Improved skimmers. France scrutinizes Apple's ad-tracking. SMS security. FBI warns schools of PYSA ransomware.
At a glance.
- Magento skimmer uses malicious jpgs.
- France investigates Apple's ad-tracking.
- SMS security issues.
- FBI warns of PYSA ransomware campaign against academic institutions.
New Magento 2 compromise employs malicious .JPG images.
Sucuri's blog details a new compromise that skims credit card data from Magento 2 ecommerce websites. While investigating a Magento 2 site, researchers discovered a malicious injection that harvested POST request data from users at the checkout page, then encoded the data with Base64 and saved it to a .JPG file. The fake .JPG is a shrewd way of concealing the harvested data so that it goes unnoticed; the stolen data, which could include full names, street addresses, and payment information, could be used for credit card fraud or phishing operations. Website monitoring services and integrity control checks could help site owners detect this compromise.
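The integrity check the Sucuri write-up recommends can be made concrete: a real JPEG begins with the SOI marker bytes FF D8 FF, so a file that carries an image extension but holds only Base64 text is worth an alert. The following script is an added example, not Sucuri's tooling or anything from the Magento project; the checkout field names it looks for, the directory layout, and the sample files it builds are all constructed for this illustration.

```python
import base64
import binascii
import os
import re
import tempfile

# Every real JPEG starts with the SOI marker FF D8 FF.
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTS = (".jpg", ".jpeg")

# Field names commonly present in harvested checkout POST data.
# Constructed for this example; tune to the shop's actual form fields.
CHECKOUT_HINTS = (b"firstname", b"lastname", b"street", b"cc_number",
                  b"payment", b"telephone", b"email")

# One Base64 record per line, optionally padded.
B64_LINE_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def classify_image_bytes(data: bytes) -> str:
    """Return 'ok' for a real JPEG, otherwise a reason the file is suspect."""
    if data.startswith(JPEG_MAGIC):
        return "ok"
    lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
    if not lines:
        return "empty-file"
    decoded = bytearray()
    for line in lines:
        if not B64_LINE_RE.match(line):
            return "not-jpeg"
        try:
            decoded += base64.b64decode(line, validate=True)
        except binascii.Error:
            return "not-jpeg"
    # Valid Base64 throughout: look for harvested form fields in the plaintext.
    if any(hint in decoded.lower() for hint in CHECKOUT_HINTS):
        return "base64-checkout-data"
    return "base64-not-jpeg"


def scan_image_dir(root: str) -> dict:
    """Walk a web root and map every suspect .jpg/.jpeg path to its verdict."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(IMAGE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify_image_bytes(fh.read())
            if verdict != "ok":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = verdict
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root: one real image, one fake image of skimmed data, one stray text file."""
    root = tempfile.mkdtemp(prefix="magento-demo-")
    media = os.path.join(root, "pub", "media", "catalog")
    os.makedirs(media)
    # Genuine JPEG header followed by filler bytes (constructed).
    with open(os.path.join(root, "pub", "media", "logo.jpg"), "wb") as fh:
        fh.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
    # Fake .JPG: two Base64-encoded checkout POST bodies, one per line (constructed, placeholder values).
    records = [
        b"firstname=Jane&lastname=Doe&street=1+Main+St&cc_number=XXXXXXXXXXXXXXXX",
        b"firstname=John&lastname=Roe&street=2+High+St&cc_number=XXXXXXXXXXXXXXXX",
    ]
    with open(os.path.join(media, "product.jpg"), "wb") as fh:
        fh.write(b"\n".join(base64.b64encode(r) for r in records) + b"\n")
    # Plain text misnamed as an image: suspicious but not Base64.
    with open(os.path.join(media, "banner.jpg"), "wb") as fh:
        fh.write(b"not an image really")
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_image_dir(build_sample_webroot()).items()):
        print(f"{why:24} {path}")
```

Run on a real deployment, point `scan_image_dir` at the Magento web root and feed the output into the existing file-integrity monitoring alerts; the magic-byte check is cheap enough to run on every change event, and the Base64 decode only runs on files that already failed it.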
France probe examines Apple’s ad tracking policies.
In response to pushback from privacy lobbyists, France’s data protection authority will launch an investigation into Apple’s recent changes to its data collection policies, AppleInsider reports. Lobbyist group France Digitale filed a complaint with the French National Commission on Informatics and Liberty (CNIL) earlier this month regarding Apple’s new App Tracking Transparency feature. Launching in two weeks, the feature will require third-party iOS developers to request user permission before employing ad tracking. Privacy advocates feel Apple is being unfair, as many of Apple’s own apps, like the App Store and Apple News, do not require permission before tracking. While it’s unclear how long CNIL's investigation will last, it could result in the authority ordering Apple to revise its policies.
Twitter hacker cops a plea.
The Tampa Bay Times reports that a hacker who last summer hijacked Twitter accounts in order to steal over $100,000 in bitcoin has struck a deal with prosecutors. In exchange for his guilty plea, Graham Ivan Clark will avoid the minimum ten-year sentence he would serve if tried as an adult, and will instead serve three years in a young adult prison followed by three years of probation. Clark was seventeen when he was arrested for pulling off his massive Twitter scam: By convincing a Twitter employee that he worked in the company’s IT department, Clark was granted access to Twitter’s customer service portal, allowing him to successfully take over the accounts of public figures with massive followings like President Joe Biden, Elon Musk, Bill Gates, and even Uber. Posing as the account holders, he posted phony messages asking followers to deposit bitcoin in his account, and before Twitter caught on, Clark had accumulated $117,000. Clark’s sentencing forbids the use of a computer without police supervision, and he was required to relinquish the passwords to all of his accounts.
SMS hack takes advantage of regulatory blindspots?
With little government regulation, SMS message interception has become low-hanging fruit for cybercriminals. “SIM swapping” -- tricking mobile carrier employees into changing account credentials -- is the most common method thieves use to redirect a victim’s text messages to another device. As the CyberWire noted yesterday, a new industry is unwittingly making it possible for thieves to intercept a victim’s messages even without a SIM swap. As part of their SMS marketing and mass messaging support services, companies like Sakari allow clients to redirect text messages to a number of their choosing simply by submitting a Letter of Authorization (LOA).
Hackers like Lucky225 have quickly discovered how easy it is to take advantage of this service by simply filling out the required LOA with fraudulent info. Lucky225 explains to KrebsOnSecurity that this attack takes advantage of a loophole in SMS regulation policies. Most telecommunications companies must go through the Number Portability Administration Center (NPAC) to request authorization for a customer to reroute their phone number. But a private company called NetNumber has developed its own process for tracking telecommunications providers, and many of its clients are voice-over-IP (VoIP) or internet-based phone companies that will let anyone become a reseller with little to no verification. Lucky225 explained, “In essence, once you have a reseller account with these VoIP wholesalers you can change the Net Number ID of any phone number to your wholesale provider’s NNID and begin receiving SMS text messages with virtually no authentication whatsoever.” NetNumber claims that, since learning of the fraudulent activity, they have taken “precautionary measures.” But it would seem hackers are still finding ways around these measures, and while many major cell phone companies now have protections in place to make sure their customers aren’t affected by NetNumber requests, smaller carriers are likely still vulnerable.
Update, 3.22.21: Lucky225 has identified himself to us as the Chief Information Officer at Okey Systems, LLC.
FBI warns of renewed PYSA ransomware campaign against schools.
The FBI has warned educational institutions to expect a surge in PYSA ransomware attacks, which it's seen as newly active in twelve US states and the United Kingdom. Also known as Mespinoza, the ransomware strain is usually installed either by remote desktop exploit or conventional phishing. As is now routinely the case with ransomware, PYSA's operators first steal sensitive information, including personally identifiable information, before encrypting its victims' files.
Some industry figures contacted us with comments on the warning, and on the ransomware threat. Jorge Orchilles, CTO of SCYTHE, wrote that, “Ransomware threat actors continue to evolve to ensure they receive payment. We have seen "double extortion" being used across various sectors, not just education. Threat actors exfiltrate data and post a sample to extort and push the victim for payment in addition to the traditional ransom of encrypting their data.”
Saryu Nayyar, CEO of Gurucul, points out that schools can, unfortunately, be easy marks. “For malicious actors, the education sector is a prime target. IT budgets are often limited and cybersecurity resources are stretched thin. The victims can be naive to cyber threats, which makes them easy targets for social engineering and phishing attacks," she wrote. “With the rise of Cybercrime-as-a-Service, including ransomware and hybrid attacks that extract data for extortion before encrypting it, it's no wonder they are going after easier targets like schools, seminaries, and colleges.”
And she sees training and security education as a vital part of the response. “User education to reduce the chance of becoming a victim is the first line of defense, as it almost always is when users are involved. But educational organizations need to take it further. They need to review their cybersecurity posture and update it to face complex threats as budget and resources allow.”
ICO registration mandatory for all businesses (ARLA Propertymark) Any business or sole trader who processes personal information must register with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018 and failure to register is a criminal offence.
Cease and desist claims: a new way to curb data protection breaches by your competitors? (JD Supra) By bringing a cease and desist claim for unfair market practices, companies may have an important weapon at their disposal to teach a competitor that...
Apple Faces Next Round in French Probe Into iOS 14 Overhaul (Bloomberg) Apple set to get French antitrust ruling as soon as Wednesday. Software update plan aims to curb web tracking in privacy push.
REvil Group Claims Slew of Ransomware Attacks (Threatpost) The threat group behind the Sodinokibi ransomware claimed to have recently compromised nine organizations.
'I scrounged through the trash heaps... now I'm a millionaire:' An interview with REvil's Unknown (The Record by Recorded Future) REvil's Unknown talked to Recorded Future expert threat intelligence analyst Dmitry Smilyanets recently about using ransomware as a weapon
REvil member says gang targets organisations with cyber insurance for ransomware attacks (Computing) Pharmaceutical firms are also good payers, claims gang member 'Unknown'
Birmingham college falls victim to 'major ransomware attack' (Computing) The college says it is reverting to online teaching for one week starting Monday
Thinking of Joining Clubhouse? The Membership Fee Could Be Your Data Privacy (Check Point Software) Clubhouse’s exclusivity has created a huge buzz – but does the app and platform’s security match the hype around it? Jonathan Fischbein, Chief Information
FBI warns of rise in PYSA ransomware operators targeting US, UK schools (ZDNet) Data is being stolen ahead of encryption in extortion attempts.
Can We Stop Pretending SMS Is Secure Now? (KrebsOnSecurity) SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of people (many of them low-paid mobile store employees) who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we're learning about an entire ecosystem of companies…
Hacker leaks payment data from defunct WeLeakInfo breach site (BleepingComputer) WeLeakInfo was a website that offered paid subscriptions that provides searchable access to a database containing 12.5 billion user records stolen during data breaches. This data included email addresses, names, phone numbers, addresses, and in many cases, passwords.