At a glance.
- Web-scraping bots target the travel industry.
- Dutch secret service allegedly used Pegasus spyware.
- US issues warning about Karakurt threat group.
Web-scraping bots target the travel industry.
Researchers at PerimeterX have released their 2022 Automated Fraud Benchmark Report, and the data shows that web scraping increased a whopping 240% over the previous year. The report describes three web-scraping attacks targeting two major consumer online travel agencies. In the first, an itemization attack, bots used the application’s search engine to scrape itemized product and pricing information while hiding in legitimate app traffic. In the second, also aimed at the search engine, malicious requests made up the majority of all application traffic over a 24-hour period: the number of malicious users was low, but the volume of requests they generated was disproportionately high. In the third, instead of focusing on product or pricing data, the bots scraped product reviews and testimonials from the site, perhaps to reuse the reviews for a competitor, or to lure users looking for the target site into visiting a fraudulent site instead. Such bot attacks harm the target site by negating any competitive pricing edge, reducing look-to-book ratios, increasing global distribution system (GDS) costs, and degrading website performance.
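The two traffic signatures described above (a handful of clients generating most of the search traffic, and clients whose searches are a sweep of distinct queries rather than a human refining one search) can be scored from ordinary access logs. The following is an added example, not PerimeterX code or the report’s methodology; the log lines, IP addresses, the `/search` path and the thresholds are constructed for illustration.

```python
"""Flag catalogue-scraping clients in web-server access logs.

Added example (not from PerimeterX). Two heuristics:
  * volume: a client issuing far more search requests than a human would
  * itemization: nearly every search from that client is a distinct query,
    i.e. a sweep of the product space rather than repeated refinement
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Common Log Format; the request line is split into method, path and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)


def build_sample_log():
    """Constructed log: one scraper sweeping 14 dates, two human sessions."""
    lines = []
    for day in range(1, 15):  # scraper: every request a different itemized search
        lines.append(
            f'203.0.113.7 - - [01/Jun/2022:10:00:{day:02d} +0000] '
            f'"GET /search?dest=LIS&date=2022-07-{day:02d} HTTP/1.1" 200 5120'
        )
    lines += [  # human: repeats a search, refines it once, opens a result
        '198.51.100.20 - - [01/Jun/2022:10:01:00 +0000] "GET /search?dest=LIS&date=2022-07-03 HTTP/1.1" 200 5120',
        '198.51.100.20 - - [01/Jun/2022:10:01:30 +0000] "GET /search?dest=LIS&date=2022-07-03 HTTP/1.1" 200 5120',
        '198.51.100.20 - - [01/Jun/2022:10:02:00 +0000] "GET /search?dest=LIS&date=2022-07-03&stars=4 HTTP/1.1" 200 4800',
        '198.51.100.20 - - [01/Jun/2022:10:02:40 +0000] "GET /hotel/8841 HTTP/1.1" 200 9100',
        '192.0.2.55 - - [01/Jun/2022:10:03:00 +0000] "GET /search?dest=OPO&date=2022-08-10 HTTP/1.1" 200 5100',
        '192.0.2.55 - - [01/Jun/2022:10:03:50 +0000] "GET /hotel/1022 HTTP/1.1" 200 9000',
    ]
    return "\n".join(lines)


def profile_clients(log_text, search_path="/search"):
    """Per-client totals: all requests, search requests, distinct search queries."""
    stats = defaultdict(lambda: {"total": 0, "search": 0, "queries": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        url = urlsplit(m.group("path"))
        s = stats[m.group("ip")]
        s["total"] += 1
        if url.path == search_path:
            s["search"] += 1
            # sort parameters so a=1&b=2 and b=2&a=1 count as the same query
            s["queries"].add(tuple(sorted(parse_qsl(url.query))))
    return stats


def flag_scrapers(stats, min_search=10, min_distinct_ratio=0.9):
    """Clients with many searches, almost all of them distinct (assumed thresholds)."""
    flagged = {}
    for ip, s in stats.items():
        if s["search"] < min_search:
            continue
        ratio = len(s["queries"]) / s["search"]
        if ratio >= min_distinct_ratio:
            flagged[ip] = {"search": s["search"], "distinct_ratio": round(ratio, 2)}
    return flagged


def malicious_share(stats, flagged):
    """Fraction of all requests that came from flagged clients."""
    total = sum(s["total"] for s in stats.values())
    bad = sum(stats[ip]["total"] for ip in flagged)
    return bad / total if total else 0.0


if __name__ == "__main__":
    st = profile_clients(build_sample_log())
    bad = flag_scrapers(st)
    print(bad, f"{malicious_share(st, bad):.0%} of requests")
```

On the constructed log the single scraper is flagged and accounts for 70% of all requests, which is the "few users, most of the traffic" shape the report describes. Keying on source IP is the weakest possible identity: scrapers that hide in legitimate traffic spread requests across proxies, so in production the same profile should be built per session or device fingerprint, and the thresholds tuned against your own look-to-book baseline.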
Dutch secret service allegedly used Pegasus spyware.
The NL Times reports that Dutch intelligence service AIVD has been accused of using NSO Group’s controversial Pegasus spyware. Four anonymous sources claim that the AIVD used Pegasus in 2019 to hack the phone of Ridouan Taghi, a Moroccan-Dutch crime boss who is currently on trial for murder, along with several other unnamed targets. DutchNews.nl notes that Dutch parliamentarian Pieter Omtzigt earlier this year launched an investigation to determine whether the spyware was being used in the Netherlands. "I want to know within which framework it was deployed, against which categories of people, and how supervision is organized. I also want to know what the Prime Minister thinks about the use of Pegasus by the Netherlands,” Omtzigt stated. Security Week adds that in March the European Parliament created a "committee of inquiry" to investigate accusations that Pegasus was being used by EU governments, notably in Hungary and Poland. Though NSO Group says Pegasus is sold only to governments for use against criminals and terrorists, an investigation by Canada's Citizen Lab and Amnesty International last year revealed that governments across the globe have been using Pegasus to spy on opposition members, activists, and journalists. Neither the AIVD nor NSO Group has commented on the allegations.
US issues warning about Karakurt threat group.
A joint cybersecurity advisory on the Karakurt data extortion group was issued this week by the US Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Department of the Treasury, and the Financial Crimes Enforcement Network. Typical of most extortion gangs, Karakurt’s M.O. is to threaten to auction off or publish stolen data unless the attackers’ ransom demands are met. As the advisory explains, the threat actors go as far as calling or emailing the target’s employees, business partners, and clients and supplying proof of the stolen data in order to pressure the victims into cooperating. Karakurt’s demands have ranged anywhere from $25,000 to $13,000,000, and the target usually has about one week to pay. As of last month, Karakurt’s website contained several terabytes of data allegedly belonging to victims across North America and Europe, along with lists naming victims who had not cooperated, and instructions for cybercriminals seeking to purchase the data. Mitigation recommendations include implementing a recovery plan for sensitive or proprietary data, maintaining backups on servers in a segmented and secure location, installing and regularly updating antivirus software with real-time detection, reviewing systems for new or unrecognized accounts, and applying the principle of least privilege to user and administrative accounts.
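One of the advisory’s mitigations, reviewing systems for new or unrecognized accounts, is only meaningful against a known-good baseline. The following is an added example, not code from the advisory or from any of the issuing agencies: it diffs a passwd(5)-style account listing against a baseline and reports the changes an extortion crew’s persistence would typically leave (a new account, a new or promoted UID 0 account, a service account given a login shell). The account names, UIDs and the set of no-login shells are assumptions for illustration.

```python
"""Diff a current POSIX account listing against a known-good baseline.

Added example, not from the CISA/FBI/Treasury/FinCEN advisory. Input is
passwd(5) format: name:password:uid:gid:gecos:home:shell.
"""

# Shells that mean "no interactive login" on common distributions (assumed list).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd-style lines into {name: {uid, gid, shell}}; skip blanks/comments."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        accounts[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return accounts


def diff_accounts(baseline, current):
    """Return (finding, account) pairs describing changes since the baseline."""
    findings = []
    for name, acct in current.items():
        if name not in baseline:
            findings.append(("new_account", name))
            if acct["uid"] == 0:  # a second root-equivalent account
                findings.append(("new_uid0_account", name))
            continue
        old = baseline[name]
        if old["uid"] != 0 and acct["uid"] == 0:
            findings.append(("uid_changed_to_0", name))
        if old["shell"] in NOLOGIN_SHELLS and acct["shell"] not in NOLOGIN_SHELLS:
            findings.append(("login_shell_enabled", name))
    for name in baseline:
        if name not in current:
            findings.append(("removed_account", name))
    return findings


# Constructed baseline and current listings (hypothetical accounts).
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CURRENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:0:backup helper:/var/backups:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""


def review(baseline_text=BASELINE, current_text=CURRENT):
    return diff_accounts(parse_passwd(baseline_text), parse_passwd(current_text))


if __name__ == "__main__":
    for kind, name in review():
        print(f"{kind:22} {name}")
```

Take the baseline from the golden image or configuration management, not from the host being reviewed, since an attacker who already has root can rewrite whatever is stored locally. The same diff should be run over group membership (sudo/wheel, Windows local Administrators) and over domain accounts, because extortion crews rarely stop at one local user.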
Erich Kron, security awareness advocate at KnowBe4, commented on Karakurt and the general implications of dealing with ransomware operators:
“Groups like this use the threat of data exposure to force organizations into paying ransoms, and the willingness to harass customers, business partners, and employees shows just how far they are willing to go to make a few dollars. Besides the operational impact of ransomware, the reputational damage can be severe. This potential damage is what adds to the leverage they already have, and it is a very effective tool.
"While paying the ransom may stop the harassment and may even limit the public exposure of the stolen data, given the lengths these attackers are going to in order to make a few bucks, it can be expected that the information will also be sold on the dark web or shared with other cybercriminals.
"Since the primary means of spreading ransomware is phishing emails, organizations are wise to employ a robust employee education program, to include simulated phishing attacks. This education and the simulations can hone the defensive skills of employees, allowing them to delete or report phishing emails before the damage is done.
"In addition to employee education, organizations should ensure they have strong Data Loss Prevention (DLP) controls in place that can identify and stop attempts to exfiltrate sensitive data that can later be used as leverage.”