Phishing attack prevention can never be an absolute goal; notorious threat actors will always be present in the cyberworld. Hence, one must learn to coexist with them without letting adversaries get their hands on confidential information. To this end, here are the major hacks and cyberattacks of this week.
Data Breach Hits ShopGoodwill.com
The e-commerce auction platform ShopGoodwill.com, owned by the American non-profit Goodwill, recently suffered a data breach that compromised customer accounts. As part of its phishing prevention measures, ShopGoodwill Vice President Ryan Smith sent out breach notifications to customers stating that some of their personal contact details may have been affected. Fortunately, the incident did not affect customers’ payment card details and only exposed buyer contact information.
ShopGoodwill has now fixed the vulnerability causing the breach and apologized to all customers for the inconvenience caused. Investigations into the breach continue, and customers with queries on the same have been instructed to contact Goodwill via email.
Data Breach Hits Aditya Birla Fashion
A data breach recently hit the Indian fashion brand Aditya Birla Fashion: adversaries accessed one of its databases and made it public. Initial reports indicated that the incident affected customer information (names, addresses, contact numbers, dates of birth, credit card details, order histories, and passwords) and employee information (religion, salary details, and marital status).
As part of its measures for protection against phishing, the organization sent breach notifications to all customers stating that no financial data was leaked and that adversaries accessed only parts of their personally identifiable information (PII). Later, after detailed investigations, Aditya Birla Fashion once again addressed its customers on its portal and assured them that the breach had not exposed their sensitive information.
The City of Tenino Loses $280,309 to Employee Approved Fraudulent Payments
Fake payment requests from seemingly genuine organizations are a well-known phishing scam, yet few people take preventive measures against them. A case in point is the City of Tenino, whose former Clerk-Treasurer John Millard caused the city a loss of $280,309. Between 19th March 2020 and 4th May 2020, Millard approved 20 automated clearing house (ACH) payments from the city’s bank account to several out-of-state bank accounts. He neither verified the authenticity of the emails requesting payment nor sought the city’s approval before releasing the funds. It is yet to be established whether Millard had any vested interest in this, but he resigned in December last year and moved out of state soon after.
Interestingly, Millard was not the only one to receive these phishing emails. Several other state employees received them as well, but they either ignored or reported the emails, which prevented any damage. Millard instead took matters into his own hands, and the state had to bear the consequences. He exhibited this negligence of anti-phishing practices despite having received cybercrime training while serving in the U.S. military.
Millard first grew suspicious of the payments on 5th May 2020, when a Texas-based bank contacted him to say that someone had tried to withdraw funds from an account that had received one of the ACH payments and then attempted to close the account. When Millard contacted the professional association about the transaction, it knew nothing of it. Only then did Millard see the red flag and inform the Mayor of Tenino of the funds lost to the scam.
Washington State Patrol conducted the initial investigation and then forwarded the case to the Federal Bureau of Investigation. The Tenino Auditor’s office states that the scam succeeded because Millard was solely in charge of all the city’s bank accounts and could initiate electronic transfers without any oversight. The City of Tenino has since adopted preventive measures and placed its wire transfer and ACH transaction process under dual control. In addition, it has hired a Lacey-based IT firm, Right! Systems Inc., to help secure its systems and network.
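The dual control that Tenino adopted means that no single person can both request and release an outgoing transfer. The following is an added illustration of such a workflow, not the City of Tenino's or Right! Systems' actual software: a payment is released only after two different people have approved it, the requester may not be one of the approvers, and a payee whose bank details were recently changed (the classic payment-redirection pattern) is held until an out-of-band callback has been recorded. The cooling-off period and all names are assumed values chosen for the example.

```python
"""Dual-control release of outgoing ACH/wire payments (added example, not
any real organization's code). Requirements enforced:
  1. at least two distinct approvers;
  2. the person who requested the payment cannot approve it;
  3. if the payee's bank details changed within the cooling-off period,
     the payment is held until an out-of-band callback is recorded.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy value: how long a payee bank-detail change stays "suspicious".
PAYEE_CHANGE_COOLING_OFF = timedelta(days=7)


class DualControlError(Exception):
    """Raised when an approval would violate segregation of duties."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    payee: str
    requested_by: str
    payee_bank_details_changed_on: Optional[date] = None
    callback_verified: bool = False          # payee confirmed by phone on a known number
    approvals: List[str] = field(default_factory=list)
    released: bool = False


def approve(payment: Payment, approver: str) -> None:
    """Record one approval, rejecting self-approval and duplicate approvals."""
    if payment.released:
        raise DualControlError("payment already released")
    if approver == payment.requested_by:
        raise DualControlError("requester may not approve their own payment")
    if approver in payment.approvals:
        raise DualControlError("the same person cannot approve twice")
    payment.approvals.append(approver)


def payee_change_needs_callback(payment: Payment, today: date) -> bool:
    """True if the payee's bank details changed recently and nobody verified it."""
    changed = payment.payee_bank_details_changed_on
    if changed is None:
        return False
    return (today - changed) < PAYEE_CHANGE_COOLING_OFF and not payment.callback_verified


def release(payment: Payment, today: date) -> bool:
    """Mark the payment released and return True only if all controls are satisfied."""
    if payment.released:
        return False
    if len(set(payment.approvals)) < 2:
        return False
    if payee_change_needs_callback(payment, today):
        return False
    payment.released = True
    return True


if __name__ == "__main__":
    # Constructed walk-through: clerk requests, two other officers approve.
    p = Payment("P-2020-017", 14_000.00, "Example Vendor", requested_by="clerk")
    approve(p, "mayor")
    print("released after one approval:", release(p, date(2020, 5, 1)))   # False
    approve(p, "council_member")
    print("released after two approvals:", release(p, date(2020, 5, 1)))  # True
```

The key property is that `release` is a pure function of the recorded state: a single operator with bank access cannot satisfy it alone, which is exactly the gap the auditor's office identified.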
Cyberattack Targets OpenSubtitles
OpenSubtitles, a popular website providing free movie subtitles, suffered a ransomware attack in August last year and paid a ransom to recover its files, but the adversaries have now leaked its data regardless. The breach came to light after a copy of the leaked files was recently listed by Have I Been Pwned. Data belonging to over 6 million registered OpenSubtitles users was compromised in the incident. The exposed information includes usernames, email addresses, and MD5 password hashes.
In its defense, OpenSubtitles states that its site dates back to 2006, which is why all passwords were stored as unsalted MD5 hashes until now. This made the passwords very easy to break. As part of its anti-phishing protection measures, OpenSubtitles has updated its code and recommends that users change their passwords as soon as possible as a precaution. Fortunately, no payment card information was compromised in the breach.
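Why unsalted MD5 is so weak, and what "updated its code" should look like, is worth seeing concretely. The block below is an added example and is not OpenSubtitles' code: it contrasts the legacy scheme (the same password yields the same hash for every user, so one precomputed table breaks every account that shares it) with a salted, iterated PBKDF2-HMAC-SHA256 hash, and shows the usual migration trick of re-hashing a legacy account transparently the next time its owner logs in successfully. The iteration count and storage format are assumptions for the example.

```python
"""Unsalted MD5 versus salted PBKDF2, with transparent upgrade at login.
Added example; not OpenSubtitles' implementation."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed work factor; in production tune so one hash costs ~100 ms on the login hosts.
PBKDF2_ITERATIONS = 600_000
PREFIX = "pbkdf2_sha256$"


def legacy_md5(password: str) -> str:
    """The legacy scheme: fast, unsalted, deterministic. Two users with the same
    password get the same hash, so a single lookup table breaks both at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. A fresh random salt per user makes precomputed tables
    useless and makes identical passwords produce different stored values."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time verification that understands both the new and the legacy format."""
    if stored.startswith(PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Anything else is treated as a legacy unsalted MD5 digest.
    return hmac.compare_digest(legacy_md5(password), stored)


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, new_stored). new_stored is non-None only when a legacy hash was
    verified and should be replaced in the database with the salted PBKDF2 value."""
    if not verify_password(password, stored):
        return False, None
    if stored.startswith(PREFIX):
        return True, None
    return True, hash_password(password)


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    alice_legacy = legacy_md5("winter2021")
    bob_legacy = legacy_md5("winter2021")
    print("legacy hashes identical:", alice_legacy == bob_legacy)   # True
    print("salted hashes identical:",
          hash_password("winter2021") == hash_password("winter2021"))  # False
    ok, upgraded = login_and_upgrade("winter2021", alice_legacy)
    print("login ok:", ok, "| upgraded:", upgraded is not None)    # True True
```

Forcing a password reset, as OpenSubtitles recommends, is still necessary after a leak: upgrading the hash format protects the database going forward but cannot un-leak the MD5 digests already published.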
OpenSubtitles stated that the breach resulted from the poor password habits of an administrator. It noted that the adversaries approached OpenSubtitles on Telegram in August 2021 with evidence of their access to its network. The threat actor promised to delete the stolen data once OpenSubtitles paid the BTC ransom. Although the ransom was high, the organization complied, hoping that customer data would be safe, but we all know what truth lies in attackers’ promises!
AlphV/BlackCat Ransomware Targets Moncler
The AlphV/BlackCat ransomware group attacked the Italian luxury fashion giant Moncler in the final week of December 2021 and stole some of its files. When informing the public of the breach, Moncler said that the attack would lead to nothing beyond a temporary outage. Moncler had taken the necessary measures to prevent phishing attacks and restored its logistics systems ten days after the attack.
A month later, the ransomware operators published the stolen files on the dark web. The compromised information includes details belonging to Moncler’s customers, current and former employees, consultants, suppliers, and business partners. Reportedly, the data was leaked because Moncler refused to pay the demanded ransom. Fortunately, customers’ financial data remains unaffected by this incident. In its statement, Moncler stated firmly that anybody found further distributing the stolen data would be penalized. Moncler is one of the first victims of the new RaaS actor ALPHV (BlackCat). It has informed the Italian Data Protection Authority and its enterprise stakeholders in order to minimize the attack’s impact.
Unauthorized Withdrawals Distress Crypto.com Users
Around 483 Crypto.com users recently saw unauthorized withdrawals of cryptocurrency from their accounts, something Crypto.com had been hinting at since last week. An official statement on the incident was released shortly afterwards. To protect users from phishing attacks, the platform temporarily disabled withdrawals. In most cases, Crypto.com was able to block the threat actors’ unauthorized withdrawals; in the remaining cases, it reimbursed customer funds at its own expense.
The illegal withdrawals totaled 443.93 BTC, 4,836.26 ETH, and around US$66,200 in other cryptocurrencies, amounting to nearly $31 million in fiat currency. Crypto.com detected the incident when it observed withdrawals being approved without the required 2FA step taking place. The platform immediately revoked all 2FA tokens and activated its incident-response measures. The entire episode caused a downtime of around 14 hours. As part of its cybersecurity response, Crypto.com has also migrated to an entirely new 2FA infrastructure.
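The detection Crypto.com describes, withdrawals going through without the 2FA step, is a correlation check that any platform with a second-factor gate can run over its own event stream. The block below is an added example, not Crypto.com's code: it reads constructed JSON-lines events, keeps the most recent `2fa_verified` event per user session, and flags every withdrawal that has no such event in the session or whose verification is older than an assumed five-minute validity window. The event names, field names, sample log lines and window are all assumptions for the example.

```python
"""Flag withdrawals that were not preceded by a fresh 2FA verification.
Added example with constructed log lines; not Crypto.com's detection code."""
import json
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Assumed policy: a 2FA verification authorizes withdrawals for at most 5 minutes.
TWO_FA_WINDOW = timedelta(minutes=5)

# Constructed sample events (JSON per line). u1 is normal; u2 withdraws with no
# 2FA at all; u3's 2FA verification is half an hour old when the withdrawal fires.
SAMPLE_LOG = """
{"ts": "2022-01-17T03:00:01Z", "event": "2fa_verified", "user": "u1", "session": "s1"}
{"ts": "2022-01-17T03:00:30Z", "event": "withdrawal", "user": "u1", "session": "s1", "asset": "BTC", "amount": 0.5, "tx": "w1"}
{"ts": "2022-01-17T03:05:00Z", "event": "withdrawal", "user": "u2", "session": "s2", "asset": "ETH", "amount": 12.0, "tx": "w2"}
{"ts": "2022-01-17T02:40:00Z", "event": "2fa_verified", "user": "u3", "session": "s3"}
{"ts": "2022-01-17T03:10:00Z", "event": "withdrawal", "user": "u3", "session": "s3", "asset": "BTC", "amount": 2.0, "tx": "w3"}
"""


def parse_events(raw: str) -> List[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'; sort by time."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts the 'Z' suffix from Python 3.11 on; normalise it.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_unverified_withdrawals(raw: str, window: timedelta = TWO_FA_WINDOW) -> List[Tuple[str, str]]:
    """Return (tx_id, reason) for each withdrawal lacking a fresh 2FA verification.

    reason is 'no_2fa' when the session never verified a second factor and
    'stale_2fa' when the last verification is older than `window`.
    """
    last_2fa: Dict[Tuple[str, str], datetime] = {}
    flagged: List[Tuple[str, str]] = []
    for ev in parse_events(raw):
        key = (ev["user"], ev["session"])
        if ev["event"] == "2fa_verified":
            last_2fa[key] = ev["ts"]
        elif ev["event"] == "withdrawal":
            verified_at = last_2fa.get(key)
            if verified_at is None:
                flagged.append((ev["tx"], "no_2fa"))
            elif ev["ts"] - verified_at > window:
                flagged.append((ev["tx"], "stale_2fa"))
    return flagged


if __name__ == "__main__":
    for tx, reason in find_unverified_withdrawals(SAMPLE_LOG):
        print(f"ALERT withdrawal {tx}: {reason}")
```

Binding the check to the session rather than only the user matters: a verification performed in one session should not authorize a withdrawal initiated from another one, which is the kind of gap a bypass of the 2FA gate would exploit.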
Cyberattack Hits the International Committee of the Red Cross
A sophisticated cyber-attack recently hit the International Committee of the Red Cross (ICRC) and compromised the personal data of over 515,000 people. The attack targeted servers hosting highly sensitive information about people separated from their families by migration, conflict, disaster, detention, and similar circumstances. The breach affected more than 60 Red Cross and Red Crescent National Societies around the world. The attack did not target the ICRC’s own servers directly but those of its third-party data storage provider based in Sweden.
In its statement, the ICRC does not describe this as a ransomware attack, as the attack did not shut its systems down. The ICRC itself took its systems offline, in particular the “Restoring Family Links” program, as part of its anti-phishing measures. So far, there is no evidence that the confidential data people shared with the ICRC has been misused, nor has any threat actor claimed responsibility for the attack.