This Last Week in Breach

 

This week, Amazon experienced technical issues, and cybersecurity culture isn’t where it needs to be in 95% of organizations.

Dark Web ID Trends:
Top Source Hits: ID Theft Forums (98%)
Top Compromise Type: Domains
Top Industry: Manufacturing
Top Employee Count: 11-50 employees (36%)


Global Breach – Amazon
https://www.theregister.co.uk/2018/11/21/amazon_data_breach/

Exploit: Technical error.
Amazon: Online shopping behemoth. Amazon is based out of Washington in the United States.

correct severe gauge Business Risk: 2.333 = Severe: Customers get concerned when they receive an email that informs them that their data has been disclosed, and despite the problem being a technical issue rather than an external actor hacking into the network, the image of the organization is still tarnished.
correct moderate gauge Individual Risk: 2.857 = Moderate: Those affected by this breach are at an increased risk of phishing attacks. When people are addressed by their name or if there is any personal info in a phishing email, it is more likely to opened.

Customers Impacted: Unclear at this time.
How it Could Affect Your Business: The severity of this breach is not the most damaging part, contrary to most breaches. In fact, the most damaging part of this breach has been Amazon’s poor transparency which causes speculation and paints the organization in a very negative light. The behavior of the company indicates that if a seriously damaging breach were ever to occur, they would not be transparent to their customers.

ID Agent to the Rescue: Spotlight ID by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach of this type. Learn more: https://www.idagent.com/identity-monitoring-programs

Risk Levels:
1 – Extreme Risk
2 – Severe Risk
3 – Moderate Risk
*The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.

United States – Make-A-Wish Foundation

https://threatpost.com/cryptojacking-attack-targets-make-a-wish-foundation-website/139194/

Exploit: Crypto jacking.
Make-A-Wish Foundation: Non-profit that arranges for children with critical illnesses to have experiences they would not be able to otherwise.

correct severe gauge Business Risk: 2.333 = Severe: The negative public image associated with being breached does not give a break to even the most just of causes, non-profit or for profit. Those who have visited the Make-A-Wish foundation international site have been lending CPU power to mine for cryptocurrency which will deter visitors in the future.
correct moderate gauge Individual Risk: 3 = Moderate: No information related to the individual has been compromised.

Customers Impacted: Unclear at this time.
How it Could Affect Your Business: While the personal data of customers was not accessed or breached, the site itself has been stealing CPU power from those visiting the site in order to mine cryptocurrency. This would affect how many customers would use a site, and also is a prime example that non-profit organizations are not immune to being targeted by hackers.

ID Agent to the Rescue: ID Agent offers Dark Web ID™ which discovers compromised credentials that could be used to implement a crypto jacking script. Make sure your credentials are safe; for more information go to https://www.idagent.com/dark-web/

Risk Levels:
1 – Extreme Risk
2 – Severe Risk
3 – Moderate Risk
*The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.


In Other News:

Dark Web Down 

One of the largest hosting services for Dark Web sites has been hacked, with devastating results to the sites that used the service. 100% of the accounts hosted by Daniel’s Hosting were deleted, including the root account. Over 6,500 Dark Web sites were hosted by the service and it is unlikely they will see their data again.
https://www.zdnet.com/article/popular-dark-web-hosting-provider-got-hacked-6500-sites-down/

What We’re Listening To

Know Tech Talks
The Continuum Podcast
Security Now
Defensive Security Podcast 
Small Business, Big Marketing – Australia’s #1 Marketing Show!
TubbTalk – The Podcast for IT Consultants
Risky Business
Frankly MSP
CHANNELe2e

National Computer Security Day is Upon Us 

Friday the 30th of November is National Computer Security Day, and the perfect chance for you to convey what it means for your clients to have good cyber hygiene! Offering tips makes both of your jobs easier. Starting this conversation not only shows your expertise as their MSP but it gives clients real examples of how your other security services will protect their network and pair well in their current security stack.



Do It for The Culture
According to a report by ISACA, 95% of organizations find there is a gap between their desired culture surrounding cybersecurity and what their culture actually looks like. This is concerning, especially because 87% of those surveyed said that their organization would be more profitable if their cybersecurity culture improved.

What is causing this gap? A variety of factors come into play, including a lack of understanding on the part of leadership, lack of funding, and a lack of employees respecting the cybersecurity procedures.

With the holidays approaching and employees shopping across the web, now is the perfect time to reinforce cybersecurity culture at your organization. A breach on a popular retail site could lead to a breach within your organization if employees use the same passwords at work and home.

http://www.isaca.org/SiteCollectionDocuments/Cybersecurity-Culture-INFOGRAPHIC.pdf

Advertisements

The week in BREACH!!

Success Rate of Phishing by Day

 

This week you’ll hear how a supply chain attack could snatch your customers’ credit card information right from underneath you and why Google+ goes bye-bye.

Dark Web ID Trends:

  • Total Compromises: 974
  • Top Source Hits: ID Theft Forum (501)
  • Top PIIs compromised: Domains (973)
    • Clear Text Passwords (498)
  • Top Company Size: 11-50
  • Top Industry: High-Tech & IT

United States – Shopper Approved
https://www.zdnet.com/article/new-magecart-hack-detected-at-shopper-approved/
Exploit: Malicious code.
Shopper Approved: Utah-based company that provides a review widget for other companies’ websites, that allows customers to post reviews.
Risk to Small Business: 2.111 = Severe: This is another attack conducted by one (or more) of the several groups who operate under a similar style, given the term Magecart as a general identifier. Magecart is also responsible for the hacking of Ticketmaster and British Airways.

If your business uses Shopper Approved, you should remove the code from your website immediately.

Individual Risk: 2.428 = Severe: Those affected by this breach should cancel their credit cards and enroll in a credit monitoring service.
Customers Impacted: Unclear how many customers were affected by this breach, but only sites with the widget code on their checkout pages had credit card information compromised. The incident only lasted 2 days before being discovered, a much shorter span than many of the other Magecart breaches.
How it Could Affect Your  Business: A breach of this kind can often go unknown for a long period of time while the hackers collect valuable user data and credit card information. Even though it is a third party who was breached, it will be your business that takes the PR damage.
ID Agent to the Rescue: Spotlight ID™ by ID Agent offers comprehensive identity monitoring that also includes credit monitoring. Learn more: https://www.idagent.com/identity-monitoring-programs
Risk Levels:
1 – Extreme Risk
2 – Severe Risk
3 – Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

United States – Rebound Orthopedics and Neurosurgery
https://cyware.com/news/hackers-hit-rebound-orthopedics-neurosurgery-2800-patient-records-compromised-026125d8
Exploit: Compromised employee credentials.
Rebound Orthopedics and Neurosurgery: Vancouver-based orthopedics and neurosurgery practice.
Risk to Small Business: 1.555 = Severe: This breach would have a long-lasting effect on customer trust for any business, and in many countries the government will fine an organization heavily for failing to secure health data.
Individual Risk: 2.142 = Severe: Health information is valuable data for hackers and useful for identity theft. Those affected by this breach are at a severe risk for insurance fraud and identity theft.
Customers Impacted: 2800.
How it Could Affect Your Business: Organizations that store health information are held to a higher standard for securing data due to the sensitive nature of the information and HIPAA laws. When an organization fails to keep the data secure, it reflects very poorly on the company and usually results in a fine from the government.
ID Agent to the Rescue: Spotlight ID by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach such as this. Learn more: https://www.idagent.com/identity-monitoring-programs
Risk Levels:
1 – Extreme Risk
2 – Severe Risk
3 – Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


In Other News:

Google –
Google+ will be shutting down, and yes Google+ is (or at least was) still around. After exposing more than 500,000 users’ data to external developers, the tech giant has decided the best course of action is to close down the failed social network. This move makes sense given the recent outrage against Facebook after the social media site exposed 50 million people’s data. An unfortunately fitting ending to the continuously failing website.
https://www.yahoo.com/news/google-exposed-user-data-feared-repercussions-disclosing-public-170304936–finance.html?soc_src=newsroom&soc_trk=com.apple.UIKit.activity.CopyToPasteboard&.tsrc=newsroom

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


A note for you:
e-mail….ware
New research has revealed that a whopping 90% of all malware is delivered via email. The team also discovered that the average employee will not go 48 hours without seeing a phishing message.  In addition, over half of the phishing messages examined used the word “invoice” in the subject line. A little under a quarter (21%) of the flagged emails also had malicious attachments sent with the phishing message.

Watch out for suspicious emails! All it takes is one employee to fall for a phishing email and an entire organization can be compromised.

https://www.darkreading.com/attacks-breaches/most-malware-arrives-via-email/d/d-id/1333023

 

Need to learn more about your Dark Web exposure? Click Here!

Want some free tools to combat phishing? Click Here

The Week In Breach

Passport Dar kWeb

Trends in data found on the Dark Web this week:

  • Total Compromises: 24,968
  • Top Source Hits: ID Theft Forum
  • Top PIIs compromised: Domains
    • Clear Text Passwords (24,884)
  • Top Company Size: 11-50
  • Top Industry: Construction and Engineering

Canada – Altima Telecom
https://techcrunch.com/2018/10/01/altima-telecom-server-flaw-customer-data-exposed/
Exploit: SQL injection attack.
Altima Telecom: Serving Montreal and Toronto, Altima Telecom is one of the largest independent Canadian internet service providers.
Risk to Small Business: 1.555 = Severe: As the risk score shows, this is a severe breach that could deal major damage to any organization. Payment info exposure is a particularly significant deterrent for customers looking to do business.
Individual Risk: 2.142 = Severe: Those affected by this breach are at an increased risk for identity theft and spam.
Customers Impacted: All of Altima Telecom’s customers.
How it Could Affect Your Business: Not only was all the organization’s customer data exposed by this breach, but the affected data was highly sensitive. This would sever trust between the customer and the organization, which could take a significant time to rebuild.
ID Agent to the Rescue: Spotlight ID™ by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach such as this. Learn more: https://www.idagent.com/identity-monitoring-programs
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

United States – Apollo
https://cyware.com/news/hackers-hit-apollo-stealing-database-containing-200-million-contact-records-d9c87501
https://techcrunch.com/2018/10/01/apollo-contacts-data-breach/
Exploit: Unclear at this time.
Apollo: New York-based sales engagement startup.
Risk to Small Business: 2 = Severe: This could deal a significant blow to an organization’s ability to retain customers.
Individual Risk: 2.428 = Severe: The customers affected by this breach will be at a higher risk for spam due to the nature of the data accessed.
Customers Impacted: 200 million.
How it Could Affect Your Business: A breach that exposes such a large number of customers will garner media attention and erode customer trust significantly.
ID Agent to the Rescue: Spotlight ID by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach such as this. Learn more: https://www.idagent.com/identity-monitoring-programs
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


In Other News:
The Chinese Chip
China was able to infiltrate US companies and governmental agencies with a simple but effective supply chain attack. The attack was discovered after Amazon had a third party examine the hardware of the servers they purchased from another American company that manufactures their servers in China. The company discovered a microchip on the servers that allow for attackers to make stealth doorways on their network. Hardware attacks are rarer and more difficult to execute than software attacks, but with China making 90% of the world’s PCs, they are in a good position to continue using hardware to infiltrate organizations across the world.

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show


Planning your next vacation may have just gotten weird… 

Where should I go? This is a normal question one thinks about when planning a trip. Should I go to white sandy beaches or breathtaking mountains?
When should I go? Do I visit family during the holidays, or do I plan a summer getaway?
Who should I be? This question is asked much less, but maybe more than you think. A recent study has uncovered startling secrets surrounding the passport market on the Dark Web!

  • The average cost of a passport scan on the Dark Web is $14.71.
  • Australian passport scans are the most common, but the average cost is the most expensive at $61.27.
  • The average price of a real physical passport is $13,567, while a counterfeit physical passport is just under $1,500 ($1,478).

The Dark Web is a place where black markets and illicit activity reign. In the depths of the Dark Web, identities are traded regularly and for a low price, so why leave the unknown unchecked? With Spotlight ID, know that your identity is safe even from the darkest corners of the Dark Web.
https://www.comparitech.com/blog/vpn-privacy/passports-on-the-dark-web-how-much-is-yours-worth/

The Week In Breach October 1 2018

 

 

Cyber awareness Match

 

This week Medical Data is on our minds, due to a new study on the healthcare industry and cyber security. Facebook and the United Nations were also breached this week, and both were very large datasets, impacting tens of millions of people.

Dark Web ID Weekly Trends:

  • Total Compromises: 861
  • Top Source Hits: ID Theft Forum
  • Top PIIs compromised: Domains
    • Clear Text Passwords: 501
  • Top Company Size: 11-50
  • Top Industry: High-Tech & IT

United States – Facebook

https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html

Exploit: Web vulnerability.
Facebook: Facebook is a social media platform that is one of the Internet’s most popular websites.
Risk to Small Business: 2.333 = Severe: The loss of trust any organization would feel after a breach of this magnitude would greatly harm the organization’s ability to retain or obtain customers.
Individual Risk: 2.571 = Moderate: The data accessed puts those affected by this breach at an increased risk for identity theft, spam and targeted phishing campaigns.
Customers Impacted: 50 million.

How it Could Affect Your Business: Facebook being such a large and widely-used social media platform means that it has data on a large amount of the population that uses the Internet. If employees post information to this site, they could now be open to targeted phishing campaigns and spam.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

United States – Aspire Health

https://www.usatoday.com/story/money/nation-now/2018/09/26/aspire-health-hacked-phishing-scheme-patient-health-data/1430262002/

Exploit: Compromised email account hacked through a phishing scheme.
Aspire Health: According to Aspire health website, “Aspire Health specializes in providing an extra layer of support and relief from stress, pain and symptoms to patients facing a serious illness.”
Risk to Small Business: 2.333 = Severe: The risk to small business is severe due to medical data as well as confidential information being accessed.
Individual Risk: 2.571 = Moderate: The data accessed puts those affected by this breach at an increased risk for identity theft.
Customers Impacted: This information has not been released as the investigation is ongoing.

How it Could Affect Your Business: Breaches that involve medical data can have serious long-lasting effects on the reputation of a business, due to the sensitive nature of the data.

ID Agent to the Rescue: Spotlight ID by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach such as this. Learn more: http://downloads.primetelecommunications.com/Dark-WeB

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

United Nations

https://cyware.com/news/united-nation-wordpress-site-publicly-exposes-thousands-of-resumes-2f2a8cf1

Exploit: WordPress Vulnerability.
United Nation: An intergovernmental organization tasked to promote international cooperation and to create and maintain international order.
Risk to Small Business: 2.333 = Severe: While the United Nations is unlikely to see any repercussions for this breach, a small business would face serious PR consequences if they experienced a breach such as this.
Individual Risk: 2.714 = Moderate Risk: Resumes contain a significant amount of personal information and job history, which can be used for spear phishing attacks and identity theft.
Customers Impacted: Resumes that have been submitted to the UN since 2016.

How it Could Affect Your Customer’s Business:  The exposure of resumes for 2 years would deal a serious blow to an organization of any size: the amount of time the data was exposed, and the type of data included in resumes makes this breach score severe on our risk score scale.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


In Other News:

No Fly Zone
The Dark Web is known to have all things illegal for sale, from medical information to illicit drugs. A new trend has been discovered by researchers where frequent flyer miles are being sold for significantly less than what legitimate buyers would pay. The average rate that a batch of frequent flyer miles sells for is $31, although the price depends on the airline and number of miles.
https://www.hackread.com/stolen-frequent-flyer-miles-of-top-airlines-sold-on-dark-web/

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


A note for you:

The Cost of Healthcare on The Dark Web.
We all know that compromised health records and other medical information is highly valuable and sought after on the Dark Web. A new study by JAMA helps us conceptualize the volume of medical information for sale, and how much your health records go for on the Dark Web.

The annual data breach tally has increased every year since 2010 (except for 2015). The median number of records accessed per breach: 2,300. The mean number of records accessed per breach: 84,456. With patient records selling on the Dark Web for $300 – $500, hackers could make close to $700,000 ($690,000) by breaching an organization that stores medical information.

Who in the healthcare sector was hit the hardest?

  • Healthcare providers: 1,503 data breaches or 37.1 million records
  • Health plans: 278 data breaches or 110.4 million records

Be careful where you allow your medical records to be stored!
https://www.hcanews.com/news/yes-healthcares-data-breach-problem-really-is-that-bad

The Week In Breach September 12 2018

The Week In Breach September 12

 

It’s been one bad week for “Spyware” app developers as their customers’ data is leaked for all to see!  It’s not just misconfigured AWS buckets you have to worry about, it’s your misconfigured Tor site that’s not so secure.

Highlights from The Week in Breach:

Tor Vulnerability?
Freedom of Information Act Fail.
iSpy, uSpy… mSpy.

In Other News:

The Mask Comes Off
You may be familiar with misconfigured databases, a common reason for a breach. When setting up a database, the Admin may forget to put a password in place or just create a simple one like 1234. But what you may not have heard of before is a Tor (The Onion Router) site that is misconfigured. That’s right, just like any other website, Tor sites that are misconfigured can expose the hosted public IP address. Because a Tor browser is used for accessing the Dark Web, a part of the web that thrives on anonymity, the exposure of one’s IP address greatly reduces this coveted privacy.
https://www.bleepingcomputer.com/news/security/public-ip-addresses-of-tor-sites-exposed-via-ssl-certificates/

Three is a Crowd
A pair of Russian hackers is causing some serious damage to former Soviet Republic countries’ financial institutions. The group, known as Silence, has stolen $800,000 in just the thefts reported. It is highly likely the group is responsible for other attacks, but because of how new the duo is, and the irregular frequency of their activity, it’s difficult to discern other hacks they may have perpetrated. The organization has access to unique, advanced malware, and demonstrates great knowledge about ATMs and the inner workings of banks. This leads researchers to believe that at least one of the two is an insider or only recently left the security industry.
https://www.darkreading.com/attacks-breaches/silence-group-quietly-emerges-as-new-threat-to-banks/d/d-id/1332742

Podcasts:

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


United States – United States Government (Freedom of Information Act Web Portal)

Exploit: Exposed database.
Risk to Small Business: HighAn exposure such as this can taint an organization’s reputation for an extended period.
Individual Risk: Extreme: The nature of the data exposed leaves those affected vulnerable to identity theft.
Freedom of Information Act Web Portal: foiaonline.gov is the website the United States government uses to process inquiries related to the Freedom of Information Act, an act that allows Americans to request information that the state has associated with them.
Date Occurred/Discovered: August 2018
Date Disclosed: September 4, 2018
Data Compromised:

  • Social Security Numbers
  • Date of birth
  • Immigrant identification number
  • Addresses
  • Contact details
  • Description of crime perpetrated against victim
  • Victims of identity theft had their SSN exposed

Customers Impacted: Unclear, dozens to hundreds.
https://edition.cnn.com/2018/09/03/politics/foia-revealed-social-security-numbers/index.html

United States – Family Orbit
Exploit: Weak password on database.
Risk to Small Business: HighA company that sells spyware to parents, exposed pictures of their kids on the internet, which will likely have catastrophic effects on their business.
Individual Risk: Moderate: The data by itself is not harmful but is pretty creepy. However, in use with other data accessible through the Dark Web, advanced spear phishing campaigns could be launched using the exposed data.
Family Orbit: A spyware application for parents to monitor their children.
Date Occurred/Discovered: August 2018
Date Disclosed: September 4, 2018
Data Compromised:

  • Pictures
  • Videos
  • Screenshots of developer desktops
    • Passwords
    • ‘other secrets’

Customers Impacted: Hundreds, 281 gigabytes of pictures and videos were exposed.
https://motherboard.vice.com/en_us/article/ywk8gy/spyware-family-orbit-children-photos-data-breach

https://securityaffairs.co/wordpress/75888/data-breach/family-orbit-hacked.html

United Kingdom – mSpy
Exploit: Exposed database.
Risk to Small Business: High: While a breach of this size with such sensitive information would normally cripple a company, this is actually mSpy’s sophomore breach, with the first happening in 2015 when similar information was leaked onto the Dark Web.
Individual Risk: High: The data that was exposed was both financial and very personal, and could be used for highly-targeted phishing attacks.
mSpy: A company that sells a software as a service product which spies on mobile devices of the customer’s kids or partner.
Date Occurred/Discovered: August 30, 2018
Date Disclosed: September 4, 2018
Data Compromised:

  • Passwords
  • Call logs
  • Text messages
  • Contacts
  • Notes
  • Location data
  • Names
  • Email addresses
  • Mailing addresses
  • Amount paid
  • Apple iCloud username
  • Whatsapp messages
  • Facebook messages

Customers Impacted: Millions.
https://krebsonsecurity.com/2018/09/for-2nd-time-in-3-years-mobile-spyware-maker-mspy-leaks-millions-of-sensitive-records/


Malwhat?
The Fortinet Q2 Threat Landscape Report is out, and with it, a load of new statistics that really show how at-risk most businesses are, even if they don’t realize it. Here are some of the most alarming malware statistics: 

  • There have been 23,945 unique variants of malware recorded this quarter.
  • On average there are 13 unique daily detections per firm.
  • There were 6 variants of malware that spread to more than 10% of firms.

Malware development is not slowing down, but it is changing. ‘Malware as a service’ is a popular model for the developers of the malicious programs. New types of malware such as ‘cryptojackers’ that mine cryptocurrency on the victim’s computer, or ransomware that extorts businesses, have become commonplace. The threat landscape is always changing, which is why it is important for every organization of every shape and size to have robust cyber security.
https://www.fortinet.com/blog/threat-research/threat-landscape-report–virtually-no-firm-is-immune-from-severe.html

The Week In Breach: August 22 to August 29 2018

A slow, but troubling week to say the least!  Phishing and compromised databases still rule the day. This Week in Breach highlights incidents involving a New York-based gaming developer, medical data held by a University, and the disclosure of sensitive data held by a popular babysitter application.

Is Breaking Bad?
A German company by the name of Breaking Security has been up in arms about the use of their legitimate software named Remcos (Remote Control and Surveillance). Remcos is used for managing Windows systems remotely and is increasingly being used by hackers for malicious attacks known as Remote Access Trojan (RAT). The question is, however… are they telling the truth? Researchers have uncovered that the product sold by the company is widely advertised on Dark Web hacking forums and it seems that not only does the organization know that this is happening, they are encouraging it. Breaking Security has strongly stated that any license linked to malicious hacking campaigns are revoked, yet still, many hacking campaigns continue to use the service.
https://www.darkreading.com/attacks-breaches/attackers-using-legitimate-remote-admin-tool-in-multiple-threat-campaigns/d/d-id/1332631

Not So Private Messages
In May, the popular live streaming service, Twitch, exposed user’s private messages because of a bug in their code. The Amazon subsidiary disabled the service, which allowed users to download an archive of past messages. When a user requested this archive, the game streaming company accidentally intertwined messages from other users. Twitch has come out and said that this only affected a limited number of users and has provided a link for customers to visit so they can find out if any of their messages were exposed and what the messages were.
https://www.bleepingcomputer.com/news/security/twitch-glitch-exposed-some-users-private-messages/

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
IT Provider Network – The Podcast for Growing IT Service
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Small Business, Big Marketing – Australia’s #1 Marketing Show!


United States – Augusta University
Exploit: Email compromise by phishing attacks.
Risk to Small Business: High: This is a significant breach in scale and severity, and due to the sensitive nature of the data compromised the organization will likely face heavy fines.
Individual Risk: Extreme: Individuals affected by this breach are at high risk for identity theft, as well as their medical information being sold on the Dark Web.
Augusta University: Georgia based healthcare network.
Date Occurred/Discovered: September 10, 2017 – July 11, 2018
Date Disclosed: August 20, 2018
Data Compromised:

  • Medical record numbers
  • Treatment information
  • Surgical details
  • Demographic information
  • Medical data
  • Diagnoses
  • Medications
  • Dates of services
  • Insurance information
  • Social Security numbers
  • Driver’s license numbers

Customers Impacted: 417,000
https://cyware.com/news/augusta-university-health-breach-exposes-personal-records-of-over-400k-patients-432de74e

https://www.augusta.edu/notice/message.php

United States – Animoto
Exploit: Undisclosed.
Risk to Small Business: High: A breach of customer trust, especially involving geolocation data, can be highly damaging to a company’s image.
Individual Risk: Moderate: Users affected by this breach are at a higher risk of spam and phishing.
Animoto: New York-based company that provides a cloud-based video-making service for social media sites.
Date Occurred/Discovered: July 10, 2018
Date Disclosed: August 2018
Data Compromised:  

  • Names
  • Dates of birth
  • User email addresses
  • Salted and hashed passwords
  • Geolocation

Customers Impacted: Unclear.
https://techcrunch.com/2018/08/20/animoto-hack-exposes-personal-information-geolocation-data/

United States – Sitter
Exploit: Exposed MongoDB database.
Risk to Small Business: High: Most customers would be uncomfortable with a company leaking data about their kids and when they are left alone with someone who doesn’t live there.
Individual Risk: High: A lot of sensitive personal information was exposed in this breach, much of it unsettling.
Sitter: An app that connects babysitters and parents.
Date Occurred/Discovered: August 14, 2018
Date Disclosed: August 14, 2018
Data Compromised:

  • Encrypted passwords
  • Number of children per family
  • User home addresses
  • Phone numbers
  • Users address book contacts
  • Partial payment card numbers
  • Past in-app chats
  • Details about sitting sessions
    • Locations
    • Times

Customers Impacted: 93,000.

https://www.linkedin.com/pulse/incident-report-no1-babysitter-application-exposure-bob-diachenko/

https://www.bleepingcomputer.com/news/security/mongodb-server-exposes-babysitting-apps-database/

Australia – Melbourne High School

Exploit: Negligence.
Risk to Small Business: Extreme: This is a major exposure of sensitive and potentially embarrassing information that could irreparably damage a company’s reputation.
Individual Risk: High: Those affected by the data breach have sensitive information about their personal medical information that is considered highly private and could leave them exposed to identity theft.
Melbourne High School: School in Melbourne.
Date Occurred/Discovered: August 20-22, 2018
Date Disclosed: August 22, 2018
Data Compromised:

  • Medical information
  • Mental health conditions
  • Learning behavioral difficulties

Customers Impacted: 300 students.
https://www.theguardian.com/australia-news/2018/aug/22/melbourne-student-health-records-posted-online-in-appalling-privacy-breach


 


Tick Tock.
The cost of cybercrime is no joke. This is easy to say from the perspective of someone whose business it is to know all about cybercrime trends, attack vectors, and yada, yada, yada.  But to really quantify how big of a problem cybercrime is in the world of business, it is often easier to compare it to day to day things… like a doctor explaining a complicated procedure or a mechanic telling you why your car is making that noise. So today I would like to compare the cost of cybercrime to the most universal understanding that there is… time.

The cost of cybercrime each minute globally: $1,138,888

The number of cybercrime victims each minute globally: 1,861

Number of records leaked globally each minute (from publicly disclosed incidents): 5,518

The number of new phishing domains each minute.21

As you can see, cybercrime buids by the minute.
https://www.darkreading.com/application-security/how-threats-increase-in-internet-time/d/d-id/1332629


This Week in Breach August 10 to August 17 2018

Dark Web Inforgraphic

This week we saw mobile apps making headlines. Tinder was used by a potential spy to unsuccessfully bait military secrets out of an airman and Snapchat’s source code was published on Github. The marketing campaign for the PGA championship has hit a speed bump in the form of a ransomware attack and an Australian hospital specializing in maternal health exposed treatments on the web.

Highlights from The Week in Breach:

  • Samsung Meets Meltdown
  • Snapchat Source Code
  • Think of the Children
  • The PGA is in the Sand Trap

In Other News:

Catfished
A hacker recently tried a new take on an old trick, utilizing the dating app Tinder in a honeypot scheme. The bad actor set out to steal military secrets from the British Royal Air Force, using a compromised RAF airwomen’s dating profile to try and trick a serviceman into revealing the details of the F-35 stealth fighter. The brand-new fighter is the result of a £9 billion project . China and Russia are eager to get their hands on any details they can about the plane. The airwomen realized almost immediately that her account was hacked and informed RAF, who was able to confirm that no information was disclosed, and the airman targeted was not connected to the F-35 program.
https://www.telegraph.co.uk/news/2018/08/05/honeytrap-hacker-attempted-steal-raf-fighter-jet-secrets-using/

Galaxy Meltdown
Samsung phones are not invulnerable to the microchip security flaw known as Meltdown as previously thought. Researchers at an Austrian University uncovered a way to exploit the vulnerability on the popular smartphone. The researchers plan on testing other phones in the future and believe that they will have similar results with other devices. With as much damage as Spectre exploits have done since its discovery, the same kind of exposure in smartphones could wreak havoc.
https://www.irishexaminer.com/breakingnews/business/samsung-galaxy-s7-phones-vulnerable-to-being-hacked-860965.html

Oh Snap!
A hacker got ahold of some of the source code for the popular photo-messaging service Snapchat, publishing the valuable code on Github. The hacker is believed to be from Pakistan and the code has since been taken down by the company. It is likely that the repo contained part of or all of their iOS app but because the code was removed from Github. There is no way to verify the amount of source code published. The validity of the source data is also questionable, but given Snapchats all-caps DMCA request, (seen below) it seems like there’s a good chance the code was the real deal.

“SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.”
https://thenextweb.com/security/2018/08/07/hacker-swipes-snapchats-source-code-publishes-it-on-github/

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
IT Provider Network – The Podcast for Growing IT Service
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


 

United States – The Professional Golfers’ Association (PGA)
Exploit: Ransomware.
Risk to Small Business: High: Ransomware is highly disruptive to any organization.
Individual Risk: High: Loss of data and possibly exfiltration of personal information can result from a ransomware attack.
The Professional Golfers Association: A golfing association that hosts the PGA Championship.
Date Occurred/Discovered: August 7, 2018
Date Disclosed: August 9, 2018
Data Compromised:

  • Creative material for the PGA Championship
    • Promotional banners
    • Logos
    • Digital signage
  • Creative material for the Ryder’s Cup in France
    • Abstracts of logos

Customers Impacted: With the PGA championship around the corner, this breach could affect golf fans all over the country.
https://cyware.com/news/pga-of-america-hit-by-ransomware-attack-days-before-championship-e16f53a7

Mexico – Hova Health
Exploit: Exposed the MongoDB database.
Risk to Small Business: High: Carelessness with customers’ sensitive data can cause irreparable damage to an organizations image.
Individual Risk: High: The information exposed on the internet could be used in identity theft.
Hova Health: Technology company that services the Mexican health care sector.
Date Occurred/Discovered: August 2018
Date Disclosed: August 7, 2018
Data Compromised:

  • Name
  • Gender
  • Date of birth
  • Insurance information
  • Disability status
  • Home address

Customers Impacted: 2 million individuals.
https://www.bleepingcomputer.com/news/security/health-care-data-of-2-million-people-in-mexico-exposed-online/

Australia – The Women’s and Children’s Hospital
Exploit: Negligence.
Risk to Small Business: High: The sensitive nature of the data exposed as well as the scope of the breach will cost the organization the trust of its customers and could possibly result in hefty fines.
Individual Risk: High: The data exposed by the organization could be extremely useful for bad actors to impersonate them, in addition to the high value of personal medical information on the Dark Web.
The Women’s and Children’s Hospital: An Adelaide based health care facility that provides treatment for women, babies and children.
Date Occurred/Discovered: Occurred over the last 13 years
Date Disclosed: August 6, 2018
Data Compromised:  

  • Names
  • Date of birth
  • Test results

Customers Impacted: 7,200 individuals.
https://cyware.com/news/7200-womens-and-childrens-hospital-patient-records-test-results-exposed-online-for-13-years-1d384ef4

United States – Comcast
Exploit: Web vulnerability.
Risk to Small Business: High: The loss of customer trust and the expense of providing identity monitoring for the affected individuals could damage any organization.
Individual Risk: High: Key data needed for identity theft was exposed.
Comcast: One of the United States largest cable providers.
Date Occurred/Discovered: August 2018
Date Disclosed: August 8, 2018
Data Compromised:

  • Social Security Numbers
  • Partial home addresses

Customers Impacted: 26.5 million individuals.
https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers



Go Phish.
Phishing emails have evolved far past the misspelled words and suspicious email addresses that most people use to help judge the validity of an email. The phishing email of today can look like an exact copy of the communications coming from the imitated company. With the constant PII saturation of dark web, personal details can be added to the phishing email to make it look even more convincing. The malicious emails will continue to get better and more refined, so how do you counter them? The best way to keep your organization safe is by training employees about social engineering attacks, encouraging employees to be skeptical of suspicious emails and to report them, and utilizing technologies such as an antivirus and simulated phishing awareness training and using constant credential monitoring with Dark Web ID™. A properly executed phishing email could result in a business’s operations suspended due to ransomware, the theft of IP or the exposure of customer data… so why wouldn’t any organization proactively get prepared?

The Week in Breach

spearphishing

Russian Dark Web
A reporter from The Guardian recently dove into a popular Russian Dark Web hacking forum known as FreeHacks, which aims to maximize efficiency in the attacks of its members and to disperse information on ‘quality’ hacking. On the surface it looks like any other forum, and (in essence) it is, with a twisted turn provided by the malicious nature of the subject matter. The categories of the forum are split into a wide variety of specific types of hacking and some ‘lifestyle’ forums as well.

Hacker news, humor, botnet, DDoS, programming, web development, malware and exploits, and security are examples of some of the topics discussed on the site. Some of the markets on the site include stolen credit cards, password cracking software, a clothing market to launder money, and a document market where members can buy passports and citizenships. The forum has about 5,000 active members and claims that a hacker is not a ‘computer burglar’ but rather ‘someone who likes to program and enjoy it.” Given the kind of information and marketplaces available on the site, this seems more like mental gymnastics rather than a nuanced examination of one’s own criminality. After passing the registration to get into the site, the reporter found step-by-step directions for finding someone’s physical address, among other nefarious ways to penetrate companies’ networks or to extort individuals.
https://www.theguardian.com/commentisfree/2018/jul/24/darknet-dark-web-hacking-forum-internet-safety

Gamer Recognize Game
The website for Kaiser Permanente was hijacked this week by hackers, defacing the site to include a variety of Game of Thrones quotes, which is a popular book series turned TV show. The American integrated care consortium based in Oakland, California had their pictures of happy healthy families on their front page replaced with a black screen and a declaration that a hacking group known as the faceless men was responsible for the act. The hacking group appears to be somewhat amateur in nature, and Turkish in origin. An investigation into the group’s members reveals that a few of the hackers listed are active Turkish gamers, which raises the question about how an organization that handles sensitive medical information was able to be hacked by a group of Turkish gamers with very little hacking experience. It is unclear whether any personal information has been accessed in the hack … the organization has declined to comment as of the writing of this Week in Breach.
https://www.databreaches.net/hear-me-roar-kaiser-permanente-site-defaced-by-got-fans/

Security > Convenience
More customers value security over convenience than professionals in the UK, according to a new study. 83% of customers prefer security, compared to only 60% of cybersecurity professionals. The study explores the reason for the disparity in the concern, citing organizations desire for frictionless customer experience as a reason for not having tight security. This could contribute to the UK scoring an unimpressive 56 out of 100 points on the Digital Trust Index which is one of the lowest in the world and 5 points lower than the global average. This disconnect is likely to continue in the future considering 88% of UK executives believe they are doing a good job protecting consumer data while over half of their organizations have been breached in the past year.
https://www.infosecurity-magazine.com/news/uk-consumers-prefer-security-to/

Hacking from The Inside
Across 5 different correctional facilities in Idaho, hundreds of inmates were able to add thousands of dollars’ worth of credits to their JPay accounts, which allows inmates to buy music or send emails. Over 300 inmates were able to exploit a vulnerability in the JPay system to add $224,772 across the group. One of those involved managed to gain nearly $10,000 using the exploit. Those who hacked their JPay accounts are being punished, and the vulnerability is being fixed, but this raises questions about the security of programs used by the U.S. prison system.
https://www.nytimes.com/2018/07/27/us/idaho-prison-hack-jpay-nyt.html

Podcasts:
IT Provider Network – The Podcast for Growing IT Service
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


United States – Reddit
Exploit: SMS intercept.
Risk to Small Business: High: Could have damaging effects on the trust of clients, as well as highlighting the vulnerabilities of SMS 2FA.
Individual Risk: Moderate: The nature of the data is not particularly harmful due to the age and the scope but affected users could be at risk for spam.
Reddit: Extremely popular forum, one of the 5 most popular sites on the internet.
Date Occurred/Discovered: June 14 – 18, 2018
Date Disclosed: August 1, 2018
Data Compromised:

• Old Reddit user data (before May 2007)
• Usernames
• Salted hashed passwords
• Email addresses
• Public content
• Private messages
• Email digests
Customers Impacted: Users with accounts made before 2007, subscribers to email digests between June 3 and June 17, 2018.
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

United States – UnityPoint Health
Exploit: Phishing.
Risk to Small Business: High: A huge breach of customer trust, also this organization will be fined heavily because medical data was breached.
Individual Risk: High: The content breached is valuable on the Dark Web and is vital in identity theft.
UnityPoint Health: Multi hospital group operating in Iowa, Illinois and Wisconsin.
Date Occurred/Discovered: March 14 – April 3, 2018
Date Disclosed: July 31, 2018
Data Compromised:
• Protected health information
• Names
• Addresses
• Medical data
• Treatment information
• Lab results
• Insurance information
• Payment cards
• Social Security Number
Customers Impacted: 1.4 Million.
https://www.healthcareitnews.com/news/14-million-patient-records-breached-unitypoint-health-phishing-attack

New Zealand – Hāwera High School
Exploit: Phishing.
Risk to Small Business: High: Ransomware attacks can be very disruptive.
Individual Risk: High: Students could lose files stored locally on computers. High risk of identity theft if PII is stored.
Hāwera High School: A New Zealand High School.
Date Occurred/Discovered: August 2018
Date Disclosed: August 2, 2018
Data Compromised:
• Local files stored on school computers
Customers Impacted: Students at the school.
https://www.theregister.co.uk/2018/08/02/new_zealand_school_hit_by_ransomware_scum/

India – CreditMate.in
Exploit: Exposed database.
Risk to Small Business: High: The exposed database was found during a routine google search, this kind of breach would seriously damage an organizations image.
Individual Risk: High: Data key for identity theft were exposed in this breach.
CreditMate: Helps customers obtain loans to purchase motorbikes.
Date Occurred/Discovered: July 27, 2018
Date Disclosed: August 2, 2018
Data Compromised:
• Member reference number
• Enquiry number
• Enquiry purpose
• Amount of loan being sought
• Full name
• Date of birth
• Gender
• Income tax ID number
• Passport
• Driver’s license
• Universal ID number
• Telephone number
• Email address
• Employment information
• Employment income
• CIBIL credit score
• Residential address
• Payment history of other loans/credit cards
Customers Impacted: 19,000.
https://www.databreaches.net/exclusive-creditmate-in-developers-goof-left-19000-consumers-credit-reports-unsecured/

United States – Yale University
Exploit: Unclear.
Risk to Small Business: High: Highly sensitive personal information was leaked which would damage consumer trust.
Individual Risk: High: The data accessed would be highly useful for bad actors looking to steal someone’s identity.
Yale University: A prestigious American University.
Date Occurred/Discovered: April 2008 – January 2009
Date Disclosed: June 2018
Data Compromised:
• Social security numbers
• Dates of birth
• Email addresses
• Physical addresses
Customers Impacted: 119,000
https://www.zdnet.com/article/yale-discloses-old-school-data-breach/

A note for your customers:
Texts from a Hacker.
With the breach of Reddit being disclosed this week, it’s key to remember the importance of robust cybersecurity, given that the hacker of the site was able to bypass 2FA. The actor was able to do this by using a method called ‘SMS intercept’ which is when the hacker is able to receive the text that contains the code for authentication. One way this is done is by SIM-swap, which is when the attacker convinces the phone provider that he is the target and applies their service to a new SIM card. Another method of attack is when bad actor impersonates the target and tricks the phone provider into transferring the target’s number to a new provider where the attacker is then able to access any 2FA codes coming into the phone.

A more secure alternative to SMS 2FA is app-based authentication through organizations such as Duo, which is not subject to the same vectors of attack. Stay vigilant out there, because SMS-intercept attacks are going to become more and more prevalent as they have been shown to be successful, and publicly too considering Reddit is one of the most popular sites on the internet.

The Week In Breach! June 15 to June 22 2018

Dark Web

It should serve as no surprise, two of the breaches profiled this week occurred as the result of compromised email address and passwords. The particular events highlight the need to make password hygiene and compromised credential monitoring front and center.

This week also demonstrates that healthcare organizations are increasingly targeted by bad actors. Heathcare related PII/PHI is increasingly valuable and sought after in dark web markets and forums.  

A few more highlights…

– Malware on the move!  New Malware targeting Android phones making the rounds 

– Cortana… the weakest link? An exploit in Windows 10 was patched on Tuesday that allowed one to change passwords

– AI startup working on the United States drone program finds Russian malware on their server

– The Nigerian princes are back! This time, they want to be business partners…

There is a new mobile malware targeting Android phones, containing a banking Trojan, keyloggers, and ransomware. The malware, called MysteryBot will exfiltrate your data and send it back to LokiBot assets. While it’s still not in wide circulation, Android users should exercise caution when downloading apps both in and out of the play store.
https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

A vulnerability that used Cortana to access computer files even if the device was locked was revealed this week… just after patch Tuesday.
https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140/

Across the globe, email scammers are a consistent source of problems for those who use the web. This week the FBI made 74 arrests across 7 countries and an email scam bust that targeted mid-sized businesses. The scam originated in Nigeria, the same country where the notorious ‘Nigerian prince’ email scam comes from.
https://www.cnet.com/news/fbi-busts-international-email-fraud-ring-that-stole-millions/

Look out for suspicious .men! Some top-level domains are more likely to be malicious than others, with .men .gdn and .work being the most abused. If you open a .men link there is about a 50/50 chance that you are going to a site loaded with spam or malware. Check those hyperlinks!
https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/

What we’re listening to this week!

Know Tech Talks – Hosted by Barb Paluszkiewicz

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

Elmcroft Senior Living

Exploit: Outside actor.

Risk to Small Business: High: Lack of Data Loss Protection (DLP) and chain of custody leading to breach

Risk to Exploited Individuals: High: Elevated probability for Identity theft and fraud based on PII compromised.

Elmcroft: Recently ending its management of more than 70 assisted living, memory care, and inpatient hospital rehabilitation, Elmcroft was in wind-down mode when the breach occurred.

Date Occurred
Discovered
Occurred May 10th 2018, Discovered on May 12th
Date Disclosed Elmcroft made an official statement on June 8th, 2018
Data Compromised Names

Date of birth

Social Security Numbers

Personal health information

How it was Compromised A third party had access to information being transferred from Elmcroft to the new management company
Customers Impacted
Residents

Residents family members

Employees

Possibly others

Attribution/Vulnerability Undisclosed at this time.

https://www.mcknightsseniorliving.com/news/data-breach-puts-personal-information-of-residents-workers-at-risk-elmcroft-senior-living-says/article/772385/

Terros Health

Exploit: Phishing scam that compromised one account.

Risk to Small Business: High: Demonstrates phishing is still a primary tactic to generate exploits and how one compromised email account can end in a major breach.

Risk to Exploited Individuals: High: Sensitive personal information, Social Security numbers and medical information were leaked all of which can be used maliciously by an outside actor.

Terros Health: Phoenix-based mental health and addiction services provider.

Date Occurred
Discovered
April, 2018
Date Disclosed June 8th, 2018
Data Compromised
Patient names

Date of birth

Social Security number

How it was Compromised
Phishing scam that compromised a single email account
Customers Impacted
1,600 patients
Attribution/Vulnerability One compromised email due to a phishing scam

https://www.bizjournals.com/phoenix/news/2018/06/10/terros-healthwarns-of-patient-data-breach.html

Clarifi
Exploit: Malware exploit to steal IP

Risk to Small Business: High: Demonstrates the need to harden security when dealing with Intellectual Property and being targets as a Federal Contractor/Supply Chain Sub-contractor.

Risk to Exploited IndividualsHigh: Highly sensitive military information is located at the company, making individuals who work their targets for state-sponsored hacking.

Clarifi: An artificial intelligence startup based in New York involved in improving U.S. military drones.

Date Occurred
Discovered
November, 2017
Date Disclosed June 2018
Data Compromised
Possibly customer data, although Clarifi denies that any data was compromised.
How it was Compromised Unclear, although the origin of the malware is believed to be Russian.
Attribution/Vulnerability Malware
Customers Impacted The company assures that no customer data was compromised

https://www.wired.com/story/startup-working-on-contentious-pentagon-ai-project-was-hacked

https://cyware.com/news/ai-startup-clarifai-working-on-pentagons-project-maven-was-allegedly-hacked-by-russian-source-8a171b30

HealthEquity
Exploit: Compromised email.

Risk to Small Business: High: Demonstrates the need for compromised credential monitoring and implementing stronger authentication tools.

Risk to Exploited Individuals: High: sensitive personal information and Social Security numbers were accessed during the breach.

HealthEquity: Utah based firm that handles millions of health savings accounts.

Date Occurred
Discovered
April 11, 2018
Date Disclosed June  2018
Data Compromised Names of members

HealthEquity ID numbers

Names of employers

Employers HealthEquity IDs

Social Security numbers

How it was Compromised
An email account of a HealthEquity employee was compromised, and the outside actor was able to gather data for two days before the malicious activity was noticed by the company.
Attribution/Vulnerability Compromised employee email.
Customers Impacted 23,000

https://www.infosecurity-magazine.com/news/23000-individuals-affected-in/

https://www.darkreading.com/operations/23000-compromised-in-healthequity-data-breach/d/d-id/1332050

Dixons Carphone
Exploit: Investigation ongoing.

Risk to Small Business: High: Breach response requirements of GDPR will significantly change how quick companies must disclose breach incidents and respond.

Risk to Exploited Individuals: High: Card data of customers was accessed by an outside actor.

Dixons Carphone: Electronics company located in the UK.

Date Occurred
Discovered
July, 2017
Date Disclosed June  2018
Data Compromised Customer Cards

Names

Addresses

Email addresses

How it was Compromised
The investigation is currently ongoing into how the breach happened, but it was only just discovered a little under a year after it happened.
Attribution/Vulnerability Unauthorized access to company data
Customers Impacted 5.9 million

An important takeaway from this week is the damage that a single compromised email account can have on an organization of any size. With one compromised email account a bad actor can send countless employees malware from an unsuspicious and legitimate email, often times without the employee knowing their email is compromised. Don’t let your business end up on the next Week in Breach. Make sure you and your employees’ passwords are strong, not reused or shared, and that your credentials aren’t up for sale on the Dark Web, by monitoring with Dark Web ID™ by Prime Telecommunications.  Please share this week’s breach news with a coworker or friend.

This week in Breaches!

full frame shot of abstract pattern

Photo by Sabrina Gelbart on Pexels.com

 

This week shows no shortage of targeted attacks designed to extract large datasets from a broad range of consumer sites.  Travel, finance and entertainment sites were targeted, impacting more than 100,000,000 unsuspecting victims.  If anything, this week clearly demonstrates why individuals need to proactively monitor for their compromised data with tools like our SpotLight ID – Personal Identity & Credit Monitoring Solutions.  The events of this week also clearly demonstrate why businesses must monitor for compromised credentials that can be used to exploit internal systems and to compromise or takeover customer accounts.

Highlights:

  • Leaked credentials from a 3rd party data breach used to exploit 45,000 Transamerica customers 
  • No Tickets for You! – TicketFly shuts down to identify and fix the source of leak impacting 26M customers
  • Booking.com shows that phishing attacks never take a vacation
  • Google Groups – taking a page right out of Amazon’s leaky bucket playbook?

In other news…

The City of Atlanta’s losing streak continues thanks to ransomware hacks! This time, the city’s evidence chain of custody breached, allowing police evidence to be destroyed – impacting investigations and prosecutions.
https://cyware.com/news/atlanta-ransomware-attack-destroyed-years-of-police-dashcam-footage-potentially-critical-evidence-9e8134ac

Europol has a new team dedicated to cybercrime on the Dark Web, hoping to monitor and mitigate criminal activity. Multiple law enforcement agencies throughout Europe are participating in this team, in addition to some non-European organizations. Keep fighting the good fight!
https://www.welivesecurity.com/2018/06/01/europol-eu-team-fight-dark-web/

Google Groups can’t get its act together when it comes to privacy settings, resulting in accidental disclosure of users’ private documents. If your business uses Google Groups, make sure to set your group to private!
https://www.securityweek.com/thousands-organizations-expose-sensitive-data-google-groups

It looks like there’s more than just gators to watch out for in the sunshine state… Florida named the worse state in consumer cybersecurity.

https://www.darkreading.com/vulnerabilities—threats/survey-shows-florida-at-the-bottom-for-consumer-cybersecurity/d/d-id/1331983


 What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

TicketFly

Exploit: Database misconfiguration, hacker doxing/ransoming

Risk to Small Business: High: Demonstrates the impact of database misconfiguration and security controls.
Risk to Exploited Individuals: High: Social engineering and identity theft as a large amount of personal information including names, addresses and phone numbers of customers were leaked.
TicketFly: Owned by Eventbrite, TicketFly is a popular site where customers can purchase tickets online for upcoming events and shows.

Date Occurred
Discovered
May 30, 2018
Date Disclosed TicketFly made an official statement on June 6, 2018
Data Compromised Email addresses, Phone Number, Billing Address and Home Addresses
How it was Compromised A hacker attempted to contact the company about a vulnerability, demanding 1 Bitcoin as ransom to reveal the weakness. The hacker claims the emails to the company went unanswered so the cybercriminal vandalized the TicketFly site and leaked some of the information acquired to the press.
Customers Impacted
26 million, and even more if you consider the customers who are unable to buy tickets while the site has been down.
Attribution/Vulnerability Undisclosed at this time.

https://www.marketwatch.com/story/ticketfly-breach-may-have-exposed-data-of-26-million-customers-2018-06-03

MyHeritage

Exploit: Unsecured/misconfigured data store. Poor data at rest encryption. Poor password encryption.
Risk to Small Business: High: Demonstrates the impact of database misconfiguration, security controls and weak encryption.
Risk to Exploited Individuals: Moderate: Email addresses leaked but DNA/family history data supposedly stored separately.
MyHeritage: Users search historical records and create a family tree using this web-based service from Israel.

Date Occurred
Discovered
October 26, 2017
Date Disclosed June 4, 2018
Data Compromised
All email addresses and hashed passwords of users up to October 26, 2017
How it was Compromised
The CISO of MyHeritage received a message from a researcher that he had found a great deal of MyHeritage’s data on a server not connected with the site. The CISO confirmed that the data originated from their site but exactly how the data was acquired is not clear as of now.
Customers Impacted
92,283,889 Users
Attribution/Vulnerability Unclear, but MyHeritage did not store passwords, instead of storing a one-way hash of each password that has a key unique to each user. All credit card information is located on third party sites and the most sensitive information the website holds such as family tree and DNA data is stored in segregated systems with additional layers of security.

https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/#

https://motherboard.vice.com/en_us/article/vbqyvx/myheritage-hacked-data-breach-92-million

Transamerica
Exploit:  Compromised credentials
Risk to Small Business: High: Demonstrates the need to proactively monitor for compromised credentials from 3rd party data breaches and phishing attack mitigation.
Risk to Exploited IndividualsHigh: Highly sensitive personal information was stolen and could be used to impersonate an employee; or an outside agent could pose as a relative of an employee to phish for information

Transamerica: This company offers mutual funds, retirement strategies, insurance, and annuities.

Date Occurred
Discovered
Between March 2017 and January 2018
Date Disclosed May 2018
Data Compromised
Names, Addresses, Social Security Numbers, DOB, Financial data And Employment Information
How it was Compromised Third party compromised credentials were used to access user’s account data
Attribution/Vulnerability Outside actor

https://cyware.com/news/transamerica-hacked-nearly-45000-retirees-personal-and-sensitive-details-stolen-c2c419f5

https://www.theregister.co.uk/2018/06/05/transamerica_retirement_plan_hack/

Booking. com
Exploit: Phishing

Risk to Small Business Risk: High: Demonstrates how well-crafted phishing attacks can lead to massive data loss even with strong end-user security awareness training program and security tools in place.

Risk to Exploited Individuals: High: Money was stolen from the individuals who responded to the convincing email, and their stolen personal information could be used again.

Booking. com: A popular site for booking hotels, houses, apartments and boats.

Date Occurred
Discovered
June 2018
Date Disclosed June 3, 2018
Data Compromised Names, Addresses, Phone Numbers, Dates, Price of bookings and Reference Numbers
How it was Compromised
Certain properties of Booking.com received a link that detailed a security breach and urged them to change their password. Once the link was clicked the hackers had access to booking information that they used to send highly convincing phishing emails to customers asking for advance payments. The emails contained booking and pricing info for previously booked rooms, making the emails almost indistinguishable from an actual email from the company. The company reported that there was no compromise on their systems and that any customers who lost money due to the incident will be reimbursed.
Attribution/Vulnerability Outside actors, deployed through spam email campaign

https://www.independent.co.uk/travel/news-and-advice/travel-website-hackers-cyber-crime-phishing-holidays-a8382771.html

https://www.thesun.co.uk/money/6437309/hackers-target-booking-steal-thousands/

https://www.scmagazine.com/cybercriminals-phish-bookingcom-customers-after-possibly-breaching-partner-hotels/article/771091/

PageUp
Exploit: Malware
Risk to Small Business Risk: High: Demonstrates that malware exploits are often very difficult to detect and defend against.

Risk to Exploited Individuals: High: It is unclear what information has been compromised and from which customers of PageUp, but given the nature of the company and the information they store, the risk is serious.

PageUp: A large Australian company that provides HR, career, and recruitment service to large and small businesses around the world.

Date Occurred
Discovered
May 23, 2018
Date Disclosed June 6, 2018
Data Compromised Unclear, but passwords were hashed and salted
How it was Compromised
The investigation into the breach is ongoing, but due to the new implementation of GDPR in Europe and Australia’s Notifiable Data Breaches Scheme, PageUp disclosed the breach in compliance with the laws.
Attribution/Vulnerability Malware was found on one of PageUp’s IT systems, but how the malware entered the system is still being investigated

https://www.bleepingcomputer.com/news/security/malware-infection-at-hr-company-triggers-flurry-of-data-breach-notifications/


An important takeaway from this week finds its origin in research done by Dr. Michael McGuire, funded by Bromium and titled ‘The Web of Profit’ : The unfortunate truth is that crime does pay.Cybercrime produces 1.5 Trillion each year, which rivals Russia’s GDP and would place cybercrime at number 13 in a comparison of the world’s highest gross domestic product. $500 Billion of that can be contributed to intellectual property theft and data trading accounts for $160 Billion.

The scope of cybercrime profits and influence points to the conclusion that it is an economy in and of itself, a conclusion that is supported by the growth of platform criminality. Platform criminality is much like the business models of platform businesses such as Google, Uber, or Amazon that trade in data. Data is a profitable business as demonstrated by these famous companies (or at least two of them), and criminals have taken note.

Using the Dark Web as a means of facilitating transactions, cyber criminals are able to buy and sell anything from data to a day-zero exploit. The main takeaway from looking at how cybercrime has evolved is that cyber criminals are selling crime rather than committing it. Much like how Uber is selling a platform where drivers are paired with passengers, criminals are selling the tools and data needed to commit cybercrimes over ‘back alley’ marketplaces.

The research done by Dr. McGuire also highlights the importance of monitoring the Dark Web for personal information, stating:

New kinds of software tools are required for uncovering how cybercriminals are using digital technologies for hiding and laundering revenues. One example would be virtualization tools that can generate safe havens, isolated from the internet, where illicit revenue-generating activity can be diverted and neutralized. Another would be more sophisticated scanning tools capable of better tracking and locating items of value across the net – in particular, personal data”(125).

The Dr. also concluded that while Dark Web monitoring is vital to combatting the economy of cybercrime, it is far from an easy task. The difficult nature of monitoring the Dark Web is not just because it is harder to navigate than the traditional web… explains McGuire, it is “because many of the sites only grant access by word of mouth, or on the basis of ratings status and trust, which may take some time to build up” (57). The Dark Web and the economy surrounding it is nothing to take lightly, and ignoring its existence only adds to the ability for cyber criminals to go about their work unscathed. Dark Web ID by ID Agent fulfills this need for Dark Web monitoring, instead of turning a blind eye to the complex and dynamic reality of the cybercrime economy our services dive right in.

https://learn.bromium.com/rprt-web-of-profit.html

https://www.darkreading.com/cloud/cybercrime-is-skyrocketing-as-the-world-goes-digital/a/d-id/1331905