Growing Number of Phish Kits Bypass MFA

Read Time:1 Minute, 47 Second

Growing Number of Phish Kits Bypass MFA

Phishing kits designed to circumvent multi-factor authentication (MFA) by stealing session cookies are increasingly popular on the cybercrime underground, security researchers at Proofpoint have warned.

After years of prompting by security teams and third-party experts, MFA finally appears to have reached a tipping point of user adoption. Figures from Duo Security cited by Proofpoint in a new blog today claim that 79% of UK and US users deployed some kind of second-factor authentication in 2021 versus 53% in 2019.

However, the threat landscape is changing as a result. Phishing kits offer a cheap-and-easy way for budding cyber-criminals to launch and monetize campaigns.

“In recent years, Proofpoint researchers have observed the emergence of a new type of kit that does not rely on recreating a target website. Instead, these kits use a transparent reverse proxy to present the actual website to the victim,” the firm explained.

“Modern web pages are dynamic and change frequently. Therefore, presenting the actual site instead of a facsimile greatly enhances the illusion an individual is logging in safely. Another advantage of the reverse proxy is that it allows the threat actor to man-in-the-middle (MitM) a session and capture not only the usernames and passwords in real-time, but also the session cookie.”

These cookies can then be used to access a targeted account without needing a username, password or MFA token.

Proofpoint has already noticed an uptick in the availability of such phishing kits and warned that the trend would only increase as MFA becomes more popular. They include “Modlishka,”  “Muraena/Necrobrowser” and “Evilginx2.”

“We are now in 2022, the pandemic still rages, many workers are still working from home and many may not return to the office. As more companies follow Google’s lead and start requiring MFA, threat actors will rapidly move to solutions like these MitM kits,” Proofpoint concluded.

“They are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions.”

Read More

Target releases web skimming detection tool Merry Maker as open source

Read Time:49 Second

Web skimming has been a major scourge for online shops over the past several years with attacks ranging from simple script injections into payment forms to sophisticated compromises of legitimate third-party scripts and services. Sometimes referred to as Magecart attacks, they have become the leading cause of card-not-present (CNP) fraud and have impacted small and big brands alike, as well as different types of ecommerce platforms.

As one of the top online retailers, Target started looking for solutions a few years ago to combat this threat and keep its own customers protected while shopping on its platform. Since there were no ready-made detection tools for such attacks at the time, two of the company’s security engineers decided to develop their own. After being in active use on Target.com for over three years, the company’s client-side scanner has now been released as an open-source project dubbed Merry Maker.

To read this article in full, please click here

Read More

Why buy now, pay later is the next big fraud risk for retailers

Read Time:38 Second

Retailers are offering customers more buy now, pay later (BNPL) finance purchasing options to drive sales across a wide range of products. Shoppers can get instant credit at the point of sale (POS) and then delay or spread payments (often at no extra cost) instead of paying outright at the time of purchase. This can appeal to consumers and has proven to be particularly popular during busy shopping periods such as Black Friday and the holiday season.

However, BNPL is also capturing the attention of online fraudsters. While it is maturing with new providers and products coming to the market, so too are the risks of fraud for retailers as cybercriminals look to exploit the BNPL process.

To read this article in full, please click here

Read More

Apple AirTag and other tagging devices add to CISO worries

Read Time:51 Second

We tag content, devices and our belongings. Tagging is ubiquitous today, in early 2022, but it wasn’t always the case.

Stepping back into history, the late 1990s and early 2000s saw the unsavory side of competitive intelligence in Silicon Valley, with companies having their trash dumpsters siphoned for useful information, pretext calling to elicit inside information, and the wholesale theft of electronic devices. Stories ad infinitum exist of teams finishing an engineering meeting and heading down to Chevy’s for dinner and putting their laptops in the trunk of the vehicle and heading into the eatery, only to find the trunk had been jacked and all the laptops missing. Same at the local sports fields, parents would arrive, throw their bag/device into the trunk only to find it gone when they returned. Such was the frequency both the San Jose and Milpitas police began placing signage in shopping centers reminding individuals to take their belongings with them.

To read this article in full, please click here

Read More

Home Improvement Firm Fined £200k for Nuisance Calls

Read Time:2 Minute, 10 Second

Home Improvement Firm Fined £200k for Nuisance Calls

A Welsh home improvement firm has been fined £200,000 by the UK’s privacy watchdog after making more than half a million nuisance phone calls.

Home2Sense Ltd of Lampeter made 675,478 nuisance calls between June 2020 and March 2021 to offer individuals insulation services, according to the Information Commissioner’s Office (ICO).

However, these people were registered with the Telephone Preference Service (TPS), meaning they had explicitly opted out of receiving unsolicited marketing calls.

According to the UK’s Privacy and Electronic Communications Regulations (PECR), it is illegal to contact anyone registered with the TPS for more than 28 days unless that person has explicitly notified the company that they do not object to receiving such calls.

Among the scores of complaints made to the ICO about Home2Sense’s business practices, one distressed victim said a call center marketer asked to speak to their late mother, who had passed away a decade earlier.

On other calls, the operative posed as a local surveyor and claimed the recipient might be in line for a free grant to replace their loft insulation.

“This is my recently deceased mother’s house that I have just inherited in the past few months. It was extremely upsetting to have someone deliberately cold-call me,” they complained.

The company also illegally used several aliases when presenting themselves to the public, including “Cozy Loft,” “Warmer Homes” and “Comfier Homes.”

Head of ICO regions, Ken Macdonald, argued that the firm’s attempt to blame its staff for failing to screen individuals on the TPS list shows a complete disregard for victims’ privacy.

“Some of the complainants described the calls received as ‘aggressive,’ and the company caused two complainants to feel distressed and upset when they asked to speak to a relative that had passed away,” he added.

“Business owners operating in this field have a duty to have robust procedures and training in place so the law is followed. Attempts to rely on ignorance of the law, or trying to pass the buck onto members of staff or external suppliers, will not be tolerated.”

However, it remains to be seen if Home2Sense ends up paying the full £200,000. Just a quarter (26%) of the monetary value of fines issued by the ICO from January 2020 to September 2021 have been paid, according to a November 2021 report. That’s down from 32% during the previous  report period (January 2019-August 2020).

Fines for nuisance calls were among the most likely to remain unpaid, with nearly 80% yet to be collected.

Read More

Online Thieves Steal $320m from Crypto Firm Wormhole

Read Time:1 Minute, 45 Second

Online Thieves Steal $320m from Crypto Firm Wormhole

Yet another cryptocurrency firm is offering a multimillion-dollar ‘bug bounty’ reward to those who hacked it after suffering a cyber-heist worth an estimated $322m.

Wormhole operates what’s known as a cross-blockchain bridge, enabling holders of certain cryptocurrencies to transfer tokens, data and other assets between siloed blockchains. It offers this service to bridge Ethereum, Solana, BSC, Polygon, Avalanche, Oasis and Terra.

In a brief statement late yesterday, the firm tweeted that its network was down while it investigated a potential exploit.

Then came the news that users were dreading: Wormhole confirmed that attackers stole 120,000 Ethereum tokens worth over $320m.

However, the firm claimed that it would be adding more Ethereum to its platform “over the next hours” to ensure any assets it owns are backed 1:1. The fear is that without this backing, various Solana users and platforms would be helpless.

A security researcher going by the handle “samczsun” on Twitter has a detailed write-up of the attack here, having reverse-engineered the exploit. The hacker exploited a vulnerability on the Wormhole platform, enabling them to pocket new wrapped Ethereum (wETH) without needing to deposit any in return.

WETH is a version of Ethereum designed to be exchanged with other Ethereum-based tokens and has the same value as ETH.

Just like Qubit Finance a few days ago, Wormhole has reached out to its attacker, offering a massive $10m reward for finding the bug.

“We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a white hat agreement, and present you a bug bounty of $10m for exploit details, and returning the wETH you’ve minted,” it said in a message on the Ethereum blockchain.

The audacious cyber-heist makes this easily the biggest theft of cryptocurrency so far this year and the largest such incident targeting cross-blockchain bridges.

In its most recent update, Wormhole claimed the vulnerability had now been patched, and it was working on getting the network back up and running.

Read More

Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution

Read Time:27 Second

Multiple vulnerabilities have been discovered in Cisco Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to execute code on the affected systems. Depending on the privileges associated with the targeted user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users configured to have fewer privileges on the system could be less impacted than those who operate with elevated privileges.

Read More

Privacy in Practice: Securing Your Data in 2022 and Beyond

Read Time:6 Minute, 6 Second

Every year we can count on new technology to make our lives easier. Right? As beneficial and convenient as tech can be, it can also pose risks to our online safety and privacy—risks that we should be prepared to handle. Increasingly, we’re seeing governments around the world implementing stricter privacy laws. And even major players like Google are phasing out invasive tracking technology like cookies. However, when it comes to activities like banking, shopping, taxes, and more, the need for broader online privacy protection has never been greater. Let’s take a look at some prominent trends in the way we now live online and how we can protect our data.  

Web3

Crypto, the blockchain, NFTs, tokens – all of these terms are considered part of what’s being termed Web3. Whereas Web 2.0 described an internet made up of large corporations hosting content and consumers, Web3 is governed by the blockchain. What this means is that applications use a decentralized online ledger to document transactions of all sorts. The most famous example is bitcoin, a blockchain that acts as a digital currency. Another example would be NFTs, which are digital works of art. Web3 may be in its infancy, but it’s important to consider what this means for privacy and data protection. Blockchain affords users anonymity in regards to currencies like bitcoin. Of course that means bitcoin also has a reputation as the currency of choice for money-launderers and other shady enterprises. Still, that means it’s good for privacy, right? Well, maybe. The EU’s GDPR rights to erase or amend data are at odds with transactions on a blockchain, which are essentially unchangeable. So if you’re buying cryptocurrency, NFTs, or interacting with blockchains in other ways, just understand your personal information might be hidden, but the record of your transactions is totally visible. 

Tip: If you’re keeping cryptocurrencies in an online wallet, you’ll want to use an identity protection service to monitor those account credentials so you can be warned of breaches and leaks onto the dark web. 

 Education

Student privacy is a top concern as households turn to remote learning. In a rush to optimize remote learning experiences in the face of a rapidly evolving digital landscape, many educators and remote learners may not realize the hazards that put student privacy at risk. 

Since 2020, schools have adopted a range of technologies to optimize the digital classroom, including virtual learning platforms, holistic learning solutions, and even social media applications. However, many of these digital platforms are not designed for child usage, nor do they have privacy policies in place to ensure that the student data gathered is protected. Many learning platforms may even treat student data as consumer data, raising more red flags regarding student data privacy and compliance. Online learning has also garnered the attention of cybercriminals looking to exploit student data, resulting in online bullying, identity theft, and more. 

For educators and parents alike, knowledge is the greatest asset to mitigating the risks of remote learning. IT teams and educators must understand the implications of the student data they collect, govern access to it, and control its usage to comply with child privacy regulations. Parents can take proper precautions by discussing the importance of privacy with their children. Keeping learning platforms up to date and monitoring their children to prevent them from downloading suspicious apps or straying to unknown websites are all ways to ensure safer remote learning environments. 

Tip: Getting a VPN for the family to use is a great way to safeguard your privacy while your kids are learning online. 

Work

Remote work has become commonplace nowadays as more companies permit their employees to work from home long-term and, for some, permanently. In a recent Fenwick poll among HR, privacy, and security professionals across industries, approximately 90% of employees now handle intellectual property, confidential, and personal information in their homes. Endpoint security, or the protection of end-user devices such as our laptops and mobile devices, poses more of a concern as employees trade in office networks for their in-home Wi-Fi. If these devices and networks are unsecured or if the data is not encrypted, employees run the risk of exposing sensitive information to hackers. Those of us working from home can help ensure the safety of our company’s confidential information by boosting our awareness of security threats and prevention measures via company-mandated security training.  

Tip: McAfee’s Protection Score is a great way to understand how protected you are online and what you can do to stay more secure 

The Metaverse

This buzzy term is being used to describe Meta’s (previously Facebook) vision for a fully connected future. Right now it exists as an AR/VR space accessible through Meta’s own VR hardware, Oculus. However, the terminology has caught on as a catch-all for platforms that may contain work, business, gaming, entertainment, social interactions, and more in one easily navigable, immersive online setting. Web3 features, like blockchain, NFTs, and cryptocurrencies are being touted as integral parts of the metaverse. As exciting and futuristic as this is, there are major privacy questions that will have to be answered. This means that as customers you’ll want to think hard about what you choose to share through the metaverse and look into the privacy settings a platform offers you.  

Tip: Use comprehensive online protection. McAfee Total Protection secures all aspects of your life online. From identity to online connections to antivirus, a full security suite like Total Protection keeps you and your family safer on all the devices you use and places you go online. 

 Personal Finances

Some of the platforms I use the most allow me to keep track of and manage my finances. Whether it’s my mobile banking app or taking advantage of online tax filing, there is such a convenience in having the ability to pay bills, deposit checks, and more, all with the devices I use every day. But many of us may not realize just how much trust we put into these platforms to protect our online privacy, especially when we don’t have a clear picture of who exactly is on the other end of our online transactions. 

While recognizing the signs of online banking and tax-related fraud helps ease the burdens associated with these schemes, there are multiple steps users can take to prevent becoming a victim of these scams in the first place.  

Tip: Full-featured identity protection will protect you financially. Services like McAfee Identity Protection Service include credit checks, identity theft restoration, and even stolen fund restoration as benefits. 

Digital devices are part of how we live our lives every day, whether we’re taking conference calls on our laptops, tracking the latest mile on our smartwatches, or banking on the go. Although our everyday digital devices make our lives that much more convenient, securing them makes our lives that much safer by minimizing online threats to ourselves and those around us. Safeguarding the digital platforms we use for work, school, finances, you name it, is the first step to ensuring our private information remains just that—private. 

The post Privacy in Practice: Securing Your Data in 2022 and Beyond appeared first on McAfee Blog.

Read More

DSA-5066 ruby2.5 – security update

Read Time:12 Second

Several vulnerabilities have been discovered in the interpreter for the
Ruby language and the Rubygems included, which may result in
XML roundtrip attacks, the execution of arbitrary code, information
disclosure, StartTLS stripping in IMAP or denial of service.

Read More

News, Advisories and much more

Exit mobile version