This week’s news headlines highlight why phishing prevention should be a part of every organization’s cyber risk management strategy. Here are the major phishing and data breach headlines from this past week.
Data Breach Hits Costco
Costco customers are receiving breach notifications warning them of unauthorized payments. The security incident was brought to light by several customers of Costco who took to social media to speak about fraudulent charges associated with their Costco accounts.
Investigations into the breach revealed that adversaries had compromised users’ payment card information through a card skimming device at some Costco warehouses. Anyone who shopped at Costco using their card was vulnerable to the attack at this unfortunate time of hackers being in its systems.
While executives from Costco can’t say for sure whether all customers were affected, it says in its breach notification that in the interim of hackers intruding its systems and the intrusion being discovered, the threat actors could have acquired the magnetic stripe of users’ payment cards. This would mean a compromise of their names, card number, CVV, and card expiry date. Costco advises customers to check with their bank once and keep an eye on their credit card statements.
As part of its anti-phishing protection measure, the company has approached law enforcement and extended a year of complimentary identity theft protection, credit monitoring, and a $1 million insurance reimbursement policy to all victims.
Hacker Breaks Into FBI’s Email System
Malicious actors breached an FBI email server recently and sent spam emails to at least 100,000 people. The spam emails sent across bizarre warnings to people that spoke about the cybersecurity writer Vinny Troia and the cybercriminal group The Dark Overlord, the link between the both being research done by Troia’s company (Night Lion Security) on The Dark Overlord back in January 2021. After sending out technically incorrect information, the attacker signed off the email as the US Cyber Threat Detection and Analysis Group (Department of Homeland Security), which has been inactive for two years now.
Cybersecurity researcher Alex Grosjean highlighted that while adversaries believe that they can mask their identity while sending spam emails from a compromised email address, the email’s metadata usually makes the source server identifiable (which in this case was the FBI server). The recipients of this spam FBI email were mostly website administrators listed on the American Registry for Internet Numbers. An FBI spokesperson later clarified that the adversaries exploited a flaw in the configuration of an agency messaging system (the Law Enforcement Enterprise Portal) but couldn’t access any FBI files. The FBI uses the LEEP system mainly to send messages to the local and state law enforcement partners. Therefore, it can be said for sure that no PII was exploited through the FBI’s network.
Hacker Who Stole Robinhood Data is Now Selling it
An unnamed threat actor had recently used social engineering to hack into the email account of a Robinhood employee and had stolen around 7 million customer data. The threat actor has now emerged from the dark and owned up to stealing this vast expanse of data from Robinhood customers. Going by the name of pompompurin, the attacker stole 5 million email addresses, 2 million names, and other sensitive information for around 310 individuals. Pompompurin is selling this entire dataset on the dark web, except for the 310 individuals’ data which is more confidential in nature. Reportedly, the attacker is demanding a five-figure amount ($10,000 or higher) in exchange for the Robinhood database.
Pompompurin has put up the data for sale even after attempting to extort the victim company. And because of the high demand and nature of the stolen data, the attacker won’t have difficulty selling the database at a profitable and high price. The statement by Pompompurin reveals that Robinhood had initially refrained from disclosing the fact that ID cards too were compromised in the incident. Such instances of adversaries leaking or stealing user data prove why paying the demanded ransom and complying with attacker requests may not be the ideal choice.
Singapore’s Most Significant Data Breach: RedDoorz Customers Affected
In what may be the largest data breach in Singapore, the personal data of over 5.9 million customers of the hotel booking site RedDoorz was compromised. The customers of the site include Singaporeans and other Southeast Asian individuals.
It must be noted that this is the most severe data breach to occur after the implementation of the Personal Data Protection Act. Hence, the Personal Data Protection Commission (PDPC) has imposed a $74,000 fine on Commeasure (the local firm running the RedDoorz website). This fine, however, is a lot less compared to penalties imposed on other industries as the PDPC is considerate of the hardships faced by the hospitality sector during the pandemic.
The hardest-hit region in the RedDoorz breach is its Indonesian market. The company’s customers belong to Southeast Asian countries, and over 9,000 Singaporeans were directly affected by the breach. The affected customer data included their names, email addresses, contact numbers, DOBs, booking details, and encrypted passwords. Fortunately, the passwords were encrypted, which means that the adversaries could not access them without finding a way to decode them. Further, the attackers couldn’t access customers’ masked credit card numbers. RedDoorz customers must lookout for suspicious messages or emails and take measures to protect themselves from phishing.
Adult Cam Site StripChat Leaves Database Unprotected Online
StripChat is a popular online adult cam site that was recently found exposing the personal data of millions of users and models. The site left ElasticSearch data unencrypted online for three days from 4th November to 7th November. This means that anybody could have accessed, downloaded and (mis)used the data stored on the StripChat database without a password. Consequently, the personal data of millions of site users and adult models stand the risk of being exploited for malicious purposes.
Discovered by the security researcher Bob Diachenko, the StripChat database contained the usernames, email and IP address, account details, and other information of over 65 million registered users. It further had the personal data and strip scores of over 421,000 models along with 719,000 chat messages and 134 million transaction details.
However, the cam site was quick to take measures for protection against phishing and secured its servers within days of being notified. But the site is yet to announce publicly and inform users of the breach – something that can invite severe GDPR fines. There is no evidence of the database being discovered, accessed, or used by anyone other than Diachenko. The site eventually confirmed that the breach was the result of a routine server reconfiguration. There is no reason to believe that users’ payment or account details and passwords were accessed in the breach.
Data Breach Hits California Pizza Kitchen (CPK)
A data breach recently hit the US pizza chain – California Pizza Kitchen (CPK). Consequently, the social security numbers of over 100,000 former and current employees were compromised.
With outlets in over 250 locations across 32 US states, CPK has a broad customer base and thousands of employees. In its breach notification, CPK mentions that the intrusion was first detected on 15th September, and soon after noticing the disruption, the company took measures to contain the attack. The initial investigations revealed that certain files containing the names and social security numbers of employees were compromised.
While the breach notification doesn’t highlight the number of employees affected, the Maine attorney general’s office notification mentions that 103,767 current and former CPK employees were involved in the incident, with former employees constituting a majority of the victims. CPK notes that information security is one of its highest priorities, and it has put phishing attack prevention measures in place to prevent such an incident from happening again.
Beware of Bait Attacks
One of the latest attack schemes that adversaries are using includes bait attacks. Bait attacks are the introductory and harmless emails sent to victims to verify their email address and their intent of responding to a phishing email. These bait emails are usually blank and do not contain anybody or attachments, passing as harmless emails through phishing email prevention software.
A recent cybersecurity report by Barracuda states that bait attacks launched through traditional mailing platforms like Gmail, Yahoo, and Hotmail are very effective in luring victims, especially the organizations in the Asia-Pacific region. It further revealed that bait attacks had targeted over 10,500 global organizations since September this year. Hence, we must adopt suitable phishing protection measures to guard against such bait attacks.