Cybercriminals keep updating their techniques and do not relent in targeting big organizations every day. This week was no different in cyberspace. Here are this week’s phishing and data breach headlines.
BetMGM: A Famous Sports Betting Operator Hit by Data Breach
Sports betting service BetMGM recently said that cybercriminals obtained the personal information of its customers in an unauthorized manner but refrained from specifying the number of users affected. According to Reuters, the incident impacted customer information like name, contact information, hashed Social Security number, date of birth, account identifiers, and transaction information with BetMGM.
BetMGM did not respond when asked how many customers were impacted by the breach, which occurred in May this year. The sports betting operator said it became aware of the matter on November 28 and has no evidence that threat actors accessed account funds or patron passwords. BetMGM further added that its online operations did not get compromised.
Last month, another sports-betting firm, DraftKings Inc (DKNG.O), reported a security breach in which the login information of its customers was compromised.
One way to reduce the risk of a security breach due to phishing attacks is to use a phishing protection security solution, such as an email spam filter or a browser extension that can detect and block suspicious links.
The Guardian Newspaper Targeted by a Ransomware Attack
One of the world’s most popular newspapers was hit by a ransomware attack that forced it to send employees home. Jim Waterson, the media editor of The Guardian, said the incident affected “part of the company’s behind-the-scenes services and technology infrastructure.” Newspaper staff worked from home for the rest of the week, although the incident did not impact the paper’s online publishing.
“As everyone knows, a serious incident affected our IT systems and network in the past 24 hours. We believe it was a ransomware attack but are considering all possibilities,” read a statement from Anna Bateson, the Guardian Media Group CEO, and Katharine Viner, editor-in-chief.
“We publish globally to our apps and website, although some internal systems are impacted. We are confident we will publish it in print tomorrow. Our IT and technology team is working to deal with various aspects of this incident, and most of our staff is working from home as they did during the pandemic.” It is unclear if the attackers took any sensitive data during the raid.
Google Ad Fraud Campaign On Adult Websites Rakes in Millions in Revenue for Cybercriminals
A massive ad fraud campaign used Google Ads and ‘popunders’ on adult websites and reportedly generated millions of ad impressions from stolen articles, earning the fraudsters an estimated $275k per month. Malwarebytes discovered the fraud campaign and reported it to Google, which took it down for violating policies that forbid Google Ads on adult sites.
While researchers could not ascertain the campaign’s operator, Malwarebytes collected evidence suggesting the threat actor is likely of Russian origin.
‘Popunders’ and Google Ads
The fraudsters designed advertising campaigns on adult websites and received massive traffic using ‘popunder’ ads. These advertisements are cheap and open as browser windows beneath the main window, so the user cannot see them until they move or close the main browser window.
Adult webcams, online dating services, and other adult content portals typically use ‘popunders.’ In this incident, the fraudsters created legitimate-looking news portals containing content scraped from other websites and used them as ‘popunder’ advertisements.
Instead of showing the page’s content, however, the site overlays an iframe promoting a ‘TXXX’ adult site. To generate ad revenue from such popunders, the threat actors embedded a Google Ad at the bottom of the webpage, violating Google’s advertising policies. A click anywhere on the webpage (for example, on a thumbnail the user selects to watch a particular video) triggers a click on the Google ad instead.
Little Rock School District Approves $250K as Ransomware Settlement
To recover data stolen from its servers, the Little Rock School District’s board approved a $250,000 settlement to end a recent ransomware incident. However, during the public board meeting, an LRSD school board member inadvertently disclosed the full settlement amount.
The Little Rock School District is a 21,200-student district in Arkansas and has released few details about the recent cyberattack since the December 5 meeting. However, LRSD Board President Greg Adams issued a letter to the school community saying they had reached a final agreement.
“After we confirm that we have retrieved the stolen information,” Adams wrote, “we will contact everyone whose data might be compromised.” Furthermore, everyone whose data got compromised and people potentially impacted by the incident will receive identity and credit monitoring services. “As a precautionary measure,” all district staff will receive the same services.
The FBI, the Multi-State Information Sharing and Analysis Center, and the Cybersecurity and Infrastructure Security Agency strongly discourage paying any ransom after a cyberattack because payment does not guarantee the recovery of victims’ files.
DarkTortilla Malware Distributed Through Phishing Sites Masquerading as Grammarly and Cisco
Cyble Research and Intelligence Labs (CRIL) recently detected threat actors (TAs) distributing the DarkTortilla malware. DarkTortilla is a complex .NET-based malware that has been operating since 2015.
Researchers say that the malware drops numerous Remote Access Trojans (RATs) and stealers, including AgentTesla, AsyncRAT, NanoCore, etc. Security researchers had previously reported that DarkTortilla spreads through spam emails containing malicious attachments. However, CRIL said that the TAs behind DarkTortilla also built phishing websites to spread the malware.
“We identified two phishing websites that seemed legitimate Grammarly and Cisco sites. Fake website links could reach users via online ads or spam emails to infect them”, CRIL said.
Technical analysis showed that the Grammarly phishing site downloaded a malicious zip file, “GnammanlyInstaller.zip,” when the user clicked on the “Get Grammarly” button. The zip file contained a malicious cabinet file, “GnammanlyInstaller.ce9rah8baddwd7jse1ovd0e01.exe,” masquerading as a Grammarly executable.
Stolen API Keys of Email Marketing Services Put Mobile App Users at Risk
CloudSEK’s BeVigil security search engine analyzed 600 apps on the Google Play store and found that 50% were leaking API (application programming interface) keys of three popular marketing and transactional email service providers: SendGrid, Mailgun, and MailChimp. CloudSEK notified all the involved entities and impacted apps about the hardcoded API keys.
The leaked API keys allowed cybercriminals to perform many unauthorized actions, such as deleting API keys, sending emails, and modifying two-factor authentication (2FA) settings.
An API is a software interface that enables applications to communicate with one another without human intervention. An API key is a unique identifier that a developer or user presents to authenticate to an API.
CloudSEK mentioned that an examination of the three providers’ data revealed that the US topped the list with the highest number of downloads, followed by the UK, Spain, Russia, and India. The report says the discovery leaves 54 million mobile app users vulnerable.
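A defender-side illustration of the hardcoded-key problem described above, added here and not CloudSEK’s or BeVigil’s tooling: the script scans decompiled app resources for strings shaped like keys of the three providers named in the report. The key patterns are an assumption based on each provider’s publicly documented key shape, and the strings.xml lines are constructed sample input.

```python
import re
from typing import Dict, List, NamedTuple

# Approximate key shapes (assumption: based on each provider's documented format;
# confirm against current provider documentation before relying on them).
KEY_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "SendGrid": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    "Mailgun": re.compile(r"\bkey-[0-9a-f]{32}\b"),
    "MailChimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}


class Finding(NamedTuple):
    provider: str
    line_no: int
    redacted: str  # only a short prefix is kept so reports never log the full secret


def redact(secret: str, keep: int = 6) -> str:
    """Keep the first few characters so a team can match the key without exposing it."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str) -> List[Finding]:
    """Scan decompiled source or resource text for hardcoded email-provider API keys."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(provider, line_no, redact(match.group(0))))
    return findings


# Constructed sample resembling a decompiled Android strings.xml; the keys are fake.
SAMPLE = "\n".join([
    '<string name="sendgrid_key">' + "SG." + "a" * 22 + "." + "b" * 43 + "</string>",
    '<string name="mailgun_key">key-' + "0123456789abcdef" * 2 + "</string>",
    '<string name="mailchimp_key">' + "deadbeef" * 4 + "-us12</string>",
    '<string name="placeholder">YOUR_SENDGRID_KEY_HERE</string>',  # should not match
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: possible {f.provider} key {f.redacted}")
```

Run it over the output of a decompiler (for example, the res/values and source directories of an unpacked APK) rather than over the sample, and treat every hit as a key to rotate, not just to remove.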
Social Blade Confirms Data Breach After Cybercriminals Post Stolen User Data
Social Blade, a social media analytics platform, confirmed it suffered a data breach after discovering its database was up for sale on a hacking forum. The platform provides statistical graphs for YouTube, Instagram, Twitter, Twitch, Dailymotion, and Mixer accounts, allowing users to see estimated earnings and projections. It also offers an API that lets users integrate Social Blade data directly into their own platforms.
After BleepingComputer contacted Social Blade regarding the data sale, the company confirmed it had suffered a breach and began informing customers through data breach notifications. “On December 14, we got a notification regarding a potential data breach whereby a threat actor had acquired exports of our user database and attempted to sell it on a hacker forum,” read the data breach notification.
“We investigated the posted samples and verified they were real. It appears the cybercriminal exploited a vulnerability on our website and gained access to the database.”
The data breach notification mentions that the threat actors accessed its database and stole the following information:
- Email addresses
- Password hashes
- Client IDs
- Tokens for business API users
- Auth tokens for connected accounts
- Various internal and non-personal data
The notice further clarifies that no credit card information got exposed due to the security incident.
US Leads The Group as Researchers Discover 3.5 Million Exposed IP Cameras
According to recent Cybernews research, there is a steep rise in internet-facing IP cameras. The research team analyzed 28 of the most popular manufacturers and found 3.5 million cameras exposed to the internet, an eightfold increase since April 2021. While default security settings improved over the review period, some popular brands still ship with either no authentication or default passwords, meaning anyone can spy on the users.
Interestingly, Chinese companies manufacture the majority of internet-facing cameras. And while organizations are following cosmetic security measures, security leaders warn that the Chinese government can exploit technologies produced by Chinese companies. Recently, the UK parliament asked government agencies to stop installing Chinese equipment, including surveillance cameras, on sensitive sites.