Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for the News Category

Magecart Skimmed Newegg Cards for a Month

Magecart Skimmed Newegg Cards for a Month

The infamous Magecart code has struck again, with an attack group this time using it to skim card details from customers of online retailer Newegg for a full month, according to researchers.

The US-based, tech-focused e-tailer has yet to release a statement on the news, but RiskIQ, which has been following Magecart closely over the past couple of years, posted an analysis of the attack yesterday.

Threat researcher Yonathan Klijnsma explained that, just like in the recently disclosed BA breach, the attackers made a concerted effort to blend in to the background to avoid detection.

They did this by first registering a domain similar to the primary newegg.com domain, certifying it with a Comodo certificate for authenticity. The linked IP address hosted a back-end server where skimmed card info was apparently stored.

The attackers then struck on around August 14, inserting the Magecart code on the retailer’s payment processing page, where it remained hidden for a month.

“The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways, explained Klijnsma.

“In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script.”

The code worked on both mobile and desktop versions of the site, and with estimated visitors to Newegg regularly numbering over 50 million per month, this could point to another significant breach of card data, according to RiskIQ.

“The attack on Newegg shows that while third parties have been a problem for websites — as in the case of the Ticketmaster breach — self-hosted scripts help attackers move and evolve, in this case changing the actual payment processing pages to place their skimmer,” concluded Klijnsma.

“We urge banks to issue new cards or added protection through OTP on cards they can correlate belonging to transactions that occurred on Newegg between August 14 and September 18.”

Newegg claims it is still determining which customer accounts have been affected.

Craig Young, security researcher at Tripwire, argued that organizations should be monitoring certificate transparency logs more closely to spot the early warning signs of an attack.

“In this case, the attack campaign started with the attackers setting up an HTTPS server at neweggstats.com,” he explained. “For Newegg, seeing this domain come online wouldn’t immediately indicate a breach, but it should be enough for a security team to investigate further and likely reveal the newly added references to this domain in their checkout code.”

UPDATE

Newegg later posted a tweet to its timeline, saying it had learned that one of its servers had been injected with malware which was identified and removed from our site. "We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted."

Source: Information Security Magazine

Mirai Masterminds Escape Jail Time

Mirai Masterminds Escape Jail Time

Three men responsible for creating and operating the infamous Mirai botnet have escaped jail time after agreeing to provide “substantial assistance” to the FBI in ongoing cases.

Paras Jha, 22, of Fanwood, New Jersey; Josiah White, 21, of Washington, Pennsylvania; and Dalton Norman, 22, of Metairie, Louisiana, were charged with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet. Jha and Normal also pleaded guilty to charges related to operating a click fraud botnet.

However, the three will not serve time behind bars. Instead, they have each been sentenced to five years of probation, 2,500 hours of community service, and restitution of $127,000 as well as giving up “significant amounts” of cryptocurrency seized by the Feds during their investigation.

Their involvement in Mirai is said to have ended in autumn 2016, when Jha posted the source code on a criminal forum.

It was used to launch some of the biggest DDoS attacks ever seen, against the website Krebs on Security and DNS provider Dyn, the latter taking down some of the biggest names on the web including Twitter, Spotify and Reddit.

The trio’s work did not end with Mirai, however: from December 2016 until February 2017 they apparently built a click fraud botnet comprising 100,000 mainly US-based devices including home routers.

The three have already co-operated extensively with the FBI, providing help which “substantially contributed” to complex investigations and broader defensive efforts by law enforcers and researchers, according to the DoJ.

But as part of their plea agreement they must continue to “cooperate with the FBI on cybercrime and cybersecurity matters, as well as continued cooperation with and assistance to law enforcement and the broader research community.”

Jake Moore, security specialist at ESET, argued that injecting hacker knowledge into the government may not be a bad thing, and could even save law enforcement money in the long-run.

“Although law enforcement lacks money and young blood, it does need updating with ethical hacking techniques that could be time consuming to train the older generations, not to mention it is a far more inviting and romanticized option than jail time for the criminals,” he added.

Source: Information Security Magazine

ICO Fines Equifax £500K After 2017 Breach

ICO Fines Equifax £500K After 2017 Breach

The Information Commissioner’s Office (ICO) has issued the maximum fine possible to Equifax in response to failings which led to a major 2017 breach.

The £500,000 penalty is only the second time the UK privacy watchdog has used the full extent of its powers and comes after a major incident at the credit agency exposed data on 15 million UK customers.

The breach itself affected nearly 146m customers around the world, mainly in the US, and involved highly sensitive data including Social Security numbers, driver’s license numbers, tax IDs and much more.

Equifax was widely criticized at the time for failing to patch a known Apache Struts vulnerability for several months. It was this flaw that hackers ultimately exploited to attack the firm.

The ICO’s investigation, carried out with the Financial Conduct Authority, found that Equifax contravened five out of eight data protection principles of the Data Protection Act 1998. These included: failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.

Data management systems were “inadequate and ineffective” and there were issues with data retention, IT system patching, and audit procedures, the ICO claimed.

Information commissioner, Elizabeth Denham, said the incident would have caused many UK consumers particular distress because they would not have been aware that the firm even held their personal data.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she added.

“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

It’s certain that the fine would have been many times greater had Equifax been investigated under the new GDPR regime.

Source: Information Security Magazine

AsTech Consulting Combines with Moss Adams

AsTech Consulting Combines with Moss Adams

Because the need for application security continues to grow with the rise of cloud technology, Moss Adams, an accounting, consulting and wealth management firm, announced today that it has combined with cyber-risk management firm AsTech Consulting to augment its application security capabilities.

Moss Adams will essentially acquire AsTech Consulting as of November 1, 2018, though the terms of what the company prefers to call a "combination" are not yet being disclosed. The deal, however, will give AsTech Consulting access to the existing Moss Adams infrastructure, resources and client relationships.

In an interview with Infosecurity Magazine, Eric Miles, partner in charge of the Moss Adams Advisory Services Practice, said, “When we add services or capabilities, it’s because our customers ask about them, and the need for application security is starting to skyrocket. Whether its with our technology clients or those who are not using self-developed software, they are beginning to recognize that their risks don’t sit within the perimeter any longer but within the app itself.”

AsTech Consulting has been in the application security business for 21 years, which is part of what made them such an appealing partner for Moss Adams. “We have a great reputation, but we are small,” said Greg Reber, CEO and founder of AsTech Consulting.

“For us, we wanted to expand our reputation to be able to reach a bigger audience and help more companies be secure. It was both the culture and the reputation of Moss Adams that made the company the best fit for us.”

Sixteen members of the AsTech Consulting team will join Moss Adams, including Reber, who will become a partner.

In preparing for the combining of the companies, AsTech Consulting has worked with the existing cybersecurity team at Moss Adams. “There is some overlap, but working together helped us understand each other. We found we have a common language through working on projects together,” Reber said.

“We are reaching an inflection point in public awareness in the need for this kind of security. Many mid-market companies are becoming more aware of the need for both perimeter and application security – or source code security, especially if they are developing their own apps, and we understand the source code issues.”

Source: Information Security Magazine

Account Takeover Attacks Result in Phishing Scams

Account Takeover Attacks Result in Phishing Scams

Attackers are successfully stealing the credentials of employees and using them in account takeover (ATO) incidents more frequently, which makes business email compromise (BEC) one of the most prevalent types of cyber fraud, according to Barracuda Networks.

The latest Threat Spotlight, looked at the motives behind ATOs and found that while hackers have myriad objectives, many will commonly use ATOs to launch phishing campaigns.

“Some attackers try to use the hacked email account to launch phishing campaigns that will go undetected, some attackers steal credentials of other employees and sell them in the black market, and others use the account to conduct reconnaissance to launch personalized attacks,” researchers wrote.

“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a business email compromise (BEC) attack from the real employee's email address.”

From April to June 2018, 60 incidents occurred among the 50 randomly selected organizations. Of the 50 organizations, four to eight reported having at least one account takeover incident. The result for those companies that were compromised was that accounts were used for nefarious purposes.

A large majority (78%) of the total incidents resulted in a phishing email where the attacker usually impersonated the employee and requested that the recipients click on malicious links or open infected attachments.

Analysis of the incidents revealed that 17% were platforms for spam campaigns that appeared to come from reputable domains, while 5% of incidents involved internal email traffic in which the attacker asked the recipient to download an attachment.

Over the course of the three-month study, 50 different email accounts were compromised. Through examining the roles of the compromised employees, some of whom were compromised multiple times, researchers found that the total number of compromised employees was 60, with 6% of those identified as executives and 22% reportedly in sensitive departments.

Barracuda recommends that any request involving money made via email, particularly something like a wire transfer request coming from the CEO, not be honored without first having an in-person conversation or, at the very least, a phone call where the sender's identity has been verified. 

Source: Information Security Magazine

Tech Giants Charged with Tracking Children

Tech Giants Charged with Tracking Children

New Mexico’s attorney general, Hector Balderas, announced a lawsuit, filed against Google, Twitter, Tiny Lab Productions, MoPub, AerServ, InModi PTE, AppLovin and IronSource, on allegations that nearly 100 gaming apps targeting children contain illegal tracking software.

The apps, designed by Tiny Lab Productions, are marketed in the Google Play Store and are reported to collect personal data from children under 13 without first acquiring parent consent. Collecting the data give not only the defendants but also whoever they sell the data to the ability to track and profile children who can then be targeted for marketing purposes.

“These apps can track where children live, play, and go to school with incredible precision,” said Balderas. “These multi-million-dollar tech companies partnering with app developers are taking advantage of New Mexican children, and the unacceptable risk of data breach and access from third parties who seek to exploit and harm our children will not be tolerated in New Mexico.”

In total, 91 gaming apps are developed by Tiny Lab. Of all the apps, only five have not been a part of Google’s Designed for Families (DFF) program. Some of the apps include Angry Bunny Race: Jungle Road, Arctic Roads: Car Racing Game, DexLand, Dragon Fight: Boss Shooting Game, Dragon Panda Racing, Fun Kid Racing, Magic Elf Fantasy Forest Run and Pet Friends Park Racing.

As children gain more access to the internet both at home and in school, the games they download can pose unique risks to them, which has long been a concern for Balderas.  

“Parents should be aware of these risks and should know how to protect their children before purchasing an internet connected device for their children. Parents should be extremely selective of the apps they choose for their children,” Balderas’s office wrote in a press release.  

In addition to listing all 91 apps, the AG’s office included six pages with instructions on how to limit ad tracking across multiple devices.

Source: Information Security Magazine

SMBs Fear Phishing, Fall Short on Cyber Training

SMBs Fear Phishing, Fall Short on Cyber Training

In surveying 500 small to medium-sized businesses (SMBs) across the US, Webroot discovered that many businesses fail to recognize the many cybersecurity threats their businesses face, in large part because they lack in-house security expertise. According to The 2018 Webroot SMB Pulse Report, phishing scams ranked the number-one threat to SMBs.

The report also found that while 24% of respondents viewed phishing as the number-one threat to their organization, 20% of smaller businesses – those with up to 19 employees – believed they should be focused on defending against ransomware.

Overall, 24% of SMBs were unable to identify their top threat, with the smallest organizations being the least likely to state their greatest risk. Of those companies classified as medium-sized (20-99 employees), 28% fear human error as their greatest threat. However, SMBs do realize that implementing awareness training programs would potentially help mitigate risks from cyber threats.

“Phishing is a tried-and-true tactic for bad actors. Employees are likely to click on things they shouldn’t, despite what businesses try to do to prevent it,” said Gary Hayslip, chief information security officer, Webroot, in a press release.  

“But humans get taken in by phishing scams out of simple curiosity or lack of security awareness, which underscores the need for continuous awareness training. For SMBs who feel overwhelmed by all the new cybersecurity challenges they face, partnering with an MSP is a great option to provide security expertise and management.”

Despite their fears of falling victim to a phishing scam or a ransomware attack, SMBs aren’t providing comprehensive, ongoing security awareness training for their employees, according to the report. The majority (66%) of participating businesses with up to 19 employees offer no cybersecurity training to employees.

As businesses grow in size, the numbers tend to get a little bit better, with only 29% of companies in the medium-sized and 13% of large companies (those with 100 to 500 employees) failing to provide a cybersecurity training in the workplace.

“Phishing attacks are one of the most common security challenges companies face in keeping their information secure. It’s easy and it’s effective. Cybercriminals set the bait and people click. Security awareness training with phishing simulations improve user behavior and get people to think before they click,” said Aaron Sherrill, senior analyst at 451 Research.

“Yet 451 Research Voice of the Enterprise surveys reveal that a large majority of businesses are cobbling together homegrown (and often ineffective) awareness solutions, wasting a lot of time and resources in the process. Small to medium-sized businesses need a solution that is cost effective, quick to deploy and easy to manage. Effective training programs do not need to be time consuming, cumbersome or costly.”

Source: Information Security Magazine

IoT Malware Detections Soar 273% Since 2017

IoT Malware Detections Soar 273% Since 2017

New IoT malware detections have soared over 200% since 2017 to reach over 120,000, according to new stats from Kaspersky Lab.

The Russian AV vendor claimed to have spotted 121,588 modifications of malware targeted at smart devices in the first half of 2018, a 273% increase on the 32,614 detected for the whole of last year.

The most popular way to spread malware is brute-forcing of passwords: used in 93% of detected attacks. Most of the remaining cases used well-known exploits to access the devices, according to the vendor.

The most commonly compromised devices were routers, accounting for 60% of the total, followed by a long tail of other connected devices including DVRs, printers and even smart washing machines.

IoT endpoints represent an attractive target for hackers as they’re always on, connected to the internet and often not secured adequately with strong passwords and updated firmware.

The threat is such that the FBI was forced to issue a public service announcement recently warning home users of the dangers of unsecured devices: most notably that they could be conscripted into botnets to launch DDoS attacks, crypto-mining, click fraud and more.

“For those people who think that IoT devices don’t seem powerful enough to attract the attention of cyber-criminals, and that won’t become targets for malicious activities, this research should serve as a wake-up call. Some smart gadget manufacturers are still not paying enough attention to the security of their products, and it’s vital that this changes — and that security is implemented at the design stage, rather than considered as an afterthought,” argued Kaspersky Lab principal security researcher, David Emm.

“At this point, even if vendors improve the security of devices currently on the market, it will be a while before old, vulnerable devices have been phased out of our homes. In addition, IoT malware families are rapidly being customized and developed, and while previously exploited breaches have not been fixed, criminals are constantly discovering new ones.”

Earlier this year the British Standards Institution launched a kitemark scheme designed to improve baseline security in the IoT space by making it easier for buyers to spot reliable kit.

Source: Information Security Magazine

Europol: Ransomware Will be Top Threat for Years

Europol: Ransomware Will be Top Threat for Years

Ransomware continues to be the biggest malware threat to businesses around the world, but mobile threats and crypto-jacking are emerging as serious challenges, according to Europol.

The law enforcement organization’s annual Internet Organised Crime Threat Assessment (IOCTA) provides a good snapshot of current industry trends. It reflects the findings of many security vendors: that ransomware is slowing but still the most widespread financially motivate threat out there, ahead of banking Trojans — and will be so for several years.

DDoS attacks were second only to malware in terms of volume in 2017, as infrastructure becomes more “accessible, low-cost and low-risk.”

On the wane as a means of infection are exploit kits, with “spam, social engineering and newer methods such as RDP brute-forcing coming to the fore.”

Europol also highlighted the emerging threat of crypto-jacking as one to watch, as it offers cyber-criminals a “regular, low risk revenue stream.” Mobile malware was also flagged.

“Mobile malware has not been extensively reported in 2017, but this has been identified as an anticipated future threat for private and public entities alike,” said the report.

As for the underground economy fueling these threats, Europol claimed success in shutting down three major marketplaces in 2017 and said that nine others closed or “exit scammed." However, new sites have unsurprisingly emerged to take their place.

“The almost inevitable closure of large, global darknet marketplaces has led to an increase in the number of smaller vendor shops and secondary markets catering to specific language groups or nationalities,” the report explained.

Javvad Malik, security advocate at AlienVault, said the report is a good validation of many of the trends security experts in the vendor and research community are seeing.

“Collaboration appears to be one of the biggest and most prominent takeaways. Being able to establish trustworthy channels to collaborate and share information and intelligence is vital,” he continued.

“Notable by its omission, there is no mention of the role of bots by organized crime and state to push agendas and misinformation, even though there are increasing industry studies that points to these as being tools in the arsenal of attackers.”

Source: Information Security Magazine

State Department Email Breach Hit Hundreds of Staff

State Department Email Breach Hit Hundreds of Staff

The US State Department has confirmed an email security breach which may have affected hundreds of employees, exposing their personal information to attackers.

Reports emerged on Monday that the incident earlier this year affected “less than 1% of employee inboxes.”

“We have determined that certain employees’ personally identifiable information (PII) may have been exposed,” it reportedly noted. “We have notified those employees.”

According to State Department figures, it employees nearly 70,000 staff, meaning in the region of 700 could be affected by the breach.

It’s not known how the attack occurred, although it affected the department’s cloud-hosted email service and not a nominally more secure classified system.

Government auditors have criticized the department in the past for failing to meet cybersecurity best practice standards.

As a result, several senators wrote to secretary of state Mike Pompeo last week demanding an update on its efforts to comply.

“According to a 2018 General Service Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law — the Federal Cybersecurity Enhancement Act — requiring all executive branch agencies to enable MFA for all accounts with ‘elevated privileges’,” they noted.

“Similarly, the Department of State’s Inspector General (IG) found last year that 33% of Diplomatic Missions failed to conduct even the most basic cyber threat management best practices, like regular reviews and audits. The IG also noted that experts who tested these systems ‘successfully exploited vulnerabilities in email accounts of department personnel as well as department applications and operating systems'.”

Gary McGraw, vice president of security technology at Synopsys, argued that the department is not alone in lagging on cybersecurity.

“If the State Department has trouble rolling out two-factor authentication to protect the majority of its users, something that many corporations have had in place for years, how can we expect other aspects of its operations to be secure?  This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector,” he added.

Sam Curry, chief security officer at Cybereason, claimed that the US government procurement process is holding it back.

“It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do," he argued. "Fundamentally this is likely a hack that led to a breach and not some type of insider issue."

Source: Information Security Magazine

Page 1 of 34512345...102030...Last »