It is essential to stay abreast of the latest phishing news headlines to better plan anti-phishing strategies. Here are this week’s most significant phishing updates for your perusal.


Cyberattack Hits Japanese Animation Studio – Toei

The Japanese anime giant Toei recently suffered a cyberattack that delayed the airing of new episodes of its popular anime series (including Delicious Party Precure and ONE PIECE). The hack caused major disappointment for ONE PIECE viewers who were eagerly waiting for the release of the series’ chapter 1000. Toei first detected suspicious activities in its systems on 6th March 2022 and immediately issued an internal notice demanding the shutdown of all internal systems to ensure protection from phishing attacks. Toei also launched an investigation into the breach to determine whether the adversaries stole data from its systems.

Further, Toei hired a third-party cybersecurity firm to confirm if any data was stolen in the incident. It also informed law enforcement about the attack. After launching its investigation, Toei published a notification post informing its fanbase of the delay in the airing of new episodes of “ONE PIECE,” “Dragon Quest Dai no Daibouken,” “Digimon Ghost Game,” and “Delicious Party Precure” until further notice. This delay in the production of new episodes for ONE PIECE also affects its global broadcasters, including Netflix, Crunchyroll, and Funimation.


Cyberattack Hits UK Ferry Operator Wightlink

A highly sophisticated cyberattack recently hit the UK ferry operator Wightlink, which may have compromised its customers’ and employees’ data. The incident only affected Wightlink’s back-office IT systems but not its booking system, ferry services, or website. As part of its phishing prevention measures, the ferry operator has informed the UK’s Information Commissioner’s Office (ICO), law enforcement, and the potentially affected victims.

Wightlink carries 4.6 million passengers annually and operates three routes running between Hampshire and the Isle of Wight, with over 100 daily sailings. Soon after detecting the attack, Wightlink hired third-party cybersecurity experts to look into the breach. The operator has also approached the South East Regional Organized Crime Unit for clarity and assistance. While Wightlink does not store payment card details, some of its customers and staff may have lost their personal details in this incident.


Source Code Data Breach At Mercado Libre

Mercado Libre, the Argentinian e-commerce giant, recently confirmed unauthorized access to part of its source code, which impacted data belonging to over 300k of its users. Mercado Libre’s announcement follows that of the Lapsus$ group, which threatened to leak its data (along with that of a few other companies like Impresa and Vodafone).

The company has deployed its anti-phishing measures and thoroughly analyzed the breach. So far, the investigations do not suggest attacker access to Mercado’s IT infrastructure or sensitive information. It confirmed in its initial statement that users’ account balances, passwords, financial information, investments, or credit card information were not compromised in the breach. With over 140 million active users in 18 countries, MercadoLibre is Latin America’s largest e-commerce and payments ecosystem. Lapsus$ claims to have access to 24,000 source code repositories belonging to MercadoLibre and Mercado Pago. The group has launched a poll on its Telegram channel asking users’ opinions on which company’s data to leak next, and this poll reportedly closed on 13th March 2022.


Cyberattack Hits Samsung

Samsung recently confirmed that a cyberattack targeted its source code. As with the MercadoLibre attack, Lapsus$ is believed to be responsible for this source code breach at Samsung. Fortunately, the incident did not affect Samsung’s business or customers’ personal data. However, Lapsus$ claimed to have stolen 190GB of sensitive data, and it also attached snapshots of the stolen data to support its claim.

In its notification confirming the breach, Samsung mentioned that it had implemented its phishing protection measures soon after detecting the breach. Its initial analysis indicated that data related to the source code of Galaxy devices was compromised in the breach. Therefore, no employee or customer data could have been compromised. When asked for comments on whether any ransomware demands have been made so far, Samsung remained silent.


Data Breach Hits Japanese Beauty Products Retailer Acro

The Japanese beauty products retailer Acro recently suffered a data breach that exposed the details of over 100,000 payment cards. Four of Acro’s beauty product websites were affected because of a vulnerability in its third-party payment processing vendor. Consequently, details belonging to 103,935 cards used on its Amplitude site and 89,295 payment cards (used on its Three Cosmetics domain) were compromised. Victims would include anyone who purchased Acro products on either of these websites between 21st May 2020 and 18th August 2021.

The exposed credentials include cardholder names, security codes, payment card numbers, and dates of expiry. In some cases, usernames and passwords may also have been affected. Soon after detecting the suspicious activity, Acro appointed a third-party cybersecurity firm to investigate the breach. It also reported the incident to Japan’s Personal Information Protection Commission and law enforcement. As part of its phishing attack prevention measures, Acro is notifying affected customers of the breach via email and urging victims to closely monitor their financial statements for any suspicious activities.


Cyberattack Hits PressReader

PressReader, the digital platform for print newspapers and magazines, recently suffered a cybersecurity incident that caused outages across its branches and disrupted readers’ access to over 7,000 global publications, libraries, and museums. PressReader took to Facebook and Twitter to confirm the restoration of services for its content processing system and announced that all publications sent since 6th March have now been published.

However, certain publications are still delayed, and PressReader is working to have these published as soon as possible. It announced that issues missed during the downtime (3rd March to 5th March) would be published in the coming days. Reportedly, PressReader’s security teams (particularly those in Vancouver and the Philippines) are working rigorously to tackle the incident and ensure the distribution of quality journalism.

While the company has refrained from answering whether it was a ransomware attack that targeted its systems, it claimed that the attack looks like a part of some larger attack trend. So far, there is no evidence to prove the compromise of customer data, but PressReader is taking necessary measures to prevent phishing attacks and urges customers to be patient in these tough times.


Ransomware Hits Romania’s Rompetrol Gas Station Network

A ransomware attack recently targeted Romania’s Rompetrol gas station network, a subsidiary of KMG International. Announcing the complex cyberattack, Rompetrol said that it had to shut down its websites and the Fill&Go service at gas stations to ensure protection against phishing. The Hive Ransomware Gang is believed to be responsible for this attack on Rompetrol, and it is now asking for 2 million in ransom. As the operator of Petromidia (Romania’s largest oil refinery), which processes more than five million tons annually, Rompetrol is a primary target for adversaries. In addition, KMG International is known to operate in fifteen countries across Europe, North Africa, and Central Asia.

The attack caused KMG and Rompetrol’s websites to be unreachable along with the Fill&Go application. However, the company’s email system (Microsoft Outlook) remained operational during the downtime. As part of its anti-phishing measures, KMG has informed the Romanian National Directorate of Cyber Security (DNSC). Fortunately, services at Rompetrol gas stations have not been disrupted by the security incident. An anonymous source also mentioned that the adversaries could break into the Petromidia refinery’s internal network, but services at the refinery remain unaffected.