CyberWire staff | thecyberwire.com
At a glance
- Magento skimmer uses malicious jpgs.
- France investigates Apple’s ad-tracking.
- SMS security issues.
- FBI warns of PYSA ransomware campaign against academic institutions.
New Magento 2 compromise employs malicious .JPG images.
Sucuri’s blog details a new compromise that skims payment card data from Magento 2 ecommerce sites. While investigating a Magento 2 site, researchers found a malicious injection that harvested the POST request data shoppers submitted at the checkout page, base64-encoded it, and appended it to a file with a .JPG extension. Stashing the loot in a fake image is a shrewd way to keep it from being noticed: image files are expected in a web root and are rarely inspected, and the base64 encoding hides the plaintext from a casual grep. The stolen data, which can include full names, street addresses, and card details, can be used for card fraud or for phishing. Website monitoring services and file integrity checks can help site owners detect this kind of compromise, particularly checks that notice an “image” whose bytes are not actually an image and that changes between deployments.
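As an added example of the integrity check suggested above (this is not code from Sucuri’s write-up or from Magento), the script below walks a web root, flags image-named files whose first bytes do not match the magic number for their extension, and, when such a file is entirely base64 text, decodes it and looks for card-number-shaped digit runs. The sample tree it builds, the `pub/media` path and the file names are constructed for the demonstration and are not the paths from the reported compromise.

```python
import base64
import binascii
import os
import re
import tempfile

# File extension -> magic bytes a genuine file of that type starts with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_READ = 4 * 1024 * 1024  # cap the per-file read; skimmer drop files are small

B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")   # whole body is base64 text
PAN_RE = re.compile(rb"\b\d{13,19}\b")           # rough card-number shape, no Luhn check


def decode_if_base64(data):
    """Return the decoded bytes if the whole body is base64 text, else None."""
    body = data.strip()
    if len(body) < 16 or not B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body)
    except binascii.Error:
        return None


def scan_file(path):
    """Return a finding dict for a mis-typed image file, or None if it looks genuine."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None
    with open(path, "rb") as fh:
        data = fh.read(MAX_READ)
    if any(data.startswith(m) for m in MAGIC[ext]):
        return None  # header matches the extension; nothing to report
    finding = {"path": path, "reason": "bad magic", "card_like": False}
    decoded = decode_if_base64(data)
    if decoded is not None:
        finding["reason"] = "base64 payload"
        finding["card_like"] = PAN_RE.search(decoded) is not None
        finding["preview"] = decoded[:80]
    return finding


def scan_webroot(root):
    """Walk the tree and return findings sorted by path."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            found = scan_file(os.path.join(dirpath, name))
            if found:
                findings.append(found)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot():
    """Constructed sample tree (not real Magento data): one genuine JPEG header,
    one text file misnamed .jpg, and one fake .jpg holding base64 checkout fields."""
    root = tempfile.mkdtemp(prefix="webroot-")
    media = os.path.join(root, "pub", "media")  # hypothetical path
    os.makedirs(media)
    with open(os.path.join(media, "real.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    with open(os.path.join(media, "readme.jpg"), "wb") as fh:
        fh.write(b"just a text file with the wrong extension\n")
    fake_post = (b"firstname=Jane&lastname=Doe&street=1 Main St"
                 b"&cc_number=4111111111111111&cc_exp=12/24\n")  # constructed test card
    with open(os.path.join(media, "logo.jpg"), "wb") as fh:
        fh.write(base64.b64encode(fake_post) + b"\n")
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f["reason"], f["path"], "card-like data" if f["card_like"] else "")
```

Run it against a real site’s document root rather than the sample tree to get a list of candidates; a legitimate Magento media directory should produce none, so anything reported deserves a look, and the `card_like` flag separates a harmless mislabelled file from a probable skimmer drop.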
France probe examines Apple’s ad tracking policies.
In response to a complaint from a lobbying group, France’s data protection authority will investigate Apple’s recent changes to its data collection policies, AppleInsider reports. France Digitale filed a complaint with the French National Commission on Informatics and Liberty (CNIL) earlier this month regarding Apple’s new App Tracking Transparency feature. Launching in two weeks, the feature will require third-party iOS developers to obtain user permission before tracking them for advertising. The complainants argue that Apple is applying the rule unevenly, since several of Apple’s own apps, such as the App Store and Apple News, serve personalized ads without asking permission first. It’s unclear how long CNIL’s investigation will last, but it could end with the authority ordering Apple to revise its policies.
Twitter hacker cops a plea.
The Tampa Bay Times reports that the hacker who last summer hijacked Twitter accounts to steal over $100,000 in bitcoin has struck a deal with prosecutors. In exchange for his guilty plea, Graham Ivan Clark will avoid the ten-year minimum sentence he would have faced if tried as an adult, and will instead serve three years in a young adult prison followed by three years of probation. Clark was seventeen when he was arrested for the Twitter scam. By convincing a Twitter employee that he worked in the company’s IT department, Clark gained access to Twitter’s internal customer service tools, which let him take over the accounts of public figures with massive followings, including then-candidate Joe Biden, Elon Musk, and Bill Gates, as well as corporate accounts like Uber’s. Posing as the account holders, he posted phony messages asking followers to deposit bitcoin in his wallet, and before Twitter caught on, Clark had collected about $117,000. The terms of his sentence forbid him from using a computer without police supervision, and he was required to hand over the passwords to all of his accounts.
SMS hack takes advantage of regulatory blindspots?
With little government regulation, SMS message interception has become low-hanging fruit for cybercriminals. “SIM swapping,” tricking a mobile carrier’s employees into moving a victim’s phone number onto a SIM the attacker controls, is the most common method thieves use to redirect a victim’s text messages to another device. As the CyberWire noted yesterday, a new industry is unwittingly making it possible to intercept a victim’s messages without a SIM swap at all. As part of their SMS marketing and mass-messaging services, companies like Sakari let clients redirect the text messages sent to a number of their choosing by simply submitting a Letter of Authorization (LOA).
Hackers like Lucky225 quickly discovered how easy it is to abuse this service by filling out the required LOA with fraudulent information. Lucky225 explained to KrebsOnSecurity that the attack exploits a gap in how SMS routing is governed. Porting a phone number between conventional carriers goes through the Number Portability Administration Center (NPAC), which has its own authorization process. But a private company called NetNumber maintains a separate database, keyed by a NetNumber ID (NNID), that tells messaging providers which carrier should receive a given number’s texts, and many of its clients are voice-over-IP (VoIP) or internet-based phone companies that will let anyone become a reseller with little to no verification. Lucky225 explained, “In essence, once you have a reseller account with these VoIP wholesalers you can change the Net Number ID of any phone number to your wholesale provider’s NNID and begin receiving SMS text messages with virtually no authentication whatsoever.” NetNumber says that, since learning of the fraudulent activity, it has taken “precautionary measures.” But hackers appear to still be finding ways around those measures, and while many major mobile carriers now have protections in place to keep their customers’ numbers from being re-pointed by NetNumber requests, smaller carriers are likely still vulnerable. The practical lesson for defenders is the familiar one: a one-time code delivered by SMS is only as trustworthy as the routing that delivers it.
FBI warns of renewed PYSA ransomware campaign against schools.
The FBI has warned educational institutions to expect a surge in PYSA ransomware attacks, which it has seen newly active in twelve US states and the United Kingdom. Also known as Mespinoza, the strain usually gains its foothold either through compromised Remote Desktop Protocol credentials or through conventional phishing. As is now routine with ransomware, PYSA’s operators first steal sensitive information, including personally identifiable information, before encrypting the victims’ files.
Some industry figures contacted us with comments on the warning and on the ransomware threat. Jorge Orchilles, CTO of SCYTHE, wrote that, “Ransomware threat actors continue to evolve to ensure they receive payment. We have seen ‘double extortion’ being used across various sectors, not just education. Threat actors exfiltrate data and post a sample to extort and push the victim for payment in addition to the traditional ransom of encrypting their data.”
Saryu Nayyar, CEO of Gurucul, points out that schools can, unfortunately, be easy marks. “For malicious actors, the education sector is a prime target. IT budgets are often limited and cybersecurity resources are stretched thin. The victims can be naive to cyber threats, which makes them easy targets for social engineering and phishing attacks,” she wrote. “With the rise of Cybercrime-as-a-Service, including ransomware and hybrid attacks that extract data for extortion before encrypting it, it’s no wonder they are going after easier targets like schools, seminaries, and colleges.”
And she sees training and security education as a vital part of the response. “User education to reduce the chance of becoming a victim is the first line of defense, as it almost always is when users are involved. But educational organizations need to take it further. They need to review their cybersecurity posture and update it to face complex threats as budget and resources allow.”
External Link: Improved skimmers. France scrutinizes Apple’s ad-tracking. SMS security. FBI warns schools of PYSA ransomware.