Please fill in the form below to subscribe to our blog

The Week in Breach: 08/13/18 – 08/17/18

August 23, 2018

This week ransomware continues to develop, as well as phishing tactics. Popular mobile platform GOMO was breached in a big way, and one of the largest banks in India was robbed over the weekend.

Highlights from The Week in Breach:

  • Hacking my Heart!
  • Sextortion Goes Mobile!
  • Huge GOMO Breach.
  • Cash-out in India.

In Other News:

Insta-Bot
Is someone trying to set up a botnet on Instagram? The popular photo-sharing website has experienced a wave of users getting logged out of their accounts and their personal information being changed, often times with profile pictures being changed to stills from Disney movies. When users go to reset their password and access their account, they find that the email address associated with their account has been changed to an email with a .ru domain. Could this be a Russian botnet in the making? Or another actor shifting blame onto another to avoid detection? Only time will tell.
https://cyware.com/news/hundreds-of-instagram-users-locked-out-of-accounts-recovery-emails-changed-to-ru-addresses-43d1a7a7

Heartbeat Spoofing
Hacking someone’s heart? While anything seems possible in the world of hacking today, it is still alarming that researchers from McAfee have discovered it is possible for hackers to falsify patient’s vitals using Rwhat protocol. Rwhat protocol is a networking protocol used by medical devices to monitor a patient’s condition and vital signs. By sending incorrect information to the central monitoring stations, a bad actor could feed wrong information, but only if they had physical access to the patient. The researchers also developed a vector of attack where one would not need physical access, although the hacker would need to be on the same network. This variation involves Address Resolution Protocol (ARP) spoofing the central monitoring station, capturing the patient data and then sending falsified data back to the real monitoring station.
https://www.bleepingcomputer.com/news/security/hackers-can-falsify-patient-vitals/

Attack of The Princess
There is a new kid on the block in the world of ransomware. The ransomware known as Princess Locker has gotten an upgrade and is being sold as ‘Princess Evolution’. This ransomware is being sold as a service, which means a few things. First, it means that the developers can focus on improving and supporting the ransomware while still earning revenue. Meanwhile, the affiliates can focus on social engineering attacks and infecting as many victims as possible. This particular ransomware is being sold at a 60/40 split, with the developer taking in 40% of each ransom paid out. This is different than other ransomware as service programs because often, the ransomware is sold as a subscription or at a flat price, while Princess Evolution takes a cut of every successful attack.
https://www.bleepingcomputer.com/news/security/princess-evolution-ransomware-is-a-raas-with-a-slick-payment-site/

Dial – XXX
The sextortion scam that has become popular over the last few months is continuing to evolve, now with partial phone numbers being used to fool victims into paying. This email campaign claims that the target’s phone was hacked and that the hacker created a double video of the screen and the front-facing camera on the phone. This threat is made seemingly legitimate through a combination of password, full name and phone number of the victim, which can scare a target into paying the bitcoin ransom. It is speculated that the hackers are getting partial phone numbers through account recovery programs where the last few phone numbers are revealed when asking if that is the right number to send a verification code to. This is a logical conclusion, given that if the hackers had the full phone number through a data breach then it would probably be more convincing to just use the entire number.
https://www.bleepingcomputer.com/news/security/new-hacked-phone-partial-number-extortion-emails-making-a-lot-of-money/

Podcasts:

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!
IT Provider Network – The Podcast for Growing IT Service


China (Hong Kong) – Sungy Mobile Limited/GOMO

Exploit: Exposed database.
Risk to Small Business: Extreme: The organization did not only betray the trust of its customers, but it also exposed a great deal of sensitive internal data such as backend code.
Individual Risk: Extreme: A great deal of information valuable for spear phishing was exposed in this breach, as well as assets that would make it easy for a hacker to impersonate a business that the target is known to use.
Sungy Mobile Limited/GOMO: A Hong Kong based mobile application developer with more than 2 billion downloads of their apps.
Date Occurred/Discovered: Discovered May 25, 2018
Date Disclosed: Not disclosed by organization.
Data Compromised:

  • Development data
  • Product data
  • Admin data
  • Statistics data
  • Payment gateway data
  • Digital marketing data
  • Branding data for other companies
  • What appears to be the complete backend system for many of GOMO’s products
  • User data
    • Email addresses
    • Bcrypt passwords
    • Country of user
    • Username
    • Language preferences
    • School
    • Gender
    • Date of birth
    • International Mobile Subscriber Identity (imsi) number
    • Avatars
    • Comments
    • Notes
    • In-game credits
    • In-store purchases
    • Mobile phone numbers
    • Passwords
    • Users’ ID numbers that are matchable to the International Mobile Equipment Identity (imei) number
  • Type of connection

Customers Impacted: 50,553,664.
https://www.databreaches.net/50553664-gomo-app-users-information-exposed-researcher/

India – The Cosmos Bank

Exploit: Cloned ATM cards.
Risk to Small Business: Extreme: Most organizations would not be able to take such a severe hit to their finances especially in addition to the loss of trust.
Individual Risk: Moderate: The money stolen is being covered by the organization.
Cosmos Bank: The second oldest cooperative bank in India.
Date Occurred/Discovered: August 11/13, 2018
Date Disclosed: August 2018
Data Compromised: $13.4 Million
Customers Impacted: Account holders funds are safe according to the organization, but online banking is currently suspended in response to the event.
https://www.theregister.co.uk/2018/08/15/cosmos_bank_raided/

United Kingdom – Butlin Leisure Company

Exploit: Phishing.
Risk to Small Business: High: A permanent loss of trust in an organization could result from any sized data breach.
Individual Risk: Moderate: Affected customers would be subject to spam and possibly phishing emails.
Butlin Leisure Company: UK based chain of holiday camps that provides affordable holidays for British families.
Date Occurred/Discovered: August 2018
Date Disclosed: August 2018
Data Compromised:

  • Booking reference numbers
  • Lead guest names
  • Holiday arrival dates
  • Postal addresses
  • Email addresses
  • Telephone numbers

Customers Impacted: 34,000.
https://www.theinquirer.net/inquirer/news/3060923/butlins-data-breach-2018

United States – Adams County

Exploit: Vertical Privilege Escalation.
Risk to Small Business: High: The cost of providing identity monitoring to affected customers would put a great strain on any organization.
Individual Risk: High: Medical data and tax information was stolen, which is valuable on the Dark Web and useful to bad actors for identity theft.
Adams County: A county in Wisconsin.
Date Occurred/Discovered: January 2018 – March 28, 2018
Date Disclosed: June 29, 2018
Data Compromised:

  • Names
  • Addresses
  • Photographs
  • Health information
  • Tax information
  • Date of birth
  • Social Security number
  • Medical record number
  • License number
  • License plate numbers
  • Fingerprints

Customers Impacted: 250,000
https://www.wisconsinrapidstribune.com/story/news/2018/08/10/adams-county-data-breach-exposed-information-up-250-000-people/956200002/ 


A note to your customers:

CatPhish.

This year at Black Hat and DEF CON 2018, social engineers showed off the more advanced tactics used to fool targets into giving them the information they want. With traditional social engineering still being highly effective and instrumental in most hacks today, it’s no wonder that these techniques are being contently improved. Technical researcher for PwC Matt Wixey detailed ROSE, or Remote Online Social Engineering, which is his term for the ‘long con’ social engineering tactics where bad actors create complex false personae and do comprehensive reconnaissance to infiltrate the target network. This is achieved by building a relationship with a specific person at an organization by analyzing their online activity, motivations, and way they communicate.

The next step for the hacker is to create a comprehensive online persona that could have gone to the same school. And share similar hobbies or other traits that allow the target and the fake person to relate. This comprehensive online identity would include a social media presence, populated for years (these types of accounts are available for sale on the Dark Web), interactions with other people and possibly acquiring ‘mutual’ acquaintances of the target so even for someone doing a deep dive into this person’s online identity would conclude that the person is… real.

Social media and internet usage are so ingrained in our daily lives that it is often easy to forget to be skeptical of those who you know solely through the channels of LinkedIn or Facebook. As phishing attacks become more focused, comprehensive and believable, it is vital for maintaining a healthy level of skepticism on the web. As the famous New Yorker comic goes… “On the Internet, nobody knows you’re a dog.”

https://www.darkreading.com/risk/social-engineers-show-off-their-tricks/d/d-id/1332544

Are you an ID Agent Partner? Feel free to re-use this blog post (in part or in entirety) for your own social media and marketing efforts! Just send an email to [email protected] to let us know!

Not a Partner? Learn more about Dark Web ID™ and the benefits it holds for your Business. Contact us today!