Cyber Security Training from QA

Cyber Pulse: Edition 31

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


5 September 2018

British Airways Data Breach Compromises 380K Cards

British Airways announced that it was hit by a customer data breach on its website and mobile app, which affected around 380,000 card payments. The airline told CNBC that the breach took place from Aug. 21 to Sept. 5 and is now resolved. The hack has been reported to the authorities, including the U.K. Information Commissioner’s Office. British Airways said the stolen data did not include travel or passport details. “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously,” said Alex Cruz, British Airways’ CEO, according to the Financial Times. The airline advised any customers who believe they may have been affected by the incident to contact their banks or credit card providers. This is just the latest breach to hit an airline. In fact, there were 1,000 cyberattacks on aviation systems every month during 2016, according to the European Aviation Safety Agency. That same year, Vietnam Airlines had to handle its airport operations by hand after hackers took down its website. Last year, LATAM Airlines and Ukraine’s Boryspil airport were both hit by ransomware. In addition, just last week, Air Canada confirmed that its mobile app suffered a data breach, which affected approximately 20,000 people — or about 1 percent of the 1.7 million people who use the app. The company said it detected “unusual login behavior” between Aug. 22 and Aug. 24. In an email to customers, Air Canada said hackers may have accessed profile data, such as email addresses and phone numbers, as well as more sensitive data that users added to their accounts: passport numbers, expiration dates and country of issuance; NEXUS numbers for travelers; and gender, dates of birth and country of residence. However, credit card data was not compromised in the breach.

This is the NCSC's guidance for anyone who thinks they may have been affected:

  1. If you've used the BA website or mobile application to purchase services while the data was at risk (21st Aug–5th Sept), we recommend that you contact your bank.
  2. Ensure your passwords are secure. If you have been affected, you may want to consider changing passwords for key accounts such as banking. See Cyber Aware's advice on creating a good password that you can remember, or read the NCSC’s blog post for help on using a password manager. You should also monitor your financial accounts for any suspicious transactions.
  3. If you receive any suspicious phone calls, emails or text messages, report these to Action Fraud.
  4. In general, it is advised that you make use of two-factor authentication (2FA) on important accounts – even SMS-based two-factor is better than none. The benefit of this is that even if someone does obtain an account password, they would still not be able to access the account because of this extra security measure.
  5. Now would also be a good time to check if your account has appeared in any other public data breaches. Visit https://haveibeenpwned.com, enter your email address and go from there.

Watch Out for This FAKE Viber App Which Steals Your WhatsApp Data

Lukas Stefanko, a malware researcher at Slovakia-based IT-security company ESET, has tweeted a warning about a new Android-based spyware program being peddled through a website mimicking Google Play. Calling itself "Viber Messenger," the Viber lookalike, described as a "Lite Chatting App," steals WhatsApp media and document files, WeChat media, all of your photos, files from your download directory, and a record of your phone calls. The fake even includes a "Most Secure Messenger" checkmark and shield logo, as well as "500 million downloads" and "4.3" rating icons similar to those found on the real Google Play. ESET was given a heads-up about the malware by a vigilant user and confirmed its malicious nature after taking a look through the program's code. Viber is a popular cross-platform instant messaging service with over 900 million registered users. The program is particularly popular in Russia, with 100 million registered Russian users.

Hackers can steal your Android unlock pattern by turning your phone into a sonar system

New research from researchers in Sweden and the UK reveals that hackers would be able to steal the unlock pattern of your Android phone by turning the device into an improvised sonar system. Using the speakers and microphones in a handset, the sonar would be able to pick up the movements of fingers against the screen and determine possible patterns that could unlock the phone. The technique is named SonarSnoop, ZDNet reports, and uses FingerIO as its primary source of inspiration. FingerIO is a smartwatch interaction model published back in March 2016, which proposes the use of a sonar-like system to pick up hand gestures and translate them into actions on the screen. SonarSnoop, meanwhile, is the malicious version of FingerIO, but you shouldn’t panic over it. Using this method, hackers would be able to reduce the number of possible unlock patterns by 70%, thanks to the machine learning algorithms built into the attack. But deploying the attack in the real world isn’t terribly realistic in this day and age. As it stands right now, you shouldn’t even rely on unlock patterns to protect your phone. Most Android phones ship with fingerprint sensors, which are a lot more secure than pattern unlocks. If you use an older device, you might want to set up a strong passcode rather than an unlock pattern, even if the latter feels more convenient. Also, you can set up your phone to wipe all data after a number of failed unlock attempts. Finally, make sure your Android gadget runs the latest software available for it, especially when it comes to security patches.

Teenage hacker admits sparking 400 UK school evacuations with 24,000 hoax bomb threats

A teenage hacker has admitted making bomb threats to thousands of schools, prompting 400 evacuations across the UK. George Duke-Cohan, 19, sparked chaos with his mass hoax campaign in March this year. The 19-year-old was arrested just days later, but in April, while under investigation, he sent more emails to schools in the UK and US claiming pipe bombs had been planted on the premises. Up to 24,000 emails - spoofed to look like they had been sent by a gaming network known as VeltPvP - were sent to addresses across the country, including the North East, London, Bristol and Humberside. Duke-Cohan admitted three counts of making hoax bomb threats at Luton Magistrates' Court today. VeltPvP later issued a statement which read: "We have nothing to do with the bomb threats that were sent out to the 400+ UK schools. We've been being harassed by a group of cyber criminals that are trying to harass us in any way possible. We're extremely sorry for anyone who had to deal with this, but just know it's fake." National Crime Agency investigators working with the FBI also identified that Duke-Cohan made bomb threats to a US-bound United Airlines flight via phone calls to San Francisco Airport and their bureau police. In a recording of one of the phone calls, which was made while the plane was in the air, he posed as a worried father claiming his daughter had contacted him from the flight to say it had been hijacked by gunmen, one of whom had a bomb.

Cryptocurrency mining craze going for data centers

Cybercriminals have always been financially motivated, and cryptocurrency mining is the latest trend in generating revenue. With Bitcoin peaking at around $25,000 each, cybercriminals are turning their attention to crypto mining instead of traditional ransomware. In fact, cryptocurrency-enabled malware is increasingly outdoing ransomware in popularity, with the rise in adoption picking up significantly in the past six months. Bitdefender has been studying this phenomenon through its telemetry and today releases an in-depth report into the ways cybercriminals are targeting cryptomining. One of the most interesting attacks involved the use of industrial control systems: the industrial control systems and supervisory control and data acquisition servers of a water utility in Europe were used for the first time to mine Monero. The more cryptocurrency has been mined, the more resource-intensive the process becomes. This makes it unfeasible for cybercriminals to target and control pools of individual users, and it is expected that large data centers and cloud infrastructures are next in line. One reason for the growth of crypto mining is the emergence of browser-based web scripts that make it easy for cybercriminals to compromise high-traffic websites and plant a cryptocurrency mining script. This is often done instead of deploying traditional spear phishing campaigns to infect a large number of victims, as ransomware does.

Attackers Employ Social Engineering to Distribute New Banking Trojan

Unknown attackers have begun using a sophisticated, new banking Trojan, dubbed CamuBot, to steal money from the business customers of several major banks in Brazil, a country sometimes used as a testing ground for financial malware that is about to be launched globally. IBM X-Force security researchers, who have been tracking the threat, this week described the CamuBot campaign as a combination of highly targeted social engineering with malware-assisted account and device takeover. The malware operators have been getting victims to download CamuBot on their systems by disguising it as a required security module — complete with logos and brand imaging — from their banks. Troublingly, CamuBot has functionality that suggests it has the ability to hijack device driver controls for fingerprint readers, USB keys, and other third-party security peripherals that banks often use as an additional mechanism for authenticating users. CamuBot is different from other banking Trojans in terms of how it is deployed and used, says Limor Kessem, executive security advisor at IBM Security. "Firstly, the distribution is very targeted. The attackers phone a potential victim and lead them to an infection zone, where the malware is downloaded to their device," she says. The attackers have typically targeted individuals who are the most likely owners of their organizations' bank account credentials. They identify themselves as bank employees and ask the victim to browse to a location for checking whether his company's bank security module is up to date. The validity check always comes up negative, and the targeted individual is then tricked into downloading an "updated" version of the module. If the victim downloads the module, a fake application appears in the foreground while CamuBot is silently installed in the background and establishes a connection with its command-and-control server. The victim is then redirected to what appears to be his bank's online portal, where he is prompted to enter his login credentials, which are promptly captured by the attackers.

Malware campaign infects thousands of Magento e-commerce sites

Over the last six months, a recently discovered, highly prolific payment card-scraping campaign managed to infect more than 7,000 online stores running on the open-source Magento e-commerce software platform. Dutch security researcher Willem de Groot reported that the operation involved online payment skimming malware called MagentoCore. Of the 7,339 e-shops found to be impacted, at least 1,450 of them were infected for the entire half-year period the threat has existed. De Groot further explained that MagentoCore skimmers "gain illicit access to the control panel of an e-commerce site, often with brute force techniques," then embed JavaScript into the HTML template. The malicious script records keystrokes and "sends everything in real-time to the magentocore.net server, registered in Moscow." Additionally, the malware inserts a backdoor for periodic downloads, removes competing malware, and changes the passwords of common staff user names. In the two weeks preceding the post, the attackers were infecting websites at a clip of 50 to 60 stores per day, according to de Groot. "Magento is an open-source platform and for this reason is also a favorite target of bad actors. This latest attack was likely carried out through password guessing and exploited vulnerabilities in Magento servers..." said Devon Merchant, digital security and operations manager at The Media Trust, in emailed comments. "The vulnerabilities might lie in the web application source code, enabling bad actors to manipulate the code and inject rogue script into the HTML template. The script then logs keystrokes and sends them to a command-and-control server."

Marketing agency fined £60,000 for nuisance emails

The Information Commissioner’s Office (ICO) has fined Everything DM Ltd (EDML), based in Stevenage, £60,000 for sending 1.42 million emails without consent. The investigation found that, between May 2016 and May 2017, the firm used its direct marketing system called ‘Touchpoint’ to send emails on behalf of its clients for a fee. Those emails gave the impression they were sent by the clients directly, and EDML couldn’t prove that the recipients had ever given consent to receive marketing emails from its clients or itself. The investigation revealed that EDML relied on the consent of third parties but didn’t take reasonable steps to make sure the data complied with the Privacy and Electronic Communications Regulations (PECR). ICO Director of Investigations, Steve Eckersley, said: “Firms providing marketing services to other organisations need to double-check whether they have valid consent from people to send marketing emails to them. Generic third party consent is not enough and companies will be fined if they break the law.”

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to Government Agencies, National Critical Infrastructures and Large Corporations through the simulation of cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a Civil Litigation or Criminal Investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant, where he would respond to incidents and perform full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.