple through US.
- Americans neglect identity theft protection.
- Apps script abused to steal card data.
Effects of AFTS ransomware attack ripple through US.
As the CyberWire noted yesterday, TechCrunch reported that data from the California Department of Motor Vehicles (DMV) was potentially compromised as the result of a ransomware attack on Automatic Funds Transfer Services (AFTS). Based out of Seattle, Washington, AFTS provides payment processing and address verification services for many organizations in the states of Washington and California and beyond, and as a result, the ransomware attack is likely to have far-reaching consequences. Bleeping Computer discovered that the attack was carried out on February 3rd by the Cuba ransomware gang, which claims to have stolen various financial and tax documents that it has already begun selling on its website on the dark web. The welcome page of the gang’s site, which boasts a picture of Fidel Castro, simply states “This site contains information about companies that did not want to cooperate with us. Part of the information is for sale and part is freely available. Have fun.” It is likely that if Cuba cannot find buyers for the AFTS data, the gang will release it for free. Since the breach, AFTS’s website has been shut down, bearing a message that it’s “unavailable due to technical issues.” So far, at least seven of AFTS’s clients have disclosed that their data was compromised in the breach. Among them are the local governments of several Washington cities, including Seattle, and it’s likely the list will grow in the coming weeks.
Survey: Americans neglect protection against identity theft.
PropertyCasualty360 shares survey findings that show Americans, though aware of the ever-increasing threat of online identity theft, are not taking the necessary precautions to protect themselves. According to a Harris Poll conducted for the American Institute of CPAs (AICPA), more than half of Americans have increased their online shopping since the pandemic started, but only 30% have set up alerts to warn them when purchases are made without their card present, and fewer than half check their statements for unusual activity. Nearly 40% have used the same password across multiple sites, and one-third have never checked their credit report. Kim Hardy of the AICPA’s National CPA Financial Literacy Commission suggests that individuals regularly monitor their accounts for suspicious activity, conduct online shopping only on a home network, and be wary of any unsolicited communications requesting personal information. And, of course, accounts should be protected with complex, unique passwords and two-factor authentication.
Google Apps Script used as cover for data theft.
The research team at Sansec has found that threat actors are using the Google scripting platform Apps Script as a means of stealing private data. Hiding behind the seemingly innocuous Google domain allows the attackers to avoid detection by malware scanners. The perpetrators begin by injecting obfuscated code into an ecommerce site. Then the malware skims off payment data and sends it to an app hosted by Google Apps Script, and because the Google domain indicates it’s a trusted site, the victims are none the wiser. Sansec has found evidence that, at least in their test case, the harvested data are being sent to a site based in Israel.
Ameet Naik, security evangelist at web application security provider PerimeterX, commented on this as a case of third-party risk. “This attack highlights the importance of continuous visibility into all third-party scripts on websites. Controls like content security policy (CSP) are useful but not sufficient by themselves. They allow website admins to restrict website script activity to known good domains. However, they cannot protect the site when one of those domains gets compromised or subverted to inject Shadow Code into the sites. Website admins must ensure they have continuous runtime visibility into what the scripts are doing, in order to detect and mitigate threats quickly. Consumers must continue to be vigilant while shopping online and monitor their credit card statements for signs of fraud.”
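The limit of domain allowlisting described above can be checked against a site's own policy. The following is an added example, not code from Sansec, PerimeterX or the CyberWire: a simplified CSP source matcher that shows a host-level allowlist cannot tell one tenant of a shared platform from another, plus an audit that flags such entries. The store origin, the policy, the deployment ID in the usage note and the one-entry list of shared hosts are assumptions constructed for illustration.

```javascript
// Added example: simplified CSP matching ('self', scheme- and host-sources only).
const SHARED_HOSTS = ['script.google.com']; // assumption: any account can publish here
const PAGE = 'https://shop.example'; // constructed store origin
const POLICY = "default-src 'self'; connect-src 'self' https://*.google.com"; // constructed

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:']+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false; // 'none', nonces and hashes never match a URL
  const [, scheme, host, port, path] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  const h = host.toLowerCase();
  if (!(h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h)) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  return !path || (path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path);
}

// Would the policy let a page at pageOrigin send a request to target?
function isAllowed(policy, directive, target, pageOrigin) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (!sources) return true; // no governing directive, so no restriction
  return sources.some((s) => sourceMatches(s, new URL(target), pageOrigin));
}

// Audit: list allowlist entries that cover a shared multi-tenant host.
function sharedHostSources(policy) {
  const hits = [];
  for (const [name, sources] of parseCsp(policy)) {
    for (const s of sources) {
      const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split(/[/:]/)[0].toLowerCase();
      const covers = (sh) => host === sh || (host.startsWith('*.') && sh.endsWith(host.slice(1)));
      if (SHARED_HOSTS.some(covers)) hits.push(`${name} ${s}`);
    }
  }
  return hits;
}
```

With the constructed policy, `isAllowed(POLICY, 'connect-src', 'https://script.google.com/macros/s/CONSTRUCTED_ID/exec', PAGE)` returns `true` while an unlisted collector host is refused, and `sharedHostSources(POLICY)` reports the wildcard entry as the one to review or pair with runtime monitoring.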