The war between attackers and phishing prevention services is a perennial one. None of the parties ever seem to be willing to settle for less, and hence the cyber-world is full of dynamism and vibrancy. Another week has passed, and with that, we have a hundred updates added to the list of activities in the cyber world. But to save you the hard work, here we have compiled the top headlines from the world of digital security.
User Data Released By Maze Operators
The operators of Maze ransomware have made good on their threat and released data belonging to victims who refused to pay the ransom. The operators first adopted this vicious scheme in December 2019, when they published a fragment of the 120 GB of data they had stolen from Southwire. The other victim companies include RBC, THEONE, Vernay, Baker Wotring, BILTON, Grecco Auto, Groupe Igrec, Mitch Co International, Einhell, Continental NH3, and Groupe Europe Handling SAS. In addition, the city of Pensacola, American tax advisory firm BST & Co., and laboratory testing facility MDL were also victims of this ransomware attack.
On its website, the Maze group lists these companies and says that their refusal to pay the ransom will lead to the online publication of all their data. Maze operators have already uploaded files belonging to Einhell, Fratelli Beretta, Crossroadsnet, MDL, BST & Co, SAXBST, and Auteuil Tour Eiffel.
In response, Southwire filed a lawsuit against the operators of the site in the Northern District of Georgia. The site (http[:]//mazenews[.]top/) was brought down soon after. The attackers were not deterred: they launched a new ‘mazenews’ website hosted out of Singapore via Alibaba, and have now published 14.1 GB of new files stolen from Southwire.
Phishing protection is the only way to minimize the risk of your company’s data being leaked in this way. Attackers are not going to stop making threats; it is time we thought about our own security and acted accordingly.
Data Breach At London’s CHS Consulting
London-based CHS Consulting has left the details of thousands of UK business professionals unprotected online. The employees’ information was exposed through a leaky Amazon Web Services bucket.
The exposure was spotted by researchers, who found files belonging to several consulting firms left publicly viewable without any authentication. The researchers are not certain that CHS is the actual owner of the database, since the company does not have a website of its own. The leaked database contained files from the HR departments of several UK consulting firms, such as Eximius Consultants, Dynamic Partners, and IQ Consulting.
Among the information left online were passport scans, tax documents, criminal record information and background checks, HMRC-related paperwork, emails and private messages, and a range of PII, including names, email and home addresses, dates of birth, and phone numbers. Fortunately, this database did not reach adversaries before anti-phishing protection measures were taken; otherwise, the losses would have been tremendous.
False Ransomware Alarm: Silence
Silence, one of the most active Advanced Persistent Threat groups, was recently suspected by security research firm Kaspersky of attacking banks in Sub-Saharan Africa (SSA). However, the South African Banking Risk Information Centre (Sabric) affirmed on Tuesday that the banking industry and its clients are at no risk of attack by any malware.
Kaspersky had previously warned that Silence claimed to have made inroads into financial institutions in the region. But Sabric’s acting chief executive, Susan Potgieter, says there is no evidence of any attacks on banks, and that financial institutions take phishing attack prevention very seriously. Since this industry is the most vulnerable to attacks, its anti-phishing strategies are continually reviewed and updated.
Kaspersky bases its allegations on the Silence group’s record of successfully targeting large banks with rapid, coordinated thefts over the years.
Data Breach At Australian Bank
The Australian bank P&N recently suffered a data breach in which customers’ Personally Identifiable Information (PII) and sensitive account information were exposed. P&N Bank is a division of Police & Nurses Limited that operates in Western Australia. Of late, the bank has been sending notices to its customers warning them of an “information breach”. The breach is said to have occurred through the bank’s Customer Relationship Management (CRM) platform.
The bank was attacked while performing a server upgrade around December 12th. The attackers most likely got in because of inadequate phishing prevention measures at the company P&N Bank had hired to provide hosting.
This breach has compromised several essential customer details, such as their names, addresses, email addresses, phone numbers, customer numbers, ages, account numbers, and account balances. The bank suspects that information included in their interaction records, too, may have been affected by this breach.
However, other sensitive customer details, such as passwords, social security numbers, tax file numbers, driver’s license or passport details, credit card numbers, and dates of birth, were not affected. The exact number of people affected by the breach is not yet known.
In its notice, the bank informed customers that it has already initiated measures to ensure protection against phishing and has shut down the source of the vulnerability. It is also collaborating with the West Australian Police Force (WAPOL) and other federal authorities to get to the root of the attack.
Peekaboo Moments Gives Babies Their First Data Breach
China-based app Peekaboo Moments promises to be a secure space for parents to record their child’s birth and growth and has been quite popular among users. With over 1 million downloads since its launch in 2012, the app not only helps parents store the special moments of their child but also provides extra storage space for a subscription fee that starts at $8.99/quarter.
However, security researcher Dan Ehrlich of Twelve Security recently identified a data breach at Peekaboo Moments, which proves that the app failed miserably in ensuring protection from phishing attacks. The app left a 100 GB Elasticsearch database, containing over 70 million log files, unprotected. This exposed sensitive user details such as email addresses, geographic location data, detailed device data, and links to photos and videos.
An estimated 800,000 email addresses were affected in the data breach. These were stored on servers hosted by Singapore-based Alibaba Cloud. Researcher Ehrlich calls the servers, website, and the iOS/Android app of Alibaba Cloud ‘bizarrely done and grossly insecure’.
How long the Elasticsearch server remained exposed online is uncertain, and Peekaboo Moments’ CEO and employees could not be reached. Details of the breach are very hazy at the moment.
Emotet Malware Attacks The United Nations
In a carefully crafted campaign, the operators of Emotet malware impersonated the Permanent Mission of Norway and targeted email addresses belonging to users at the United Nations.
Emotet scams usually involve fake accounting reports, delivery notices, and invoices, but this time the operators had something different in mind. They posed as representatives of Norway at the United Nations in New York and asked recipients to review the attached document. The email claimed there was a problem with the attached signed document that needed to be corrected immediately. The attackers sent this email to over 600 email addresses at the United Nations.
The attached document was marked “Doc_01_13” and was the same document Emotet uses in all its malspam campaigns. It prompts the user to ‘Enable editing’ or ‘Enable Content’ in order to view it. Emotet can lead to a full network compromise, and if a user falls for this trick, the following happens:
- Malicious Word macros get executed.
- These macros then download and install Emotet on the user’s system.
- Emotet runs in the background and sends out spam emails to other prospective victims.
- Emotet then installs other payloads, such as the TrickBot Trojan.
- The TrickBot Trojan tries to harvest data from the victim’s system and spread itself to other computers on the network.
- The final step is to install Ryuk ransomware, which not only encrypts computers on the network but also steals data before encryption. This is where the significant thefts, crimes, and financial losses begin.
What can be done?
There is no single fix that ensures phishing prevention, but employees can be trained to recognize and avoid phishing emails. They should also consult their network administrator and check with the sender of a suspicious mail to confirm its authenticity.
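As an added example (not code from the original post or from any of the parties named in it), here is a defensive check a mail gateway can apply before a document like the one in the Emotet chain above reaches a user: inspect an Office Open XML attachment for a VBA project part or a macro-enabled content type and hold it for review instead of letting the user decide whether to click ‘Enable Content’. It assumes the attachment is in .docx/.docm format; legacy binary .doc files are OLE2 containers and need a different parser (for example the oletools package).

```python
import io
import zipfile

# Markers of a macro-enabled Office Open XML (.docm) document, compared in lowercase.
VBA_PART = "vbaproject.bin"
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroenabled.main+xml",
    "application/vnd.ms-office.vbaproject",
)
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_office_attachment(data: bytes) -> dict:
    """Inspect an attachment given as bytes and report macro indicators.

    An OOXML file is a zip archive; VBA code lives in word/vbaProject.bin and the
    document's main part is declared with a macroEnabled content type.
    """
    findings = {"is_ooxml": False, "has_vba_project": False, "macro_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip, so not OOXML (could be legacy .doc or something else)
    names = zf.namelist()
    findings["is_ooxml"] = "[Content_Types].xml" in names
    findings["has_vba_project"] = any(n.lower().endswith(VBA_PART) for n in names)
    if findings["is_ooxml"]:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        findings["macro_content_type"] = any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    return findings


def should_quarantine(data: bytes) -> bool:
    """Hold the attachment if either macro indicator is present."""
    f = inspect_office_attachment(data)
    return f["has_vba_project"] or f["macro_content_type"]


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, with or without a VBA part (no real macro code)."""
    main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else PLAIN_MAIN_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
                    'ContentType="%s"/></Types>' % main_ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample_doc(True)), ("plain", build_sample_doc(False))):
        print(label, inspect_office_attachment(doc), "quarantine" if should_quarantine(doc) else "deliver")
```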
Equifax Breach Final Settlement
Following the 2017 data breach that affected 147 million Americans, Equifax has finally reached a settlement under which it will pay $380.5 million to the victims. The agreement has been approved by a court in the Northern District of Georgia. Although a significant loss for the company, the compensation is justified because Equifax failed to prevent phishing attacks enabled by a known vulnerability.
What are the clauses?
- Equifax will deposit the $380.5 million into a fund.
- Victims of the breach can withdraw up to $20,000, provided they furnish details of out-of-pocket losses.
- Equifax may have to add $125 million for additional out-of-pocket claims.
- Equifax needs to spend $1 billion on anti-phishing protection measures.
- Only those victims who apply for the settlement amount before January 22nd shall be eligible for a share of the settlement.
- Victims must abide by the terms available on EquifaxBreachSettlement.com.
- Victims will receive ten years of credit monitoring or financial compensation.
Swift Management Of Ransomware By New York Airport
On one of the busiest days of the year, the servers of a New York airport were hit by Sodinokibi ransomware; officials at the Albany County Airport Authority identified the attack on Christmas. LogicalNet, the airport’s computer management provider, first revealed the breach of its own management services network, from which the infection spread to the authority’s servers and encrypted their files and backup servers.
Although the attack encrypted administrative files, it did not affect the personal or financial details of travelers. The airport’s IT department was quick in executing its anti-phishing solutions, and so the operations at the Albany International Airport were uninterrupted by the attack. The Transportation Security Administration and airline computers too remained unharmed.
However, the airport authorities committed the blunder of paying the demanded ransom. They could have resolved the issue without paying, yet they chose to pay a considerable sum in Bitcoin. They have not revealed the exact amount but say it is under six figures. They relied on their insurance carrier’s coverage and will try to recover $25,000 from LogicalNet. They paid the adversaries on December 30th, and the decryption key was sent to them soon after.
Nemty To Launch Leaked Data Site
Like Maze and Sodinokibi, Nemty ransomware, too, plans to publish files belonging to organizations that refuse to pay the demanded ransom. As per the latest updates, Nemty is soon to create a website where they will leak stolen data if the victim companies do not make payments. This comes not just as an attack on a company but also as a compromise of personal and third-party information.
This has compelled people to treat ransomware attacks as data breaches, since in recent times these attacks not only encrypt systems but also steal files.
How does Nemty work?
- Nemty launches network attacks that target an entire network rather than individual computers.
- It builds ransomware executables intended only for corporate targets, so a single key decrypts all the devices on the network rather than one key per individual machine.
Beware Of Fake Reviews
‘Shopper’, a new Trojan application with most of its targets in Russia, Brazil, and India, is boosting the ratings and installation counts of popular shopping apps and spreading numerous ads, much to the annoyance of users.
The Trojan displays unreliable advertisements and inflates the installation counts of online shopping applications, creating phony hype among both users and advertisers. It works silently: it visits the smartphone’s app stores, downloads and launches applications, and leaves fake reviews while impersonating the user. All of this happens in the background, and the owner is barely aware that such fraud is being carried out from their phone.
This is hazardous malware because it can easily access the system interface and applications, capture what is shown on the screen, and press buttons. Although the malware’s origin is not yet known, the app is assumed to be downloaded onto the user’s device from fraudulent ads or third-party app stores while the user is trying to obtain a particular application.
The Shopper app is currently targeting the retail world, but it can also spread false information using a victim’s social media accounts. Extreme caution must be taken, and sound anti-phishing tools must be used, so that the Trojan cannot use a person’s Google or Facebook account to register on popular shopping and entertainment apps. These apps include AliExpress, Lazada, Zalora, Shein, Joom, Likee, and Alibaba.
Texas School District Loses $2.3M To Attackers
The Texas Manor Independent School District (ISD), about 15 miles from Austin, serves over 9,600 students. The district recently suffered a phishing attack that cost it about $2.3 million in total. The adversaries carried out the email phishing scam through three separate fraudulent transactions back in November.
Email phishing prevention at the Manor ISD is now being handled by Texas authorities and the FBI. According to officials, the attackers used several different schemes to con the school district, such as disguised email addresses, phone numbers, and fake links.
Further, the Federal Trade Commission has warned that attackers often impersonate company personnel and account holders to carry out their malicious schemes. It is no news that the attackers direct the victim to click on a link or to hand over passwords or bank account numbers. Clicking on these malicious links installs programs that can lock you out of your computer and steal your personal information.
Although law enforcement agencies have remained silent on the progress made, they did say that they have found some strong leads. For its part, the school district is working with the Manor Police Department to handle the issue.