The first week of the year is not without cybersecurity updates, and we bring to you the most relevant of these security headlines. Here are the updates from this past week.
Supply Chain Attacks Target Real Estate Websites
Supply chain attacks are known to sabotage organizational networks, and these attacks have increased of late. The most recent targets are real estate websites. Popular real estate listing website Sotheby’s was a victim of a supply chain attack in which attackers deployed a skimmer on the cloud video platform it uses – Brightcove. Consequently, all videos displayed on its website (via the Brightcove video player) were infected. All websites importing real estate property videos from Sotheby’s were likewise compromised by the skimmer, which steals payment card details. Interestingly, this scam had been ongoing for a year and only recently came to light.
Researcher Reports Uber Email System Vulnerability Risking 57M Users And Drivers
Cybersecurity researcher and bug bounty hunter Seif Elsallamy recently uncovered a vulnerability in Uber’s email system which has existed for a long time. The flaw could allow anyone on the internet to send emails to users and drivers on behalf of Uber. Such an email won’t be marked as spam because it technically originates from legitimate Uber servers, so it passes both DMARC and DKIM checks. It is, therefore, a threat to all 57 million Uber users and drivers whose details were leaked in the 2016 data breach.
Elsallamy reported the flaw to Uber through its HackerOne bug bounty program, but Uber rejected his report, calling it erroneous. As per reports, the same flaw was previously reported by researchers Shiva Maharaj and Soufiane el Habti, but their reports also went unaddressed. Uber seems to know about this flaw and continues to leave it unpatched.
People receiving emails such as ‘Your Uber is arriving now’ or ‘Your Thursday morning trip with Uber’ will be unable to tell whether the message comes from Uber or is spam, which is what makes this vulnerability so risky. Uber owes fines of €600.000 to the Netherlands’ Data Protection Authority and £385,000 to the UK’s Information Commissioner’s Office (ICO) because of this cybersecurity negligence.
To protect users, Elsallamy recommends email security measures that Uber can take to limit the damage from the vulnerable, undisclosed form through which attacker-controlled content reaches users’ inboxes. He further asks Uber to use a security encoding library for HTML entity encoding. Uber users and drivers must look out for phishing emails claiming to be from Uber and take the necessary precautions.
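The encoding fix Elsallamy asks for comes down to one rule: any field an outsider can fill in must be HTML-entity-encoded before it is interpolated into an email body. The following is an added illustration, not Uber’s code; the template, the field names and the sample note are constructed, and Python’s standard-library html.escape stands in for the dedicated security encoding library the report recommends.

```python
# Added example (not Uber's code): HTML-entity-encoding untrusted fields
# before they are interpolated into an HTML email template.
# TEMPLATE, the field names and CONSTRUCTED_NOTE are assumptions for illustration.
import html
import re

# Assumed template: only <p> tags are legitimately part of the body.
TEMPLATE = (
    "<p>Hi {rider},</p>"
    "<p>Your trip note: {note}</p>"
)


def render_unsafe(rider: str, note: str) -> str:
    """Interpolates raw input: attacker-supplied markup survives into the email."""
    return TEMPLATE.format(rider=rider, note=note)


def render_safe(rider: str, note: str) -> str:
    """Encodes every untrusted field; quote=True also encodes ' and " so the
    value cannot break out of an attribute either."""
    return TEMPLATE.format(
        rider=html.escape(rider, quote=True),
        note=html.escape(note, quote=True),
    )


def contains_markup(rendered_html: str, allowed_tags=("p",)) -> bool:
    """Defender-side check run on the rendered body: does it contain any tag
    beyond those the template itself uses? Encoded text has no literal '<'."""
    tags = re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", rendered_html)
    return any(t.lower() not in allowed_tags for t in tags)


# Constructed sample: an "untrusted" note carrying a link to a lookalike page.
CONSTRUCTED_NOTE = '<a href="https://example.invalid/login">Confirm your account</a>'

if __name__ == "__main__":
    print("unsafe:", render_unsafe("Alice", CONSTRUCTED_NOTE))
    print("safe:  ", render_safe("Alice", CONSTRUCTED_NOTE))
```

Because the message still leaves the sender’s own mail servers, DMARC and DKIM pass in both cases; the encoding step is what prevents an attacker-supplied anchor from rendering as a clickable link in a message the recipient has every reason to trust. The contains_markup check is a cheap gate that can run on every outbound body to catch a template that forgot to encode a field.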
Tips For CISOs To Procure More Funds
Chief Information Security Officers (CISOs) are expected to find loopholes in IT systems and ensure ransomware protection. A responsibility that heavy must be backed by an adequate budget; however, just over 10% of total IT budgets are assigned to CISOs, as per the latest Deloitte report. To obtain the required funds, CISOs can adopt specific strategies. They can consider meeting business stakeholders in person instead of following the hierarchy and keeping things formal. Sharing ideas informally can be a good start, especially if the CISO role is new to the organization.
Learning to pitch cybersecurity investments properly to a board with particular priorities is essential. For instance, a firm looking to increase its total revenue in the coming year may be approached by framing cybersecurity investments as a way to avoid unnecessary losses. Similarly, for executives who may not be familiar with cybersecurity jargon, it is advisable to use relatable real-world examples to make the case more convincing. Overall, CISOs need sound cybersecurity strategies to get the required funds approved.
New Year Brings New Ransomware Gang
One week into the new year, we have the emergence of a brand new ransomware gang called Lapsus$. Over the New Year holiday, the gang targeted Portugal’s largest media conglomerate – Impresa, and defaced all its sites with a ransom note. Lapsus$ takes an aggressive approach: it not only encrypted the company’s files but also accessed (and probably stole) the contents of all Expresso and SIC websites and channels. Fortunately, the cable TV and radio broadcasts remained unaffected.
Lapsus$ was reportedly first spotted in December 2021, and since then the ransomware operator has attacked multiple organizations. Apart from Impresa, its other victims include the South American telecommunication providers Embratel and Claro, and Brazil’s Ministry of Health. Impresa regained control over most of its affected sites soon after the attack, but Lapsus$ still claims to have access to its resources.
Bogus QR Codes in Circulation Across Austin Parking Meters
When in a hurry to pay for parking, people may skip paying in cash or even using the designated mobile app and instead take the easy option of scanning the QR code. Adversaries are taking advantage of this convenience by replacing the QR codes on the side of parking meters with bogus ones that appear to accept the parking session payment but actually transfer the funds to the fraudsters.
When some wary users reported the issue to the Austin police department, an investigation was launched, revealing that over 100 parking meters had been stickered in this way in December 2021. This is a relatively new fraud scheme circulating across Austin, Texas, but almost any fraudster across the globe can use the same tactic to con unsuspecting people. Authorities advise people to make payments either in cash or through the relevant applications instead of scanning QR codes.
FBI Warns Against Sharing Phone Numbers On Online Marketplaces
The Federal Bureau of Investigation (FBI) warns Americans against sharing their phone numbers and email addresses on online marketplaces and social media portals, as hackers use these details in Google Voice authentication scams. The FBI said it had received reports of people being targeted by these scams in various locations, and even through sites where they post about lost pets.
In a typical Google Voice authentication scam, attackers approach the victims through email or text messages and express an interest in purchasing the item they have put up for sale. They then ask the unsuspecting sellers to verify the authenticity of the deal by sharing an authentication code they will receive from Google. The attackers are actually creating a Google Voice account in the victims’ name using their phone numbers. The same tactic is also used to compromise victims’ Gmail accounts and launch phishing scams.
The FBI advises people to visit Google’s support website to restore their Google Voice accounts. It further reiterates that sharing Google verification codes with others is a cybersecurity blunder one should always avoid. The FBI warns against sharing contact numbers or email addresses with buyers and sellers, and advises conducting related payments only through legitimate payment processors.