This week in Breaches!

full frame shot of abstract pattern

Photo by Sabrina Gelbart on Pexels.com

 

This week shows no shortage of targeted attacks designed to extract large datasets from a broad range of consumer sites.  Travel, finance and entertainment sites were targeted, impacting more than 100,000,000 unsuspecting victims.  If anything, this week clearly demonstrates why individuals need to proactively monitor for their compromised data with tools like our SpotLight ID – Personal Identity & Credit Monitoring Solutions.  The events of this week also clearly demonstrate why businesses must monitor for compromised credentials that can be used to exploit internal systems and to compromise or takeover customer accounts.

Highlights:

  • Leaked credentials from a 3rd party data breach used to exploit 45,000 Transamerica customers 
  • No Tickets for You! – TicketFly shuts down to identify and fix the source of leak impacting 26M customers
  • Booking.com shows that phishing attacks never take a vacation
  • Google Groups – taking a page right out of Amazon’s leaky bucket playbook?

In other news…

The City of Atlanta’s losing streak continues thanks to ransomware hacks! This time, the city’s evidence chain of custody breached, allowing police evidence to be destroyed – impacting investigations and prosecutions.
https://cyware.com/news/atlanta-ransomware-attack-destroyed-years-of-police-dashcam-footage-potentially-critical-evidence-9e8134ac

Europol has a new team dedicated to cybercrime on the Dark Web, hoping to monitor and mitigate criminal activity. Multiple law enforcement agencies throughout Europe are participating in this team, in addition to some non-European organizations. Keep fighting the good fight!
https://www.welivesecurity.com/2018/06/01/europol-eu-team-fight-dark-web/

Google Groups can’t get its act together when it comes to privacy settings, resulting in accidental disclosure of users’ private documents. If your business uses Google Groups, make sure to set your group to private!
https://www.securityweek.com/thousands-organizations-expose-sensitive-data-google-groups

It looks like there’s more than just gators to watch out for in the sunshine state… Florida named the worse state in consumer cybersecurity.

https://www.darkreading.com/vulnerabilities—threats/survey-shows-florida-at-the-bottom-for-consumer-cybersecurity/d/d-id/1331983


 What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

TicketFly

Exploit: Database misconfiguration, hacker doxing/ransoming

Risk to Small Business: High: Demonstrates the impact of database misconfiguration and security controls.
Risk to Exploited Individuals: High: Social engineering and identity theft as a large amount of personal information including names, addresses and phone numbers of customers were leaked.
TicketFly: Owned by Eventbrite, TicketFly is a popular site where customers can purchase tickets online for upcoming events and shows.

Date Occurred
Discovered
May 30, 2018
Date Disclosed TicketFly made an official statement on June 6, 2018
Data Compromised Email addresses, Phone Number, Billing Address and Home Addresses
How it was Compromised A hacker attempted to contact the company about a vulnerability, demanding 1 Bitcoin as ransom to reveal the weakness. The hacker claims the emails to the company went unanswered so the cybercriminal vandalized the TicketFly site and leaked some of the information acquired to the press.
Customers Impacted
26 million, and even more if you consider the customers who are unable to buy tickets while the site has been down.
Attribution/Vulnerability Undisclosed at this time.

https://www.marketwatch.com/story/ticketfly-breach-may-have-exposed-data-of-26-million-customers-2018-06-03

MyHeritage

Exploit: Unsecured/misconfigured data store. Poor data at rest encryption. Poor password encryption.
Risk to Small Business: High: Demonstrates the impact of database misconfiguration, security controls and weak encryption.
Risk to Exploited Individuals: Moderate: Email addresses leaked but DNA/family history data supposedly stored separately.
MyHeritage: Users search historical records and create a family tree using this web-based service from Israel.

Date Occurred
Discovered
October 26, 2017
Date Disclosed June 4, 2018
Data Compromised
All email addresses and hashed passwords of users up to October 26, 2017
How it was Compromised
The CISO of MyHeritage received a message from a researcher that he had found a great deal of MyHeritage’s data on a server not connected with the site. The CISO confirmed that the data originated from their site but exactly how the data was acquired is not clear as of now.
Customers Impacted
92,283,889 Users
Attribution/Vulnerability Unclear, but MyHeritage did not store passwords, instead of storing a one-way hash of each password that has a key unique to each user. All credit card information is located on third party sites and the most sensitive information the website holds such as family tree and DNA data is stored in segregated systems with additional layers of security.

https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/#

https://motherboard.vice.com/en_us/article/vbqyvx/myheritage-hacked-data-breach-92-million

Transamerica
Exploit:  Compromised credentials
Risk to Small Business: High: Demonstrates the need to proactively monitor for compromised credentials from 3rd party data breaches and phishing attack mitigation.
Risk to Exploited IndividualsHigh: Highly sensitive personal information was stolen and could be used to impersonate an employee; or an outside agent could pose as a relative of an employee to phish for information

Transamerica: This company offers mutual funds, retirement strategies, insurance, and annuities.

Date Occurred
Discovered
Between March 2017 and January 2018
Date Disclosed May 2018
Data Compromised
Names, Addresses, Social Security Numbers, DOB, Financial data And Employment Information
How it was Compromised Third party compromised credentials were used to access user’s account data
Attribution/Vulnerability Outside actor

https://cyware.com/news/transamerica-hacked-nearly-45000-retirees-personal-and-sensitive-details-stolen-c2c419f5

https://www.theregister.co.uk/2018/06/05/transamerica_retirement_plan_hack/

Booking. com
Exploit: Phishing

Risk to Small Business Risk: High: Demonstrates how well-crafted phishing attacks can lead to massive data loss even with strong end-user security awareness training program and security tools in place.

Risk to Exploited Individuals: High: Money was stolen from the individuals who responded to the convincing email, and their stolen personal information could be used again.

Booking. com: A popular site for booking hotels, houses, apartments and boats.

Date Occurred
Discovered
June 2018
Date Disclosed June 3, 2018
Data Compromised Names, Addresses, Phone Numbers, Dates, Price of bookings and Reference Numbers
How it was Compromised
Certain properties of Booking.com received a link that detailed a security breach and urged them to change their password. Once the link was clicked the hackers had access to booking information that they used to send highly convincing phishing emails to customers asking for advance payments. The emails contained booking and pricing info for previously booked rooms, making the emails almost indistinguishable from an actual email from the company. The company reported that there was no compromise on their systems and that any customers who lost money due to the incident will be reimbursed.
Attribution/Vulnerability Outside actors, deployed through spam email campaign

https://www.independent.co.uk/travel/news-and-advice/travel-website-hackers-cyber-crime-phishing-holidays-a8382771.html

https://www.thesun.co.uk/money/6437309/hackers-target-booking-steal-thousands/

https://www.scmagazine.com/cybercriminals-phish-bookingcom-customers-after-possibly-breaching-partner-hotels/article/771091/

PageUp
Exploit: Malware
Risk to Small Business Risk: High: Demonstrates that malware exploits are often very difficult to detect and defend against.

Risk to Exploited Individuals: High: It is unclear what information has been compromised and from which customers of PageUp, but given the nature of the company and the information they store, the risk is serious.

PageUp: A large Australian company that provides HR, career, and recruitment service to large and small businesses around the world.

Date Occurred
Discovered
May 23, 2018
Date Disclosed June 6, 2018
Data Compromised Unclear, but passwords were hashed and salted
How it was Compromised
The investigation into the breach is ongoing, but due to the new implementation of GDPR in Europe and Australia’s Notifiable Data Breaches Scheme, PageUp disclosed the breach in compliance with the laws.
Attribution/Vulnerability Malware was found on one of PageUp’s IT systems, but how the malware entered the system is still being investigated

https://www.bleepingcomputer.com/news/security/malware-infection-at-hr-company-triggers-flurry-of-data-breach-notifications/


An important takeaway from this week finds its origin in research done by Dr. Michael McGuire, funded by Bromium and titled ‘The Web of Profit’ : The unfortunate truth is that crime does pay.Cybercrime produces 1.5 Trillion each year, which rivals Russia’s GDP and would place cybercrime at number 13 in a comparison of the world’s highest gross domestic product. $500 Billion of that can be contributed to intellectual property theft and data trading accounts for $160 Billion.

The scope of cybercrime profits and influence points to the conclusion that it is an economy in and of itself, a conclusion that is supported by the growth of platform criminality. Platform criminality is much like the business models of platform businesses such as Google, Uber, or Amazon that trade in data. Data is a profitable business as demonstrated by these famous companies (or at least two of them), and criminals have taken note.

Using the Dark Web as a means of facilitating transactions, cyber criminals are able to buy and sell anything from data to a day-zero exploit. The main takeaway from looking at how cybercrime has evolved is that cyber criminals are selling crime rather than committing it. Much like how Uber is selling a platform where drivers are paired with passengers, criminals are selling the tools and data needed to commit cybercrimes over ‘back alley’ marketplaces.

The research done by Dr. McGuire also highlights the importance of monitoring the Dark Web for personal information, stating:

New kinds of software tools are required for uncovering how cybercriminals are using digital technologies for hiding and laundering revenues. One example would be virtualization tools that can generate safe havens, isolated from the internet, where illicit revenue-generating activity can be diverted and neutralized. Another would be more sophisticated scanning tools capable of better tracking and locating items of value across the net – in particular, personal data”(125).

The Dr. also concluded that while Dark Web monitoring is vital to combatting the economy of cybercrime, it is far from an easy task. The difficult nature of monitoring the Dark Web is not just because it is harder to navigate than the traditional web… explains McGuire, it is “because many of the sites only grant access by word of mouth, or on the basis of ratings status and trust, which may take some time to build up” (57). The Dark Web and the economy surrounding it is nothing to take lightly, and ignoring its existence only adds to the ability for cyber criminals to go about their work unscathed. Dark Web ID by ID Agent fulfills this need for Dark Web monitoring, instead of turning a blind eye to the complex and dynamic reality of the cybercrime economy our services dive right in.

https://learn.bromium.com/rprt-web-of-profit.html

https://www.darkreading.com/cloud/cybercrime-is-skyrocketing-as-the-world-goes-digital/a/d-id/1331905

Advertisements

About Vic Levinson
Telecommunications and IT professional with over 25 years experience in Business Technology Solutions. Specializing in managed technologies solutions : hosted VoIP, cyber security, help desk, remote monitoring and maintenance, cloud work space and - the works. Founded Prime Telecommunications in 1993 and providing business communications solutions. Cloud Applications- everything from hosted network security, hosted Disaster Recovery, hosted printer management, data centers and colocation solutions for businesses.

Comments are closed.

%d bloggers like this: