At a glance.
- Tracking data as they're entered (and before they're submitted).
- Facestealer infests Play Store Android apps.
- Conti dumps engineering firm's employee data.
Every keystroke you take, they’ll be watching you.
Bleeping Computer discusses a new type of third-party web tracker that collects the data users enter on web forms, even before they hit submit. According to a recent study, trackers on 3% of the world's top 100,000 sites are gathering data like usernames, passwords, and messages, even if the user ultimately deletes the information before pressing “enter.” In the US, 2,950 websites were found to allow these trackers to exfiltrate email addresses before submission; when the same sites were visited from Europe, the number collecting information was 1,844, due in part to protections in the EU’s General Data Protection Regulation. The purpose of the trackers is to monitor visitor traffic in order to create a more personalized experience for users and allow advertisers to serve targeted ads. While they theoretically maintain only a persistent anonymous ID for each user, collecting keystroke activity could render any attempt at anonymity ineffective. To protect themselves, users are urged to activate their browser’s third-party tracking blockers, or to use a private email relay service that generates pseudonymous email addresses.
Kunal Modasiya, senior director of product management at cybersecurity company PerimeterX, wrote to point out that this is a special case of abusing identity and account information:
“The abuse of identity and account information on the web continues to be a critical problem for organizations. Client-side supply chain attacks can cause tremendous damage to a brand’s reputation and its ability to comply with growing data privacy regulations, including GDPR and CCPA.
“In this example, third-party web trackers that run on websites have the same level of resource access as first-party scripts, i.e. they can interact with any sensitive fields and exfiltrate the data even before the user submits. To combat the growing threat of client-side supply chain attacks that come from third-party trackers, organizations must employ comprehensive real-time visibility and control into their site’s client-side supply chain attack surface, to identify vulnerabilities and anomalous behavior. Additionally, they need to employ a comprehensive mitigation strategy that helps proactively mitigate compliance risk. This includes blocking the specific action of the third-party tracker without removing it from their website so they can access approved fields for legitimate purposes.”
Malicious Android apps using spyware to collect user data.
Facestealer spyware has been detected in over two hundred Android apps available on the Google Play app store. The Hacker News explains that the apps, which pose as harmless fitness, photo editing, and puzzle apps, use the spyware to collect user data such as Facebook login credentials. Trend Micro analysts Cifer Fang, Ford Quin, and Zhengyu Dong explained in their recent report, "Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants. Since its discovery, the spyware has continuously beleaguered Google Play." Forty-two of the apps are VPN services, twenty are camera apps, and thirteen are photo editing apps. It’s worth noting that Trend Micro also discovered over forty fake cryptocurrency miner apps designed to trick users into signing up for subscription services, some of which even steal private keys and mnemonic phrases linked to the user’s cryptocurrency wallet.
Conti dumps data after ransomware attack on US engineering firm.
The Parker-Hannifin Corporation, an aerospace engineering firm located in the US state of Ohio, has disclosed a breach that exposed personal employee data, and the Conti ransomware gang has published the data allegedly stolen during the attack. Bleeping Computer reports that the incident occurred last March when an intruder gained unauthorized access to the company’s computer systems. Parker-Hannifin immediately shut down the impacted systems, but the subsequent investigation revealed that the attackers had exfiltrated current and former employee data including names, Social Security numbers, ID card details, health insurance information, and for a small subset of victims, treatment details. On April 1, Conti claimed responsibility for the attack and posted 3% of the allegedly stolen data as proof. The threat actors posted the remainder later that month, presumably because they failed to convince Parker-Hannifin to meet their ransom demands. At this time, it’s unclear exactly how many individuals were impacted.