Tag Archives: cyber security

Toyota suffered a data breach compromising sales information of almost 3.1 million customers

  • Hackers breached Toyota’s IT systems and gained unauthorized access to servers that contained sales information of almost 3.1 million customers.
  • The accessed data belongs to several sales subsidiaries such as Toyota Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.

What is the issue – Japanese car manufacturing giant Toyota recently suffered a data breach compromising sales information of almost 3.1 million customers.

It should be noted that this is the second breach that Toyota has suffered in the last five weeks. The first breach impacted its Australia branch, while this incident impacted the company’s main branch in Japan.

What happened

Toyota revealed that hackers breached its IT systems and gained unauthorized access to servers that contained sales information of almost 3.1 million customers. However, no financial information was stored on the servers.

The accessed data belongs to several sales subsidiaries such as Toyota Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.

What actions were taken?

  • The car manufacturing company is conducting investigations on the incident.
  • Toyota is planning to implement information security measures in order to avoid such incidents from happening in the future.

“We apologize to everyone who has been using Toyota and Lexus vehicles for the great concern. We take this situation seriously, and will thoroughly implement information security measures at dealers and the entire Toyota Group,” a Toyota spokesperson told the press.

Worth noting – On the same day that Toyota Japan announced its data breach, Toyota Vietnam also disclosed a similar cyber-security incident. However, details on the incident remain unclear.

Business Email Compromise (BEC) Scams: A deep insight into how attackers leverage social engineering tricks to perform BEC scams

Business Email Compromise (BEC) is a type of scam that targets corporate companies that pay bills via wire transfers. BEC scammers targeting employees of corporate companies mostly impersonate the company’s CEO or senior executives. These scammers use social engineering techniques to trick employees into sending funds directly to the scammers.

Types of BEC Scams

According to the FBI, there are five types of BEC scams:

  • Bogus Invoice Scheme – This scheme is also known as the ‘Supplier Swindle’ and ‘Invoice Modification Scheme’. This scheme often targets companies with suppliers abroad. These scammers impersonate the suppliers and request payment via wire transfer to an account controlled by the scammers.
  • CEO Fraud – In this type of scam, attackers compromise the CEO’s or a senior executive’s email account and use it to send emails to employees requesting a money transfer to an account controlled by the attackers.
  • Account Compromise – Scammers compromise targeted employees’ email accounts and send emails to multiple vendors requesting payment via wire transfer to the scammers’ accounts.
  • Attorney Impersonation – In this case, scammers impersonate lawyers who are in charge of confidential matters and request payment from victims.
  • Data Theft – In this scam type, attackers target employees’ PII, social security numbers and tax statements, which are then used in other attack campaigns.

Examples of BEC scams

Example 1 – BEC scam targeting employees’ paycheck

In January 2019, BEC scammers targeted employees’ paychecks. These scammers sent spoofed emails to the HR department impersonating the employees and requesting that HR change their direct deposit information, diverting the monthly salary paycheck to a fake account controlled by the scammers.

Example 2 – BEC scammers exploiting a Gmail feature

In February 2019, Business Email Compromise (BEC) scammers were exploiting a Gmail feature ‘Dot accounts’ to perform various fraudulent activities such as filing for fake tax returns, filing for fake unemployment benefits, and more.

Gmail’s ‘Dot accounts’ is a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. Scammers were taking advantage of this feature and creating multiple email accounts to perform various fraudulent activities.

For example, scammers leveraged this feature to trick Netflix account owners into adding card details to scammers’ accounts.
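Because Gmail ignores dots in the local part, a fraud team that counts accounts by the literal address string will see one mailbox as many customers. The following canonicalization routine is an added example (not code from the original post or from Google) that collapses such variants so duplicate signups can be flagged; it also strips Gmail’s plus-tag suffix, which is a related Gmail behaviour not discussed above. The domain list and the sample signups are constructed for the example.

```python
from typing import Dict, List

# Domains for which Gmail's dot-insensitive rule applies (assumption: only these two).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample signup list; four of these reach the same Gmail inbox.
SIGNUPS = [
    "john.smith@gmail.com",
    "j.o.h.n.smith@gmail.com",
    "johnsmith+netflix@gmail.com",
    "JohnSmith@googlemail.com",
    "john.smith@example.com",   # not Gmail: dots are significant here
    "jane.doe@gmail.com",
]


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail addresses, dots in the local part are ignored and anything after
    a '+' is a tag, so every such variant lands in one inbox.  For other domains
    we only lower-case, because the dot rule is specific to Gmail.
    """
    local, _, domain = address.strip().rpartition("@")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"          # googlemail.com aliases gmail.com
    return f"{local}@{domain}"


def group_by_mailbox(addresses: List[str]) -> Dict[str, List[str]]:
    """Group raw addresses by the canonical mailbox they resolve to."""
    groups: Dict[str, List[str]] = {}
    for raw in addresses:
        groups.setdefault(canonical_mailbox(raw), []).append(raw)
    return groups


def flag_duplicates(addresses: List[str]) -> Dict[str, List[str]]:
    """Return only the mailboxes that were registered more than once."""
    return {k: v for k, v in group_by_mailbox(addresses).items() if len(v) > 1}


if __name__ == "__main__":
    for mailbox, variants in flag_duplicates(SIGNUPS).items():
        print(f"{mailbox} registered {len(variants)} times: {variants}")
```

Keying rate limits, free-trial counters and card-linking checks on the canonical form rather than the raw string removes the multiplier the scammers relied on, without affecting non-Gmail users.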

BEC scammers switching to mobile

Recently, researchers noted that scammers are adopting SMS as a communication platform for BEC attacks, since mobile devices make these attacks easier to carry out. To do this, the scammers use temporary US-based phone numbers and services such as Google Voice, which let them run multiple attacks from the same US number.

How to stay protected?

  • It is always best to use two-factor authentication when logging in to your email accounts.
  • To stay protected from such attacks, it is important for organizations to train their employees on how to react to emails or SMS messages that request any sort of financial task.
  • It is always best to verify the sender’s email address and to confirm the request directly with the sender, in person or via a phone call.
  • Experts recommend that users never open emails or attachments that come from anonymous senders.
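The “verify the sender’s address” advice can be partly automated at the mail gateway. The triage function below is an added example (not code from the original post) that scores an inbound message on the BEC indicators the article describes: an executive’s display name paired with a non-corporate address, a Reply-To that diverts replies elsewhere, a lookalike of the company domain, and payment-related wording. The executive directory, the corporate domain and both sample messages are constructed placeholders.

```python
from email.utils import parseaddr
from typing import Dict, List

# Constructed directory: lower-cased display name -> the only legitimate address.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane roe": "jane.roe@example-corp.com"}
PAYMENT_WORDS = ("wire", "transfer", "invoice", "direct deposit", "urgent")

# Constructed sample messages (headers as a dict, body as text).
SAMPLE_PHISH = (
    {"From": "Jane Roe <jane.roe@examp1e-corp.com>",   # '1' for 'l' lookalike
     "Reply-To": "ceo.office@gmail.com"},
    "Please process an urgent wire transfer to our new supplier today.",
)
SAMPLE_LEGIT = (
    {"From": "Jane Roe <jane.roe@example-corp.com>"},
    "Can we move Thursday's planning meeting to 3pm?",
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(headers: Dict[str, str], body: str) -> List[str]:
    """Return the list of BEC red flags present in one message."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. Executive's display name, but not the address we know for them.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("executive display name with unexpected address")

    # 2. Reply-To silently redirects the conversation away from the From address.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append("Reply-To differs from From")

    # 3. Domain within two edits of ours, but not ours.
    if domain != CORPORATE_DOMAIN and 0 < edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")

    # 4. The message is asking for money to move.
    if any(word in body.lower() for word in PAYMENT_WORDS):
        findings.append("payment-related request")
    return findings


if __name__ == "__main__":
    for label, (hdrs, text) in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(hdrs, text))
```

A message that trips the name-mismatch or lookalike check together with payment wording is a good candidate for quarantine and an out-of-band phone confirmation, which is the manual step the list above recommends.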

TrickBot Creators Collaborate With BokBot to Conduct Man-in-the-Middle Attacks

Security researchers warned that the cybercriminals behind the two banking Trojans are now collaborating to perform man-in-the-middle (MitM) attacks.

On March 17, Crowdstrike discovered a BokBot proxy module called shadDll in conjunction with TrickBot. The code for the two banking Trojans is 81 percent similar, the researchers said, which means the proxy module can be seamlessly integrated into TrickBot’s extensible, modular framework. It’s possible the two threat groups have been collaborating on an ongoing basis, the researchers added.

Adding New Features Through Threat Group Collaboration

After infecting a machine by duping victims into installing malware via phishing messages, TrickBot can use the shadDll module to access networking functions and install illegitimate secure socket layer (SSL) certificates. At this point, it can do many of the things BokBot can do, including intercepting web traffic and redirecting it, taking screenshots to steal personal information, and injecting other malicious code.

The researchers have attributed the BokBot Trojan to a cybercriminal group called Lunar Spider, while TrickBot is believed to have been created by a group called Wizard Spider. TrickBot, which first emerged in late 2016, has proven highly versatile in attacking financial services firms, and Wizard Spider may include members of the group that developed the earlier Dyre malware, according to Crowdstrike.

How to Stay Ahead of TrickBot’s Tricks

The “IBM X-Force Threat Intelligence Index” for 2019 identified TrickBot as the most prevalent financial malware family of last year, representing 13 percent of all campaign activity. This was in part due to the ability of various threat actors to make use of the Trojan’s variants. For example, the report showed that IcedID distributed TrickBot within its own botnet in a 2018 campaign. However, experts noted that proper security controls, regular user education and planned incident response can help keep this threat at bay.

X-Force researchers also discovered that TrickBot has been used to steal cryptocurrency, and distribution of the BokBot module may make it even more popular. Organizations should employ advanced malware protection to receive alerts for high-risk devices and notifications when malware has been detected to ensure this cooperation among cybercriminals doesn’t lead to even deadlier attacks.

Man drives 3,300 miles to talk to YouTube about deleted video

On Sunday, police in Mountain View, California, where Google is headquartered, arrested a man who drove more than 3,300 miles from Maine to discuss what he thought was the company’s removal of his YouTube account and the one video he’d posted – one about getting rich quick.

It was not, in fact, deleted by YouTube. It turns out, his wife deleted it, concerned as she was about her husband’s mental state. She told BuzzFeed News that the video, created by 33-year-old Kyle Long, was “rambling” and “bizarre.”

According to a press release from the Mountain View police department (MVPD), Iowa State Patrol on Friday gave them a heads-up about Long’s journey. Iowa police spoke to Long twice that day: once when he got into a collision (without injuries) and then again after he vandalized a restroom at a gas station store a short time later.

Employees at the gas station store didn’t want to press charges, and the collision didn’t warrant Long’s detention, so Iowa police let him go.

Three baseball bats and a serious need to chat

Then, on Sunday, the MVPD got another heads-up. This one came from police in Long’s hometown of Waterville, Maine. Waterville police told MV police that they’d been tipped off about Long having made it to California. They’d also gotten a tip that he intended to resort to physical violence if his meeting with Google execs didn’t go well.

MVPD began to look into the matter … and kept an eye out for Long’s arrival. Officers were stationed in and around the Googleplex, and monitored all the major highways around the city in order to intercept Long before he could set foot on Google’s main campus.

On Sunday afternoon, around 1pm, they spotted Long’s car. When they stopped him, they found three baseball bats.

Legislation Introduced in California to Strengthen Data Breach Notification Law

California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) unveiled AB 1130, legislation to strengthen California’s data breach notification law to protect consumers. The bill closes a loophole in the state’s existing data breach notification law by requiring businesses to notify consumers of compromised passport numbers and biometric information.

“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” said Attorney General Becerra. “We are grateful to Assemblymember Levine for introducing this bill to improve our state’s data breach notification law and better protect the personal data of California consumers. AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”

“There is a real danger when our personal information is not protected by those we trust,” said Assemblymember Levine. “Businesses must do more to protect personal data, and I am proud to stand with Attorney General Becerra in demanding greater disclosure by a company when a data breach has occurred. AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation.”

In 2003, California became the first state to pass a data breach notification law requiring companies to disclose breaches of personal information to California consumers whose personal information was, or was reasonably believed to have been, acquired by an unauthorized person. This personal information includes identifiers such as a person’s social security number, driver’s license number, credit card number, and medical and health insurance information. This bill would update that law to include passport numbers as personal information protected under the statute. Passport numbers are unique, government-issued, static identifiers of a person, which makes them valuable to criminals seeking to create or build fake profiles and commit sophisticated identity theft and fraud. AB 1130 would also update the statute to include protection for a person’s unique biometric information, such as a fingerprint, or image of a retina or iris.

The legislation was prompted by the massive data breach of the guest database at Starwood Hotels — recently acquired by Marriott — in 2018. Marriott revealed that the massive breach exposed more than 327 million records containing guests’ names, addresses, and more than 25 million passport numbers, among other things. Though the company did notify consumers of the breach, current law does not require companies to report breaches if only consumers’ passport numbers have been improperly accessed.

Microsoft Edge secretly whitelisted sites running Flash Player for Facebook

Facebook has found itself involved in another controversy, this time a cybersecurity researcher has revealed Microsoft Edge allows Flash Player content to be played on Facebook without notifying the user.

Google Project Zero’s Ivan Fratric came across what is essentially a secret whitelist and reported it on November 26, 2018 and waited the usual 90 days before making his discovery public. In this case, the public disclosure came after Microsoft addressed the issue, CVE-2019-0641, with its February Patch Tuesday rollout. The domains on the list were enabled to play Flash content on Facebook.

What Fratric came across was the binary file C:\Windows\system32\edgehtmlpluginpolicy.bin. This contains the default whitelist of at least 58 domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge on Windows 10, he wrote.

The sites that had been whitelisted range from music.microsoft.com to the gaming site www.poptropica.com to www.vudu.com along with two Facebook URLs https://www.facebook.com and https://apps.facebook.com. Post update the list has been whittled down to include only the two Facebook domains.

“The most common permission flag value (1) indicates that the site is allowed to load Flash content if: the Flash content is hosted on the same domain *OR* The element containing Flash is larger than 398×298 pixels as can be seen in FlashClickToRunHelper::DetermineControlAction,” he said.

Fratric pointed out the security issues involved with the secret whitelist. An XSS vulnerability on any of the listed domains would allow bypassing the click2play policy, and several of these sites did contain unpatched XSS vulnerabilities. The list also contained plain-HTTP sites, which would allow a man-in-the-middle attacker to bypass the click2play policy.

The overall danger contained in such whitelists was pointed out by Mike Bittner, digital security and operations manager at The Media Trust.

“Block/blacklists and allow/whitelists can outlive their usefulness within seconds. As soon as new malware surfaces — and 285,000 new ones are created every day — a blocklist’s utility takes a dive. It’s important to continuously update such lists not only to keep pace with attacks but also to ensure their accuracy so that harmless, legitimate sites aren’t needlessly blocked,” he said.

Adobe announced in July 2017 it will end support for Flash in 2020. The application receives a steady stream of security updates and has been banned from many browsers.

Google Play announces 2019 malicious app crackdown

Google Play announced it will continue its crackdown on malicious apps into 2019 by focusing more on user privacy, developer integrity and harmful app contents and behavior.

Google said it plans to introduce additional policies for device permissions and user data throughout the year, according to a Feb. 13 blog post.

“In addition to identifying and stopping bad apps from entering the Play Store, our Google Play Protect system now scans over 50 billion apps on users’ devices each day to make sure apps installed on the device aren’t behaving in harmful ways,” Google said in the post.

“With such protection, apps from Google Play are eight times less likely to harm a user’s device than Android apps from other sources.”

Google also said it will set out to increase developer integrity. The firm said that because 80 percent of severe policy violations are conducted by repeat offenders, it will focus on better screening for those who get booted off and then create new accounts to continue uploading their malicious content.

In addition, Google said it would work to enhance its capabilities to counter adversarial behavior, and strive relentlessly to provide users with a secure and safe app store.


Remote Code Execution Vulnerability: What is it and how to stay protected from it?

  • Remote Code Execution (RCE) Vulnerability could allow an attacker to gain full control of a victim’s infected machine.
  • An attacker gaining access to a victim’s machine exploiting the RCE vulnerability can execute system commands, write, modify, delete or read files, and can connect to databases.

Remote code execution vulnerability allows an attacker to gain access to a victim’s machine and make changes, irrespective of where the machine is geographically located. This vulnerability can lead to a full compromise of the infected machine.

RCE vulnerabilities can provide an attacker with the ability to execute malicious code and take complete control of an infected system with the privileges of the victim running the application.

After gaining access to the system, attackers will often attempt to elevate their privileges. Once the attacker remotely executes malicious code on a vulnerable system and gains access to the infected system, he can execute system commands, write, modify, delete or read files, and can connect to databases.

Example of RCE Vulnerability

One example of a Remote Code Execution vulnerability is the CVE-2018-8248 vulnerability, also known as the ‘Microsoft Excel Remote Code Execution Vulnerability’. This vulnerability could allow an attacker to run malware on a vulnerable computer.

An attacker exploiting this vulnerability could take full control of the victim’s machine when the victim logs on to the machine with administrative user privileges. Once the system is compromised, the attacker could view, modify or delete data, install programs, as well as create new accounts with full user privileges.

According to Microsoft, there are two delivery methods by which the CVE-2018-8248 vulnerability can be exploited:

  • One delivery method could be in the form of a phishing email with a Microsoft Excel attachment that contains a specially crafted malicious file.
  • Another method is via web-based attack, where an attacker could host a compromised website that accepts or hosts user-provided content containing a malicious file designed to exploit the CVE-2018-8248 vulnerability.

In both scenarios, the malicious email and the web-based attack, the attacker has to persuade users to click on the attachment or a link to open the malicious file. This vulnerability has been fixed by Microsoft.

How to protect your computer from RCE Vulnerability?

  • The best way to protect a computer from a remote code execution vulnerability is to fix the loopholes that could allow an attacker to gain access.
  • To protect a computer from such vulnerabilities, users must periodically update their software and keep their system up to date.
  • If your organization runs servers with software that is vulnerable to remote code execution, the latest software security patch should be applied.
  • Moreover, it is best to automate server patching in order to prevent remote code execution attacks.
  • It is recommended not to open any file or attachment from an anonymous sender.
  • Another good option is to avoid functions such as eval and not to allow anyone to edit the content of files that might be parsed by the respective languages.
  • In order to protect a computer from RCE, you should not allow a user to decide the names and extensions of files.
  • To prevent RCE, you should sanitize user input and should never pass user-controlled input into evaluation functions or callbacks.
  • It is also recommended not to blacklist special characters or function names.
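Three of the items above (avoid eval, keep user input out of evaluation functions, and let the server choose file names and extensions) are shown together in the added example below. It is illustrative code written for this page, not from any product the article mentions. The vulnerable calculator passes user text straight to `eval`; the hardened one parses the text into an AST and accepts only arithmetic nodes, so anything else (calls, attribute access, names) is rejected rather than blacklisted character by character. The allowed extension set and upload-id scheme are assumptions.

```python
import ast
import operator
import os

# --- vulnerable form: user-controlled text reaches eval() ------------------
def calc_unsafe(expr: str):
    """Evaluates any Python expression the caller supplies (do not use)."""
    return eval(expr)


# --- hardened form: parse, then allow only an explicit set of node types ----
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def calc_safe(expr: str) -> float:
    """Evaluate an arithmetic expression without eval().

    Everything not listed below (function calls, attribute access, names,
    strings, comparisons, ...) raises ValueError.  This is an allowlist of
    syntax, not a blacklist of dangerous words.
    """
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
            return _UNARY[type(node.op)](ev(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)


# --- file naming: the server, not the user, decides name and extension -----
ALLOWED_EXT = {".png", ".jpg", ".pdf"}          # assumption: image/PDF uploads only


def safe_upload_name(user_filename: str, upload_id: str) -> str:
    """Keep only an allowlisted extension; discard the user-supplied name."""
    ext = os.path.splitext(user_filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return f"upload_{upload_id}{ext}"


if __name__ == "__main__":
    print(calc_safe("2 * (3 + 4)"))                 # arithmetic still works
    try:
        calc_safe("__import__('math').pi")          # a call: rejected
    except ValueError as exc:
        print("rejected:", exc)
    print(safe_upload_name("../../report.PDF", "42"))
```

The point of the AST approach is that the dangerous construct is never reached: `calc_unsafe` happily evaluates `__import__('math').pi`, whereas `calc_safe` refuses it at the first `Call` node without needing a list of forbidden names.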