technology

FBI says there’s no evidence Chinese hackers used Equifax data, but consumers can’t be complacent

Posted on

Equifax Breach Pic

Originally seen on CNBC on Feb 10th, 2020 by Megan Leonhardt

The Justice Department announced Monday that it’s indicting four members of the Chinese military for the 2017 Equifax data hack, which exposed the personal information of 147 million Americans.

The department’s painstaking investigation also found there’s no evidence the data stolen has been used “at this time,” FBI Deputy Director David Bowdich said during a press conference Monday.

Yet Bowdich urged consumers to remain vigilant when it comes to protecting their information. “As American citizens, we cannot be complacent about protecting our sensitive, personal data,” he says.

The Equifax data breach, first announced in September 2017, is one of the largest in history, with 147 million consumers affected, according to the Federal Trade Commission. Hackers were able to get access to a multitude of consumers’ private information, including names, Social Security numbers, dates of birth, credit card numbers and even driver’s license numbers.

During the investigation into the breach, Equifax admitted the company was informed in March 2017 that hackers could exploit a vulnerability in its system, but it failed to install the necessary patches.

Last summer, Equifax agreed to pay $700 million to settle federal and state investigations into how it handled the massive data breach. As part of the settlement individual consumers were able to claim up to $20,000 for any losses or fraud caused by the breach or free credit-monitoring services. If you already had credit monitoring in place, you could submit a claim for up to $125 cash payment.

The settlement received final approval last month. If you’re still unsure if your data was part of the Equifax breach, you can enter your name and the last 4 digits of your Social Security number in a search here.

The best ways to protect your information

Although none of the stolen Equifax data has been detected yet, that doesn’t mean that it will never surface, cyber-security expert Joseph Steinberg tells CNBC Make It.

That’s especially true since much of the information that was stolen in the Equifax breach, including Social Security numbers, does not change with time. In fact, this type of data can become more valuable over time, aging like a fine wine, Steinberg says. “If the Chinese use the data a decade from now, few people will even be thinking about the Equifax breach.”

That said, Steinberg says the Chinese government is probably not stealing data in order to steal money, and identity theft is probably not its primary reason either. “The data might have tremendous value in terms of recruiting spies and other military-type purposes,” he says, adding that “the FBI would not have a clue if the data were used as such.”

To protect your data, Bowdich recommends Americans avoid clicking on links or opening attachments in emails, especially when you don’t know the sender.

Emails are a particularly common way for fraudsters to gain access to your credit card information or identity. Hackers send what’s called a phishing email. “Email is the number-one way cyber crime of all forms happens. If a bad guy can get you to click on a link in an email, he can do all manner of bad things to your online life,” says Dave Baggett, co-founder and CEO of anti-phishing start-up Inky.

Americans should also use two-factor authentication, which generally requires users to not only enter a password, but also confirm their identity by logging onto your phone or entering a code texted or emailed to you.

Last, people should check their credit report on a “fairly regular” basis, Bowdich said. Unlike a simple credit score, your entire credit report provides a comprehensive look at your credit history and activity. You can get a free copy of your report once a year from each of the three major credit bureaus: EquifaxExperian and Transunion.

“They should make sure their data and their information is secure,” Bowdich said.

Yahoo Breach Payout: How To Claim Up To $25,000 Before The Deadline

Posted on

Yahoo Article Image

Originally seen on Forbes on Feb 11th, 2020 by Kate O’Flaherty

The Yahoo breach is known as one of the worst of all time, partly because of its size. When the firm was hacked twice in 2016, all of Yahoo’s 3 billion users were affected. Worse still, hackers had stolen highly sensitive information including names, security questions and answers, and passwords.

It’s only fair, then, that those impacted are given compensation of some kind. Last year, Yahoo said it would pay up to $25,000 to each person affected by the breach, with $100 or free credit monitoring available to most users. It is part of a $117.5 million breach settlement for 194 million people.

The higher $25,000 is available if you can prove the financial damage you suffered due to the Yahoo hack. You are eligible for the $100 payout if you can prove you already have credit monitoring in place.

Last week, you might have received an email telling you more about the Yahoo payout. The deadline of July 20 this year is getting closer, so what better time to apply for your compensation? Here’s what you need to do.

How to apply for a Yahoo breach compensation payout

If you are based in the U.S. and had a Yahoo account between January 1 2012 and December 31 2016, you are eligible to make a claim. The first thing you need to do is visit Yahoo’s settlement website, where you can see whether you qualify for credit monitoring or the $100 cash payout. The cash payout might even go higher–if too few people apply in time, the money could go up to a more enticing $358.80 per claim.

However, you do need to prove that you have credit monitoring in place in order to qualify for the cash.

You also might be eligible for a payout of up to $25,000 in out of pocket losses. According to the Yahoo settlement website, this includes “lost time, that you believe you suffered or are suffering because of the data breaches.”

The settlement site explains that you can receive payment for up to fifteen hours of time at an hourly rate of $25.00 per hour or unpaid time off work at your actual hourly rate, whichever is greater. If your lost time is not documented, you can receive payment for up to five hours at that same rate, the site says.

Once you have worked out whether you are eligible, and how much you can apply for, you can file your claim via a form on the Yahoo settlement website. You will need to supply all the relevant documents.

Breach settlement payouts increase

The Yahoo and Equifax breaches are considered among the worst hacks of all time, and both firms have been the subject of class action lawsuits resulting in payouts. The initial Equifax claim deadline, which saw breach victims apply for up to $20,000, has just passed.

There is no doubt that companies such as these needed to take better care of customers’ data, and paying some kind of compensation is quite frankly, the least they can do.

Calibration Attack Drills Down on iPhone, Pixel Users

Posted on Updated on

apple iphone pixel calibration fingerprinting tracking

Originally seen: Threatpost on May 23rd, 2019 by Tara Seals

A new way of tracking mobile users creates a globally unique device fingerprint that browsers and other protections can’t stop.

A proof-of-concept for a new type of privacy attack, dubbed “calibration fingerprinting,” uses data from Apple iPhone sensors to construct a globally unique fingerprint for any given mobile user. Researchers said that this provides an unusually effective means to track people as they browse across the mobile web and move between apps on their phones.

Further, the approach also affects Pixel phones from Google, which run on Android.

A research team from the University of Cambridge in the UK released their findings this week, showing that data gathered from the accelerometer, gyroscope and magnetometer sensors found in the smartphones can be used to generate the calibration fingerprint in less than a second – and that it never changes, even after a factory reset.

The attack also can be launched by any website a person visits via a mobile browser, or any app, without needing explicit confirmation or consent from the target.

In Apple’s case, the issue results from a weakness in iOS 12.1 and earlier, so iPhone users should update to the latest OS version as soon as possible. Google has not yet addressed the problem, according to the researchers.

A device fingerprint allows websites to detect return visits or track users, and in its innocuous form, can be used to protect against identity theft or credit-card fraud; advertisers often also rely on this to build a user profile to serve targeted ads.

Fingerprints are usually built with pretty basic info: The name and version of your browser, screen size, fonts installed and so on. And browsers are increasingly using blocking mechanisms to thwart such efforts in the name of privacy: On Apple iOS for iPhone for instance, the Mobile Safari browser uses Intelligent Tracking Prevention to restrict the use of cookies, prevent access to unique device settings and eliminate cross-domain tracking.

However, any iOS devices with the iOS version below 12.2, including the latest iPhone XS, iPhone XS Max and iPhone XR, it’s possible to get around those protections, by taking advantage of the fact that motion sensors used in modern smartphones use something called microfabrication to emulate the mechanical parts found in traditional sensor devices, according to the paper.

“MEMS sensors are usually less accurate than their optical counterparts due to various types of error,” the team said. “In general, these errors can be categorized as deterministic and random. Sensor calibration is the process of identifying and removing the deterministic errors from the sensor.”

Websites and apps can access the data from sensors, without any special permission from the users. In analyzing this freely accessible information, the researchers found that it was possible to infer the per-device factory calibration data which manufacturers embed into the firmware of the smartphone to compensate for these systematic manufacturing errors. That calibration data can then be used as the fingerprint, because despite perceived homogeneity, every Apple iPhone is just a little bit different – even if two devices are from the same manufacturing batch.

“We found that the gyroscope and magnetometer on iOS devices are factory-calibrated and the calibration data differs from device-to-device,” the researchers said. “Extracting the calibration data typically takes less than one second and does not depend on the position or orientation of the device.”

To create a globally unique calibration footprint requires adding in a little more information, however, for instance from traditional fingerprinting sources.

“We demonstrated that our approach can produce globally unique fingerprints for iOS devices from an installed app — around 67 bits of entropy for the iPhone 6S,” they said. “Calibration fingerprints generated by a website are less unique (~42 bits of entropy for the iPhone 6S), but they are orthogonal to existing fingerprinting techniques and together they are likely to form a globally unique fingerprint for iOS devices.”

A longitudinal study also showed that the calibration fingerprint, which the researchers dubbed “SensorID,” doesn’t change over time or vary with conditions.

“We have not observed any change in the SensorID of our test devices in the past half year,” they wrote. “Our dataset includes devices running iOS 9/10/11/12. We have tested compass calibration, factory reset, and updating iOS (up until iOS 12.1); the SensorID always stays the same. We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SensorID either.”

In terms of how applicable the SensorID approach is, the research team found that both mainstream browsers (Safari, Chrome, Firefox and Opera) and privacy-enhanced browsers (Brave and Firefox Focus) are vulnerable to the attack, even with the fingerprinting protection mode turned on.

Further, motion sensor data is accessed by 2,653 of the Alexa top 100,000 websites, the research found, including more than 100 websites exfiltrating motion-sensor data to remote servers.

“This is troublesome since it is likely that the SensorID can be calculated with exfiltrated data, allowing retrospective device fingerprinting,” the researchers wrote.

However, it’s possible to mitigate the calibration fingerprint attack on the vendor side by adding uniformly distributed random noise to the sensor outputs before calibration is applied at the factory level – something Apple did starting with iOS 12.2.

“Alternatively, vendors could round the sensor outputs to the nearest multiple of the nominal gain,” the paper said.

Privacy-focused mobile browsers meanwhile can add an option to disable the access to motion sensors via JavaScript.

“This could help protect Android devices and iOS devices that no longer receive updates from Apple,” according to the paper.

Although most of the research focused on iPhone, Apple is not the only vendor affected: The team found that the accelerometer of Google Pixel 2 and Pixel 3 can also be fingerprinted by the approach.

That said, the fingerprint has less individual entropy and is unlikely to be globally unique – meaning other kinds of fingerprinting data would also need to be gathered for full device-specific tracking.

Also, the paper noted that other Android devices that are also factory calibrated might be vulnerable but were outside the scope of testing.

While Apple addressed the issue, Google, which was notified in December about the attack vector, is still in the process of “investigating this issue,” according to the paper.

Threatpost has reached out to the internet giant for comment.

Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks

Posted on Updated on

Originally seen: Helpnetsecurity on May 20th, 2019

Users of Software-as-a-Service (SaaS) and webmail services are being targeted with increasing frequency, according to the APWG Q1 2019 Phishing Activity Trends Report.

SaaS webmail phishing increased

The category became the biggest target in Q1, accounting for 36 percent of all phishing attacks, for the first time eclipsing the payment-services category which suffered 27 percent of attacks recorded in the quarter.

Online SaaS applications have become fundamental business tools, since they are convenient to use and cost-effective. SaaS services include sales management, customer relationship management (CRM), human resource, billing and other office applications and collaboration tools.

“Phishers are interested in stealing logins to SaaS sites because they yield financial data and also personnel data, which can be leveraged for spear-phishing,” said Greg Aaron, APWG Senior Research Fellow.

Stefanie Ellis, AntiFraud Product & Marketing Manager at MarkMonitor said: “The total number of confirmed phishing sites increased in early 2019, with the biggest jump in March.”

The total number of phishing sites detected in 1Q of 2019 was 180,768. That was up notably from the 138,328 seen in the fourth quarter of 2018, and from the 151,014 seen in the third quarter of 2018.

Payment Services and Financial Institution phishing continued to suffer a high number of phishing attacks. But attacks against cloud storage and file hosting sites continued to drop, decreasing from 11.3 percent of all attacks in the first quarter of 2018 to just 2 percent in the first quarter of 2019.

Meanwhile, cybercriminals deployed HTTPS-protected phishing websites in record numbers, according to PhishLabs, posting a record high of nearly 60 percent of detected phishing websites in 1Q 2019 employing this data encryption protocol.

Phishers turn this security utility against users, leveraging the HTTPS protocols padlock icon that appears in the browser address bar to assure users that the website itself is trustworthy.

SaaS webmail phishing increased

“In Q1 2019, 58 percent of phishing sites were using SSL certificates, a significant increase from the prior quarter where 46 percent were using certificates,” said John LaCour, CTO of PhishLabs.

“There are two reasons we see more. Attackers can easily create free DV (Domain Validated) certificates, and more web sites are using SSL in general. More web sites are using SSL because browser warning users when SSL is not used. And most phishing is hosted on hacked, legitimate sites.”

Amazon employees listen in to your conversations with Alexa

Posted on Updated on

A report suggests you may have eavesdroppers in your living room.
Originally seen: April 11,2019 on Zdnet by Charlie Osborne

Amazon is using a team of human staff to eavesdrop on queries made to Amazon Alexa-enabled smart speakers in a bid to improve the voice assistant’s accuracy, a new report suggests.

If you check out your Amazon Echo smart speaker’s history via the Alexa app (Alexa account – > History), depending on where and when you use the device, you may see little more than general, genuine queries.

My history is full of cooking timer requests, light control commands, and news briefings.

There are also a few nonsense recordings generated by the nearby television on record — including a man talking about his dog and politics mentioned once or twice — and while they may be seen as acceptable recording errors, the idea of an unknown human listening in may be enough to make you uneasy.

According to Bloomberg, this may be the case, as Amazon staff in areas including Boston, Costa Rica, India, and Romania are listening in to as many as 1,000 audio clips per day during nine-hour shifts.

While much of the work is described as “mundane,” such as listening in for phrases including “Taylor Swift” to give the voice assistant context to commands, other clips captured are more private — including the example of a woman singing in the shower and a child “screaming for help.”

Recordings sent to the human teams do not provide full names, but they do connect to an account name, device serial number, and the user’s first name to clips.

Some members of the team are tasked with transcribing commands and analyzing whether or not Alexa responded properly. Others are asked to jot down background noises and conversations picked up improperly by the device.

“The teams use internal chat rooms to share files when they need help parsing a muddled word — or come across an amusing recording,” Bloomberg says.

In some cases, however, the soundbites were not so amusing. Two unnamed sources told the publication that in several cases they picked up potentially criminal and upsetting activities, accidentally recorded by Alexa.

An Amazon spokesperson said in an email that only “an extremely small sample of Alexa voice recordings” is annotated in order to improve the customer experience.

“We take the security and privacy of our customers’ personal information seriously,” the spokesperson added. “We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system.”

It is possible to withdraw from these kinds of programs for the benefit of your personal privacy. In order to do so, jump into the Alexa app and go to Alexa Account – > Alexa Privacy – > “Manage how your data improves Alexa.”

In this tab, you can toggle various options including whether or not you permit your Alexa usage to be used to “develop new features,” and whether messages you send with Alexa can be used by Amazon to “improve transcription accuracy.”

In related news, the Intercept reported in January that the Amazon-owned company provided its Ukraine-based research and development team close to “unfettered” access to an unencrypted folder full of all the video footage recorded by every Ring camera worldwide. Some employees had access to a form of ‘god’ mode which permitted 24/7 access to customer camera feeds.

Parent company of popular restaurants breached; payment card data exposed.

Posted on Updated on

What happened?

Earl Enterprises, which manages popular restaurant brands including Buca di Beppo, Planet Hollywood, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria, announced that nearly 100 restaurant locations around the United States may have exposed customer payment card data over a 10-month period from May 2018 to March 2019.

In a data breach notice posted on its website, Earl Enterprises confirmed that malware was installed on some point of sale systems at certain affected restaurant locations. The malware was designed to capture payment card data, including credit and debit card numbers, expiration dates, and cardholder names. Online orders paid for online through third-party apps or platforms were not affected by this breach. Per the company, the incident has been contained and is being investigated.

Earl Enterprises has yet to confirm the size, but independent security researchers reported over 2 million stolen cards are now for sale on the dark web on the dark web, seemingly as a result of this breach.

What does this mean?

While cardholders are generally not liable for fraudulent charges, it is important to monitor your credit and debit card accounts for suspicious charges and report fraudulent activity to your bank in a timely fashion.

Opening this image file grants hackers access to your Android phone

Posted on Updated on

Originally seen on: Zdnet by Charlie Osborne, February 7th, 2019

Be careful if you are sent an image from a suspicious source.

Opening a cute cat meme or innocent landscape photo may seem harmless enough, but if it happens to be in a .PNG format, your Android device could be critically compromised due to a new attack.

In Google’s Android security update for February, the tech giant’s advisory noted a critical vulnerability which exists in the Android operating system’s framework.

All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim’s device. Should the user open the file, the exploit is triggered.

Remote attackers are then able to execute arbitrary code in the context of a privileged process, according to Google.

Android versions 7.0 to 9.0 are impacted.

The vulnerability was one of three bugs impacting Android Framework — CVE-2019-1986,  CVE-2019-1987, and CVE-2019-1988 — and is the most severe security issue in the February update.

There are no current reports of the vulnerability being exploited in the wild. However, given the ease in which the bug can be exploited, users should accept incoming updates to their Android builds as soon as possible.

As vendors utilizing the Android operating system roll out security patches and updates at different rates, Google has declined to reveal the technical details of the exploit to mitigate the risk of attack.

Google’s bulletin also outlined remote code execution flaws impacting the Android library, system files, and Nvidia components. Elevation of privilege and information disclosure security holes have also been resolved.

Source code patches for the .PNG issue, alongside other security problems raised in the bulletin, have also been released to the Android Open Source Project (AOSP) repository.

In January, researchers revealed the existence of a new malvertising group called VeryMal. The scammers specifically target Apple users and bury malicious code in digital images using steganography techniques to redirect users from legitimate websites to malicious domains controlled by the attackers.

The Scarlet Widow Gang Entraps Victims Using Romance Scams

Posted on Updated on

Originally seen on: Bleepingcomputer by Lawrence Abrams, Febraury 13th, 2019

We often hear about sextortion, business email compromise (BEC), and inheritance scams, but the often overlooked “Romance Scams” could be the most insidious of them all. Not only do victims lose money, but  the emotional entanglement ultimately leads to heartbreak.

Romance scams are months long, if not year long, campaigns where bad actors catfish, or pretend to be in love with, an unsuspecting victim in order to steal money from them. They do this by creating fake romantic relationships that the victims become invested in and are willing to help them with fake financial troubles.

In a report shared with BleepingComputer, the Agari Cyber Intelligence Division (ACID) outlines how a criminal gang out of Nigeria called “Scarlet Widow” targets those who are more likely to be lonely such as farmers, elderly, the disabled, and divorced.

This catfishing is done through the creation of fake personas that utilize stolen pictures of attractive people, fake names, personalities, and back stories where they were victimized in the past, but still believe that love is possible. They then create accounts on social media and dating sites, including ones that may attract those looking for love or are lonely such as Dating4Disabled.com, Farmers Dating Site, and DivorcedPeopleMeet.com.

For example, one of the fake personas discovered by Agari is a person named “U.S. Army Captain Michael” who is serving a tour of duty overseas, but is looking for love after he lost his wife.

“According to one of his fake dating site profiles, Captain Micheal is a 43-year-old Catholic man from Austin, Texas, who is currently serving a tour of duty overseas in Kabul, Afghanistan. His profile indicates that, like most of the other personas created by Scarlet Widow, he has lost a loved one in his past. In this case, Captain Micheal lost his wife, as his status describes him as “Widowed.” Since the death of his wife, he has been “searching for so long” for the perfect woman and hopes the women has a trusting mind to fall in love.”

The fake persona for Captain Michael was posted to dating sites such as MilitaryCupid.com and MarriedDateLink.com during a 6 month period in 2017.

Captain Michael Persona
Captain Michael Persona

Agari states that each of the personas created by Scarlet Widow have different personalities and ways of communicating that reflect their backstory and who they are targeting. For example, the researchers state that Captain Michael’s messages are usually short and to the point, while the gang’s female personas have a “softer, inquisitive, and more verbose tone”.

Example of email from Captain Michael
Example of email from Captain Michael

It’s all about the money

Ultimately, though, these scams are not about making true romance, but about stealing as much money from the victims as they can.

Once a “relationship” is established, the scammers tell their victims that they are having financial difficulty and need financial assistance. This assistance is usually in the form of money for plane tickets, travel assistance, or accommodations.

If the victim is shown to be willing to send money, then the scammers continue with their relationship while continuing to siphon money over a long period of time.

Such is the case with Texan man who was going through a painful divorce and met one of the gang’s fictitious characters named “Laura Cahill”. Over a period of one year, the Scarlet Widow persona was able to scam the individual out of $50,000.

This person was so firmly hooked that when the scammers didn’t reply to him in over a week, he sent a distraught email to her pleading for a reply.

Distraught email from victim
Distraught email from victim

It ultimately got so bad, that this individual stole $10,000 from his father to send to the scammers. This “relationship” ultimately ended when the scammers stopped replying, but it shows how deeply entrenched victims can get in these fake “relationships”.

While this sounds like something that few would fall for, according to Agari it is not that unusual.

“We are tracking a number of Nigerian scammer groups that continue to engage in romance scams and seek out new victims. In 2018, Agari documented a long-running, $500,000 swindle of a divorced American woman with children who refinanced her home to send money to the con artist. Eventually the creditors closed in, and she was forced to sell her house, pull her children out of school, and move the family in with a friend. She continued to believe he was real until Agari presented her with irrefutable evidence of the truth, enabling her to finally break free in 2018. “

Unfortunately, protecting yourself from scams like this can be difficult, especially if you are the type of person that they are targeting. That is because lonely people crave love and camaraderie in their life and may miss warning signs.

E-ticketing system exposes airline passengers’ personal information via email

Posted on Updated on

Originally seen on CYBERSCOOP by Jeff Stone: February 6, 2019

At least eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera.

The systems fail to secure customers’ personally identifiable information, including names, boarding passes, passport numbers and flight numbers, Wandera said.

The email vulnerabilities still exist, Wandera found, even though researchers notified affected companies weeks ago, and despite growing corporate awareness about the risks associated with sacrificing security for convenience.

The weakness is a check-in link that is emailed to customers, Wandera researchers found. Customer information is embedded in the links, allowing travelers to travel from their email to a website where they check in for a flight without needing to enter their username and password. However the links are unencrypted and re-usable, presenting a tempting target for hackers, according to Michael Covington, vice president of product at Wandera.

“The airlines, in an effort to make it easy for their passengers to check in, have taken shortcuts that have led to the potential exposure of personal information,” he said.

Affected airlines include Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa, Wandera found. Wandera has reported the vulnerability to each company and received responses, though none appear to have fixed the vulnerability, Covington said.

The airlines appear to be using unique servers for automated marketing that fail to protect user information.

“It’s not just the personal information they could get into, but the e-ticketing systems are basically allowing people in without authentication, which would allow you to change details about people like seat assignments and bags checked,” Covington said. “In some cases you can change existing bookings.”

There is no evidence outsiders have exploited the vulnerabilities.

Southwest Airlines is perhaps the best known low-cost airline operating in the U.S., with a 5 percent capacity growth planned for 2019, according to industry analysts at the Center for Aviation. Air France and KLM, which merged under a single holding company in 2004, jointly form one of the world’s largest airlines. Other companies named in the report — Vueling, Transavia and Air — are based in Europe. Thomas Cook is a British charter airline and Jetstar is a low-cost airline in Australia.

CyberScoop sought comment from each of the airlines named in this report. Several acknowledged receiving a request for comment. All except three failed to provide a statement or answer questions by press time.

In a statement, a Thomas Cook spokeswoman said, “We take the security of our customers’ data very seriously and have investigated this matter as a priority. We have looked into the questions raised and have taken immediate action to further increase the security of our customer data.” A Southwest spokesman said, “While we don’t have a comment on this specific issue, the safety and protection of our customers and their data privacy is our highest priority.”

A spokesperson for JetStar said the company takes data security and privacy “extremely seriously” and that the airline has “multiple layers of security in place.”

Air travelers anxious for a web connection in an airport, hotel or elsewhere on their journey are especially at risk because they could be more likely to connect to public WiFi, ignoring security precautions, Covington said.

“If you’re on a Wi-Fi network or a physical network that uses encryption, this would not be a problem,” he said.

“I can’t speak for the airlines individually,” he said. “We’re not a vulnerability testing company, and it’s not our business to go out and find this. But I can tell you the airlines we’ve engaged with have been keen to listen and are open to hearing more.”

Clever Phishing Attack Enlists Google Translate to Spoof Login Page

Posted on Updated on

Originally seen on ThreatPost by Lindsay O’Donnell: February 26th, 2019

A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google’s translate feature.

 

Recently-discovered phishing emails scoop up victims’ Facebook and Google credentials and hides its malicious landing page via a novel method – Google Translate.

The phishing campaign uses a two-stage attack to target both Google and Facebook usernames and passwords, according to researchers at Akamai who posted a Tuesday analysis. But in a tricky twist of events, the scam also evades detection through burying its landing page in a Google Translate page –  meaning that victims sees a legitimate Google domain and are more likely to input their credentials.

“When it comes to phishing, criminals put a lot of effort into making their attacks look legitimate, while putting pressure on their victims to take action,” Larry Cashdollar, with Akamai, said in a Tuesday post. “This is an interesting attack, as it uses Google Translate, and targets multiple accounts in one go.”

Cashdollar said that he first noticed the attack on Jan. 7 when an email notification on his phone informed him that his Google account had been accessed from a new Windows device.

The message, titled “Security Alert,” features an image branded with Google that says “A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.” Then, there’s a “Consult the activity” button below the message.

phishing email

Interestingly, the message looked much more convincing in its condensed state on his mobile device, rather than on a desktop where the title of the email sender is more apparent, he said.

Upon closer look at the email, Cashdollar found that the “security alert” was sent from “facebook_secur[@]hotmail.com.”

That triggered two suspicions: Firstly, the email is from a Hotmail account, raising red flags – but also, the entire address had nothing to do with Google, instead referencing Facebook.

“Taking advantage of known brand names is a common phishing trick, and it usually works if the victim isn’t aware or paying attention,” he said. “Criminals conducting phishing attacks want to throw people off their game, so they’ll use fear, curiosity, or even false authority in order to make the victim take an action first, and question the situation later.”

When clicking on the “Consult the activity” button, Cashdollar was brought to a landing page that appeared to be a Google domain, prompting him to sign into his Google account.

However, one thing stuck out about the landing page – it was loading the malicious domain via Google Translate, Google’s service to help users translate webpages from one language to another.

phishing facebook google translate

Using Google Translate helps the bad actor hide any malicious attempts through several ways: Most importantly, the victim sees a legitimate Google domain which “in some cases… will help the criminal bypass endpoint defenses,” said Cashdollar.

Using Google Translate also means the URL bar is filled with random text. Upon further inspection of that text, victims could see the real, malicious domain, “mediacity,” being translated.

Luckily, “while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer,” said Cashdollar.

For those who fail to notice red flags regarding the landing page, their credentials (username and password) are collected – as well as other information including IP address and browser type – and emailed to the attacker.

“We are aware of the phishing attempts and have blocked all sites in question, on multiple levels,” a Google spokesperson told Threatpost. The spokesperson urged users to report them if they encounter a phishing site.

However, the attack didn’t stop there. The attacker then attempts to hit victims twice, by forwarding them to a different landing page that purports to be Facebook’s mobile login portal as part of the attack.

These type of two-stage attacks appear to be on the rise as bad actors look to take advantage of victims who already fell for the first part of the scam, Cashdollar told Threatpost: “It seems this is becoming more common as the attacker knows they’ve gained your trust and try to steal additional credentials.”

Like the Google page, this Facebook landing page has some red flags. It uses an older version of the Facebook mobile login form, for instance.

“This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums,” said Cashdollar.

Despite these mistakes, the two stages of the phishing attack suggest a certain level of sophistication on the part of the attacker.

“It isn’t every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device. But it’s highly uncommon to see such an attack target two brands in the same session,” he said.

Phishing attacks have continued to grow over the past year – and this particular scam is only one example of how bad actors behind the scams are updating their methods to become trickier.

phishing attack google translate

According to a recent Proofpoint report, “State of the Phish,” 83 percent of respondents experienced phishing attacks in 2018 – up 5 percent from 2017.  That may not come as a surprise, as in the last year phishing has led to several massive hacks – whether it’s hijacking Spotify users’ accounts or large data breaches like the December San Diego Unified School District breach of 500,000.

Other methods of phishing have increased as well. Up to 49 percent of respondents said they have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.