Showing posts with the label David Bisson.

Monday, January 13, 2020

Texas School District Lost $2.3M to Phishing Email Scam

By David Bisson, 13/01/2020, on The State of Security


A school district in Texas announced that it lost approximately $2.3 million after falling victim to a phishing email scam.
On January 10, the Manor Independent School District (MISD) published a statement on Twitter and Facebook in which it revealed that it was investigating a phishing email scam that cost it $2.3 million.

In the statement, MISD Director of Communications Angel Vidal Jr said that the Federal Bureau of Investigation and the Manor Police Department were pursuing “strong leads” as part of their investigation but that their efforts were ongoing.
Vidal also took the opportunity to thank the Manor Police Department for working with MISD to notify the community about the security incident.
MISD’s statement didn’t disclose any information about the phishing email scam including how it occurred or how the school district, which serves 9,600 students, detected it.
Anne Lopez, a detective with the Manor Police Department, provided some details about the attack to television station KVUE:
It was three separate transactions. Unfortunately they didn’t recognize the fact that the bank account information had been changed and they sent three separate transactions over the course of a month before it was recognized that it was a fraudulent bank account.
Lopez’s insights suggest that the attack consisted of a business email compromise (BEC) scam in which digital fraudsters tricked an employee at MISD into changing the payment instructions for a vendor or supplier. Those attacks have individually cost companies like Nikkei and Toyota millions of dollars. Between June 2016 and July 2019, BEC scams were responsible for $26 billion in damages globally.
The attack described above highlights the importance of organizations taking steps to protect themselves against malicious emails. They can do so by educating their employees about some of the most common types of phishing attacks circulating in the wild today. This resource is a good place to start.

Thursday, February 8, 2018

Cryptomining Software Discovered on Tennessee Hospital’s EMR Server

By David Bisson, 08/02/2018, on The State of Security

A Tennessee hospital discovered cryptomining software installed on a server that hosts its electronic medical records (EMR) system.
In January 2018, Decatur County General Hospital began notifying patients of an incident involving its electronic medical record systems. Its breach notification letter (PDF) reveals the hospital first learned about the security event from its EMR vendor:
On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf. The unauthorized software was installed to generate digital currency, more commonly known as “cryptocurrency.”
Decatur County General Hospital. (Source: Nashville Public Radio)
Decatur County General Hospital subsequently launched its own investigation into the incident. So far, it’s determined that a remote actor likely accessed the server on which its EMR system stores patients’ information, including their names, addresses, dates of birth, Social Security Numbers, insurance details, and medical treatment records. It’s also found that the cryptomining software had been active since at least 22 September 2017.
The hospital’s EMR vendor replaced the server and operating system four days after discovery.
At this time, Decatur County General Hospital cannot confirm whether the individual responsible for the breach accessed patients’ information stored on the server. It tells patients as much:
Again, while our investigation continues into this matter, we have no evidence that your information was actually acquired or viewed by an unauthorized individual, and based upon reports of similar incidents, we do not believe that your health information was targeted by any unauthorized individual installing the software on the server. Our investigation to date, however, has been unable to reasonably verify that there was not unauthorized access of your information.
Cryptomining emerged as a salient threat in 2017. Tools responsible for generating new units of cryptocurrency preyed upon 1.65 million users over the first eight months of the year. Since then, researchers have discovered a single Monero mining campaign that victimized 15 million users in the fall of 2017. Such findings have led some security experts to wonder whether cryptomining will supplant ransomware as the most widespread form of digital crime in 2018.
Given that possibility, it’s important that hospitals and other healthcare organizations maintain the security and integrity of their EMR systems. They can find guidance for that objective here.
To learn more about how Tripwire can protect your healthcare organization against digital threats, click here.

Friday, December 22, 2017

5 Notable DDoS Attacks of 2017

By David Bisson, 21/12/2017, on The State of Security


We all know what a great year distributed denial-of-service (DDoS) attacks had in 2016. In the last four months of that year, the web registered two significant DDoS campaigns. The first targeted Brian Krebs at a peak size of 620 Gbps. The second struck Dyn and, in so doing, took down Twitter, Amazon, Spotify and other clients of the DNS provider’s critical infrastructure.
2017 was far quieter in terms of DDoS attacks, by comparison. But not for want of trying on the part of computer criminals. Indeed, Arbor Networks detected 6.1 million campaigns through September 30.
This figure breaks down to 22,426 attacks per day, 934 per hour, and 15 per minute. Additionally, the provider of network monitoring software observed several massive DDoS campaigns in 2017, with one even surpassing the attack that struck Krebs at 622 Gbps.
Amidst these millions of attacks, a few stood out for their targets and consequences. Here are five campaigns in particular that deserve mention.

1. Melbourne IT

Domain name registrar Melbourne IT, as well as two of its subsidiaries Netregistry and TPP Wholesale, suffered a DDoS attack on April 13. The assault began at 10:00 local time, forcing the victimized organizations to inform customers that their cloud hosting and mailing platforms, among other services, were at the time unavailable.
By 11:30, the companies had returned normal service by implementing “our DDoS mitigation services as standard operating procedure and… international traffic management measures.” It took them another hour to tell customers that they had resolved the issues and that they would continue to monitor the situation.

2. DreamHost

At 09:20 PDT on August 24, a DDoS attack deluged web hosting provider and domain name registrar DreamHost, knocking its systems (particularly its DNS infrastructure) offline.
The Register‘s Iain Thomson believes the attack originated from those who opposed the company’s decision, made that same day, to take on as a customer Punished Stormer, a reincarnation of the neo-Nazi Daily Stormer website for which CloudFlare terminated service following the Charlottesville protests. DreamHost mitigated the attack a few hours later.

3. UK National Lottery

After 19:00 local time on September 30, someone decided to target the UK National Lottery with a DDoS campaign. The attack knocked the Lottery’s website www.national-lottery.co.uk and its mobile app offline, which prevented many UK citizens from playing the Lottery without visiting a partner retailer to purchase a ticket.
By 23:00 local time, the bulk of the attack had died down. Even so, the Lottery’s website and app continued to experience lesser issues until 03:00.

4. Electroneum

Cryptocurrency startup Electroneum had crowdfunded $40 million worth of Bitcoin and Ether following an initial coin offering (ICO). Just before it launched its mobile mining app on November 2, the company’s website suffered a DDoS attack.
The campaign led Electroneum to lock investors out of their accounts while it worked to restore its network access. In the meantime, the Financial Conduct Authority took a moment to remind investors that ICOs offer no protection, which means investors should “be prepared to lose [their] entire stake.”

5. Boston Globe

On November 8 at approximately 15:00 EST, the Boston Globe suffered what was likely a probe to gauge the anti-DDoS defenses of bostonglobe.com and other websites owned by the company. This initial wave disrupted the newspaper’s telephones. It also interrupted its editing system.
Subsequently, the bad actors took the results of their test and resumed their attack at 11:00 EST on November 9. In so doing, they prevented many Boston Globe employees from doing their jobs and rendered bostonglobe.com inaccessible. Relief eventually came in mid-afternoon when the company’s Internet service provider put effective anti-DDoS measures in place.

Some Advice for the New Year

In light of the DDoS attacks discussed above, it’s important that companies make sure they prepare themselves for 2018 and beyond. Technology firms will continue to work to take down DDoS botnets like WireX. However, organizations should make sure they’ve protected themselves with DDoS mitigation technologies in the meantime.
For additional advice on how to defend against DDoS attacks, click here.

Monday, December 18, 2017

Monero Mining Software Found on Oil Transport Company’s Systems

By David Bisson, 18/12/2017, on The State of Security


An oil transportation company discovered someone had installed Monero-mining software on its systems without its authorization.
On 14 December, Vladimir Rushailo, vice president of the Russian state-owned transport monopoly Transneft, revealed that the company had found that one of its computers had automatically downloaded software designed to mine the Bitcoin rival. As quoted in a statement provided to Reuters:
Incidents where the company’s hardware was used to manufacture cryptocurrency have been found. It could have a negative impact on the productivity of our processing capacity.
The company subsequently deleted the program from the computer. It also implemented “programs to block such downloads in the future.”
Transneft has not provided any details about what caused the computer to download the cryptocurrency miner, including whether a malicious insider or an external actor might have hacked the workstation. What is clear, however, is that these types of attacks are growing in frequency. Pavel Lutsik, head of information security projects at the IT firm Croc, agrees:
More and more people have learn[ed] that, in fact, they do not even need to stand up from the sofa to make money – if they are not caught.
Transneft logo. (Source: Twitter)
In recent months, several organizations including Ultimate Fighting Championship and Showtime have removed CoinHive and other Monero miners that slowed down visitors’ computers from their websites. Attackers have also gone after companies’ internal networks directly in order to mine cryptocurrencies. F5 threat researchers detected one such campaign, dubbed “Zealot,” that leverages the Apache Struts Jakarta Multipart Parser attack as well as a flaw affecting the DotNetNuke (DNN) content management system to compromise vulnerable systems. It then leverages EternalSynergy and EternalBlue, exploits for the same Microsoft vulnerabilities used by WannaCry and NotPetya, to move laterally inside the network, find Windows and Linux computers, and seize them for mining Monero.
Attackers victimized 1.65 million users with cryptocurrency miners in the first eight months of 2017. No doubt this number will increase to account for the rest of the year.
As reported by RT, Russia intends to create legislation that governs cryptocurrency mining and other related matters by July 2018. This move will no doubt help the state crack down on cryptocurrency mining attacks, especially those involving Russian corporate servers.
At the same time, organizations can take steps to protect themselves against cryptocurrency miners by making sure their computers are up-to-date. To do so, they should build a patch management program that, among other things, gives them complete visibility over all their assets and prioritizes known vulnerabilities based on their business requirements. For information on how Tripwire can help your organization build such a program, click here.

Tuesday, December 12, 2017

Notice of Ransomware Attack Released by National Capital Poison Center

By David Bisson, 12/12/2017, on The State of Security



The National Capital Poison Center (NCPC) in Washington, DC has published notice of a ransomware attack it suffered back in 2017.
According to the news release (PDF), the critical health resource detected a ransomware infection on its systems in October 2017. It then launched an investigation into the matter with the assistance of a third-party forensic expert. Here’s what the NCPC has learned so far:
While this investigation is ongoing, on November 27, 2017, NCPC determined that unauthorized access to a database server occurred on October 21, 2017, and that unauthorized access to the data stored on that server cannot be ruled out. The possibly affected database contains information provided during calls made to or from the center between January 1997 and October 21, 2017.
The NCPC goes on to clarify that the affected database did not contain Social Security Numbers, passport data, or any type of financial information. Instead it consisted of personal information collected during call center calls like a person’s name, date of birth, address, phone number, email address, and medical recommendations discussed over the phone.

At this time, it’s unclear what ransomware struck the NCPC, whether it paid the ransom or restored from backups, and how many people the attack might have affected.
Dr. Toby Litovitz, Executive and Medical Director of NCPC, urges those concerned by the possible exposure of their personal information to reach out to the Center:
NCPC takes the security of information stored on our systems very seriously, and we understand this incident may cause concern or inconvenience. We continue to work with third-party forensic investigators to ensure the security of our systems, and encourage people to contact us at 877-218-3009 (U.S. and Canada callers) or 814-201-3664 (international callers) with any questions or concerns.
The NCPC currently lacks complete contact information for at least some of the records in the affected database. As a result, it’s posting the ransomware notice on its homepage (poison.org) along with the websites of state media outlets and publications. It’s also urging those who might be affected to place a fraud alert or credit freeze on their credit reports with TransUnion, Experian, Equifax, and Innovis.
In the meantime, organizations can protect themselves against ransomware attacks by implementing foundational security measures that, among other things, protect data via encryption, limit which individuals can access sensitive information, and ensure an organization can recover from a data corruption incident using data backups. Learn more about these controls and how they pair with Tripwire’s solutions here.
News of this attack follows less than three months after Arkansas Oral & Facial Surgery Center notified 128,000 patients of a ransomware attack that might have exposed their information.

Monday, December 11, 2017

Criminal Stole “a Significant Amount of Data” in Airport Hacking Attack

By David Bisson, 11/12/2017, on The State of Security


A criminal stole “a significant amount of data” in a hacking attack that targeted one of the busiest airports in Australia.
According to The West Australian, the breach occurred in March 2016 when a Vietnamese man named Le Duc Hoang Hai abused a third-party contractor’s credentials to access the systems at Perth Airport, the fourth busiest airport in Australia. Kevin Brown, chief executive of the airport, says Perth’s IT team ultimately detected the breach and notified both the Australian Cyber Security Centre and the Australian Federal Police. As quoted in a statement provided to 9News Australia:
The assistance and hard work of these two agencies has resulted in the successful identification and prosecution of the individual responsible for the cyber intrusion. Based on evidence gathered by the Australian Federal Police, it appears that credit card theft was the motivation for the illegal accessing of our system. No personal data of members of the public, such as details of credit card numbers, was accessed but other Perth Airport documents were taken.
Those documents included building schematics and details of physical security measures that staff had implemented at the airport.
Perth Airport. (Source: Wikipedia)
Upon hearing from Perth Airport, the Australian Cyber Security Centre and the Australian Federal Police traced the attack back to Vietnam and tipped off local authorities. Vietnamese law enforcement subsequently began looking into the matter. Their investigation identified 31-year-old Hai as the culprit responsible for hacking not only Perth but also additional targets in Vietnam including banks and an online military newspaper.
Perth was Hai’s only Australian target.
Vietnamese police thereafter arrested Hai. In early December 2017, a military court ordered him to serve four years in prison for his digital offenses.
Prime Minister Malcolm Turnbull’s digital security adviser Alastair MacGibbon hasn’t found any evidence that Hai was working as part of a larger group or sold the stolen information. Even so, the hack to him constitutes “a sign of the type of work we are going to be doing a lot more of in the future.” That includes improving the security measures at Perth and other airports regarding what types of information third-party contractors can access.
This isn’t the first security incident to expose an airport’s sensitive data. News of this attack comes less than two months after Britain’s largest and busiest airport launched an investigation to determine how someone found a USB drive containing 2.5GB of its data on the street. That data included maps of CCTV cameras and other security measures.

Monday, December 4, 2017

Scammers Disseminating Unverified PayPal Transaction Phishing Emails

By David Bisson, 04/12/2017, on The State of Security


Scammers are pushing out fake PayPal emails that use the premise of an unverified transaction to phish for customers’ personal and financial information.
The attack emails lure in users with subject lines stating how PayPal couldn’t verify their transactions or complete their most recent payments. Here’s one example:
Example of unverified PayPal transaction phishing email. (Source: Malwarebytes)
We couldn’t verify your recent transaction
Dear Client,
We just wanted to confirm that you’ve changed your password. If you didn’t make this change, please check information in here. It’s important that you let us know because it helps us prevent unauthorised persons from accessing the PayPal network and your account information.
We’ve noticed some changes to your unsual selling activities and will need some more information about your recent sales.
Verify Information Now
Thank you for your understanding and cooperation. If you need further assistance, please click Contact at the bottom of any PayPal page.
Sincerely,
PayPal
Clicking on the “Verify Information Now” button redirects the user to myaccounts-webapps-verify-updated-informations(dot)epauypal(dot)com/myaccount/e6abe. This fake landing page in turn attempts to direct them to a resolution center. There, they’re prompted to resolve the issue by providing “a little more information about [their] account transactions.”
A little more information? Try the user’s name, address, phone number, mother’s maiden name, date of birth, and credit card information.
Fake PayPal resolution center page where users are prompted to submit their personal information. (Source: Malwarebytes)
Christopher Boyd, lead malware intelligence analyst at Malwarebytes, explains the damage that submitting such data into the fake form can cause to users:
Sadly, anyone submitting their information to this scam will have more to worry about than a fictional declined payment, and may well wander into the land of multiple actual not-declined-at-all payments instead. With a tactic such as the above, scammers are onto a winner—there’ll always be someone who panics and clicks through on a “payment failed” missive, just in case. It’s an especially sneaky tactic in the run up to December, as many people struggle to remember the who/what/when/where/why of their festive spending.
Needless to say, this isn’t the first PayPal phishing campaign that’s targeted users, and it won’t be the last. Customers should therefore protect themselves by familiarizing themselves with some of the most common phishing attack types. If they come across a PayPal-related email that even remotely resembles one of those phishing scams, they should report it to PayPal here.
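The landing page quoted above lives on a registered domain that merely resembles the brand (epauypal.com rather than paypal.com), with “verify” and “account” stuffed into a long subdomain. As an added example, not code from the original post or from Malwarebytes, the Python below refangs that defanged URL, extracts the registered domain, and flags it as a lookalike when the domain is within a couple of edits of the brand name or the brand name appears in the hostname outside the brand’s own domain. The legitimate domain (paypal.com), the edit-distance threshold, the lure-word list and the two-label registered-domain rule are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the defanged landing-page URL quoted in the post.
DEFANGED_URL = "myaccounts-webapps-verify-updated-informations(dot)epauypal(dot)com/myaccount/e6abe"

BRAND_DOMAINS = {"paypal.com"}   # assumption: the brand's only legitimate registered domain
BRAND_LABELS = {"paypal"}        # brand name as it would appear in a hostname label
LURE_WORDS = ("verify", "account", "secure", "update", "login", "confirm")
MAX_EDITS = 2                    # assumption: edit-distance threshold for "looks like the brand"


def refang(url):
    """Undo common defanging conventions so the URL can be parsed."""
    url = url.replace("(dot)", ".").replace("[.]", ".").replace("hxxp", "http")
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    return url


def host_of(url):
    """Hostname of a (possibly defanged) URL, lower-cased."""
    return (urlsplit(refang(url)).hostname or "").lower()


def registered_domain(host):
    """Naive registered domain: the last two labels.
    Assumption: no multi-part public suffixes such as co.uk are involved."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, reasons): 'legitimate', 'lookalike' or 'unknown'."""
    host = host_of(url)
    reg = registered_domain(host)
    if reg in BRAND_DOMAINS:
        return "legitimate", []
    reasons = []
    base = reg.split(".")[0]          # e.g. "epauypal" from "epauypal.com"
    for label in BRAND_LABELS:
        d = levenshtein(base, label)
        if base != label and d <= MAX_EDITS:
            reasons.append(f"registered domain '{reg}' is {d} edit(s) from brand '{label}'")
        if label in host:
            reasons.append(f"brand name '{label}' appears in host '{host}' outside {sorted(BRAND_DOMAINS)}")
    words = [w for w in LURE_WORDS if w in host]
    if words:
        reasons.append("lure words in hostname: " + ", ".join(words))
    return ("lookalike" if reasons else "unknown"), reasons


if __name__ == "__main__":
    for sample in (DEFANGED_URL, "https://www.paypal.com/signin", "http://paypal.com.example.net/verify"):
        verdict, why = classify(sample)
        print(f"{verdict:10s} {host_of(sample)}")
        for r in why:
            print("   -", r)
```

Run stand-alone, the script reports the quoted URL as a lookalike on three grounds (two edits from the brand, plus “verify”, “account” and “update” in the hostname), while a path or subdomain on the real paypal.com is accepted. The brand-in-hostname rule also catches the other common trick, a hostname like paypal.com.example.net, where the brand appears as a subdomain of an unrelated registered domain; a production check would replace the two-label rule with a public-suffix list.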

Wednesday, November 29, 2017

Attackers Exploit 17-Year-Old Bug to Deliver Malware via Cobalt Strike

By David Bisson, 29/11/2017, on The State of Security

Malicious actors are exploiting a 17-year-old vulnerability to infect machines with malware using a component of the Cobalt Strike penetration tool.
An attack under this campaign begins when a user receives a spam email purporting to come from Visa and announcing a change to its payWave service in Russia. The email comes with a password-protected archive named “Изменения в системе безопасности.doc Visa payWave.doc.” Those behind this operation might have protected the archive with a password to lull the user into a false sense of security and thereby trick them into believing that Visa took precautions to protect the contents of the document.
Fake Visa notification email in Russian. (Source: Fortinet)
However, the archive is merely a distraction. The main focus of this attack email is a malicious RTF document that, when opened, exploits CVE-2017-11882, a 17-year-old arbitrary code execution vulnerability that Microsoft patched in mid-November 2017. This exploit triggers an obfuscated JavaScript payload that executes an obfuscated PowerShell script, which then downloads another PowerShell script and executes it to load Cobalt Strike in memory.
From there, the attacker can seize control of the infected system and potentially move laterally in the network.
Encoded and decoded PowerShell script downloader. (Source: Fortinet)
Fortinet security researchers Jasper Manual and Joie Salvio explain that this campaign reveals the danger of users not patching their systems against known vulnerabilities on a timely basis:
Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this. This goes both for new and old vulnerabilities, whether they have been published or not. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years. This may have come from an assumption that there are still a significant number of users out there that don’t take software updates seriously, which sadly, is far too often the case.
To protect against attacks such as these, users should update their systems regularly, and organizations should invest in a vulnerability management solution that can help them detect and prioritize all known bugs.
For information on how Tripwire’s solutions can help strengthen a company’s vulnerability management program, click here.

Thursday, November 23, 2017

One in 25 Searchable ‘Black Friday’ Apps Blacklisted as Malicious, Finds Report

Black Friday is a big day for shoppers. In 2016, 154 million consumers shopped over Thanksgiving weekend and spent $9.36 billion, constituting a year-over-year increase of 16.4 percent.
More than half of that money spent ($5.27 billion) occurred online. Building on those figures, Black Friday 2017 looks like it will be even bigger than in previous years. Forbes forecasts consumer spending over the holiday weekend will increase by 47 percent.
Given the amount of money involved, it’s not a surprise that threat actors prey on shoppers around Black Friday. These bad actors leverage phishing pages, malicious apps and malware to make off with unsuspecting users’ credit card information.
They also steal access to people’s email and social media accounts, so that they can potentially exfiltrate sensitive information and launch secondary attacks against victims’ family, friends and contacts.
To help protect users this holiday season, RiskIQ ran a keyword query of the RiskIQ Global Blacklist and mobile app database, a tool which consists of 2 billion daily HTTP requests, 783 global locations across more than 100 countries, 20 million mobile apps, and 300 million domain records.
It looked specifically for instances of the brand names of the five leading e-tailer brands in the U.S. that appeared alongside “Black Friday” in blacklisted URLs or cause-pages (pages that send users to pages hosting malicious resources).
With respect to the mobile platform, the San Francisco-based security firm found that four percent (one in 25) of the 4,356 mobile apps it discovered were blacklisted as malicious.
At least 15 of those apps contained both the branded terms and “Black Friday.” Outside the holiday weekend, RiskIQ discovered a combined total of 32,000 blacklisted apps for the five leading brands.
RiskIQ 2017 Black Friday e-Commerce Blacklist, page 2. (Source: RiskIQ)
Lou Manousos, CEO of RiskIQ, says that malicious actors go to great lengths to conceal their mobile programs’ true functionality:
“Savvy threat actors will use convincing branding, language, and URLs to make their apps and landing pages more realistic and more difficult for users to quickly authenticate. However, many of the schemes that leverage popular brands during the Black Friday season depend on user indiscretion. These blacklisted apps and landing pages are often meant to mimic legitimate ones, but if scrutinized, telltale signs become apparent.”
Manousos notes that users can protect themselves against these malicious apps by downloading programs from only official app stores, looking out for suspicious or inconsistent permissions, taking an app’s good reputation with a grain of salt, and exercising caution around programs created by unknown developers that exhibit poor grammar and spelling errors.
Bad actors don’t limit their “Black Friday”-themed campaigns to mobile, however. In its 2017 keyword search, RiskIQ also found 19,218 cause-page URLs that contained “Black Friday” and 10,175 blacklist URLs that carried a “Black Friday” theme.
RiskIQ 2017 Black Friday e-Commerce Blacklist, page 3. (Source: RiskIQ)
Users can protect themselves against these types of web-based threats by verifying the domain of a website, not providing credit card information unless they’re sure they’re on a secure shopping portal, and looking for “S” in “HTTPS” before they submit any financial or personal information.
RiskIQ’s CEO feels that brands also have a part to play:
“The onus is now on brands to protect their customers and prospects by making sure that their brand is not being abused across the web and mobile space. It’s crucial that retailers monitor and police the distribution and use of apps and websites using their branding, awareness that requires internet-scale visibility into how their brand is being used across the web and mobile app ecosystem. Aside from making sure there are no blacklisted apps and sites leveraging their brand, businesses should be making known threat campaigns leveraging their brand public as a warning to consumers.”
For advice on how to defend against other digital threats that prey upon users around Black Friday, click here.

Friday, November 17, 2017

Cryptocurrency Miner among October’s 10 Most Wanted Malware


A cryptocurrency miner has earned its place on a list of the top 10 most wanted malware for the month of October 2017.
The browser-mining service in question goes by the name “CoinHive.” It’s a piece of JavaScript that site owners can embed into their websites. Whenever a user visits their domain thereafter, CoinHive activates and begins mining for Monero, a cryptocurrency that already has a history with cryptominers such as MineCrunch.
Site owners commonly keep cryptocurrency miners a secret from visitors. This is a problem, as mining for cryptocurrency is resource-intensive. In October 2017, Check Point found that this process can consume as much as 65 percent of an unsuspecting user’s CPU, thereby degrading their computer’s performance. For that reason, the software provider decided to award CoinHive 6th place on its list of the 10 most wanted malware for the month.
Check Point feels it has just reason to do so:
“Crypto mining is emerging as a silent, yet significant, actor in the threat landscape, allowing threat actors to extract substantial profits while victims’ endpoints and networks suffer from latency and decreased performance. The emergence of Seamless and CoinHive once again highlights the breadth and depth of the challenges organizations face in securing their networks against cyber-criminals.”
Coinhive. (Source: Malwarebytes)
Meanwhile, a malvertising campaign known as RoughTed and Locky ransomware earned first and second place on Check Point’s list, respectively. They were joined by Seamless Traffic Distribution System (TDS) at third place. This malware redirects users to a malicious web page that exposes them to an exploit kit. If that program locates a software vulnerability it can exploit, it downloads additional malware onto the victim’s machine.
Researchers at Check Point are urging organizations to be on the lookout for threats like TDS:
“There is no doubt that this new form of malware is here to stay, which highlights the need for advanced threat prevention technologies. This should involve a multi-layered cybersecurity strategy that protects against both established malware families and brand new, zero-day threats.”
To learn how Tripwire’s vulnerability management and other threat prevention solutions can help protect your organization, please click here.
In the meantime, users can protect themselves against JavaScript-based cryptocurrency miners by using a browser add-on like NoScript to block JavaScript on all unfamiliar sites they visit.

Thursday, November 2, 2017

46.2 Million Mobile Numbers Leaked Online after Malaysian Data Breach

By David Bisson, 01/11/2017, on The State of Security

46.2 million mobile numbers have appeared online following a data breach that affected several Malaysian telecommunication companies.
The incident involves 15 Malaysian telcos and mobile virtual network operators (MVNOs). Included in the leak are customers’ mobile numbers along with their personal and device information. Of note, those exposed details contain customers’ IMEI and IMSI numbers, which can identify a device and its SIM card.
A screenshot of one of the affected telco’s customer database. (Source: Lowyat.net)
Malaysian Internet forum and technology magazine website Lowyat.net first learned of the breach in mid-October 2017 when it received a tip that someone was attempting to sell several large databases of personal information on its forums. It subsequently decided to review the databases. This analysis revealed the telco customer database along with three databases belonging to the Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA), and the Malaysian Dental Association (MDA).
Lowyat.net notified the Malaysian Communications and Multimedia Commission (MCMC) at the time of publication. A day later, the MCMC requested that the technology magazine website take down the original article. But a day after that, on 20 October, the Commission published a statement on Facebook confirming an ongoing investigation into a data breach involving several telcos. Lowyat.net’s original article reappeared that same day.
In a subsequent post, Lowyat.net reveals the breach likely occurred back in May and July 2014. It’s therefore difficult to determine how long the data has been available for sale on the web or how long the hackers maintained access to the affected companies’ systems. Those responsible for the attack might have spent years gathering all that information.
Dr. Mazlan Ismail, the chief operating officer of the MCMC, said the Commission is currently working with all Malaysian telecommunication companies to determine how the data breach occurred. As he told Malay Mail Online:
“This is to ensure that they understand what is happening now, especially when the police, through the Commercial Crime Investigation Department, visit them to investigate. Communications services cannot escape the security aspects, [service providers] must work together, and safety features are important to gain the trust of consumers.”
Meanwhile, Lowyat.net is asking all telco companies implicated in the breach to begin replacing affected customers’ SIM cards.
With a population of 32 million, it’s possible the breach affected the entire country of Malaysia along with foreigners who might have received a pre-paid number while traveling there.

Monday, 16 October 2017

New Netflix Phishing Attack Goes after Users’ Credit Card Credentials

DAVID BISSON
On 11/10/2017 at The State of Security

A new Netflix phishing attack leverages fake emails from the streaming service to trick users into handing over their credit card credentials.
The attack starts when a user receives an email from what appears to be Netflix warning them that they need to update their membership information.
An example attack email received in the Netflix phishing campaign. (Source: PhishMe)
“Dear Valued Customer, We Would like to inform you that you have to update your account details. Your membership will automatically continue as long as you choose to remain a member, we won’t charge you. Update Cheers, The Netflix Team.”
You can see that the sender email address, support@onlineorders[.]desk-mail[.]com, has nothing to do with Netflix. So it’s not surprising that clicking on the “Update” link leads somewhere other than the streaming service. In fact, it directs the user to hxxp://see-all[.]norafix[.]com/, a location which immediately redirects them to the subdomain hxxp://account[.]norafix[.]com/ch/customer_center/customer-IDPP00C274/js/?country.x=&locale.x=en_.
That page prompts the user to enter their Netflix credentials followed by their payment card details.
The Netflix phishing scheme’s credit card info-stealing page. (Source: PhishMe)
Once it’s succeeded in stealing that information, the scam confirms that the user’s account is now updated. It then provides them with a link to Netflix’s actual homepage.
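The two tells the article walks through (a sender domain and an “Update” link domain that do not belong to the brand named in the message) can be turned into a simple mail-filter check. The following is an added example, not code from the original article or from PhishMe; the brand domain list and the sample message are constructed assumptions modelled on the indicators quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the impersonated brand legitimately sends from and links to
# (assumption for this example; a real filter would load a maintained list).
BRAND_DOMAINS = {"netflix": {"netflix.com"}}

# Constructed sample modelled on the lure described in the article; the
# defanged sender address and link are the indicators quoted above.
SAMPLE_EMAIL = """\
From: Netflix <support@onlineorders[.]desk-mail[.]com>
Content-Type: text/html

<p>Dear Valued Customer, We Would like to inform you that you have to update your account details.</p>
<a href="hxxp://see-all[.]norafix[.]com/">Update</a>
"""

def refang(text):
    """Turn defanged indicators (hxxp, [.]) back into parseable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def registrable(host):
    """Crude registrable-domain guess: last two labels (no public-suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])

def find_brand(text):
    # First brand whose name appears in the display name or body, if any.
    return next((b for b in BRAND_DOMAINS if b in text.lower()), None)

def analyse(raw):
    """Flag sender and link domains that do not belong to the brand the
    message claims to come from. Returns a list of (finding, domain)."""
    msg = message_from_string(refang(raw))
    body = msg.get_payload()
    display_name, addr = parseaddr(msg.get("From", ""))
    brand = find_brand(display_name + " " + body)
    if brand is None:
        return []  # no brand claimed, nothing to compare against
    findings = []
    sender_host = addr.rpartition("@")[2]
    if registrable(sender_host) not in BRAND_DOMAINS[brand]:
        findings.append(("sender-domain-mismatch", sender_host))
    for href in re.findall(r'href="([^"]+)"', body):  # double-quoted hrefs only
        host = urlparse(href).hostname or ""
        if registrable(host) not in BRAND_DOMAINS[brand]:
            findings.append(("link-domain-mismatch", host))
    return findings
```

Run against the sample, `analyse(SAMPLE_EMAIL)` reports both the desk-mail[.]com sender and the norafix[.]com link; a message from netflix.com linking to www.netflix.com yields no findings.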
So what happens then?
Well, the attacker could abuse the user’s stolen credentials to gain access to Netflix content for free. They could also leverage the credit card information to make fraudulent purchases. But they could also reuse the stolen login details in an attempt to gain access to some of the user’s other accounts.
PhishMe senior threat analyst Chase Sims elaborates on this scenario:
“So now the attacker hopes that you reuse the same password for your personal email account or, if the attacker is very lucky, for your work email account. In either case, they can now reset passwords for various other online services—banking, healthcare, social media—to pivot and carry their attack forward.
“One reason this tactic could succeed: a lot of companies might not enforce two-factor authentication for their single-sign-on services, which means reused credentials might be a skeleton key for multiple corporate services.”
This isn’t the first Netflix phishing scheme to surface on the web, and it certainly won’t be the last. With that in mind, users should make an effort to familiarize themselves with some of the most common social engineering ruses out there so that they can spot a potential attack. They should also exercise caution around suspicious links and email attachments, verify the legitimacy of a web domain before entering any login or financial information, and enable multi-factor authentication on any and all accounts that allow it.