The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.

New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that “certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)”

“We are taking this matter seriously and promptly commenced an investigation,” Dash continued. “We engaged industry-leading experts to assist us with the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.”

In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.

“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” the sparse alert reads. “We will provide updates as more information becomes available.”

Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company’s code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets in the cloud.

Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisent customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers.

It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards.

The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time — sometimes indefinitely. And depending on which service we’re talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials.

Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they’ve previously entrusted to Sisense.

Earlier today, a public relations firm working with Sisense reached out to learn if KrebsOnSecurity planned to publish any further updates on their breach (KrebsOnSecurity posted a screenshot of the CISO’s customer email to both LinkedIn and Mastodon on Wednesday evening). The PR rep said Sisense wanted to make sure they had an opportunity to comment before the story ran.

But when confronted with the details shared by my sources, Sisense apparently changed its mind.

“After consulting with Sisense, they have told me that they don’t wish to respond,” the PR rep said in an emailed reply.

Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis, said a company entrusted with so many sensitive logins should absolutely be encrypting that information.

“If they are hosting customer data on a third-party system like Amazon, it better damn well be encrypted,” Weaver said. “If they are telling people to rest credentials, that means it was not encrypted. So mistake number one is leaving Amazon credentials in your Git archive. Mistake number two is using S3 without using encryption on top of it. The former is bad but forgivable, but the latter given their business is unforgivable.”

Read More

In a world where digital communication dominates, the art of scamming has evolved into a sophisticated game of deception. A recent story in The Cut featured a seasoned personal finance journalist falling prey to an Amazon scam call and being duped out of a staggering $50,000. The story serves as a stark reminder that anyone, regardless of their expertise or background, can become a victim of vishing. Short for “voice phishing,” vishing is a form of cybercrime where scammers use phone calls to deceive individuals into revealing personal or financial information. 

Contrary to common belief, it’s not just the elderly or technologically naive who fall victim to such schemes. One national survey found that only 15% of Gen Z and 20% of millennials express concern about falling victim to financial fraud. However, the Federal Trade Commission paints a different picture, indicating that younger adults are over four times more likely to report losing money to fraud than older adults. This dissonance highlights the need for heightened awareness and education across all age groups. 

Types of vishing 

Vishing is a form of fraud that exploits the trust we place in phone calls. It operates through various strategies, all aimed at tricking victims. For example, wardialing involves automated systems dialing phone numbers to find vulnerable targets. VoIP, or Voice over Internet Protocol, allows scammers to make calls over the internet, often making it harder to trace them.  

Caller ID spoofing is another tactic where scammers manipulate the caller ID to display a trusted or familiar number, tricking recipients into answering. These techniques create a false sense of legitimacy, making it difficult for individuals to distinguish between real and fraudulent calls.  

Why vishing has gotten more effective  

Vishing exploits trust and naivety to obtain sensitive information or conduct unauthorized transactions. Humans have always been vulnerable to scams, but the abundance of personal data available on the dark web, obtained from various data breaches and leaks, has significantly heightened the threat. For example, LinkedIn experienced a data breach in 2021 that exposed data from 700 million users on a dark web forum. 

A data breach like that presents scammers with a treasure trove of details about potential victims, enabling them to personalize their attacks with alarming precision. By incorporating specific details gleaned from these data sources, scammers can craft convincing narratives and establish a false sense of trust and credibility with their targets. Consequently, even individuals who exercise caution in safeguarding their personal information may find themselves vulnerable to vishing scams.  

How to mitigate the threat 

As a result, individuals must remain vigilant and adopt comprehensive security practices. Familiarizing oneself with the telltale signs of a scam call is the first line of defense. Be wary of:  

Unsolicited calls: Be cautious of unexpected phone calls, especially if they request personal or financial information. 
Requests for sensitive information: Legitimate organizations typically don’t ask for sensitive information like Social Security numbers, passwords, or bank account details over the phone. 
Pressure tactics: Scammers often create a sense of urgency or fear to prompt immediate action, such as claiming your account is in danger or you’ll face legal consequences. 
Caller ID inconsistencies: If the caller ID seems suspicious or doesn’t match the organization they claim to represent, it could be a sign of spoofing.  
Unusual requests or offers: Be suspicious of unusual requests, such as asking you to pay fees upfront to claim a prize or offering unsolicited services or products. 

If an unsolicited call seems suspicious, hang up the phone. Verify the caller’s legitimacy through independent channels, such as contacting the organization directly using a trusted phone number. In addition to recognizing signs of scam calls, implementing call-blocking technologies or screening unknown numbers can reduce exposure to potential scams. McAfee Mobile Security’s call blocker feature can be employed to diminish the volume of incoming calls. 

The alarming reality is that vishing knows no bounds and can affect any age or demographic. The unfortunate ordeal of the seasoned journalist losing $50,000 serves as a sobering reminder of the perils lurking behind seemingly innocuous phone calls. Vishing demands vigilance and awareness. Security software and apps can significantly increase the overall security of your phone by detecting and preventing various threats, such as malware, phishing attempts, and unauthorized access to sensitive information. 

By adopting proactive measures, we can fortify our defenses against vishing scams and safeguard our financial well-being. Stay informed, stay vigilant, and stay protected. 

The post A Finance Journalist Fell Victim to a $50K Vishing Scam – Are You Also at Risk? appeared first on McAfee Blog.

Read More

The revision points out companies like NSO Group, known for surveillance tools like Pegasus

Read More