CySecurity News - Latest Information Security and Hacking Incidents: Amazon

Amazon Cryptographic CyberThreat data security Datathreat PQC Quantum- safe Encryption Technology

The Future of Data Security Lies in Quantum-Safe Encryption

Cybersecurity experts and analysts have expressed growing concerns over the potential threat posed by quantum computing to modern cryptographic systems. Unlike conventional computers that rely on electronic circuits, quantum computers leverage the principles of quantum mechanics, which could enable them to break widely used encryption protocols.

If realized, this advancement would compromise digital communications, rendering them as vulnerable as unprotected transmissions. However, this threat remains theoretical at present. Existing quantum computers lack the computational power necessary to breach standard encryption methods. According to a 2018 report by the National Academies of Sciences, Engineering, and Medicine, significant technological breakthroughs are still required before quantum computing can effectively decrypt the robust encryption algorithms that secure data across the internet.

Despite the current limitations, researchers emphasize the importance of proactively developing quantum-resistant cryptographic solutions to mitigate future risks. Traditional computing systems operate on the fundamental principle that electrical signals exist in one of two distinct states, represented as binary bits—either zero or one. These bits serve as the foundation for storing and processing data in conventional computers.

In contrast, quantum computers harness the principles of quantum mechanics, enabling a fundamentally different approach to data encoding and computation. Instead of binary bits, quantum systems utilize quantum bits, or qubits, which possess the ability to exist in multiple states simultaneously through a phenomenon known as superposition.

Unlike classical bits that strictly represent a zero or one, a qubit can embody a probabilistic combination of both states at the same time. This unique characteristic allows quantum computers to process and analyze information at an exponentially greater scale, offering unprecedented computational capabilities compared to traditional computing architectures. Leading technology firms have progressively integrated post-quantum cryptographic (PQC) solutions to enhance security against future quantum threats.

Amazon introduced a post-quantum variant of TLS 1.3 for its AWS Key Management Service (KMS) in 2020, aligning it with evolving NIST recommendations. Apple incorporated the PQ3 quantum-resistant protocol into its iMessage encryption in 2024, leveraging the Kyber algorithm alongside elliptic-curve cryptography for dual-layer security. Cloudflare has supported post-quantum key agreements since 2023, utilizing the widely adopted X25519Kyber768 algorithm.

Google Chrome enabled post-quantum cryptography by default in version 124, while Mozilla Firefox introduced support for X25519Kyber768, though manual activation remains necessary. VPN provider Mullvad integrates Classic McEliece and Kyber for key exchange, and Signal implemented the PQDXH protocol in 2023. Additionally, secure email service Tutanota employs post-quantum encryption for internal communications. Numerous cryptographic libraries, including OpenSSL and BoringSSL, further facilitate PQC adoption, supported by the Open Quantum Safe initiative.

Modern encryption relies on advanced mathematical algorithms to convert plaintext data into secure, encrypted messages for storage and transmission. These cryptographic processes operate using digital keys, which determine how data is encoded and decoded. Encryption is broadly categorized into two types: symmetric and asymmetric.

Symmetric encryption employs a single key for both encryption and decryption, offering high efficiency, making it the preferred method for securing stored data and communications. In contrast, asymmetric encryption, also known as public-key cryptography, utilizes a key pair—one publicly shared for encryption and the other privately held for decryption. This method is essential for securely exchanging symmetric keys and digitally verifying identities through signatures on messages, documents, and certificates.

Secure websites utilizing HTTPS protocols rely on public-key cryptography to authenticate certificates before establishing symmetric encryption for communication. Given that most digital systems employ both cryptographic techniques, ensuring their robustness remains critical to maintaining cybersecurity. Quantum computing presents a significant cybersecurity challenge, with the potential to break modern cryptographic algorithms in mere minutes—tasks that would take even the most advanced supercomputers thousands of years.

The moment when a quantum computer becomes capable of compromising widely used encryption is known as Q-Day, and such a machine is termed a Cryptographically Relevant Quantum Computer (CRQC). While governments and defense organizations are often seen as primary targets for cyber threats, the implications of quantum computing extend far beyond these sectors. With public-key cryptography rendered ineffective, all industries risk exposure to cyberattacks.

Critical infrastructure, including power grids, water supplies, public transportation, telecommunications, financial markets, and healthcare systems, could face severe disruptions, posing both economic and life-threatening consequences. Notably, quantum threats will not be limited to entities utilizing quantum technology; any business or individual relying on current encryption methods remains at risk. Ensuring quantum-resistant cryptographic solutions is therefore imperative to safeguarding digital security in the post-quantum era.

As the digital landscape continues to evolve, the inevitability of quantum computing necessitates a proactive approach to cybersecurity. The widespread adoption of quantum-resistant cryptographic solutions is no longer a theoretical consideration but a fundamental requirement for ensuring long-term data security.

Governments, enterprises, and technology providers must collaborate to accelerate the development and deployment of post-quantum cryptography to safeguard critical infrastructure and sensitive information. While the full realization of quantum threats remains in the future, the urgency to act is now. Organizations must assess their current security frameworks, invest in quantum-safe encryption technologies, and adhere to emerging standards set forth by cryptographic experts.

The transition to quantum-resilient security will be a complex but essential undertaking to maintain the integrity, confidentiality, and resilience of digital communications. By preparing today, industries can mitigate the risks posed by quantum advancements and uphold the security of global digital ecosystems in the years to come.

Amazon Faces Lawsuit Over Alleged Secret Collection and Sale of User Location Data



 

Data Theft

Amazon class action lawsuits Data Breach Data Harvesting SDK Data Privacy Data Safety User Data data security Data Theft

Amazon Faces Lawsuit Over Alleged Secret Collection and Sale of User Location Data

A new class action lawsuit accuses Amazon of secretly gathering and monetizing location data from millions of California residents without their consent. The legal complaint, filed in a U.S. District Court, alleges that Amazon used its Amazon Ads software development kit (SDK) to extract sensitive geolocation information from mobile apps. According to the lawsuit, plaintiff Felix Kolotinsky of San Mateo claims

Amazon embedded its SDK into numerous mobile applications, allowing the company to collect precise, timestamped location details. Users were reportedly unaware that their movements were being tracked and stored. Kolotinsky states that his own data was accessed through the widely used “Speedtest by Ookla” app. The lawsuit contends that Amazon’s data collection practices could reveal personal details such as users’ home addresses, workplaces, shopping habits, and frequented locations.

It also raises concerns that this data might expose sensitive aspects of users’ lives, including religious practices, medical visits, and sexual orientation. Furthermore, the complaint alleges that Amazon leveraged this information to build detailed consumer profiles for targeted advertising, violating California’s privacy and computer access laws. This case is part of a broader legal pushback against tech companies and data brokers accused of misusing location tracking technologies.

In a similar instance, the state of Texas recently filed a lawsuit against Allstate, alleging the insurance company monitored drivers’ locations via mobile SDKs and sold the data to other insurers. Another legal challenge in 2024 targeted Twilio, claiming its SDK unlawfully harvested private user data. Amazon has faced multiple privacy-related controversies in recent years. In 2020, it terminated several employees for leaking customer data, including email addresses and phone numbers, to third parties.

More recently, in June 2023, Amazon agreed to a $31 million settlement over privacy violations tied to its Alexa voice assistant and Ring doorbell products. That lawsuit accused the company of storing children’s voice recordings indefinitely and using them to refine its artificial intelligence, breaching federal child privacy laws.

Amazon has not yet issued a response to the latest allegations. The lawsuit, Kolotinsky v. Amazon.com Inc., seeks compensation for affected California residents and calls for an end to the company’s alleged unauthorized data collection practices.

No More Internet Cookies? Digital Targeted Ads to Find New Ways



 

User Data

Amazon Chrome Cookie Data Facebook Safari Technology User Data

No More Internet Cookies? Digital Targeted Ads to Find New Ways

Google Chrome to block cookies

The digital advertising world is changing rapidly due to privacy concerns and regulatory needs, and the shift is affecting how advertisers target customers. Starting in 2025, Google to stop using third-party cookies in the world’s most popular browser, Chrome. The cookies are data files that track our internet activities in our browsers. The cookie collects information sold to advertisers, who use this for targeted advertising based on user data.

“Cookies are files created by websites you visit. By saving information about your visit, they make your online experience easier. For example, sites can keep you signed in, remember your site preferences, and give you locally relevant content,” says Google.

In 2019 and 2020, Firefox and Safari took a step back from third-party cookies. Following their footsteps, Google’s Chrome allows users to opt out of the settings. As the cookies have information that can identify a user, the EU’s and UK’s General Data Protection Regulation (GDPR) asks a user for prior consent via spamming pop-ups.

No more third-party data

Once the spine of targeted digital advertising, the future of third-party cookies doesn’t look bright. However, not everything is sunshine and rainbows.

While giants like Amazon, Google, and Facebook are burning bridges by blocking third-party cookies to address privacy concerns, they can still collect first-party data about a user from their websites, and the data will be sold to advertisers if a user permits, however in a less intrusive form. The harvested data won’t be of much use to the advertisers, but the annoying pop-ups being in existence may irritate the users.

How will companies benefit?

One way consumers and companies can benefit is by adapting the advertising industry to be more efficient. Instead of using targeted advertising, companies can directly engage with customers visiting websites.

Advances in AI and machine learning can also help. Instead of invasive ads that keep following you on the internet, the user will be getting information and features personally. Companies can predict user needs, and via techniques like automated delivery and pre-emptive stocking, give better results. A new advertising landscape is on its way.

Amazon Fined for Twitch Data Breach Impacting Turkish Nationals



 

Streaming Platform

Amazon Data Breach Data Leak Data protection data security Fines Hacker attack Personal Data Streaming Platform

Amazon Fined for Twitch Data Breach Impacting Turkish Nationals

Türkiye has imposed a $58,000 fine on Amazon for a data breach that occurred on its subsidiary, Twitch, in 2021. The breach exposed sensitive personal information of thousands of Turkish citizens, drawing scrutiny from the country’s Personal Data Protection Board (KVKK). The incident began when an anonymous hacker leaked Twitch’s entire source code, along with personally identifiable information (PII) of users, in a massive 125 GB torrent posted on the 4chan imageboard. The KVKK investigation revealed that 35,274 Turkish nationals were directly affected by the leak.

As a result, KVKK levied fines totaling 2 million lira, including 1.75 million lira for Amazon’s failure to implement adequate preemptive security measures and 250,000 lira for not reporting the breach in a timely manner. According to the regulatory body, Twitch’s risk and threat assessments were insufficient, leaving users’ data vulnerable to exploitation. The board concluded that the company only addressed the vulnerabilities after the breach had already occurred. Twitch, acquired by Amazon in 2014 for $970 million, attempted to minimize concerns by assuring users that critical login credentials and payment information had not been exposed. The company stated that passwords were securely hashed with bcrypt, a strong encryption method, and claimed that systems storing sensitive financial data were not accessed.

However, the leaked information still contained sensitive PII, leading to significant privacy concerns, particularly for Turkish users who were impacted. The motivation behind the hack was reportedly ideological rather than financial. According to reports from the time, the hacker expressed dissatisfaction with the Twitch community and aimed to disrupt the platform by leaking the data. The individual claimed their intent was to “foster more disruption and competition in the online video streaming space.” While this rationale highlighted frustrations with Twitch’s dominance in the industry, the data breach had far-reaching consequences, including legal action, reputational damage, and increased regulatory scrutiny. Türkiye’s actions against Amazon and Twitch underline the growing importance of adhering to local data protection laws in an increasingly interconnected world.

The fines imposed by KVKK serve as a reminder that global corporations must ensure compliance with regional regulations to avoid significant penalties and reputational harm. Türkiye’s regulations align with broader trends, as data privacy and security become critical components of global business practices. This incident also underscores the evolving nature of cybersecurity challenges. Hackers continue to exploit vulnerabilities in popular platforms, putting pressure on companies to proactively identify and address risks before they lead to breaches. As regulatory bodies like KVKK become more assertive in holding companies accountable, the need for robust data protection frameworks has never been more urgent. The Twitch breach also serves as a case study for the importance of transparency and swift response in the aftermath of cyberattacks.

While Twitch’s reassurances regarding encrypted data helped mitigate some concerns, the lack of prompt reporting to Turkish authorities drew criticism. Companies handling large amounts of user data must prioritize both preventive measures and clear communication strategies to regain user trust after incidents. Looking forward, the Twitch data breach highlights the necessity for all companies—especially those managing sensitive user data—to invest in proactive cybersecurity strategies. As hackers grow increasingly sophisticated, businesses must adopt a forward-thinking approach to safeguard their platforms, comply with local laws, and ensure users’ privacy remains uncompromised.

Amazon and Audible Face Scrutiny Amid Questionable Content Surge



 

Youtube

Amazon Audible ClearFake Cyber Security CyberCrime Cyberhackers CyberThreat Google Youtube

Amazon and Audible Face Scrutiny Amid Questionable Content Surge

The Amazon online book and podcast services, Amazon Music, and Audible have been inundated by bogus listings that attempt to trick customers into clicking on dubious "forex trading" sites, Telegram channels, and suspicious links claiming to offer pirated software for sale. It is becoming increasingly common to abuse Spotify playlists and podcasts to promote pirated software, cheat codes for video games, spam links, and "warez" websites.

To spam Spotify web player results into search engines such as Google, threat actors can inject targeted keywords and links in the description and title of playlists and podcasts to boost SEO for their dubious online properties. In these listings, there are playlist names, podcast description titles, and bogus "episodes," which encourage listeners to visit external links that link to places that might cause a security breach.

A significant number of threat actors exploit Google's Looker Studio (formerly Google Data Studio) to boost the search engine ranking of their illicit websites that promote spam, torrents, and pirated content by manipulating search engine rankings. According to BleepingComputer, one of the methods used in the SEO poisoning attack is Google's datastudio.google.com subdomain, which appears to lend credibility to the malicious website.

Aside from mass email spam campaigns, spammers are also using Audible podcasts as another means to spread the word about their illicit activities. Spam can be sent to any digital platform that is open to the public, and no digital platform is immune to that. In cases such as those involving Spotify or Amazon, there is an interesting aspect that is, one would instinctively assume that the overhead associated with podcasting and digital music distribution would deter spammers, who would otherwise have to turn to low-hanging fruit, like writing spammy posts to social media or uploading videos that have inaccurate descriptions on YouTube.

The most recent instance of this was a Spotify playlist entitled "Sony Vegas Pro 13 Crack...", which seemed to drive traffic to several "free" software sites listed in the title and description of the playlist. Karol Paciorek, a cybersecurity enthusiast who spotted the playlist, said, "Cybercriminals exploit Spotify for malware distribution because Spotify has become a prominent tool for distributing malware. Why? Because Spotify's tracks and pages are easily indexed by search engines, making it a popular location for creating malicious links.".

The newest business intelligence tool from Google, Looker Studio (formerly, Google Data Studio) is a web-based tool that allows users to make use of data to create customizable reports and dashboards allowing them to visualize and analyze their data. A Data Studio application can, and has been used in the past, to track and visualize the download counts of open source packages over some time, such as four weeks, for a given period. There are many legitimate business cases for Looker Studio, but like any other web service, it may be misused by malicious actors looking to host questionable content on illegal domains or manipulate search engine results for illicit URLs.

Recent SEO poisoning campaigns have been seen targeting keywords related to the U.S. midterm election, as well as pushing malicious Zoom, TeamViewer, and Visual Studio installers to targeted sites. In advance of this article's publication, BleepingComputer has reached out to Google to better understand the strategy Google plans to implement in the future.

Firstory is a new service launched in 2019 that enables podcasters to distribute their shows across the globe, and even connect with audiences, thereby empowering them to enjoy their voice! Firstory is open to publishing podcasts on Spotify, but it acknowledges that spam is an ongoing issue that it is increasingly trying to address, as it focuses on curtailing it as much as possible.

Spam accounts and misleading content remain persistent challenges for digital platforms, according to Stanley Yu, co-founder of Firstory, in a statement provided to BleepingComputer. Yu emphasized that addressing these issues is an ongoing priority for the company. To tackle the growing threat of unauthorized and spammy content, Firstory has implemented a multifaceted approach. This includes active collaboration with major streaming platforms to detect and remove infringing material swiftly.

The company has also developed and employed advanced technologies to scan podcast titles and show notes for specific keywords associated with spam, ensuring early identification and mitigation of potential violations. Furthermore, Firstory proactively monitors and blocks suspicious email addresses commonly used by malicious actors to infiltrate and disrupt digital ecosystems. By integrating technology-driven solutions with strategic partnerships, Firstory aims to set a higher standard for content integrity across platforms.

The company’s commitment reflects a broader industry imperative to protect users and maintain trust in an ever-expanding digital landscape. As digital platforms evolve, sustained vigilance and innovation will be essential to counter emerging threats and foster a safer, more reliable online environment.

Chenlun’s New Phishing Schemes Target Big-Name Brands



 

Scam

Amazon Hacking links phishing Scam

Chenlun’s New Phishing Schemes Target Big-Name Brands

A new phishing campaign unveiled by researchers from DomainTools is a phishing campaign on the go, deceiving users via fake text messages. The messages masquerade as trusted brands like Amazon to get the targets to give away sensitive data. This operation is put at the hands of the threat actor "Chenlun," who was seen tricking people last year for masquerading as a USPS delivery alert during the holiday season. On 18 October 2024, consumer targeting waves, this wave represents new waves in tactics that target trusting consumers on the most-used brands.

Phishing Attack Evolution: From USPS Notification Scam to Authentication and Authorization Hack

In December 2023, DomainTools reported on the earlier approach that Chenlun used through exploiting USPS alerts to instruct users on how to navigate to fraudulent websites. This scheme, also labelled as "smishing, tricked users into message prompting them to visit virtually identical websites to the one genuine USPS websites. These next sent information that victims did not need to provide. With the current attack, however, Chenlun used the more narrow deception of alerts that there is unauthorised access to his or her online store accounts. This prompted victims into confirmation of their account information with links that led him to a scam website. To this end, it goes without saying that one ought to be careful when opening any link on email or text.

Advanced techniques of hiding and concealing evidence

The strategies that Chenlun uses today are more advanced than that of not being detected. The phishing attack this year is different from the past years because it does not use domain names containing USPS but instead uses a DGA. A DGA automatically generates new, arbitrary domain names, which creates an added difficulty in blocking malicious websites and makes it challenging for the security systems to identify phishing attempts. The constant change in the infrastructure of the domain leaves Chenlun free to continue their attacks without instant interference from cybersecurity defences.

Changed Domain Structures and Aliases

The latest phishing campaign also demonstrates the changed structure of the Chenlun domain. Last year, the fraudsters utilised domains like the official USPS websites. This time around, they change them into simple domains and even switch to other registrars and name servers. Now, they use NameSilo and DNSOwl, for example, and not Alibaba Cloud's DNS service, just like last year. The changing tendency makes phishing attempts less predictable and also complicates the procedure for cybersecurity analysts in relation to the identification and monitoring of suspicious domains.

Moreover, the most recent activity of Chenlun used pseudonyms like "Matt Kikabi" and "Mate Kika". These pseudonyms, which were first identified in the 2023 report, have more than 700 active domains. Reusing these identities, Chenlun has been able to maintain a massive presence online undetected by cybersecurity tools.

Collaboration as a Critical Form of Defense Against Phishing

DomainTools emphasises that effective countermeasures against phishing attacks require the collective efforts of organisations. Recommendations from security experts include active monitoring of registration patterns, sharing threat intelligence, and developing robust strategies that can counter changing phishing techniques.

DomainTools further emphasises that Chenlun's strategy changes reflect the ongoing problem that cybersecurity professionals face. By constantly changing obfuscation techniques, Chenlun underlines the importance of domain-related data in identifying patterns and suspect domains.

Takeaway for Business and Consumers

Continuous activity by Chenlun also points to the fact that vigilance needs to be maintained, given the sophistication in phishing scams. Business entities need to strengthen cybersecurity measures in monitoring domain registrations and promote threat intelligence sharing. Individual consumers need to maintain vigilance by avoiding a response to unsolicited messages or links.

In short, Chenlun's latest phishing campaign calls out for proactive defence. While the attackers continue adapting with a view to remain unseen, the necessity for people to stay updated and network inter-sectorally is the urgent requirement in the world of digitization.

Security Alert for Gmail, Facebook, and Amazon Users



 

Privacy

Amazon Android Vulnerability Cyberattacks Cyberdrime Cybersecurity CyberThreat Facebook Kaspersky Passwords Privacy

Security Alert for Gmail, Facebook, and Amazon Users

The number of hacks that occur on Google, Gmail, and Amazon accounts keeps on rising, causing users to become anxious. By using phishing tactics, hackers are targeting users' passwords for Gmail, Facebook, and Amazon through phishing campaigns that pose significant risks to their personal information.

A new notice has appeared warning users of Google Mail, Facebook, and Amazon that there has been a new attack on password hacking that puts their personal information at risk because society has gone digital and protecting your credentials is "the name of the game." There is no denying the fact that these platforms are among the most popular in the world, so it is vital to have a good understanding of what threats are coming and what possibilities there are to prevent these threats.

Overall, cybersecurity experts predict a steady increase for the year, but they also note that the complexity of password hacks for Gmail and Facebook, as well as attempts to access Amazon accounts, has grown dramatically as well. It has been found that the complexity of password hacks for Gmail and Facebook has increased dramatically as a result of increased complexity in the attacks.

Typically, these hacking attempts benefit from phishing attacks, brute force attacks, and social engineering attacks, all of which are designed to take advantage of overly trustful users or weaknesses within the platforms that make them vulnerable. Several new threat analyses, including those conducted by Kaspersky Labs, reveal that password theft attacks have become increasingly common against Amazon users, Facebook users, and, most of all, Google users. There have been several attacks targeting these platforms, including those aimed at stealing passwords.

Kaspersky reported an increase of 40% in attempts of hackers to entice users to access malicious sites impersonating these brands in comparison to last year based on a study it conducted. It is no surprise that malicious hackers are seeking credentials for Gmail, Facebook, and Amazon accounts to spread their malicious programming. As a matter of fact, these accounts may be exploited to reach the full heights of cybercrime by committing data theft, malware distribution, and credit card fraud all at the same time.

A Google account is a skeleton key that can be used to unlock an entire treasure trove of other account credentials, as well as personal information, enabling fraudsters to access a treasure trove of private information. The information contained in a user's Gmail inbox is immeasurable when compared to that contained in their inbox on the web, and the chances are that they will have one given how popular this web-based free email service is with most people these days. As per Kaspersky reports, hackers are mainly targeting Google, Amazon, and Facebook passwords in their effort to steal personal information.

During the first half of 2024, Kaspersky Security reported a 243% increase in the number of attack attempts, with the company itself preventing approximately 4 million attempts. It is estimated that Facebook users were exposed to 3.7 million phishing attempts during the same period, and Amazon users were exposed to 3 million. In an interview with Kaspersky Internet Security, Olga Svistunova, who is an expert in data security at the company, warned that a criminal with access to a Gmail account may be able to access "multiple services".

Thus, it is important to note that not only may business information be leaked as a result, but also the personal information of customers can also be leaked as a result. To target these platforms, hackers are looking for account passwords, as getting access to these platforms allows them to commit fraud, distribute malware, and steal sensitive information. It is proposed that Google accounts are especially valuable since they can be used to hack into other accounts and to collect personal information that can be used in fraud attempts.

According to researchers at GuidePoint Research and Intelligence Team, Rui Ataide and Hermes Bojaxhi of the GuidePoint Research and Intelligence Team, there is an ongoing phishing campaign targeting more than 130 U.S. organizations, which has been detected as a new and worrying one. There have been so many misuses of the term "highly sophisticated threat actor" in recent years that it almost has lost all meaning, but the tactics and intrusion capabilities that were employed by this as-yet-unnamed attacker have led the GRIT researchers to conclude that this attacker deserves to be called such a label.

A spear-phishing attack, as with other spear-phishing campaigns, revolves around the targeting of specific employees within an organization rather than attempting to hit every single email account in an organization with a scattergun approach, as is so often the case with so-called spear-phishing campaigns. The attack has also targeted other tech giants, including Microsoft and Apple, as well as numerous smaller companies. Additionally, DHL, Mastercard, Netflix, eBay, and HSBC are also among the companies involved.

Cloud security provider Netskope, in a recent report, found a 2,000-fold increase in traffic to phishing pages sent through Microsoft Sway, a cloud-based application that provides users with the ability to create visual instructions, newsletters, and presentations through the use of visual illustrations. Hackers are increasingly exploiting a technique known as “quishing,” a form of phishing that utilizes QR codes to deceive users into logging into malicious websites, thereby stealing their passwords. This method is particularly effective as QR codes can bypass email scanners designed to detect text-based threats.

Additionally, since QR codes are frequently scanned with mobile devices—which often lack the robust security measures found on desktops and laptops—users become more vulnerable to these types of attacks. A new variant of QR code phishing has been recently detailed by J. Stephen Kowski, the Field Chief Technology Officer at SlashNext, in a LinkedIn article. Unlike traditional QR code phishing, which typically involves an image-based QR code redirecting users to a malicious site, this new method leverages Unicode text characters to create QR codes.

According to Kowski, this approach presents three significant challenges for defenders: it evades image-based analysis, ensures accurate screen rendering, and creates a duality in appearance between the screen rendering and plain text, making detection more difficult. Given these emerging threats, individuals who frequently use platforms such as Google’s Gmail, Facebook, and Amazon, as well as other major online services, should exercise caution to avoid becoming victims of identity theft. The risk of falling prey to password-hacking attempts can be significantly reduced by adhering to best practices in security hygiene across different accounts and maintaining a high level of vigilance.

In today’s technology-driven world, personal awareness and proactive measures serve as the first line of defence against such cyber threats. Protecting Business Accounts from Phishing Attacks

1. Recognize Phishing Indicators

- Generic Domain Extensions: Be cautious of emails from generic domains like "@gmail.com" instead of corporate domains, as attackers use these to impersonate businesses.

- Misspelt Domains: Watch for near-identical domains that slightly alter legitimate ones, such as "Faceb0ok.com." These deceptive domains are used to trick users into providing sensitive information.

- Content Quality: Legitimate communications are typically polished and professional. Spelling errors, poor grammar, and unprofessional formatting are red flags of phishing attempts.

- Urgency and Fear Tactics: Phishing messages often create a sense of urgency, pressuring recipients to act quickly to avoid negative consequences, such as account suspensions or security breaches.

- Unusual Requests: Be wary of unexpected requests for money, personal information, or prompts to click links or download attachments. Hackers often impersonate trusted entities to deceive recipients.

2. Implement Security Software

- Install robust security tools, including firewalls, spam filters, and antivirus software, to guard against phishing attacks.

- Utilize web filters to restrict access to malicious websites. - Regularly update software to patch vulnerabilities and protect against new threats.

3. Use Multi-Factor Authentication (MFA)

- Enhance account security by implementing MFA, which requires a second verification factor (e.g., a code, fingerprint, or secret question) in addition to a password.

- MFA significantly reduces the risk of unauthorized access and helps safeguard business credentials. By staying vigilant, maintaining updated security software, and utilizing MFA, businesses can better protect their accounts and sensitive information from phishing attacks.

Bling Libra Shifts Focus to Extortion in Cloud-Based Attacks



 

Web Services

Amazon AWS Bling Libra Cloud Attacks Cloud Vulnerabilities CyberCrime Cybersecurity CyberThreat Microsoft GitHub Privacy Web Services

Bling Libra Shifts Focus to Extortion in Cloud-Based Attacks

It was observed during an incident response engagement handled by Unit 42, that the threat actor group Bling Libra (which was responsible for distributing ShinyHunters ransomware) had shifted from extortion to extortion of victims rather than its traditional tactic of selling/publishing stolen data in an attempt to increase their profits.

During this engagement, it was also demonstrated how the group was able to acquire legitimate credentials, which were accessed from public repositories, to gain initial access to an organization's Amazon Web Services (AWS) environment through its public username and password. The compromised credentials had limited impact due to the limited permissions associated with them, but Bling Libra managed to infiltrate the organization's AWS environment and conduct reconnaissance operations on it during this time.

The threat actor group used various tools for gaining information and accessing S3 bucket configurations, interacting with S3 objects, as well as deleting files from the service using tools such as the Amazon Simple Storage Service (S3) Browser and WinSCP. As a result of previous jobs with high-profile data breaches, including the Microsoft GitHub and Tokopedia incidents in 2020, Bling Libra has developed a special part of their business model that enables them to monetize stolen data through underground marketplaces.

There has, however, been a significant change in the methods that Unit 42 implements, which have been reported in a recent report. As of 2024, Bling Libra has revitalized its business model from data theft to extortion, primarily targeting vulnerabilities within cloud-based environments to heighten its revenue. As Unit 42 explained in its latest report, Bling Libra obtained AWS credentials from a sensitive file that was exposed online to perform the latest attack.

AWS account credentials were obtained from an Identity and Access Management (IAM) user, which would have provided the attackers with access to the victim's account on Amazon Web Services (AWS). While the permissions for accessing Amazon S3 resources were restricted, Bling Libra exploited them to gain a foothold in the cloud environment even though they were limited. Even though Bling Libra uses the same method of accessing victims for the first few minutes, it has instead instigated the double-extortion tactics normally associated with ransomware gangs - they initially steal data from victims and threaten to publish it online if they do not pay the ransom.

According to the researchers, Bling Libra used credentials from a sensitive file exposed by the attacker on the Internet as a way of stealing the credentials, even though this file contained a variety of credentials. Aside from these exposed AWS access keys, the group also alleged that it "targeted a few other one-time credentials that were exposed by this individual as well as a few other exposed AWS access keys belonging to this individual.".

Using these credentials, it is possible for the threat actors to gain access to the AWS account where the IAM user resides and to use the AWS API call to interact with the S3 bucket under the context of the AmazonS3FullAccess policy, which allows all permissions to be granted to users. The attackers in this case sat on the network and lurked for about a month before launching an attack that led to the exfiltration of information, its deletion from the environment, and the recovery of an extortion note demanding ransom payment.

Their ransom note gave them a week to make their payment. It has been reported that Bling Libra also created new S3 buckets in the aftermath of their attack, presumably to mock the organization about the attack, as well. Ticketmaster's attack in June was notable because of how much data Bling Libra was able to obtain during this attack. At the time, the organization claimed that a total of more than half a million records were stolen, some of which contained Personal Identifiable Information (PII) such as names, emails, addresses, and partial credit card information.

In May, the same group also claimed responsibility for several other attacks on other companies, including Ticketek Entertainment Group (TEG), in Australia, that occurred around the same period as Ticketmaster. Like Ticketmaster, TEG was attacked at the beginning of May. This group has been associated with several significant data breaches that have affected millions of records of data, and the implications have been severe.

In the final phase of the attack, Bling Libra created new S3 buckets with mocking names to signify their control over the environment, illustrating their ability to manipulate the system. The threat group known as Bling Libra has adopted a new tactic, pivoting to extortion as a primary method for monetizing their cyber breaches.

Following their recent cloud-based attacks, the group sent out extortion emails demanding payment in exchange for the return of stolen data and the cessation of further malicious activities. This shift in strategy underscores their focus on using extortion as a central means to profit from their operations. A recent report by Unit 42 offers a comprehensive analysis of Bling Libra's operational tools, particularly emphasizing their use of S3 Browser and WinSCP.

These tools enable the threat actors to interact seamlessly with Amazon Web Services (AWS) environments. The report provides in-depth insights that assist incident responders in distinguishing between legitimate tool usage and activities indicative of a security breach. To counteract such threats, Unit 42 strongly advises organizations to adhere to the principle of least privilege, ensuring that users have only the minimal level of access necessary to perform their functions.

Additionally, they recommend implementing robust security measures, including the use of AWS IAM Access Analyzer and AWS Service Control Policies. These tools are essential for mitigating the risks associated with similar attacks on cloud infrastructure. As businesses increasingly depend on cloud technologies, maintaining a proactive and vigilant cybersecurity posture is critical. Organizations must be diligent in their efforts to protect their cloud environments from sophisticated threat actors like Bling Libra.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for

Popular Posts

Pages

The Future of Data Security Lies in Quantum-Safe Encryption

Amazon Faces Lawsuit Over Alleged Secret Collection and Sale of User Location Data