A full plate of social engineering, another serving of Syrian Electronic Army mischief and a dessert course of ChewBacca malware made the security menu this week. It was the week we learned how far one will go to keep, and to steal, a one-letter Twitter handle, what grudge the SEA holds against PayPal and more – take a few minutes and catch up with all you missed!
This week, a developer lost his rare one-letter Twitter handle, @N, after a hacker socially engineered his way into his GoDaddy account. Naoki Hiroshima was greeted with quite the surprise when he realized that his GoDaddy sites were no longer his. By taking control of Hiroshima’s domain name at GoDaddy, the hacker also controlled his email. Hiroshima, who had already dealt with people trying to steal his coveted Twitter handle, immediately changed the email address connected to Twitter, cutting off the hacker’s route into that account. The hacker wasn’t giving up.
So he sent Hiroshima an extortion email, asking for a “compromise” – the Twitter account in exchange for Hiroshima’s sites back. “One fake purchase and they can be repossessed by godaddy and never seen again,” he threatened in the email. In the end, Hiroshima relented and gave up @N. Social engineering is a major and rising concern in general, but this case in particular was shocking for how easily the hacker gained control of Hiroshima’s websites: he went so far as to obtain the last four digits of Hiroshima’s credit card from a PayPal employee, then used those digits as verification at GoDaddy.
On the heels of several major breaches in the U.S., it’s increasingly important that businesses do whatever possible to protect customers’ data from these events – ensuring high security at every level, especially with employees. PayPal and GoDaddy have each released statements regarding their role in the incident, with both denying responsibility. Twitter has yet to comment. This certainly isn’t the last time we’ll see social engineering at play, but Hiroshima certainly learned an important lesson: Take the $50,000 and run!
Read the original post and whole story by Naoki Hiroshima here.
The SEA was back in action this week, targeting the UK sites of two of the world’s biggest websites for a brief period on Saturday. The pro-Assad hackers redirected users from the UK sites for PayPal and eBay to a page showing the Syrian flag rendered in binary code and a nasty message about the US government.
PayPal’s senior director of global initiatives, Anuj Nayar, told Mashable in a statement that “For a brief period today, a very limited number of people visiting certain PayPal and eBay marketing pages in the UK, France and India were redirected. The issue was quickly detected and resolved. No customer data was accessed by these redirects, and no customer accounts were affected.”
The group apparently hacked the sites because neither company has a presence in Syria. “If your PayPal account is down for a few minutes, think about Syrians who were denied online payments for more than 3 years,” was tweeted from the official SEA account. The account was later suspended.
Read more about the SEA Hack here.
This week, legislation was introduced in Congress that aims to create more accountability and demand more transparency when a company suffers a breach. The bill, the Data Security and Breach Notification Act, was introduced by Dianne Feinstein (D-Calif.), John Rockefeller (D-W.Va.) and three other members of Congress.
The bill would require the FTC to issue security standards for companies that hold consumer data, both personal and financial. If a breach occurs, companies would be obligated to notify their affected customers in a timely manner, so that they can take all the necessary next steps in protecting themselves.
“Companies constantly collect personal information about their customers, like credit card information, financial account numbers and passwords. In return, I believe those companies should be responsible for securing this personal information throughout their systems that store this sensitive data,” Senator Rockefeller said. “The recent string of massive data breaches proves companies need to do more to protect their customers. They should be fighting back against hackers who will do whatever it takes to exploit troves of consumer information. Our bill gives consumers the peace of mind that companies are doing everything they can to protect and secure their personal information from criminals.”
We previously wrote about Senator Patrick Leahy, who reintroduced his Personal Data Privacy and Security Act for the fifth time in early January.
Read more about the new bill here.
Yahoo informed its email users on Thursday that a number of usernames and passwords were exposed to hackers during a coordinated attack. In a blog post, Jay Rossiter, Senior VP in charge of platforms and personalization products, wrote that the data was most likely collected from third-party databases that had been stolen using malicious software. The company did not disclose the number of accounts affected or when the attacks had taken place.
In response, Yahoo has begun letting affected users know about the incident and has started using two-step verification in re-securing the hacked accounts. The company is now working with federal law enforcement to fully investigate the incident and prevent it from happening again.
Read more from the Yahoo! blog here.
A ring of cybercriminals stole payment information from at least 49,000 credit and debit cards using a private Trojan called “ChewBacca” before the operation was discovered and shut down. Security research company RSA last week disclosed evidence of online criminals targeting smaller retailers in at least 11 countries worldwide, including the US, Russia, Canada and Australia. The company discovered 119 infected PoS systems across 45 separate retailers, holding information on at least 24 million transactions.
The malware is designed to scrape large chunks of memory from the infected terminals; the scraped data is then collected and dumped into a file. It was built with two data-stealing features: a generic keylogger and a memory scanner specifically designed to target systems that process credit cards, especially PoS systems.
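To make the memory-scanner behaviour concrete from the defender's side, here is an added example (not code from the original post or from RSA's report) that checks whether a captured memory buffer contains plaintext card records: it looks for the track-2 layout and bare Luhn-valid PANs, the same kind of data a PoS scraper harvests, and reports only masked values. The sample dump, the names and the exact patterns are assumptions built for this illustration.

```python
import re

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3,}\?")
# A bare PAN: 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 so the report never re-exposes a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_card_data(buf: bytes) -> list:
    """Return (offset, kind, masked_pan) for each plausible card record in a memory buffer."""
    findings, covered = [], []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(), "track2", mask_pan(pan)))
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue  # digits already reported as part of a track-2 record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(), "pan", mask_pan(pan)))
    return sorted(findings)

# Constructed sample "memory capture": public test card numbers, one Luhn-invalid 16-digit
# number and some surrounding noise. Not real data.
SAMPLE_DUMP = (
    b"\x00\x00log=2014-01-31 txn ok\x00"
    b";4111111111111111=25121011234567890?\x00\x00"  # track-2 record, valid test PAN
    b"ref=1234567812345678\x00"                      # 16 digits but fails Luhn: ignored
    b"\x00PAN:5555555555554444\x00\x00"             # bare valid test PAN
)

if __name__ == "__main__":
    for offset, kind, masked in find_card_data(SAMPLE_DUMP):
        print(f"offset {offset:#06x}: {kind} {masked}")
```

Run against a memory capture of a payment process, a non-empty result means card data sits in RAM unencrypted and is exactly what this class of malware would pick up.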
“The ChewBacca trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” wrote senior RSA security researcher Yotam Gottesman about their findings.
Read more about ChewBacca here.