FFT news digest Oct 28 2022

There but for the grace...

The UK data protection regulator has announced a £4.4 million fine against a construction company that fell victim to a phishing attack. The formal announcement from the Information Commissioner's Office is well worth a read because it provides a handy summary of what not to do. Among Interserve Group's many issues, it:
- Failed to respond to an initial alert of suspicious activity
- Used unsupported software systems and protocols
- Used out of date antivirus software (despite warnings)
- Failed to provide appropriate training
- Lacked effective risk assessments
- Failed to follow its own policies and standards

Personal data of up to 113,000 current and former employees were encrypted, including contact and banking details, national insurance numbers, as well as special category data such as ethnic origin, religion, disability details, sexual orientation, and health information. The breach occurred when an employee forwarded a phishing email (which Interserve’s systems failed to block or quarantine) to another employee who opened it, extracted the attached ZIP file and ran the content. The employee was working from home and using a split tunnel VPN. This meant that when the employee clicked on the link in the email, it did not go through Interserve's gateway system. Interserve went into administration in 2019 and so the fine is unlikely to be paid.

Time and again, major breaches have minor causes. A recent incident at the business publication Fast Company happened after hackers exploited an easily guessed default password ("pizza123"). The password was reused across multiple WordPress accounts. Dark Reading has an analysis of the notorious Equifax hack, the lessons from which are still relevant five years on. And the recent breach at Microsoft was caused by a misconfiguration. It affected 150,000 companies from 123 countries and included sales strategies, proof of concept documents and emails.

Threats

DHL: You probably won't be surprised that DHL has taken the top spot in a survey of the brands most used in phishing attempts. Microsoft and LinkedIn came next. ESET

Stolen: A stolen iPad led to an (unsuccessful) phishing attempt six months later. The device's owner had sent a message to the iPad with her phone number. That resulted in a belated text message claiming to be from Apple Support in a bid to persuade her to enter her credentials on a spoofed iCloud website. Cyren

Google Ads: PhishLabs explains how attackers are exploiting a weakness in Google's advertising service to serve up legitimate landing pages that redirect victims to a malicious site. As ever, never follow a link to do anything important. Help Net Security

Mimics: A massive campaign is using over 200 lookalike domains that impersonate popular brands to trick visitors into downloading Windows and Android malware. The brands include Snapchat and PayPal. Cyble

VPN: The FBI is warning about a rise in attacks that exploit unpatched VPN servers. The alert is directed at healthcare providers but it's an issue for anyone operating a VPN instance.

Social engineering: We can all be taken in by attacks that exploit our natural reactions to specific situations. Help Net Security has a comprehensive (if rather dry) video explaining the issue.

Office 365: Researchers say Microsoft Office 365 Message Encryption (OME) can be easily hacked. The feature allows enterprise users to send encrypted messages as an HTML attachment via email. WithSecure

Chrome: A new campaign is pushing Google Chrome extensions that hijack searches and insert affiliate links into webpages. The add-ons offer colour customisation options. Guardio

Ransomware

The number of worldwide ransomware attacks has fallen this year...but only from a record high in 2021. SonicWall says the 338.4 million attacks in the first nine months of this year are more than the total for each year since 2017 except for 2021. "Bad actors are coming at us in varying degrees, in varying locations, and in varying attacks more than ever, making this a very volatile threat landscape," SonicWall told The Register. In one of the latest campaigns, attackers are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.

Passwords, yet again

The good news: there's concrete evidence that the death of passwords is coming closer. The bad news: most of us are still engaging in horribly risky behaviour when it comes to authentication. This week, PayPal provided a glimpse of a safer future when it announced support for passkeys to secure PayPal accounts for iPhone, iPad, and Mac users on PayPal.com. Initially, this will be available in the US and will roll out elsewhere next year. Passkeys are supported by Apple, Google and Microsoft and replace passwords with a pre-authenticated device, e.g. your phone. They can't come quickly enough because research shows many people continue to reuse simple passwords both at work and at home. And common passwords account for nearly all attacks.

In brief

LinkedIn: New security features have been introduced to try to weed out fake profiles. Not surprising given the scale of the problem. As veteran security journalist Brian Krebs reports, on Oct 10 "there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc." Following a purge, "the next day, half of those profiles no longer existed."

Turkey: A pro-government newspaper has published the locations of exiled journalists. The Committee to Protect Journalists condemned the move as "unethical and irresponsible" and said it "could lead to serious harm."

Ukraine: Russia has threatened a retaliatory strike against commercial satellites. "Quasi-civilian infrastructure may become a legitimate target for retaliation," an official said.

Iran: There are multiple warnings this week about Iran's wicked ways. The FBI highlights hack and leak operations and likely efforts to target the upcoming mid-term elections (something China is also accused of).

Disney: The Mouse House could soon start using Disney Plus viewing habits to influence the experience of park visitors — and vice versa. Of course. The Verge

Gas: Malwarebytes takes a look at the iPhone app billed as the "only wholesome place left on the internet." 'Gas' is aimed at teens. Currently, it's only available in 12 US states.

TheTruthSpy: A huge cache of leaked data reveals the details of a stalkerware operation that is spying on hundreds of thousands of people around the world. TechCrunch has the unsettling details.

Sources: The technology already exists to generate slight differences in the same document so that if something leaks, the source can be identified. Robert Hansen explains the risk for journalists and whistleblowers.

Tips and tricks: Most of us charge iPhones overnight. As Macworld explains, that's why the batteries degrade so quickly. And 9to5Mac has the skinny on how to clean a MacBook screen, effectively and safely.

USB-C: Apple has confirmed that it will comply with EU regulations and transition from Lightning to USB-C connectors.

Uganda: A new law carries penalties of up to seven years in prison for sharing information about a person without their consent and intercepting information without authorization. Reclaim The Net

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.
