At a glance.
- SimpleTire caught asleep at the wheel.
- Criminals don't keep secrets well: the case of RaidForums.
- Barracuda zero-day exploited for over seven months.
- Consumers want trustworthy, easy-to-use interfaces without intrusive tracking.
SimpleTire caught asleep at the wheel.
Website Planet reports that cybersecurity researcher Jeremiah Fowler recently found an unprotected database on the web containing more than a million customer records connected to SimpleTire, one of the largest online purveyors of tires in the US. The records included customer names, phone numbers, street addresses, and partial credit card numbers, along with expiration dates, and the server on which they were stored was accessible to anyone on the web. Fowler contacted SimpleTire multiple times to disclose his discovery, but despite his efforts the database remained exposed for over three weeks after it was found. It has since been fully restricted, but Fowler has yet to receive any correspondence from SimpleTire.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, offered some observations on the speed with which criminals can be expected to exploit exposed data. "SimpleTire mistakenly exposed the database on the public internet for at least three weeks," he wrote. "That's more than enough time for cybercriminals to find and steal the data. Our honeypot experiments show that attackers can find and steal data within just a few minutes of exposing a database on the internet. SimpleTire customers should be on the lookout for targeted phishing emails. Scammers will use details from the stolen database to make their messages more convincing. Never click on a link or attachment in an unsolicited email!"
Adrian Sanabria, a member of Valence Threat Labs research team, sees the incident as an instance of a common problem. “The SimpleTire data leak is an example of one of the most common types of breaches. It's extremely easy to leave data open to the public Internet accidentally and equally challenging to realize that you've done so. We're lucky to have security researchers like Jeremiah Fowler looking out for issues like these and reporting them when they find them. There are three important lessons we can take away from this example:
- "Any business as large as SimpleTire should have a Vulnerability Disclosure Program (VDP). Simply put, a VDP makes it easy for the general public to quickly bring a security or privacy issue to a company's attention. It should not have taken three weeks to get someone's attention on this issue.
- "Companies need tools that let them know of data leaks like these before they happen. SaaS security and External Attack Surface Monitoring (EASM) tools are commercially available and serve this purpose but are not yet widely known to security teams.
- "Insurance companies are shifting towards evidence-based approaches to pricing cybersecurity policies. Some are already using the aforementioned tools to determine if there might be a data leak-related breach waiting to happen before agreeing to underwrite an insurance policy.”
Alisdair Faulkner, co-founder and CEO of financial security startup Darwinium, set the incident in the larger context of online fraud. "This latest breach... serves as a stark reminder that - once in the hands of adversaries - customer data is a powerful tool for AI-facilitated scams and fraud attacks," Faulkner wrote. "Fraudsters can use this data in a multitude of ways:
- "To add to other breached and stolen data to create near-perfect replicas of customer identities, for account takeover attempts. To layer credibility and precise information to social engineering scams to increase their success.
- "Knowing personal or transactional information about you or your purchases naturally makes a caller sound more legitimate and can build trust between a fraudster and a victim.
- "To fuel AI-facilitated automated attacks, to mass test the validity of stolen data at different institutions – the net can be cast far and wide at a speed that is hard to compete with.
"Although it seems like an impossible battle, businesses can win back the advantage. Understanding user behavior from the moment they land on a website to the moment they leave can pick up anomalies indicative of fraud. This might include:
- "Unusual behaviors that point to an account takeover attempt - even if a fraudster is using all the “correct” customer identity data.
- "Signs that a customer may be being coerced or guided through a series of steps, such as changes in the way a user interacts with a website, or unusual online interactions or transactions.
- "Machine-generated behavior that is inconsistent with human behavior, even if it has been designed to look like normal customer traffic."
Criminals don't keep secrets well: the case of RaidForums.
One year ago, an operation headed by the US Department of Justice led to the seizure of the popular online cybercrime forum RaidForums. Now TechCrunch reports that a database containing the details of nearly half a million RaidForums users has been posted online. The data was dumped on Exposed, a newer forum that many cybersecurity experts see as RaidForums’ replacement, by an admin who goes by the handle “Impotent.” RaidForums boasted about 550,000 users when it was shut down, and Impotent says “All of the users that were on raidforums may have been infected.” The database includes usernames, email addresses, hashed passwords, and registration dates for members who registered on the forum between March 20, 2015 and September 24, 2020. As Computing notes, some members of the Exposed forum have reported their data is among the exposed info, indicating it is legitimate. Although US law enforcement authorities likely already have this data, the data dump could help security researchers learn more about the forum’s operations. Created in 2015, RaidForums had become one of the world’s leading marketplaces for stolen databases, which included the bounty from recent attacks on cryptocurrency wallet service Gatehub and mobile phone giant T-Mobile.
Christopher Budd, Sophos’ senior manager of threat research, said in an email, "If I can’t trust criminals to keep my data safe, who can I trust? We know that these forums are dangerous places with dangerous people, where predators turn into prey – you venture into this world at your own risk.” As usual, the biter is bit; the hawk is under the eagle's foot; Saruman is betrayed by Sauron, and so forth.
Another Sophos expert, senior threat researcher Matt Wixey, thinks this is probably old news to the police. "Law enforcement likely already have this information and more, as they seized RaidForums over a year ago, so this may only be useful to them in comparing the new leaked data to that which they possess," he said. "The leaked data appears to be incomplete – it contains usernames, email addresses, and hashed/salted passwords, but no posts, private messages, or IP addresses, and it only includes users who registered between 2015-2020. It might be useful for researchers – for example, if usernames/email addresses/passwords appear elsewhere on the internet, that could be interesting. There could be more leaks on the way, but it’s impossible to say."
That the leak happened may be unsurprising, but the explanation behind it may be more interesting. "The real question is, who leaked it, and why?" Wixey added. "It’s not offered for sale; anyone on Exposed (a new leak site based on RaidForums/BreachForums, which copies their look and feel) can download the data if they have enough credits. When threat actors sign up for these forums, their biggest concern may be that the sites end up getting seized by law enforcement. Having their personal data publicly exposed – and therefore suffering the same fate as many of the targeted organizations whose data appears on sites like this – is more unusual." And maybe not all publicity is good publicity. "In the thread in which the leaked data is posted, more than one user has posted something along the lines of 'unfortunately, the journalists are coming,' which shows they’re aware of the media attention leaks like this can generate. It’s also worth bearing in mind a potential flipside of this leak and others like it. Security researchers, journalists, and law enforcement have covert accounts on many criminal marketplaces and forums. If there have been operational security mistakes – using an email address with a full name, for instance, or logging into a site from a corporate/government network – then those accounts could be exposed, and the identities of the individuals/agencies operating those accounts could be revealed."
Barracuda zero-day exploited for over seven months.
IT security firm Barracuda Networks has disclosed that a critical vulnerability discovered in the company’s popular Email Security Gateway (ESG) software has been under active exploitation since October. Now patched, the zero-day bug is a remote-command injection vulnerability which, when exploited, lets an attacker execute system commands through the QX operator, Ars Technica explains. “Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take,” the user notification issued yesterday states. “Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation.” The company did not say how many organizations have been breached, but with the assistance of cybersecurity firm Mandiant it has determined that at least three different malicious payloads were dropped on impacted machines. Help Net Security reports that the three malware types identified to date are known as Saltwater, Seaside, and Seaspy. As Computing notes, the disclosure urges customers to update their ESG appliances to ensure the bug has been patched. "Barracuda's investigation was limited to the ESG product, and not the customer's specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take," it reads. Barracuda also recommends that customers cease use of compromised appliances, request new virtual or hardware appliances, and reset all credentials associated with the impacted appliances. Customers are also advised to inspect their network logs for any suspicious activity.
Consumers want trustworthy, easy-to-use interfaces without intrusive tracking.
Okta released its Customer Identity Trends Report on May 24th, and it argues that frictionless, secure identity methods are a sure way of ensuring profits. The report explains that while customers want a secure and reliable means to carry out their desired purchases or services, they will prioritize those companies that make the user experience more customizable and easy to use. Additionally, customers are striving to protect their personal data by choosing to purchase phones that disable third-party tracking, and this can make it more difficult to provide the desired personalized experience. The report states, “Third-party cookies are also disappearing, and some mobile device manufacturers are restricting the use of device identifiers and making it easier for users to opt out of app-specific targeting or tracking.”
Okta also emphasizes the need for more transparency regarding data usage between the consumer and the company. “The large majority of users understand that their online activities leave a data trail, and a large proportion are taking steps to control their digital footprints,” Okta writes. About 62% of the respondents aware of their digital trail take measures to minimize it. Okta maintains that the best way to ensure these users continue to buy a company’s product is to create a trustworthy and loyal brand. This would ensure that users return of their own volition rather than being targeted by advertisements that they work to avoid. A central point of the report is that a frictionless experience is required to maintain a returning customer base. Okta emphasizes that friction is a surefire way to reduce profits and suggests moving to secure passwordless methods for logins. “A significant majority of survey respondents indicated that they would be more likely to spend money when services offered a simple, secure, and frictionless login process.” The report adds, “Almost two-thirds of survey respondents report feeling overwhelmed with the number of usernames and passwords they have to manage.” Ultimately, the report shows that consumers want a trustworthy, easy-to-use interface that won’t target them with third-party cookies but retains personalized details.