Cyber Round-up for 23rd November
Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week and handpick some of the news, posts, views, and highlights from the world of Security.
Holiday Season Shopping Scams
The holiday season has officially kicked off and these days it all starts with Thanksgiving Day in the US. The online shopping frenzy begins with the Black Friday sales, runs through Christmas and typically concludes in the New Year at the end of the Boxing Day sales (or it does in the UK at least).
With the increase in online spend comes the inevitable wave of online shopping scams that try to steal your personal information and credit card details. As more and more people seek out the ultimate shopping deal, it is easy to lose focus and fall foul of one of these scams that promise the best deal or biggest discount on products.
Black Friday sales started the end of last week in the UK, and by the weekend we had already seen several scams hitting social media. Be aware that these scams can be delivered using a number of different methods, including email, fake web pages, fake Facebook posts and pages, fake smartphone apps, hoax coupons and gift cards, and WhatsApp / SMS messaging campaigns.
Email phishing and spam campaigns remain the biggest source of Cyber threats today, and this is no different here. Talos Intelligence report that last year 71% of emails that included references to Black Friday and the following Cyber Monday sales were classified as spam.
Messaging platforms such as WhatsApp are also not immune. One such scam that has been circulating advertises huge discounts of up to 99% at Amazon, but redirects its victims to a fake page in order to steal their information.
As always please stay vigilant, especially through this heightened period. Below are a few pointers to help you stay safe:
- Do not click on links from untrusted sources that may appear in emails, messages, posts, or web pages.
- Be extra cautious when advertised deals look too good to be true.
- Watch out for links that send you to addresses not associated with the company being advertised, e.g. a link shortener such as http://rebrand.ly instead of https://amazon.com or https://amazon.co.uk.
- Look for spelling or grammatical errors in the scams and their associated links.
- Always use complex passwords that are different for each site.
- Where available, enable two-factor authentication / two-step verification on your accounts.
- IF IN DOUBT, never click the link or enter your personal details or login credentials.
- If you think you may already have been the victim of a scam, immediately change your password and contact the site’s fraud department to report the possible account breach.
Stay safe and Happy shopping.
Amazon Customer Information Leak
Amazon have been contacting certain customers in the US and UK this week, informing them of a technical error on the website that has leaked their name and email address.
Hello, We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action. Sincerely, Customer Service http://Amazon.com
The first impression of customers receiving this email (shown above) was that it was suspicious, looking like a badly written phishing email that was simply missing the link to the phishing site. The email content is very brief and provides no real information about what has occurred. Even Amazon’s own customer service department, when contacted, thought this was a phishing attempt.
After some digging it was found that this is in fact a real email from Amazon. Amazon themselves have confirmed the leak, reporting that the issue has been resolved and that all customers impacted by this information disclosure have been contacted.
According to Amazon this is not the result of any action by the customer, and impacted customers do not need to change their password.
Amazon need to take a close look at their notification process to ensure that future emails do not look like just another scam.
Data Breach at Vision Direct
Magecart has struck again, this time attacking the website of Vision Direct, an online provider of contact lenses. The attack has resulted in the loss of data for any users that created accounts, logged in or made payments on VisionDirect.co.uk between the 3rd and 8th November 2018.
Stolen data included both personal and credit card information entered while updating accounts or completing online purchases. Unfortunately, full credit card information, including CVV numbers for Visa, Mastercard and Maestro cardholders, will have been compromised.
Magecart works by embedding third-party JavaScript into the web pages of the compromised site. The script collects data as it is typed into online forms and siphons it off to a remote Command and Control (C2) server.
As this is a real-time capture of information as it is entered, existing information already stored in the Vision Direct database will not have been compromised. Vision Direct have confirmed that the incident has since been resolved, and they are contacting those customers impacted by this issue directly.
If you believe you have been affected by this breach, you should reset your account password and report it to your credit card provider, so your cards can be cancelled and replaced.
A Tripwire blog post recently stated that 20% of online stores compromised by Magecart are likely to be re-infected within days of cleaning up the previous infection, with one store reportedly being infected up to 18 times.
If you are running an online payment site, you should seriously consider deploying Content Security Policy (CSP) and Subresource Integrity (SRI) to control which scripts run on your website and where they can send data, so that an injected or tampered script is refused by the browser rather than silently executed.
For more information Scott Helme has some excellent technical blog posts on this subject.
Link to Vision Direct Data Theft notification: https://www.visiondirect.co.uk/customer-data-theft
Dark Web Hosting Provider Hacked
It seems that not even Dark Web sites are immune from hacking these days. A popular Dark Web hosting provider, Daniel’s Hosting, has been crippled by an attack, taking down the entire service which hosted more than 6,500 websites.
The hack reportedly took place on the 15th November, when a malicious actor gained access to the backend database and deleted all accounts, including the root account. As this service hosted nefarious websites such as malware operations and command and control services, it is a matter of opinion whether this act was a good or bad thing.
Daniel Winzen, who ran what was the largest hosting service on the Dark Web, has stated that all data for the hosted sites is now lost, and that he might re-enable the service once the vulnerability has been identified and resolved.
It is not yet clear what vulnerabilities may have been exploited to accomplish this attack, but a zero-day PHP vulnerability, which gained attention the day before, could have been a candidate.
This is not the first time a Dark Web hosting service has been the victim of a take down. In 2017 the hacktivist collective Anonymous took down the Freedom Hosting II service.
And that’s it for this week, please don’t forget to tune in for our next instalment.
To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList
You can also follow us using the social media links provided.
If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview
Ironshare – Security Simplified
Edition #18 – 23rd November 2018