Cybersecurity in these tough times is essential for phishing prevention and for keeping the money in your bank accounts safe through the global economic downturn ahead of us. The following headlines from the past week in cybersecurity should help you strengthen your security measures:
FIN7’s Gift Card Trap
The FBI has recently attributed to the threat actor group FIN7 a campaign that lures victims with fake gift cards to steal their personal information. This time, they are sending out emails informing victims that the retail chain 'Best Buy' is extending a $50 gift card to its loyal customers. To increase credibility, they also include a USB drive that supposedly lists the items purchasable with the gift card.
To prevent this phishing attack, refrain from plugging in the USB drive: it silently steals information from the device while displaying a 'USB malfunction' message on the screen. The information collected this way includes the username, hostname, the user's system privileges, computer model, memory capacity, OS serial number, language code, number of users, OS build, OS version, free memory available, etc.
Phishers Create Fake RBFCU Login Page
The adversaries have created a phishing page impersonating the Texas-based financial institution Randolph-Brooks Federal Credit Union (RBFCU) to extract personal details of its 850,000 members.
The page is indistinguishable from the genuine one and asks users for details in four steps. The first page asks for the account username and password, the second for security identification information, and the third for the user's email address and password. On the final 'identity verification' page, the attackers also ask for personally identifiable information such as the debit card number, expiration date, ATM PIN, account number, and social security number.
Handing these details to attackers leaves them little else to find out. It also says a lot about the lack of phishing attack prevention measures among people, a gap that attackers keep exploiting.
Raccoon Uses Google Drive To Avoid Detection
The Raccoon malware was first spotted in April 2019 and has infected over 100,000 users since then. Sold as malware-as-a-service (MaaS), Raccoon is designed to steal credit card data, email credentials, cryptocurrency wallets, and other sensitive data.
Its recently discovered trait is the use of Google Drive to evade detection by anti-phishing services. After infecting a machine, the malware connects to a Google Drive URL to retrieve and decrypt the address of the actual C&C server. Sixty-seven IP addresses used as C2 servers have been identified so far, many of them associated with Google Cloud Services. Organizations should learn from past malware campaigns and take measures to prevent phishing attacks.
SOS Online Backup Leaks 135M User Records
California-based SOS Online Backup recently left a database unprotected online. The database contained details of over 135 million of its customers. Although the company remained unresponsive both times it was contacted, it did fix the issue on 19th December 2019.
The breach exposed 70GB of structural, reference, descriptive, and administrative metadata, along with personally identifiable information such as names, emails, phone numbers, business details (for corporate customers), and account usernames.
Customers and employees of SOS Online Backup should anticipate an attack and adopt phishing prevention best practices well in advance.
Dharma Source Code On Sale
The creators of Dharma (Crysis) are selling its source code for $2000, which will enable attackers to build their own versions of the ransomware and so intensify the threat. Since its appearance in 2016, the operators of Dharma have made over $24 million from their victims.
It has attacked systems in Russia, Japan, South Korea, North Korea, and Brazil and is one of the biggest ransomware networks in the world today. Even the anti-phishing measures adopted by larger enterprises can barely keep up with this malware, which spawned three new versions in the past week alone.
Indians Do Not Back Up
A survey conducted by Avast and AVG among their users between February 20 and March 25 revealed that half of Indians do not keep backups of their data. This is either because they don't feel the need for it, don't know how to do it, or are not aware that their files are being backed up in the background.
Such a casual and uninformed approach to phishing protection makes them all the more vulnerable to ransomware and other malware such as wipers, which may not restore data even after a ransom is paid.
42M Telegram Records Leaked
A trove containing 42 million records of Telegram users was found unprotected on an Elasticsearch cluster by security researcher Bob Diachenko and the Comparitech team on 21st March. Though the data was removed by 25th March, it cannot be ruled out that someone has since posted it on a hacking forum.
The exposed details included user account IDs, phone numbers, names, hashes, and secret keys. Third-party attackers can use this information in financially motivated attacks, such as SIM swap attacks. Affected users are advised to take adequate phishing prevention measures to protect themselves from potential phishing attacks.
Second Attack On Marriott International
A second attack has hit the Marriott International hotel chain, and this time the attackers got in using the login credentials of two employees at a group hotel operating as a franchise. The attack exposed details (names, addresses, birth dates, gender, email addresses, and telephone numbers) of around 5.2 million guests. The authorities speculate that the attack began in and also exposed details such as employer name, gender, room stay preferences, loyalty account numbers, etc.
Although the hotel says that passports, payment details and passwords were not exposed in the breach, people would be wise to take measures for protection against phishing. Marriott is doing its part by notifying the authorities and the affected people, and has also set up a website to help those affected.
Data Breach At Ozark Orthopaedics
In another attack on a medical facility, Arkansas-based Ozark Orthopaedics underwent a data breach that exposed data belonging to 15,240 patients.
Ozark Orthopaedics noticed suspicious activity in its email system in late 2019. After investigating and securing the email system, it found that four employee email accounts had been compromised. The information exposed in this attack includes patient names, treatment, diagnosis, prescription, medication, and health insurance information, along with Medicare/Medicaid identification numbers, social security numbers, and financial account information.
Ozark Orthopaedics believes that no information has been misused so far. However, we recommend taking anti-phishing measures well in advance.
Security Issue With Zoom
Researchers have found a security issue in the Zoom Windows client that allows attackers to steal users' credentials. Zoom lets its users communicate via text messages in chat. URLs sent in chat are converted into clickable UNC path links, and when such a link is clicked, Windows sends the user's login name and NTLM password hash to the remote site. These password hashes can be cracked using free tools such as Hashcat.
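The flaw above comes down to how a chat client turns text into clickable links. The following is an added illustration written for this roundup, not Zoom's code: a naive linkifier that makes UNC paths clickable (the behaviour described above), a hardened version that only links http(s) URLs, and a small detection helper. The messages and the host name are constructed samples.

```python
import re
from html import escape

# Constructed sample chat messages: a normal web link and a UNC path of the
# kind the text describes (the host name is a placeholder, not a real server).
SAMPLE_MESSAGES = [
    "Slides are at https://example.org/deck.pdf",
    r"Grab the file from \\attacker-host.example\share\notes.txt",
]

# http(s) URLs: the only thing a chat client should ever linkify.
URL_RE = re.compile(r'(https?://[^\s<>"]+)')
# UNC paths: \\host\share\... ; clicking one makes Windows authenticate to
# "host" over SMB, which is how the NTLM hash leaks.
UNC_RE = re.compile(r'(\\\\[^\s\\<>"]+(?:\\[^\s\\<>"]+)*)')


def linkify_naive(message: str) -> str:
    """Flawed behaviour: web URLs AND UNC paths become clickable links."""
    text = escape(message)
    text = URL_RE.sub(r'<a href="\1">\1</a>', text)
    # The dangerous step: a UNC path rendered as a file: link.
    text = UNC_RE.sub(r'<a href="file:\1">\1</a>', text)
    return text


def linkify_safe(message: str) -> str:
    """Hardened behaviour: only http(s) URLs are linkified; a UNC path is
    left as inert text, so nothing the user clicks triggers SMB auth."""
    text = escape(message)
    return URL_RE.sub(r'<a href="\1">\1</a>', text)


def contains_unc_path(message: str) -> bool:
    """Detection helper: flag chat messages carrying a UNC path so they can
    be reviewed or blocked before they reach other participants."""
    return UNC_RE.search(message) is not None


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("naive :", linkify_naive(msg))
        print("safe  :", linkify_safe(msg))
        print("UNC?  :", contains_unc_path(msg))
```

On Windows endpoints the same leak can also be contained at the host by restricting outgoing NTLM traffic via Group Policy and by blocking outbound SMB (TCP 445) at the network perimeter.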