Originally seen: March 7th, 2019 by Nicholas Thompson of Wired.
YESTERDAY AFTERNOON, MARK Zuckerberg presented an entirely new philosophy. For 15 years, the stated goal of Facebook has been to make the world more open and connected; the unstated goal was constructing a targeted advertising system built on nearly infinite data. Yesterday, though, Zuckerberg pronounced that the company is reversing course. The social network of the future won’t be one where everyone connects openly together, as in a town square; it will be one where more connections happen one to one, as in a living room. Instead of data permanence, data will disappear.
Facebook isn’t putting the current platform—worth roughly half a trillion dollars—in the garbage disposal. As Zuckerberg made clear in a Wednesday afternoon interview with WIRED, Facebook as we know it now will still exist. But it will change. And there will also just be something new.
It’s unclear the extent to which Facebook will ultimately push users toward privacy, and in what exact ways. But Zuckerberg controls Facebook, and his manifesto will make its gears start to turn in different directions. As that begins, here are nine important questions the company will have to think through.
1. Facebook knows how to make money in the town square. How does it make money in this new living room?
Private, encrypted messaging is hard to monetize. In our interview, Zuckerberg demurred when asked what the new business model will be after clamping down on the data firehose. The company would, he said, build the product first and figure out the financials later. Facebook does have nascent efforts in commerce and cryptocurrency, but there’s no question that figuring out revenue on the new platform will be a hard problem for Dave Wehner, Facebook’s chief financial officer. A former Facebook employee told me last night, “Mark is like a cartoon character who walks through a bunch of dangerous situations and always comes out on top. Dave is the guy running behind him catching the cat, stopping the ladder from tipping, deflecting the flying axe with a manhole cover.”
2. What does this do to safety on the platform?
Facebook rightly faces endless criticism for all the data it collects. But there are benefits to data collection as well. It can help stop bullies, or even potential suicides. Once those communications become private, Facebook no longer has the same powers to track and moderate. The public—from the media, to nonprofits, to academics, to individuals, to the government—also uses the public nature of Facebook to track bad behavior. If Russian intelligence operatives had just used private encrypted messaging to manipulate Americans, would they have been caught? As Facebook knows from running WhatsApp, which is already end-to-end encrypted, policing abuses gets ever harder as messages get more hidden.
In our interview, Zuckerberg explained that this, not fears about the business model, is what keeps him up at night. “There is just a clear trade-off here when you’re building a messaging system between end-to-end encryption, which provides world-class privacy and the strongest security measures on the one hand, but removes some of the signal that you have to detect really terrible things some people try to do, whether it’s child exploitation or terrorism or extorting people.” When asked whether he cared more about these fears than fears about his business model, he said yes. “I am much more worried about those trade-offs around safety.”
3. What does this do to the company’s efforts in artificial intelligence?
Facebook has spent the past several years building artificial intelligence systems to change the way almost every element of the company works. They are, for example, crucial in the work to eliminate toxic content. But AI, particularly the subset known as machine learning, requires training data, and the more the merrier. Facebook, of course, won’t be just wiping all of its machines as it implements Zuckerberg’s vision. But there will almost certainly be times when the company faces a tradeoff between living up to the ideals in the manifesto or storing something that will make the work of the AI teams easier.
4. What does this do the news industry?
One of the most vexed issues for Facebook is its relationship with the news business. The media industry relies on Facebook for distribution, but it deeply resents that Facebook has swallowed much of the advertising business. Facebook executives know that many people come to the platform to read news, but they hate most of the news written about the platform. News Feed will continue under whatever Facebook builds next, but it’s hard not to imagine that distribution for publishers on Facebook will decline, which may elicit even further media scrutiny. On the other hand, if Facebook is actually pivoting to a new business model, maybe advertising will return to media?
5. How does this change the way regulators react to the company?
Facebook is currently besieged by regulators of all stripes. There are German regulators going after the ad business, British parliamentarians publishing internal emails, American politicians talking about antitrust, and members of the Federal Trade Commission who may be about to fine the company billions of dollars. Much of the anger comes from Facebook’s loose attitudes toward privacy in the past; perhaps this new philosophy will help set people’s minds at ease. Or perhaps not. It is certainly the case, though, that one of Zuckerberg’s proposed moves—further integrating WhatsApp, Instagram, and the main app—will make it much harder to split the company apart in the way that scholars of antitrust have been proposing in recent months.
6. Relatedly, will Facebook now advocate for privacy laws?
Facebook has consistently run afoul of regulators focused on privacy. It has resisted, and sometimes quietly lobbied against, their efforts. Now, though, Zuckerberg has planted a flag in favor of privacy. Does that mean that he will turn, like Tim Cook—aka Tim Apple—into a public advocate for strong privacy legislation?
7. How much does this have to do with Facebook’s Blockchain initiative?
For the past year, Facebook has had a secret team working away in a building on some kind of blockchain initiative. They have been exploring payments, identity, and the creation of a new stablecoin. But no one outside of the company knows for sure what they’ll actually launch. Some insiders view the project as a ludicrous lark. Others think of it as crucial in the quest to redefine Facebook. It seems almost certain that the blockchain initiative informed Zuckerberg’s philosophy. And the connection may be even more direct, particularly if the company is indeed planning to launch a crypto payments system that will work across messaging platforms.
8. What does this do to the company’s chances of going into China?
In his manifesto, Zuckerberg talked about the need to keep servers out of authoritarian countries. As he added when talking to WIRED, “if you put a data center in a place, or you store people’s information in a country, then you’re giving that government the ability to use force to get that data.” In a way, this was a free moral stand. Facebook is already banned in China, by far the most important country where this is an issue. But no one knows how the dynamics between the United States and China will evolve in the next five years. By coming out so strongly in favor of encryption, and against authoritarianism, Facebook may be signaling that it’s giving up on its quest to connect the largest country on earth.
9. How much of this will actually happen?
To skeptics, Zuckerberg’s privacy manifesto was a bundle of naked cynicism and hypocrisy. The company, after all, developed a system to make his personal messages disappear long ago, only rolling it out more broadly under public pressure. But whatever the motives, and whatever the odds that one thinks Facebook will follow through, there’s no question that, inside of Facebook a new era of sorts starts today. Tradeoffs will have to be resolved in different ways. New problems will emerge. Different people will move to different teams. The public and the media, trained to distrust what Facebook says, will judge whether the company is living up to promises that the CEO just made very publicly. In our interview, I asked Zuckerberg how hard this is going to be. “You have no idea how hard it is,” he said laughing.
But, more important, he noted that this will be something rather different for Facebook. “This is a big opportunity, but it’s going to mean adopting and taking some positions on some of these big issues that involve some really big trade-offs and are frankly different from what we may have prioritized historically.”
This IDC White Paper discusses IBM Cloud for VMware Solutions, a portfolio of VMware environment offerings hosted within the IBM Cloud. This document highlights the strengths of the portfolio and illustrates how it offers a secure and flexible path to public cloud and to broader digital transformation.
There are no current reports of the vulnerability being exploited in the wild. However, given the ease in which the bug can be exploited, users should accept incoming updates to their Android builds as soon as possible.
As vendors utilizing the Android operating system roll out security patches and updates at different rates, Google has declined to reveal the technical details of the exploit to mitigate the risk of attack.
Google’s bulletin also outlined remote code execution flaws impacting the Android library, system files, and Nvidia components. Elevation of privilege and information disclosure security holes have also been resolved.
Source code patches for the .PNG issue, alongside other security problems raised in the bulletin, have also been released to the Android Open Source Project (AOSP) repository.
In January, researchers revealed the existence of a new malvertising group called VeryMal. The scammers specifically target Apple users and bury malicious code in digital images using steganography techniques to redirect users from legitimate websites to malicious domains controlled by the attackers.
We often hear about sextortion, business email compromise (BEC), and inheritance scams, but the often overlooked “Romance Scams” could be the most insidious of them all. Not only do victims lose money, but the emotional entanglement ultimately leads to heartbreak.
Romance scams are months long, if not year long, campaigns where bad actors catfish, or pretend to be in love with, an unsuspecting victim in order to steal money from them. They do this by creating fake romantic relationships that the victims become invested in and are willing to help them with fake financial troubles.
In a report shared with BleepingComputer, the Agari Cyber Intelligence Division (ACID) outlines how a criminal gang out of Nigeria called “Scarlet Widow” targets those who are more likely to be lonely such as farmers, elderly, the disabled, and divorced.
This catfishing is done through the creation of fake personas that utilize stolen pictures of attractive people, fake names, personalities, and back stories where they were victimized in the past, but still believe that love is possible. They then create accounts on social media and dating sites, including ones that may attract those looking for love or are lonely such as Dating4Disabled.com, Farmers Dating Site, and DivorcedPeopleMeet.com.
For example, one of the fake personas discovered by Agari is a person named “U.S. Army Captain Michael” who is serving a tour of duty overseas, but is looking for love after he lost his wife.
“According to one of his fake dating site profiles, Captain Micheal is a 43-year-old Catholic man from Austin, Texas, who is currently serving a tour of duty overseas in Kabul, Afghanistan. His profile indicates that, like most of the other personas created by Scarlet Widow, he has lost a loved one in his past. In this case, Captain Micheal lost his wife, as his status describes him as “Widowed.” Since the death of his wife, he has been “searching for so long” for the perfect woman and hopes the women has a trusting mind to fall in love.”
The fake persona for Captain Michael was posted to dating sites such as MilitaryCupid.com and MarriedDateLink.com during a 6 month period in 2017.
Agari states that each of the personas created by Scarlet Widow have different personalities and ways of communicating that reflect their backstory and who they are targeting. For example, the researchers state that Captain Michael’s messages are usually short and to the point, while the gang’s female personas have a “softer, inquisitive, and more verbose tone”.
It’s all about the money
Ultimately, though, these scams are not about making true romance, but about stealing as much money from the victims as they can.
Once a “relationship” is established, the scammers tell their victims that they are having financial difficulty and need financial assistance. This assistance is usually in the form of money for plane tickets, travel assistance, or accommodations.
If the victim is shown to be willing to send money, then the scammers continue with their relationship while continuing to siphon money over a long period of time.
Such is the case with Texan man who was going through a painful divorce and met one of the gang’s fictitious characters named “Laura Cahill”. Over a period of one year, the Scarlet Widow persona was able to scam the individual out of $50,000.
This person was so firmly hooked that when the scammers didn’t reply to him in over a week, he sent a distraught email to her pleading for a reply.
It ultimately got so bad, that this individual stole $10,000 from his father to send to the scammers. This “relationship” ultimately ended when the scammers stopped replying, but it shows how deeply entrenched victims can get in these fake “relationships”.
While this sounds like something that few would fall for, according to Agari it is not that unusual.
“We are tracking a number of Nigerian scammer groups that continue to engage in romance scams and seek out new victims. In 2018, Agari documented a long-running, $500,000 swindle of a divorced American woman with children who refinanced her home to send money to the con artist. Eventually the creditors closed in, and she was forced to sell her house, pull her children out of school, and move the family in with a friend. She continued to believe he was real until Agari presented her with irrefutable evidence of the truth, enabling her to finally break free in 2018. “
Unfortunately, protecting yourself from scams like this can be difficult, especially if you are the type of person that they are targeting. That is because lonely people crave love and camaraderie in their life and may miss warning signs.
Originally seen on CYBERSCOOP by Jeff Stone: February 6, 2019
At least eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera.
The systems fail to secure customers’ personally identifiable information, including names, boarding passes, passport numbers and flight numbers, Wandera said.
The email vulnerabilities still exist, Wandera found, even though researchers notified affected companies weeks ago, and despite growing corporate awareness about the risks associated with sacrificing security for convenience.
The weakness is a check-in link that is emailed to customers, Wandera researchers found. Customer information is embedded in the links, allowing travelers to travel from their email to a website where they check in for a flight without needing to enter their username and password. However the links are unencrypted and re-usable, presenting a tempting target for hackers, according to Michael Covington, vice president of product at Wandera.
“The airlines, in an effort to make it easy for their passengers to check in, have taken shortcuts that have led to the potential exposure of personal information,” he said.
Affected airlines include Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa, Wandera found. Wandera has reported the vulnerability to each company and received responses, though none appear to have fixed the vulnerability, Covington said.
The airlines appear to be using unique servers for automated marketing that fail to protect user information.
“It’s not just the personal information they could get into, but the e-ticketing systems are basically allowing people in without authentication, which would allow you to change details about people like seat assignments and bags checked,” Covington said. “In some cases you can change existing bookings.”
There is no evidence outsiders have exploited the vulnerabilities.
Southwest Airlines is perhaps the best known low-cost airline operating in the U.S., with a 5 percent capacity growth planned for 2019, according to industry analysts at the Center for Aviation. Air France and KLM, which merged under a single holding company in 2004, jointly form one of the world’s largest airlines. Other companies named in the report — Vueling, Transavia and Air — are based in Europe. Thomas Cook is a British charter airline and Jetstar is a low-cost airline in Australia.
CyberScoop sought comment from each of the airlines named in this report. Several acknowledged receiving a request for comment. All except three failed to provide a statement or answer questions by press time.
In a statement, a Thomas Cook spokeswoman said, “We take the security of our customers’ data very seriously and have investigated this matter as a priority. We have looked into the questions raised and have taken immediate action to further increase the security of our customer data.” A Southwest spokesman said, “While we don’t have a comment on this specific issue, the safety and protection of our customers and their data privacy is our highest priority.”
A spokesperson for JetStar said the company takes data security and privacy “extremely seriously” and that the airline has “multiple layers of security in place.”
Air travelers anxious for a web connection in an airport, hotel or elsewhere on their journey are especially at risk because they could be more likely to connect to public WiFi, ignoring security precautions, Covington said.
“If you’re on a Wi-Fi network or a physical network that uses encryption, this would not be a problem,” he said.
“I can’t speak for the airlines individually,” he said. “We’re not a vulnerability testing company, and it’s not our business to go out and find this. But I can tell you the airlines we’ve engaged with have been keen to listen and are open to hearing more.”
Originally seen on ThreatPost by Lindsay O’Donnell: February 26th, 2019
A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google’s translate feature.
Recently-discovered phishing emails scoop up victims’ Facebook and Google credentials and hides its malicious landing page via a novel method – Google Translate.
The phishing campaign uses a two-stage attack to target both Google and Facebook usernames and passwords, according to researchers at Akamai who posted a Tuesday analysis. But in a tricky twist of events, the scam also evades detection through burying its landing page in a Google Translate page – meaning that victims sees a legitimate Google domain and are more likely to input their credentials.
“When it comes to phishing, criminals put a lot of effort into making their attacks look legitimate, while putting pressure on their victims to take action,” Larry Cashdollar, with Akamai, said in a Tuesday post. “This is an interesting attack, as it uses Google Translate, and targets multiple accounts in one go.”
Cashdollar said that he first noticed the attack on Jan. 7 when an email notification on his phone informed him that his Google account had been accessed from a new Windows device.
The message, titled “Security Alert,” features an image branded with Google that says “A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.” Then, there’s a “Consult the activity” button below the message.
Interestingly, the message looked much more convincing in its condensed state on his mobile device, rather than on a desktop where the title of the email sender is more apparent, he said.
Upon closer look at the email, Cashdollar found that the “security alert” was sent from “facebook_secur[@]hotmail.com.”
That triggered two suspicions: Firstly, the email is from a Hotmail account, raising red flags – but also, the entire address had nothing to do with Google, instead referencing Facebook.
“Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn’t aware or paying attention,” he said. “Criminals conducting phishing attacks want to throw people off their game, so they’ll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later.”
When clicking on the “Consult the activity” button, Cashdollar was brought to a landing page that appeared to be a Google domain, prompting him to sign into his Google account.
However, one thing stuck out about the landing page – it was loading the malicious domain via Google Translate, Google’s service to help users translate webpages from one language to another.
Using Google Translate helps the bad actor hide any malicious attempts through several ways: Most importantly, the victim sees a legitimate Google domain which “in some cases… will help the criminal bypass endpoint defenses,” said Cashdollar.
Using Google Translate also means the URL bar is filled with random text. Upon further inspection of that text, victims could see the real, malicious domain, “mediacity,” being translated.
Luckily, “while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer,” said Cashdollar.
For those who fail to notice red flags regarding the landing page, their credentials (username and password) are collected – as well as other information including IP address and browser type – and emailed to the attacker.
“We are aware of the phishing attempts and have blocked all sites in question, on multiple levels,” a Google spokesperson told Threatpost. The spokesperson urged users to report them if they encounter a phishing site.
However, the attack didn’t stop there. The attacker then attempts to hit victims twice, by forwarding them to a different landing page that purports to be Facebook’s mobile login portal as part of the attack.
These type of two-stage attacks appear to be on the rise as bad actors look to take advantage of victims who already fell for the first part of the scam, Cashdollar told Threatpost: “It seems this is becoming more common as the attacker knows they’ve gained your trust and try to steal additional credentials.”
Like the Google page, this Facebook landing page has some red flags. It uses an older version of the Facebook mobile login form, for instance.
“This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums,” said Cashdollar.
Despite these mistakes, the two stages of the phishing attack suggest a certain level of sophistication on the part of the attacker.
“It isn’t every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device. But it’s highly uncommon to see such an attack target two brands in the same session,” he said.
Phishing Scams on the Rise
Phishing attacks have continued to grow over the past year – and this particular scam is only one example of how bad actors behind the scams are updating their methods to become trickier.
Other methods of phishing have increased as well. Up to 49 percent of respondents said they have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.
The company has turned to external help to prevent data breaches from ever affecting its properties again
Hyatt Hotels has launched a bug bounty program in light of recent card-skimming attacks against the hospitality chain.
On Wednesday, the company said the new initiative will be hosted on bug bounty program HackerOne and is designed to allow Hyatt to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities.”
Ethical hackers can use the platform — as well as rival services such as Bugcrowd — to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft.
The bug bounty program is public and includes the main hyatt.com domain, m.hyatt.com, world.hyatt.com, and both the iOS and Android Hyatt mobile apps.
Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.
Hyatt has chosen to use the Common Vulnerability Scoring Standard (CVSS) standard to evaluate the severity of security flaws found.
Researchers who report valid, high-severity flaws can expect rewards of up to $4,000; important bugs will earn them $1,200 and less severe vulnerabilities are worth between $300 and $600.
“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt Chief Information Security Officer Benjamin Vaughn. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”
In a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards which have already been issued at the time of writing.
It is unfortunately quite common for hotel chains and others in the hospitality space to become the focus of cyberattacks due to the vast amount of valuable data these businesses process and store.
In 2015, 250 properties managed by Hyatt across countries including the US, UK, China, Germany, Japan, Italy, France, Russia, and Canada were subject to a cyberattack. Information-stealing malware was implanted on systems, leading to the exposure of customer financial data including cardholder names, card numbers, expiration dates, and internal verification codes.
A second data breach occurred in 2017, in which 41 locations were affected and unauthorized access to payment card information was detected.
Chicago-based Hyatt Hotels manages over 750 properties in 55 countries.
Other organizations that use HackerOne to tap into a vast pool of security researchers include Google, Twitter, the US Department of Defense, GitHub, and Qualcomm.
Big hacks and data leaks are nothing new, but this year has seen a surge in reported breaches. The reason for this might be simple: After the EU general update to data protection regulation (GDPR) came into place in May, firms are more likely to report attacks.
But it also demonstrates that the huge amounts of data collected by companies is not immune to hacking. And many firms aren’t doing enough to ensure they are secure. Let’s take a look back at five massive hacks of this year and examine what they mean for cybersecurity in 2019.
Facebook has suffered several breaches this year, with the worst seeing at least 50 billion users compromised. The biggest breach, in late September enabled hackers to exploit a weakness in Facebook’s code to access the ‘View As’ privacy tool that allows users to see how their profile looks to other people.
Three major security incidents affected user data in 2018, says Lewis Henderson, VP threat intelligence at Glasswall Solutions – and these are just the ones we know about. “Having been caught playing fast and loose with their users’ data, further major security incidents demonstrate Facebook’s infrastructure was probably never designed to cope with this many subscribers. It simply doesn’t have security built in, nor has Facebook taken those companies who exploit subscriber data through a robust third-party security process.”
Facebook has a large security budget and a team that’s known throughout the industry as top-notch, says Joan Pepin, CISO at Auth0. “They should know what they’re doing – but they have a complicated product. The latest hack combined several features in concert, which QA never thought to test. It was a failure of imagination and an outcome of the incredible complexity of their product.”
At the end of November, hotel group Marriott admitted it had suffered a massive data breach affecting the records of up to 500 million customers. The firm revealed its Starwood division’s guest reservation database had been compromised by an unauthorized party. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.
“Regardless of who the finger is being pointed at, it’s clear this stealthy attack meant the perpetrator had unrestricted access, across multiple IT systems for a very long time,” says Glasswall’s Henderson. “Presumably with many elevated privileged accounts compromised, the attackers were clear to traverse customer data held in different locations and likely cleared their tracks as they went.”
And when people trust firms with their data, even cybersecurity experts aren’t immune. “I am a Marriott Platinum for Life customer: My data was hacked alongside that of millions,” says José Hernandez author of Broken Business.
He points out that good crisis management requires full, timely, and complete disclosure – alongside an independent investigation. “Beyond trust and good governance, with Europe’s GDPR, waiting two months to report a significant hack is likely to be met with significant fines and penalties.”
It’s not the data breach that will be most impactful to the company; it’s the regulatory and class actions that follow, says Ian Thornton Trump, head of cyber security at Amtrust International. “But the big question is, why was this data not encrypted while at rest? Why are passport numbers and details not required by law to be encrypted at rest? The Marriott breach was not just about failing to protect the data they have; it’s a failure of governments to insist identity documents are treated with the same requirements as credit card data.”
In December, Quora suffered a massive breach of user data. The intrusion, discovered on November 30, included up to 100 million users’ names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content such as questions, answers, comments, blog posts and upvotes.
“The breadth and potential value of the data compromised, like encrypted passwords and social media data, was notable,” says Andrew Tsonchev, director of technology, Darktrace Industrial.
Edward Whittingham, a former law enforcement officer who is MD of The Defence Works, agrees. “Quora’s data breach was pretty punchy, mainly because it exposed the names, email address and encrypted passwords, as well as data from social networks like Facebook and Twitter, to which people had connected their accounts,” he says.
“Perhaps most interesting, is how the cybercriminals might then go on to use the data, such as questions and answers posed on the platform. I’d expect to see this information sold on the dark web and if there are any contentious questions or answers in there, the fraudsters will be sure to make use of this information and possibly look to hold some users to ransom.”
On 6 September, British Airways informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and cvv codes. It took the firm just one day to announce it had been hit by a cyber-attack between 21 August and 5 September.
Soon afterwards, it was discovered the details were taken via a script designed to steal financial information by ‘skimming’ the payment page before it was submitted. Security researchers now think the perpetrator is the same group that breached Ticketmaster, Magecart.
The impact to affected customers was still being felt in November when it was discovered the Russian hacker group behind Magecart was selling the details in the dark web for around $10 a card.
“In the immediate aftermath, many banks and credit card companies issued replacements or warnings to their customers who may have been affected, netting the Russian group a possible $12m from the hack,” says Martin Jartelius, CSO at Outpost24.
“Aside from BA’s parent company’s shares taking a hit in the immediate aftermath, it’s likely that the company will be penalized under the GDPR legislation, with some experts stating the impact could be in the region £500m or 4% of its turnover, or – if IAG is held accountable – an even larger sum: reportedly around £800m.”
Without Inbenta’s knowledge, Ticketmaster used this code on its payments page, where it was discovered by hackers and modified to extract payment information. The scale isn’t as massive as some other breaches – but the impact was huge. Some customers reported their money had been stolen and others claimed their details had turned up for sale on the dark web. The culprit was apparently credit-card skimming criminals Magecart.
“Just one month after GDPR came into full effect, Ticketmaster announced 40,000 customers’ data was accessed due to a malicious hack on a third party solution,” says Guy Bunker, SVP of Products, Clearswift.
He points out that many security incidents occur as a result of the actions of customers, suppliers and partners. “It’s important to ensure that security measures are up to date across the entire network of companies. Ticketmaster was only as secure as its weakest link.”
Cyber security in 2019
After hitting Ticketmaster and BA, experts predict that Magecart will target more than credit card data in 2019. “In 2018, credit-card skimming criminals grouped under the Magecart label have been carrying out a full-scale assault on e-commerce. They show zero signs of stopping as we head into 2019, with the attacks only getting more traction as various groups learn how to become more effective,” says RiskIQ’s Klijnsma.
He predicts: “As web skimming can skim all sorts of information entered into a website, Magecart groups will surely expand to skimming more than just payment data, such as login credentials and other sensitive information.”
As nation state actors ramp up their campaigns, critical infrastructure will also likely be a target. These attacks are already on the rise, says Andrew Tsonchev, director of technology, Darktrace Industrial. “This year, the ports of San Diego and Barcelona were attacked with ransomware: compromising industrial devices can now allow criminals to ransom access to operational systems as well as data.”
Jake Moore, cyber security expert at ESET, predicts 2019 will see a new form of attack: GDPR bounty hunting. “GDPR bounties work effectively when the attacker extorts an organization by providing them with a copy of their data to prove that it has been breached.
“They then give the victim two options: pay the possibly eye watering ICO fine of up to €20m or 4% of their annual global turnover – or pay the hackers’ chosen fee, which could be anything less than the maximum from the ICO. Hackers take advantage of the fact that some organizations will be tempted to choose the second option so they can avoid any reputational damage caused by a data breach.”
The end of the year is a notoriously busy time for most organizations. Now that we are within the new year, take the time to focus on your security. Please keep these reminders handy to help protect yourself against Cybercrime.
Most malicious attacks an organization will face, will be initiated via email, and can easily spread through an organization without the proper protection. Even a company with a dedicated IT department can still have these attacks slip through.
Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or family member.
Phishing scammers make it seem like they need your information or someone else’s, quickly – or something bad will happen. They might say your account will be frozen, you’ll fail to get a tax refund, your boss will get mad, even that a family member will be hurt or you could be arrested. They lie with the intent of obtaining you or your organizations confidential and financial information.
Never let your guard down.
Never assume anything you receive via email is legit. If you are not 100% certain call the sender to verify.
Do not allow yourself or your organization to complete financial transactions solely via email. There have been widespread bank wire fraud attacks. Please be extremely careful.
The best practice here, is to come up with a strict set of actions that are required for financial transactions, and stick to them. A phone call or face to face hand off should be at least one of the steps.
Even the most careful users, are susceptible to this kind of fraud. This is why at ITG we urge our clients to take the necessary proactive measures. ITG has new products and recommendations that will further protect you from these types of security scams. We strongly recommend sending all of your users our Be Aware and Be Alert checklist from above.
ITG services and our customized plans include full security coverage:
Prevention – reduce the number of phishing and spam emails that make it through to the users.
Training – user awareness is a critical part of the defense.
Compliance – many organizations are now subject to either Federal or State security compliance rules. We are here to help you navigate these and build a security platform that will ensure you can meet and maintain compliance.
If you have any questions or would like to request additional information feel free to contact us today.
“With businesses expanding their online presence to create more touchpoints with customers, employees and partners, the boundaries between what’s inside the firewall and what’s outside become less and less discernible, opening a whole new front in the battle between attackers and security teams,” the company wrote in a blog post. “These attackers target brands and consumers on the open web with tactics like phishing, spinning up malicious mobile apps, hacking third-party suppliers and directly compromising websites.”
The report found that cybercrime costs businesses $600 billion each year, with ransomwarespecifically costing corporations $8 billion per year, or more than $15,000 per minute.
In addition, there are 1,274 new malware variants released each minute, 22.9 phishing email attacks per minute and 2.9 billion record leaks from publicly disclosed incidents each day (that’s more than 5,000 each minute). The data also showed .17 blacklisted mobile apps, .21 new phishing domains, .07 incidents of the Magecart credit card skimmer, .1 new sites running the CoinHive cryptocurrency mining script and four potentially vulnerable web components discovered during the evaluation process.
“This data shows that as organizations continue to roll out new digital strategies and initiatives, the new digital assets they create are subject to scores of malware, malvertising, phishing and crypto mining efforts on a massive scale, while rogue apps, domain and brand infringement, and social impersonation cause business disruption and material loss,” according to RiskIQ.
The company noted that the instances of these cybercrimes have gotten worse since last year, showing that companies need to do more to protect themselves and their clients.
“When brands understand what they look like from the outside-in, they can begin developing a digital threat management strategy that allows them to discover everything associated with their organization on the internet, both legitimate and malicious, and monitor it for potentially devastating cyberattacks. However, bringing the massive scope of an organization’s attack surface into focus is no easy task,” the company added.
Originally seen: Forbes.com by Itzik Kotler on August 22, 2018
We’re all familiar with the idea of recycling as a means of reducing the waste stream. Most of us are in the habit of separating our paper, plastic, glass and metal trash from other garbage. What you may not know is that recycling is a major trend in the hacker community, too. Many of the data breaches that have struck in recent years were accomplished using software that has been around for a long time — today’s hack, yesterday’s technique.
Tools that have been proven effective at fooling users and sneaking past network defenses are regularly reused by hackers. Whether the software was developed specifically for hacking or as a tool with a legitimate purpose that has been adapted for a less savory one, the hacker community has become expert at extracting value from what already exists. As with commercial software development, it takes time and money for hackers to write and test their code, and in order to maximize their profits, it makes sense to recycle what works. Often, these tried-and-true products are packaged and sold to others, furthering their potential to do harm.
This large-scale recycling program means there is an abundance of bad actors spreading an abundance of viruses, trojan horses, ransomware and other junk intended to wreak havoc and steal money and intellectual property. One recent example of recycled software getting heavy use by the hacker community is Mimikatz, a tool used to capture passwords, user credentials and other sensitive information from Windows-based operating systems.
Mimikatz was first created in 2007 and since then has been instrumental in a number of large-scale malware attacks, including the NotPetya campaign that disrupted networks and commerce during the summer of 2017, costing affected companies hundreds of millions of dollars according to the tech journal eWeek. Mimikatz was also used in the PinkKite attack that infected retail point-of-sale (POS) systems, primarily throughout Europe and North America, stealing credit card data used in consumer transactions.
There are other common tools, many of which were developed for legitimate purposes, that have been co-opted by the hacker community in many malicious hacking campaigns. Microsoft originally created PowerShell to automate administrative tasks in Windows. Now PowerShell is available as open source code, supporting Linux and macOS, and available to the developer community — including hackers. PowerShell has been a key component in attacks using stolen passwords and digital credentials to give hackers access to and control of networks. PowerShell was used in the REDLeaves attack, discovered in 2016, targeting the health care and energy industries. PowerShell was also part of a state-sponsored attack targeting teams participating in the 2018 Winter Olympics.
Likewise, macros are small, code-based shortcuts developed for the Microsoft Office suite of products and are used to execute larger, more complex functions. Macros make life easier for Office users, but they have been adapted for spam attacks where they are embedded in attachments that look like legitimate files. Once clicked, the macro downloads malware to the victim’s computer, infecting it with whatever code the adversary wants. Macros were behind the Locky ransomware attack that bedeviled hospitals in the U.S. and elsewhere in 2016 by encoding important files that the hackers would only release upon receipt of payment in bitcoin.
While this illicit activity has contributed to the relentless assault on personal and corporate networks, it has one major flaw that chief information security officers (CISOs) can exploit to protect their networks and endpoints. Because so many hackers conduct campaigns using recycled code, mass-marketed malware and reused techniques, the number of attacks has increased. But that also makes it possible, with the right security strategy, to identify the key signatures in those campaigns and thwart such attacks before they are successful.
The NotPetya and PinkKite campaigns targeted two different kinds of systems. Both used Mimikatz because it worked well for the job it was designed to perform. There was no reason to invent, test and try a new tool for stealing the credentials essential for their hacks because Mimikatz was already available. Because both NotPetya and PinkKite used Mimikatz, defenses configured to detect their telltale signatures would have been able to detect its presence. Security teams which used such defenses were alerted to an attack and with this knowledge could have quickly intervened to thwart the campaign and prevent infection.
This is not revelatory. I previously wrote about an entire information/cybersecurity industry sector built on the collection, analysis and use of this information known as threat intelligence, as a key part of a cyber-defense strategy. Knowing this, why aren’t more organizations taking advantage of this major flaw in the hackers’ use of recycled and open-source code? The information security industry may be too focused on generating fear, uncertainty and doubt than in helping companies establish the security priorities needed to bring to bear all the capabilities available to them.
Because of the adversary’s reuse of hacking tools, CISOs should make sure their systems are calibrated to not only detect the newest zero-day threats but also thwart the malware and methods that continue to wreak havoc on their networks. The information security industry is turning the corner in its fight against the global hacker community, and keeping pace with the threat means building on what we already know. After all, the key to stopping tomorrow’s hack can often be found in the lessons learned from yesterday’s attack.