
Amazon employees listen in to your conversations with Alexa


A report suggests you may have eavesdroppers in your living room.
Originally seen: April 11, 2019 on ZDNet by Charlie Osborne

Amazon is using a team of human staff to eavesdrop on queries made to Amazon Alexa-enabled smart speakers in a bid to improve the voice assistant’s accuracy, a new report suggests.

If you check out your Amazon Echo smart speaker’s history via the Alexa app (Alexa Account > History), depending on where and when you use the device, you may see little more than general, genuine queries.

My history is full of cooking timer requests, light control commands, and news briefings.

There are also a few nonsense recordings generated by the nearby television on record — including a man talking about his dog and politics mentioned once or twice — and while they may be seen as acceptable recording errors, the idea of an unknown human listening in may be enough to make you uneasy.

According to Bloomberg, this may be the case, as Amazon staff in areas including Boston, Costa Rica, India, and Romania are listening in to as many as 1,000 audio clips per day during nine-hour shifts.

While much of the work is described as “mundane,” such as listening in for phrases including “Taylor Swift” to give the voice assistant context to commands, other clips captured are more private — including the example of a woman singing in the shower and a child “screaming for help.”

Recordings sent to the human teams do not provide full names, but they do connect to an account name, device serial number, and the user’s first name to clips.

Some members of the team are tasked with transcribing commands and analyzing whether or not Alexa responded properly. Others are asked to jot down background noises and conversations picked up improperly by the device.

“The teams use internal chat rooms to share files when they need help parsing a muddled word — or come across an amusing recording,” Bloomberg says.

In some cases, however, the soundbites were not so amusing. Two unnamed sources told the publication that in several cases they picked up potentially criminal and upsetting activities, accidentally recorded by Alexa.

An Amazon spokesperson said in an email that only “an extremely small sample of Alexa voice recordings” is annotated in order to improve the customer experience.

“We take the security and privacy of our customers’ personal information seriously,” the spokesperson added. “We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system.”

It is possible to withdraw from these kinds of programs for the benefit of your personal privacy. In order to do so, jump into the Alexa app and go to Alexa Account > Alexa Privacy > “Manage how your data improves Alexa.”

In this tab, you can toggle various options including whether or not you permit your Alexa usage to be used to “develop new features,” and whether messages you send with Alexa can be used by Amazon to “improve transcription accuracy.”

In related news, the Intercept reported in January that the Amazon-owned company provided its Ukraine-based research and development team close to “unfettered” access to an unencrypted folder full of all the video footage recorded by every Ring camera worldwide. Some employees had access to a form of ‘god’ mode which permitted 24/7 access to customer camera feeds.

Parent company of popular restaurants breached; payment card data exposed.


What happened?

Earl Enterprises, which manages popular restaurant brands including Buca di Beppo, Planet Hollywood, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria, announced that nearly 100 restaurant locations around the United States may have exposed customer payment card data over a 10-month period from May 2018 to March 2019.

In a data breach notice posted on its website, Earl Enterprises confirmed that malware was installed on some point-of-sale systems at certain affected restaurant locations. The malware was designed to capture payment card data, including credit and debit card numbers, expiration dates, and cardholder names. Orders paid for online through third-party apps or platforms were not affected by this breach. Per the company, the incident has been contained and is being investigated.

Earl Enterprises has yet to confirm the size, but independent security researchers reported over 2 million stolen cards are now for sale on the dark web, seemingly as a result of this breach.

What does this mean?

While cardholders are generally not liable for fraudulent charges, it is important to monitor your credit and debit card accounts for suspicious charges and report fraudulent activity to your bank in a timely fashion.

Albany, NY, is coping with a ransomware attack


Originally seen on: April 6th, 2019 by Kevin Collier

(CNN) When Albany, New York, patrolman Gregory McGee went to work last Sunday morning, he got the unpleasant news that hackers had rendered many of the internet-connected tools he relied on for work inoperable.

“We were crippled, essentially, for a whole day,” McGee, who’s vice president of the Albany Police Department’s union, told CNN.
“All of our incident reports, all of our crime reports, that’s all digitized,” McGee said, which meant cops had to write down everything that happened on paper. They showed up to work and had no access to staff schedules.
“We were like, who’s working today?” McGee said. “We have no idea what our manpower is, who’s supposed to be here.”
The culprit was the City of Albany getting infected last Saturday with ransomware, in which malicious software spreads across a network, rendering computers inaccessible, encrypting their files and demanding a fee to go away. The city had recently taken over management of most of the police department’s networks.
City Hall itself experienced a number of municipal service interruptions, too. Albany residents were told to go elsewhere to get birth certificates, death certificates or marriage licenses. Some residents complain that building and development applications haven’t been available via the city’s website, Councilwoman Judy Doesschate told CNN.

What ransomware does

Ransomware fundamentally works as an extortion scheme, encrypting computers and demanding an extortion fee to unlock them. In recent years it has become one of the most prominent problems in cybersecurity. It’s often deployed by criminal hackers simply seeking money, though the US has said the two most infamous strains, WannaCry and NotPetya, were authored by the North Korean and Russian governments, respectively.
That the ransomware hit on a Saturday is likely no coincidence, said Kelly Shortridge, the vice president of strategy at Capsule8, a New York cybersecurity company.
“By infecting an organization with ransomware on a weekend, defenders are more likely to be at a farmers market than looking at their security command center,” Shortridge said. “The heightened sense of panic and scrambling may lead to defenders being more willing to pay out higher costs for the decryption keys, as well.”
Albany declined to share additional details, including what type of ransomware it’s facing and whether it’s hired a third-party company to mitigate the problem, but a spokesperson for the New York State Office of Information Technology Services told CNN it is assisting.
There’s no indication yet who may have deployed the attack, and there are a number of active groups that use ransomware to extort funds. There is precedent for the US accusing individuals of infecting cities with ransomware, however. In November, the US Department of Justice charged two Iranian men with a campaign of targeted ransomware attacks whose more than 200 victims included hospitals, municipalities and public institutions, including the cities of Atlanta and Newark, New Jersey.

After the initial Albany hit

Things started to get better after the beginning of the week. On Monday afternoon, police were able to digitally file incident reports again. A spokesperson for the Albany Police Department said the department “has remained adequately staffed since the attack and there was never an interruption in police services to our community,” but declined further comment.
By Tuesday, the city was able to process marriage licenses again.
Birth and death certificates, however, are still unavailable from City Hall. As of the first week of the attack, at least 17 people from Albany had contacted the State Department of Health instead for birth or death certificates.
And the police department’s scheduling program was still unusable. McGee, scheduled to teach a safety class Friday, didn’t know who he would be teaching.
“Nobody knows who has training today,” he said. “We have no idea who’s actually going to be there.”
Doesschate, the councilwoman, told CNN that while the ransomware has been an inconvenience for constituents who haven’t been able to access certain information online, it was relative.
“Up until about 2 1/2 years ago, this information was not regularly posted online,” she said. “It is disappointing and a bit frustrating, but in the scheme of things, not horrible.”

ThreatList: Phishing Attacks Doubled in 2018


Originally seen on March 12th, 2019 by Lindsey O’Donnell

Scammers used older, tried-and-true phishing tactics in 2018, but also newer tricks, such as fresh distribution methods, according to a new report.

Phishing attempts more than doubled in 2018, as bad actors sought to trick victims into handing over their credentials. They used both old tricks – such as scams tied to current events – as well as other stealthy, fresher tactics.

Researchers with Kaspersky Lab said in a Tuesday report that during the course of 2018, they detected phishing redirection attempts 482.5 million times – up from the 246.2 million attempts detected in 2017. In total, 18.32 percent of users were attacked, researchers said.

“We have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019,” according to the report, by Maria Vergelis, Tatyana Shcherbakova and Tatyana Sidorina with Kaspersky Lab. “Despite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this.”

Bad actors continued to rely on an age-old trick in 2018 for phishing attacks: using newsworthy events, such as new smartphone launches, sales seasons, tax deadlines, and the EU General Data Protection Regulation (GDPR) to hook the victim.


Phishing emails purporting to be about GDPR, for instance, boomed in the first few months of 2018, because during those months there was an upturn in legitimate GDPR mailings warning users of the transition to the new policies, which require stringent processes to store and process personal data of European citizens.

Attackers unsurprisingly took advantage of this with their own GDPR-related emails: “It was generally B2B spam — mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business,” said researchers.

Other top events, such as the 2018 FIFA World Cup and the launch of the new iPhone sparked phishing attempts, including emails leading to fake FIFA partner websites for the former, and spam messages purporting to sell accessories and replica gadgets for the latter.

Despite the cryptocurrency market’s struggle in 2018, bad actors’ interest in cryptocurrencies appears far from waning. In fact, scammers utilized a number of methods to capitalize on victims’ interests in the cryptocurrency market, such as posing as a cryptocurrency exchange or fake Initial Coin Offering (ICO) bent on convincing victims into transferring money to cryptocurrency wallets.

“In 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges and platforms,” researchers said. “Fraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.”


When it came to ICOs, scammers extended invitations to victims for investing in various ICOs via email and social-media posts.

One such scam targeted a cryptocurrency called buzcoin; the scammers got ahold of the project mailing list and sent fake presale invitations to subscribers before the ICO began – eventually making away with $15,000, according to Kaspersky Lab.

There were also sextortion scams that coerced victims to send cryptocurrency in exchange for keeping quiet about their private online activities, with one campaign in July noted for using victims’ legitimate password in the email as a scare tactic; and another one in December hit victims with ransomware.

Researchers said they don’t expect attackers’ interests in cryptocurrency to die down any time soon: “In 2019, spammers will continue to exploit the cryptocurrency topic,” they said. “We expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.”

In 2018, the number of malicious messages in spam was 1.2 times less than in 2017, according to researchers. Of those malicious messages, the most widely distributed malicious objects in email (Exploit.Win32, CVE-2017-11882), exploited a patched Microsoft vulnerability that allowed the attacker to perform arbitrary code-execution.


Despite this downturn in malicious emails, scammers appear to be looking to other sneaky tactics to avoid detection and still make off with victims’ credentials — in particular using non-typical formats for spam like ISO, IQY, PIF and PUB attachments.

“2018 saw a continuation of the trend for attention to detail in email presentation,” researchers said. “Cybercriminals imitated actual business correspondence using the companies’ real details, including signatures and logos.”

In addition, bad actors appeared to transition to new channels of content distribution beyond email – including social media sites, services like Spotify, or even Google Translate.

“Cybercriminals in 2018 used new methods of communication with their ‘audience,’ including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages,” said researchers. “Hand-in-hand with this, as illustrated by [an] attack on universities, fraudsters are seeking not only new channels, but new targets as well.”

9 QUESTIONS FOR FACEBOOK AFTER ZUCKERBERG’S PRIVACY MANIFESTO


Originally seen: March 7th, 2019 by Nicholas Thompson of Wired.

Yesterday afternoon, Mark Zuckerberg presented an entirely new philosophy. For 15 years, the stated goal of Facebook has been to make the world more open and connected; the unstated goal was constructing a targeted advertising system built on nearly infinite data. Yesterday, though, Zuckerberg pronounced that the company is reversing course. The social network of the future won’t be one where everyone connects openly together, as in a town square; it will be one where more connections happen one to one, as in a living room. Instead of data permanence, data will disappear.

Facebook isn’t putting the current platform—worth roughly half a trillion dollars—in the garbage disposal. As Zuckerberg made clear in a Wednesday afternoon interview with WIRED, Facebook as we know it now will still exist. But it will change. And there will also just be something new.

It’s unclear the extent to which Facebook will ultimately push users toward privacy, and in what exact ways. But Zuckerberg controls Facebook, and his manifesto will make its gears start to turn in different directions. As that begins, here are nine important questions the company will have to think through.

1. Facebook knows how to make money in the town square. How does it make money in this new living room?

Private, encrypted messaging is hard to monetize. In our interview, Zuckerberg demurred when asked what the new business model will be after clamping down on the data firehose. The company would, he said, build the product first and figure out the financials later. Facebook does have nascent efforts in commerce and cryptocurrency, but there’s no question that figuring out revenue on the new platform will be a hard problem for Dave Wehner, Facebook’s chief financial officer. A former Facebook employee told me last night, “Mark is like a cartoon character who walks through a bunch of dangerous situations and always comes out on top. Dave is the guy running behind him catching the cat, stopping the ladder from tipping, deflecting the flying axe with a manhole cover.”

2. What does this do to safety on the platform?

Facebook rightly faces endless criticism for all the data it collects. But there are benefits to data collection as well. It can help stop bullies, or even potential suicides. Once those communications become private, Facebook no longer has the same powers to track and moderate. The public—from the media, to nonprofits, to academics, to individuals, to the government—also uses the public nature of Facebook to track bad behavior. If Russian intelligence operatives had just used private encrypted messaging to manipulate Americans, would they have been caught? As Facebook knows from running WhatsApp, which is already end-to-end encrypted, policing abuses gets ever harder as messages get more hidden.

In our interview, Zuckerberg explained that this, not fears about the business model, is what keeps him up at night. “There is just a clear trade-off here when you’re building a messaging system between end-to-end encryption, which provides world-class privacy and the strongest security measures on the one hand, but removes some of the signal that you have to detect really terrible things some people try to do, whether it’s child exploitation or terrorism or extorting people.” When asked whether he cared more about these fears than fears about his business model, he said yes. “I am much more worried about those trade-offs around safety.”

3. What does this do to the company’s efforts in artificial intelligence?

Facebook has spent the past several years building artificial intelligence systems to change the way almost every element of the company works. They are, for example, crucial in the work to eliminate toxic content. But AI, particularly the subset known as machine learning, requires training data, and the more the merrier. Facebook, of course, won’t be just wiping all of its machines as it implements Zuckerberg’s vision. But there will almost certainly be times when the company faces a tradeoff between living up to the ideals in the manifesto or storing something that will make the work of the AI teams easier.

4. What does this do to the news industry?

One of the most vexed issues for Facebook is its relationship with the news business. The media industry relies on Facebook for distribution, but it deeply resents that Facebook has swallowed much of the advertising business. Facebook executives know that many people come to the platform to read news, but they hate most of the news written about the platform. News Feed will continue under whatever Facebook builds next, but it’s hard not to imagine that distribution for publishers on Facebook will decline, which may elicit even further media scrutiny. On the other hand, if Facebook is actually pivoting to a new business model, maybe advertising will return to media?

5. How does this change the way regulators react to the company?

Facebook is currently besieged by regulators of all stripes. There are German regulators going after the ad business, British parliamentarians publishing internal emails, American politicians talking about antitrust, and members of the Federal Trade Commission who may be about to fine the company billions of dollars. Much of the anger comes from Facebook’s loose attitudes toward privacy in the past; perhaps this new philosophy will help set people’s minds at ease. Or perhaps not. It is certainly the case, though, that one of Zuckerberg’s proposed moves—further integrating WhatsApp, Instagram, and the main app—will make it much harder to split the company apart in the way that scholars of antitrust have been proposing in recent months.

6. Relatedly, will Facebook now advocate for privacy laws?

Facebook has consistently run afoul of regulators focused on privacy. It has resisted, and sometimes quietly lobbied against, their efforts. Now, though, Zuckerberg has planted a flag in favor of privacy. Does that mean that he will turn, like Tim Cook—aka Tim Apple—into a public advocate for strong privacy legislation?

7. How much does this have to do with Facebook’s Blockchain initiative?

For the past year, Facebook has had a secret team working away in a building on some kind of blockchain initiative. They have been exploring payments, identity, and the creation of a new stablecoin. But no one outside of the company knows for sure what they’ll actually launch. Some insiders view the project as a ludicrous lark. Others think of it as crucial in the quest to redefine Facebook. It seems almost certain that the blockchain initiative informed Zuckerberg’s philosophy. And the connection may be even more direct, particularly if the company is indeed planning to launch a crypto payments system that will work across messaging platforms.

8. What does this do to the company’s chances of going into China?

In his manifesto, Zuckerberg talked about the need to keep servers out of authoritarian countries. As he added when talking to WIRED, “if you put a data center in a place, or you store people’s information in a country, then you’re giving that government the ability to use force to get that data.” In a way, this was a free moral stand. Facebook is already banned in China, by far the most important country where this is an issue. But no one knows how the dynamics between the United States and China will evolve in the next five years. By coming out so strongly in favor of encryption, and against authoritarianism, Facebook may be signaling that it’s giving up on its quest to connect the largest country on earth.

9. How much of this will actually happen?

To skeptics, Zuckerberg’s privacy manifesto was a bundle of naked cynicism and hypocrisy. The company, after all, developed a system to make his personal messages disappear long ago, only rolling it out more broadly under public pressure. But whatever the motives, and whatever the odds that one thinks Facebook will follow through, there’s no question that, inside of Facebook a new era of sorts starts today. Tradeoffs will have to be resolved in different ways. New problems will emerge. Different people will move to different teams. The public and the media, trained to distrust what Facebook says, will judge whether the company is living up to promises that the CEO just made very publicly. In our interview, I asked Zuckerberg how hard this is going to be. “You have no idea how hard it is,” he said laughing.

But, more important, he noted that this will be something rather different for Facebook. “This is a big opportunity, but it’s going to mean adopting and taking some positions on some of these big issues that involve some really big trade-offs and are frankly different from what we may have prioritized historically.”

Opening this image file grants hackers access to your Android phone


Originally seen on: ZDNet by Charlie Osborne, February 7th, 2019

Be careful if you are sent an image from a suspicious source.

Opening a cute cat meme or innocent landscape photo may seem harmless enough, but if it happens to be in a .PNG format, your Android device could be critically compromised due to a new attack.

In Google’s Android security update for February, the tech giant’s advisory noted a critical vulnerability which exists in the Android operating system’s framework.

All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim’s device. Should the user open the file, the exploit is triggered.

Remote attackers are then able to execute arbitrary code in the context of a privileged process, according to Google.

Android versions 7.0 to 9.0 are impacted.

The vulnerability was one of three bugs impacting Android Framework — CVE-2019-1986,  CVE-2019-1987, and CVE-2019-1988 — and is the most severe security issue in the February update.

There are no current reports of the vulnerability being exploited in the wild. However, given the ease with which the bug can be exploited, users should accept incoming updates to their Android builds as soon as possible.

As vendors utilizing the Android operating system roll out security patches and updates at different rates, Google has declined to reveal the technical details of the exploit to mitigate the risk of attack.

Google’s bulletin also outlined remote code execution flaws impacting the Android library, system files, and Nvidia components. Elevation of privilege and information disclosure security holes have also been resolved.

Source code patches for the .PNG issue, alongside other security problems raised in the bulletin, have also been released to the Android Open Source Project (AOSP) repository.

In January, researchers revealed the existence of a new malvertising group called VeryMal. The scammers specifically target Apple users and bury malicious code in digital images using steganography techniques to redirect users from legitimate websites to malicious domains controlled by the attackers.

The Scarlet Widow Gang Entraps Victims Using Romance Scams


Originally seen on: BleepingComputer by Lawrence Abrams, February 13th, 2019

We often hear about sextortion, business email compromise (BEC), and inheritance scams, but the often overlooked “romance scams” could be the most insidious of them all. Not only do victims lose money, but the emotional entanglement ultimately leads to heartbreak.

Romance scams are months-long, if not year-long, campaigns in which bad actors catfish, or pretend to be in love with, an unsuspecting victim in order to steal money from them. They do this by creating fake romantic relationships that the victims become invested in, so that they are willing to help with fake financial troubles.

In a report shared with BleepingComputer, the Agari Cyber Intelligence Division (ACID) outlines how a criminal gang out of Nigeria called “Scarlet Widow” targets those who are more likely to be lonely such as farmers, elderly, the disabled, and divorced.

This catfishing is done through the creation of fake personas that utilize stolen pictures of attractive people, fake names, personalities, and back stories where they were victimized in the past, but still believe that love is possible. They then create accounts on social media and dating sites, including ones that may attract those looking for love or are lonely such as Dating4Disabled.com, Farmers Dating Site, and DivorcedPeopleMeet.com.

For example, one of the fake personas discovered by Agari is a person named “U.S. Army Captain Michael” who is serving a tour of duty overseas, but is looking for love after he lost his wife.

“According to one of his fake dating site profiles, Captain Micheal is a 43-year-old Catholic man from Austin, Texas, who is currently serving a tour of duty overseas in Kabul, Afghanistan. His profile indicates that, like most of the other personas created by Scarlet Widow, he has lost a loved one in his past. In this case, Captain Micheal lost his wife, as his status describes him as ‘Widowed.’ Since the death of his wife, he has been ‘searching for so long’ for the perfect woman and hopes the woman has a trusting mind to fall in love.”

The fake persona for Captain Michael was posted to dating sites such as MilitaryCupid.com and MarriedDateLink.com during a six-month period in 2017.

Captain Michael Persona

Agari states that each of the personas created by Scarlet Widow have different personalities and ways of communicating that reflect their backstory and who they are targeting. For example, the researchers state that Captain Michael’s messages are usually short and to the point, while the gang’s female personas have a “softer, inquisitive, and more verbose tone”.

Example of email from Captain Michael

It’s all about the money

Ultimately, though, these scams are not about making true romance, but about stealing as much money from the victims as they can.

Once a “relationship” is established, the scammers tell their victims that they are having financial difficulty and need financial assistance. This assistance is usually in the form of money for plane tickets, travel assistance, or accommodations.

If the victim is shown to be willing to send money, then the scammers continue with their relationship while continuing to siphon money over a long period of time.

Such is the case with a Texan man who was going through a painful divorce and met one of the gang’s fictitious characters named “Laura Cahill”. Over a period of one year, the Scarlet Widow persona was able to scam the individual out of $50,000.

This person was so firmly hooked that when the scammers didn’t reply to him in over a week, he sent a distraught email to her pleading for a reply.

Distraught email from victim

It ultimately got so bad that this individual stole $10,000 from his father to send to the scammers. This “relationship” ended when the scammers stopped replying, but it shows how deeply entrenched victims can become in these fake “relationships”.

While this sounds like something that few would fall for, according to Agari it is not that unusual.

“We are tracking a number of Nigerian scammer groups that continue to engage in romance scams and seek out new victims. In 2018, Agari documented a long-running, $500,000 swindle of a divorced American woman with children who refinanced her home to send money to the con artist. Eventually the creditors closed in, and she was forced to sell her house, pull her children out of school, and move the family in with a friend. She continued to believe he was real until Agari presented her with irrefutable evidence of the truth, enabling her to finally break free in 2018.”

Unfortunately, protecting yourself from scams like this can be difficult, especially if you are the type of person that they are targeting. That is because lonely people crave love and camaraderie in their life and may miss warning signs.

E-ticketing system exposes airline passengers’ personal information via email


Originally seen on CYBERSCOOP by Jeff Stone: February 6, 2019

At least eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera.

The systems fail to secure customers’ personally identifiable information, including names, boarding passes, passport numbers and flight numbers, Wandera said.

The email vulnerabilities still exist, Wandera found, even though researchers notified affected companies weeks ago, and despite growing corporate awareness about the risks associated with sacrificing security for convenience.

The weakness is a check-in link that is emailed to customers, Wandera researchers found. Customer information is embedded in the links, allowing travelers to go from their email to a website where they check in for a flight without needing to enter their username and password. However, the links are unencrypted and re-usable, presenting a tempting target for hackers, according to Michael Covington, vice president of product at Wandera.

“The airlines, in an effort to make it easy for their passengers to check in, have taken shortcuts that have led to the potential exposure of personal information,” he said.

Affected airlines include Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa, Wandera found. Wandera has reported the vulnerability to each company and received responses, though none appear to have fixed the vulnerability, Covington said.

The airlines appear to be using unique servers for automated marketing that fail to protect user information.

“It’s not just the personal information they could get into, but the e-ticketing systems are basically allowing people in without authentication, which would allow you to change details about people like seat assignments and bags checked,” Covington said. “In some cases you can change existing bookings.”

There is no evidence outsiders have exploited the vulnerabilities.
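The contrast the report draws, as an added example that is not Wandera's code nor any airline's: the first function builds a check-in link of the kind described above (passenger data carried in the URL, reachable without logging in, reusable), and the hardened functions issue a link that carries only an opaque, HMAC-signed, expiring, single-use token, so a captured link reveals nothing and cannot be replayed. The hostnames, the booking record, the key and the in-memory token store are all constructed for the illustration.

```python
"""
Added example; not Wandera's code nor any airline's. Contrasts the reported
check-in link pattern (personal data in the URL, no authentication, reusable)
with a link carrying only an opaque, signed, expiring, one-shot token.
Hostnames, the booking record and the key are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample booking; no real passenger.
BOOKING = {"pnr": "ABC123", "surname": "DOE", "flight": "XX1234", "passport": "X1234567"}
SENSITIVE_FIELDS = ("pnr", "surname", "flight", "passport")


def weak_checkin_link(booking: Dict[str, str]) -> str:
    """The reported pattern: personal data in the query string, plain http, no auth."""
    return "http://checkin.example-air.test/checkin?" + urlencode(booking)


def pii_in_link(url: str) -> List[str]:
    """Detection helper: which sensitive field names appear in a link's query string."""
    present = parse_qs(urlparse(url).query)
    return sorted(f for f in SENSITIVE_FIELDS if f in present)


# ---- hardened form: opaque, HMAC-signed, expiring, one-shot token ----
SERVER_KEY = secrets.token_bytes(32)      # constructed; a real key lives in a secret store
_issued: Dict[str, dict] = {}             # token_id -> {"pnr", "exp", "used"}; stand-in DB


def _sign(token_id: str, exp: int) -> str:
    return hmac.new(SERVER_KEY, f"{token_id}.{exp}".encode(), hashlib.sha256).hexdigest()


def issue_checkin_token(pnr: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)  # random id (base64url alphabet, never '.'); no passenger data
    exp = int(now) + ttl_seconds
    _issued[token_id] = {"pnr": pnr, "exp": exp, "used": False}
    return f"{token_id}.{exp}.{_sign(token_id, exp)}"


def hardened_checkin_link(pnr: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    token = issue_checkin_token(pnr, ttl_seconds, now)
    return "https://checkin.example-air.test/checkin?" + urlencode({"t": token})


def token_from_link(url: str) -> str:
    return parse_qs(urlparse(url).query)["t"][0]


def redeem_checkin_token(token: str, now: Optional[float] = None) -> Optional[Dict[str, str]]:
    """Verify signature, expiry and single use; return the booking reference or None."""
    now = time.time() if now is None else now
    try:
        token_id, exp_s, tag = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _sign(token_id, exp)):
        return None                      # tampered or forged
    rec = _issued.get(token_id)
    if rec is None or rec["used"] or now > exp:
        return None                      # unknown, already redeemed, or expired
    rec["used"] = True                   # one shot: a captured link cannot be replayed
    return {"pnr": rec["pnr"]}


if __name__ == "__main__":
    print("weak link leaks:", pii_in_link(weak_checkin_link(BOOKING)))
    link = hardened_checkin_link(BOOKING["pnr"])
    print("hardened link leaks:", pii_in_link(link))
    tok = token_from_link(link)
    print("first redeem:", redeem_checkin_token(tok), "second redeem:", redeem_checkin_token(tok))
```

The token is only a lookup key plus a signature; the passenger record stays server-side, the `https://` scheme keeps the link out of reach of anyone on the same network, and marking the record used on first redemption is what removes the "reusable" property the report calls out. In a real deployment the token store would be a database rather than a module-level dict, and the check-in page would still show the passenger nothing beyond what that booking reference permits.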

Southwest Airlines is perhaps the best known low-cost airline operating in the U.S., with a 5 percent capacity growth planned for 2019, according to industry analysts at the Center for Aviation. Air France and KLM, which merged under a single holding company in 2004, jointly form one of the world’s largest airlines. Other companies named in the report — Vueling, Transavia and Air — are based in Europe. Thomas Cook is a British charter airline and Jetstar is a low-cost airline in Australia.

CyberScoop sought comment from each of the airlines named in this report. Several acknowledged receiving a request for comment. All except three failed to provide a statement or answer questions by press time.

In a statement, a Thomas Cook spokeswoman said, “We take the security of our customers’ data very seriously and have investigated this matter as a priority. We have looked into the questions raised and have taken immediate action to further increase the security of our customer data.” A Southwest spokesman said, “While we don’t have a comment on this specific issue, the safety and protection of our customers and their data privacy is our highest priority.”

A spokesperson for Jetstar said the company takes data security and privacy “extremely seriously” and that the airline has “multiple layers of security in place.”

Air travelers anxious for a web connection in an airport, hotel or elsewhere on their journey are especially at risk because they could be more likely to connect to public WiFi, ignoring security precautions, Covington said.

“If you’re on a Wi-Fi network or a physical network that uses encryption, this would not be a problem,” he said.

“I can’t speak for the airlines individually,” he said. “We’re not a vulnerability testing company, and it’s not our business to go out and find this. But I can tell you the airlines we’ve engaged with have been keen to listen and are open to hearing more.”

Clever Phishing Attack Enlists Google Translate to Spoof Login Page


Originally seen on ThreatPost by Lindsay O’Donnell: February 26th, 2019

A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google’s translate feature.


Recently discovered phishing emails scoop up victims’ Facebook and Google credentials and hide their malicious landing page via a novel method: Google Translate.

The phishing campaign uses a two-stage attack to target both Google and Facebook usernames and passwords, according to researchers at Akamai who posted a Tuesday analysis. But in a tricky twist, the scam also evades detection by burying its landing page in a Google Translate page, meaning that victims see a legitimate Google domain and are more likely to input their credentials.

“When it comes to phishing, criminals put a lot of effort into making their attacks look legitimate, while putting pressure on their victims to take action,” Larry Cashdollar, with Akamai, said in a Tuesday post. “This is an interesting attack, as it uses Google Translate, and targets multiple accounts in one go.”

Cashdollar said that he first noticed the attack on Jan. 7 when an email notification on his phone informed him that his Google account had been accessed from a new Windows device.

The message, titled “Security Alert,” features an image branded with Google that says “A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.” Then, there’s a “Consult the activity” button below the message.

[Image: phishing email]

Interestingly, the message looked much more convincing in its condensed state on his mobile device, rather than on a desktop where the title of the email sender is more apparent, he said.

On closer inspection of the email, Cashdollar found that the “security alert” was sent from “facebook_secur[@]hotmail.com.”

That triggered two suspicions: Firstly, the email is from a Hotmail account, raising red flags – but also, the entire address had nothing to do with Google, instead referencing Facebook.

“Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn’t aware or paying attention,” he said. “Criminals conducting phishing attacks want to throw people off their game, so they’ll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later.”

When clicking on the “Consult the activity” button, Cashdollar was brought to a landing page that appeared to be a Google domain, prompting him to sign into his Google account.

However, one thing stuck out about the landing page – it was loading the malicious domain via Google Translate, Google’s service to help users translate webpages from one language to another.

[Image: phishing facebook google translate]

Using Google Translate helps the bad actor hide any malicious attempts through several ways: Most importantly, the victim sees a legitimate Google domain which “in some cases… will help the criminal bypass endpoint defenses,” said Cashdollar.

Using Google Translate also means the URL bar is filled with random text. Upon further inspection of that text, victims could see the real, malicious domain, “mediacity,” being translated.

Luckily, “while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer,” said Cashdollar.

For those who fail to notice red flags regarding the landing page, their credentials (username and password) are collected – as well as other information including IP address and browser type – and emailed to the attacker.
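The two red flags the write-up describes (a From: address whose domain has nothing to do with the brand the mail claims to be, and a login link routed through Google Translate so the address bar shows a google.com host while another site is actually loaded) can be checked mechanically. The following is an added example, not Akamai's or Threatpost's code. It assumes the classic Translate proxy link shape, translate.google.com/translate?...&u=<target>, which the post does not spell out, and the sample From: address and link are constructed from the post's description ("mediacity" was the domain seen being translated; the ".example" suffix is a placeholder, as are the brand allow-lists).

```python
"""
Added example; not Akamai's or Threatpost's code. Triage helper for two phishing
red flags: sender domain unrelated to the claimed brand, and a login link that is
a Google Translate proxy for some other site. The proxy URL shape handled
(translate.google.com/translate?...&u=<target>) is an assumption; sample values
are constructed.
"""
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlparse

# Constructed allow-lists: domains a brand really mails from / hosts logins on.
BRAND_SENDER_DOMAINS: Dict[str, Set[str]] = {
    "google": {"google.com", "accounts.google.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}
BRAND_WEB_DOMAIN: Dict[str, str] = {"google": "google.com", "facebook": "facebook.com"}

# Constructed sample modelled on the post ("mediacity" + placeholder ".example" TLD).
PHISH_FROM = "facebook_secur[@]hotmail.com"
PHISH_LINK = ("https://translate.google.com/translate?hl=en&sl=auto&tl=en"
              "&u=http://mediacity.example/login")


def sender_domain(address: str) -> str:
    """Domain part of a From: address; accepts the defanged '[@]' form as well."""
    return address.replace("[@]", "@").rsplit("@", 1)[-1].lower()


def displayed_host(url: str) -> str:
    """What the victim sees in the address bar: the host of the link as written."""
    return urlparse(url).netloc.lower()


def unwrap_translate_proxy(url: str) -> str:
    """If url is a Google Translate proxy link, return the page it really loads."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host == "translate.google.com" or host.endswith(".translate.google.com"):
        target = parse_qs(parts.query).get("u")
        if target:
            return target[0]
    return url


def effective_host(url: str) -> str:
    """Host whose page is actually rendered, after unwrapping the proxy."""
    return urlparse(unwrap_translate_proxy(url)).netloc.lower()


def is_brand_host(host: str, brand: str) -> bool:
    root = BRAND_WEB_DOMAIN[brand]
    return host == root or host.endswith("." + root)


def triage(claimed_brand: str, from_address: str, link: str) -> List[str]:
    """Human-readable findings; an empty list means no red flag was raised."""
    brand = claimed_brand.lower()
    findings: List[str] = []

    dom = sender_domain(from_address)
    if dom not in BRAND_SENDER_DOMAINS[brand]:
        findings.append(f"sender domain {dom!r} is not a known {brand} sender")
    for other in BRAND_SENDER_DOMAINS:
        if other != brand and other in from_address.lower():
            findings.append(f"sender name references {other!r} while posing as {brand!r}")

    real_host = effective_host(link)
    if unwrap_translate_proxy(link) != link:
        findings.append(f"link is proxied through Google Translate; it loads {real_host!r}")
    if not is_brand_host(real_host, brand):
        findings.append(f"login host {real_host!r} is not a {brand} domain")
    return findings


if __name__ == "__main__":
    for finding in triage("Google", PHISH_FROM, PHISH_LINK):
        print("-", finding)
```

The point of `displayed_host` against `effective_host` is the one the post makes: a naive "is this a google.com link?" check passes on the translate.google.com host, and only after unwrapping the `u` parameter does the check fail. A mail-filtering rule that follows the same unwrap-then-compare order would catch this kit regardless of how the address bar looks on a phone.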

“We are aware of the phishing attempts and have blocked all sites in question, on multiple levels,” a Google spokesperson told Threatpost. The spokesperson urged users to report them if they encounter a phishing site.

However, the attack didn’t stop there. The attacker then attempts to hit victims twice, by forwarding them to a different landing page that purports to be Facebook’s mobile login portal as part of the attack.

These types of two-stage attacks appear to be on the rise as bad actors look to take advantage of victims who already fell for the first part of the scam, Cashdollar told Threatpost: “It seems this is becoming more common as the attacker knows they’ve gained your trust and try to steal additional credentials.”

Like the Google page, this Facebook landing page has some red flags. It uses an older version of the Facebook mobile login form, for instance.

“This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums,” said Cashdollar.

Despite these mistakes, the two stages of the phishing attack suggest a certain level of sophistication on the part of the attacker.

“It isn’t every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device. But it’s highly uncommon to see such an attack target two brands in the same session,” he said.

Phishing attacks have continued to grow over the past year – and this particular scam is only one example of how bad actors behind the scams are updating their methods to become trickier.

[Image: phishing attack google translate]

According to a recent Proofpoint report, “State of the Phish,” 83 percent of respondents experienced phishing attacks in 2018 – up 5 percent from 2017.  That may not come as a surprise, as in the last year phishing has led to several massive hacks – whether it’s hijacking Spotify users’ accounts or large data breaches like the December San Diego Unified School District breach of 500,000.

Other methods of phishing have increased as well. Up to 49 percent of respondents said they have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.

Hyatt Hotels launches bug bounty program


Originally seen on Zdnet.com by Charlie Osborne

The company has turned to external help to prevent data breaches from ever affecting its properties again

Hyatt Hotels has launched a bug bounty program in light of recent card-skimming attacks against the hospitality chain.

On Wednesday, the company said the new initiative will be hosted on the bug bounty platform HackerOne and is designed to allow Hyatt to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities.”

Ethical hackers can use the platform — as well as rival services such as Bugcrowd — to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft.

The bug bounty program is public and includes the main hyatt.com domain, m.hyatt.com, world.hyatt.com, and both the iOS and Android Hyatt mobile apps.

Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.

Hyatt has chosen to use the Common Vulnerability Scoring System (CVSS) to evaluate the severity of security flaws found.

Researchers who report valid, high-severity flaws can expect rewards of up to $4,000; important bugs will earn them $1,200 and less severe vulnerabilities are worth between $300 and $600.

“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt Chief Information Security Officer Benjamin Vaughn. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”

In a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards which have already been issued at the time of writing.

It is unfortunately quite common for hotel chains and others in the hospitality space to become the focus of cyberattacks due to the vast amount of valuable data these businesses process and store.

Hard Rock Hotels & Casinos, Loews Hotels, Radisson Hotel Group, the Trump Hotel Collection, Marriott, and Hyatt Hotels itself are on the list of organizations which have experienced successful cyberattacks in recent years.

In 2015, 250 properties managed by Hyatt across countries including the US, UK, China, Germany, Japan, Italy, France, Russia, and Canada were subject to a cyberattack. Information-stealing malware was implanted on systems, leading to the exposure of customer financial data including cardholder names, card numbers, expiration dates, and internal verification codes.

A second data breach occurred in 2017, in which 41 locations were affected and unauthorized access to payment card information was detected.

Chicago-based Hyatt Hotels manages over 750 properties in 55 countries.

Other organizations that use HackerOne to tap into a vast pool of security researchers include Google, Twitter, the US Department of Defense, GitHub, and Qualcomm.