FFT news digest April 9 2021

Facebook

The personal details of more than half a billion Facebook users have turned up on a hacker forum, but the social media behemoth has no plans to notify the people affected - let alone apologise to them. In a blog post, Facebook said “malicious actors” had obtained the data prior to September 2019 by “scraping” profiles using a vulnerability in the platform’s tool for synching contacts. A spokesman later told Reuters that Facebook wasn't confident it had full visibility on which users would need to be notified, and there was nothing to be done about the availability of the data anyway.

The information in question includes names, mobile numbers, genders, occupations, locations, birthdays, and marital status.
Initially, Facebook characterised this as "old news" which was disclosed at the time. But, as Wired reports, that's far from the whole story. In fact, there have been so many vast Facebook breaches that it's easy to lose track of what was leaked - or disclosed - when. You can check whether you're affected by using the breach tracking site HaveIBeenPwned, but on a practical level so many organisations have lost so much information that it's worth assuming your details are out there somewhere.

Just to underline that, it's emerged that the personal details of half a billion LinkedIn users are also being offered for sale.
CyberNews says the information includes LinkedIn IDs, names, email addresses, phone numbers, genders, links to LinkedIn profiles, links to other social media profiles, professional titles, and other work-related data. Passwords and payment data don't seem to be affected and, according to CyberNews, "it's unclear whether the threat actor is selling up-to-date LinkedIn profiles, or if the data has been taken or aggregated from a previous breach suffered by LinkedIn or other companies". So far, LinkedIn has said precisely nothing.

Threats

COVID-19: For fraudsters and scumbags, the pandemic is the gift that keeps on giving. Latest examples include fake post-vaccination surveys and evidence of attempts to take advantage of online get-togethers (for example, by creating wine-themed scam websites). Researchers also warn of travel-related scams as (some) parts of the world begin to relax restrictions.

Netflix: Messages offering a free Netflix subscription are being used to spread malicious software between Android devices. Check Point

PDF: There's been a sharp increase in the use of fake PDF files to target victims. Researchers also warn against fake verification Captchas which use a static image; when clicked, it takes the user to a malicious website. Unit 42

Office 365: A fake OneDrive notification repeatedly uses the victim's username together with credible Microsoft branding to reinforce authenticity. PhishLabs

DocuSign: A new tool to build malicious documents is on sale in a Russian crime forum, with one version imitating the electronic signature tool DocuSign. Intel471

Browsers: Saving passwords in web browsers is convenient but risky, as illustrated by new malicious software (dubbed "CopperStealer"). It spreads through websites offering fake software. Proofpoint

LinkedIn: A very sneaky campaign is using fake job offers to target LinkedIn users. It takes someone's current job title and adds "position" to it in an attempt to persuade the target to open a malicious ZIP file. eSentire

WeTransfer: A phishing campaign is impersonating the file sharing app to try to steal credentials. The email lure's subject line is: “You received some important files via WeTransfer!” Avanan

'War'

Nation state cyber attacks are becoming more frequent, varied and open...and the world is moving closer to a point of 'advanced cyberconflict' than at any time since the inception of the internet. That's the conclusion of Nation States, Cyberconflict and the Web of Profit by the University of Surrey (sponsored by HP). It's part of a long-term research project and it includes a heat map showing we have reached a point where "the perception exists that there are minimal reasons not to engage in war". The US Global Trends report comes to the same assessment, describing an increasingly “volatile and confrontational” global security landscape. In a real-world example, this week the chief of India's defence staff admitted that China possessed cyber weapons that would cause widespread disruption if they were used. For the moment, the country's focus is on recovery rather than prevention, General Bipin Rawat said.

Fake

Last month, the FBI warned that "foreign actors" would almost certainly launch "deepfake" attacks over the next 18 months. This week, news emerged of a Middle Eastern group using voice changing software as part of an espionage attempt. Cado Security says it found a copy of Morph Vox Pro software as part of an investigation into a Palestinian-linked group. The same group is known to have used profiles of attractive women to target members of the Israeli Defense Forces. Fake voices have been used before in fraud attempts, but this is the first time such tactics have been spotted as part of an espionage operation. 

Hacking humans

With analysis suggesting everyday users are facing more attacks than ever, it's worth remembering that most threats are based on social engineering. Or, to avoid the jargon, we should assume that criminals have perfected techniques designed to mimic the way we expect to interact with genuine websites. In practice, this means never taking the easy option (e.g. clicking a button) to do something important like confirming a password. This is particularly true during these strange pandemic times when remote working continues to be a reality for so many. Bitdefender has a round-up of the attackers' tools, including ransomware which it says rose by 485% in 2020 compared to 2019.

The wages of sin

Anonymous online communication isn't as easy as Hollywood makes out, as an Italian discovered after being arrested on suspicion of hiring a hitman on the dark web. The alleged target was the suspect's ex-girlfriend and the cost was around €10,000, paid in Bitcoins. Europol tracked him down by identifying where he bought the Bitcoins and persuading the provider to help identify him. More widely, Europol has warned about the increasing use of violence by organised crime, which it says is becoming "more fluid and digitalised".

In brief

Counting: VENUEx is a video player designed to count the number of people watching a stream. Not for accurate ratings, but to enable the content provider to charge per head.

Oversight: Seoul's municipal government is installing ‘smart poles’ which act as streetlights, traffic lights, environmental sensors, footfall counters, smartphone chargers, Wi-Fi access points, CCTV. And can charge drones. Cities Today

Diagnosis: An app can diagnose COVID-19 from nothing more than a voice sample. An Israel-based company says that in tests of 2,000 people, the app achieved an accuracy rate of 81.2%, including asymptomatic carriers. TNW

Loans: "Coercive loan apps" first cripple your smartphone and then shut it down if you fall behind on repayments. Rest of the world reports on the spread of the apps in India.

Chips: The ongoing shortage of components, in particular processors, is affecting Apple, with production of some MacBooks and iPads reported to be delayed. Nikkei

Fire: A second web hosting provider has suffered a fire in one of its data centres. It started when a backup generator kicked in during a power failure and promptly caught light. WebNX's grammatically-challenged update warns of an extended outage.

Elmo: A home inspector in Michigan has been charged with aggravated indecent exposure and property damage after being caught on camera, um, pleasuring himself with an Elmo doll. A nursery cam alerted the home owner to what was going on. "Just when I think I have seen it all, someone steps up and surprises me," the local sheriff said. Detroit Free Press

Updates

Attackers are taking advantage of vulnerabilities in SAP and Fortinet products that have not been updated. Researchers and US officials have both issued warnings about the speed with which such issues are exploited. We don't underestimate how challenging it can be to ensure updates are applied, but SAP's research shows that, on average, vulnerabilities in its products are weaponised within 72 hours of being disclosed publicly. SAP has a list of six issues that are being exploited, while US agencies say attackers are taking advantage of vulnerabilities in Fortinet's FortiOS to try to compromise government and commercial systems.

Apple Mail: A 'zero-click' vulnerability (i.e. one that requires no user interaction) was fixed in the latest versions of macOS. Threatpost

Cisco: Updates to address a critical vulnerability affecting SD-WAN vManage Software's remote management component. Meanwhile, it says it won't fix another critical security vulnerability affecting some of its Small Business routers. Instead it's urging users to replace the devices.

LG: Has pledged to issue future Android OS updates to many of its smartphones despite confirming this week that it is to close its mobile phone business. 
