Hack strikes Words with Friends and Draw Something, amid claims 218 million players’ details breached

Players of the popular Words with Friends and Draw Something smartphone games are being advised to change their passwords following what sounds like a security breach at game developer Zynga.

Zynga, which also develops other hit games such as FarmVille and Mafia Wars, posted an advisory earlier this month that the account login details of “certain players” of Draw Something and Words with Friends “may have been accessed”, and shared links with information about how players could change their passwords.

Zynga said that it did not believe any financial information had been accessed, and said that it had informed law enforcement agencies of the security breach. What it did not share, however, was any indication of the scale of a breach involving some of the world’s most popular smartphone games.

However, a report published yesterday by The Hacker News suggests that simply suggesting (as Zynga did) that “certain players” are affected may be underplaying the scale of the breach.

Pakistani hacker Gnosticplayers told The Hacker News that he managed to extract 218 million records from Zynga’s servers.

According to the hacker, details stolen included:

  • names
  • email addresses
  • usernames
  • hashed passwords, SHA1 with salt
  • phone numbers
  • Facebook IDs (if linked)
  • password reset tokens (if previously requested)

If you are, or ever have been, a player of Words with Friends or Draw Something my advice would be to change your password and ensure that you are not reusing that same password anywhere else online.
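Why "SHA1 with salt" in the list above is not reassuring, and why the password-reuse advice matters: a salt stops attackers reusing precomputed tables across users, but each guess still costs one SHA-1 call, so a leaked table falls to an ordinary dictionary attack. The script below is an added example, not Zynga's code; Zynga has not published its exact hash layout, so it assumes sha1(salt || password). The accounts, salts and wordlist are constructed, and a memory-hard scrypt variant is included for contrast.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Tuple

# Added example, not Zynga's code. Zynga has not published its exact hashing layout;
# this assumes sha1(salt || password), the usual meaning of "SHA1 with salt".
HashFn = Callable[[bytes, str], str]


def salted_sha1(salt: bytes, password: str) -> str:
    """One SHA-1 call per guess: the salt defeats precomputed tables, not brute force."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def scrypt_hash(salt: bytes, password: str) -> str:
    """Memory-hard alternative: every guess costs about 16 MiB of RAM and tens of ms."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32).hex()


def verify(hash_fn: HashFn, salt: bytes, password: str, stored_hex: str) -> bool:
    """Constant-time comparison so the login path itself leaks nothing about the hash."""
    return hmac.compare_digest(hash_fn(salt, password), stored_hex)


def make_dump(accounts: Dict[str, str], hash_fn: HashFn) -> List[Tuple[str, bytes, str]]:
    """Constructed stand-in for a leaked table: (username, per-user salt, hex hash)."""
    dump = []
    for user, password in accounts.items():
        salt = os.urandom(8)
        dump.append((user, salt, hash_fn(salt, password)))
    return dump


def crack_dump(dump: List[Tuple[str, bytes, str]], wordlist: List[str],
               hash_fn: HashFn) -> Dict[str, str]:
    """Offline dictionary attack. A per-user salt means every (user, guess) pair is
    hashed separately, which is cheap with SHA-1 and expensive with scrypt."""
    recovered: Dict[str, str] = {}
    for user, salt, stored in dump:
        for guess in wordlist:
            if hmac.compare_digest(hash_fn(salt, guess), stored):
                recovered[user] = guess
                break
    return recovered


def guesses_per_second(hash_fn: HashFn, guesses: int = 50) -> float:
    """Rough single-core guess rate; GPU rigs multiply the SHA-1 figure by orders of magnitude."""
    salt = b"\x00" * 8
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(salt, "guess%d" % i)
    return guesses / max(time.perf_counter() - start, 1e-9)


# Constructed test accounts (not real Zynga users). The third uses a random-looking
# passphrase that no wordlist will contain.
SAMPLE_ACCOUNTS = {
    "alice_wwf": "letmein",
    "bob_draws": "password1",
    "carol_ds": "J7#kq!Zp2vLw",
}

# A tiny stand-in for the multi-gigabyte wordlists attackers actually use.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1",
            "iloveyou", "welcome", "drawsomething"]


if __name__ == "__main__":
    sha1_dump = make_dump(SAMPLE_ACCOUNTS, salted_sha1)
    print("salted SHA-1 recovered:", crack_dump(sha1_dump, WORDLIST, salted_sha1))
    print("salted SHA-1 guesses/s: %.0f" % guesses_per_second(salted_sha1))
    print("scrypt guesses/s:       %.1f" % guesses_per_second(scrypt_hash, guesses=10))
```

The two weak accounts are recovered on the first pass; the strong passphrase survives only because it is not in the wordlist, which is exactly why "change it and do not reuse it" is the right advice even when hashes were salted.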

You can find instructions for changing your Words with Friends password here.

You can find instructions for changing your Draw Something password here.

If you have no intention of playing the games ever again you might go one step further and request that Zynga deletes your gaming account and personal data (requests can take up to 30 days).

According to Zynga, players who connected to Draw Something via Facebook Login do not need to take any further action at this time.

Polish retailer gets €645,000 fine under GDPR for “insufficient organizational and technical safeguards”

An online retailer in Poland has received a hefty fine under the General Data Protection Regulation (GDPR) after failing to protect the data collected from 2.2 million customers through the company’s nine websites.

The General Data Protection Regulation, which came into force across the European Union in May 2018, makes organizations accountable for how they collect and process their customers’ personal data. It does not prescribe a particular set of technical tools or processes, but it does require organizations to put in place appropriate technical and organizational measures, a minimum standard every data controller must meet. For Polish retailer Morele.net, this was sadly not the case.

Morele.net reportedly became aware of a breach on its systems in November 2018, when customers reported receiving SMS messages demanding additional payments to complete an order. The SMS scam contained a link to a fake electronic payment gateway controlled by the hackers.

While Morele.net took steps to remedy the situation following the breach, Poland’s Personal Data Protection Office (UODO) this week decided to fine the company PLN 2.8 million (about €645,000) for “insufficient organizational and technical safeguards”.

The President of UODO stated that Morele.net, “by not using sufficient technical means of data protection, violated, among others specified in art. 5 paragraph 1 letter f GDPR, the principle of confidentiality.”

According to itgovernance.eu, for most of the affected customers, the leaked data included names, telephone numbers, email addresses and delivery addresses. Of the 2.2 million customers affected, 35,000 had additional information leaked, including their payment instalment information (including Personal ID number), education, source of income and net income, household maintenance costs and marital status, according to the report.

Since mid-2019, data protection authorities across the EU have switched from an educative stance to a more corrective one, dealing the first large fines under the regulation. Among the highest penalties announced this year are those against British Airways (around €205 million), hotel chain Marriott (around €111 million) and Google (€50 million).

World of Warcraft’s suspected DDoS attacker has been arrested


Blizzard, the developer of World of Warcraft Classic, has revealed that a person suspected of orchestrating a disruptive Distributed Denial of Service (DDoS) attack against the game’s servers has been arrested.

In a Blizzard forum post, community manager Kaivax told players that the suspected perpetrator had been identified and arrested.

“Immediately after the Distributed Denial of Service attacks against our game service began, the Blizzard Security Team worked around the clock with local and international law enforcement agencies to track down the source of the DDoS. It is our understanding that, within a few days, authorities were able to successfully identify and arrest a suspect.”

Blizzard shared no details related to the identity of the person arrested, or which country they were based in.

What we do know, however, is that Blizzard’s customer service team confirmed that its servers were under attack on September 7th, trying the patience of some players who found themselves unexpectedly disconnected from the game and unable to reconnect.

Overwatch was also reportedly affected by the DDoS attack, with some users being booted out of games and finding themselves unable to log back in.

At the time, a Twitter account calling itself UKDrillas claimed responsibility for the attack against Blizzard as well as a DDoS attack which briefly overloaded Wikipedia. Prior to Twitter disabling its account, UKDrillas posted a series of tweets bragging about its attacks.

Clues left by UKDrillas – and they go beyond the fact they have “UK” in their account handle – strongly suggest that whoever was behind the account (and thus likely to be responsible for the DDoS attacks) is based in the United Kingdom.

If Blizzard is right and police have arrested the person responsible for the DDoS attacks against World of Warcraft Classic then I certainly wouldn’t want to be wearing the suspect’s shoes.

Many DDoS attacks are not particularly sophisticated, and can be perpetrated by maliciously-minded gamers showing off to their buddies with relative ease. But the financial damage and inconvenience caused by a DDoS attack can be considerable, and in the past has sometimes resulted in the perpetrators being imprisoned for multiple years.

You may think it’s easy to do. You may think it’s funny. You may think it’s unlikely that you will ever be identified and brought to justice. But, if you are caught and found guilty, there’s a chance that the sentence you receive will cast a shadow over the rest of your life.

You will have plenty of time to consider whether it was really worth it. Don’t do it.

Ransom notes shoot out of school printers but district denies hackers their prize

Ransomware operators have breached yet another school district in the United States, demanding ransom to unlock the district’s data. But this time, the district was prepared.

Ransom notes started shooting out of printers in the Ava School District in the State of Missouri earlier this week, reports local news station KY3. When IT staff realized it was under ransomware attack, they immediately took the network offline. While some data got encrypted, the district was well prepared to recover.

“Ava uses encrypted data, stores information on off-site servers and has a good backup system, so the district’s financial, employee and student information was never threatened,” according to the report.

Superintendent Dr. Jason Dial told reporters he doesn’t think the hackers got hold of the district’s data. However, district employees have enlisted the help of an unnamed cybersecurity company “to ensure that no important information was stolen during the hack.”

“It could have been a lot worse,” Dial said. “We still got compromised.”

Asked if the district would have paid the ransom had recovery been impossible, the Superintendent said, “We would not have done that. We’re not in that business.”

The school district also has insurance covering cyber-attacks.

“We found some holes. We’re in the middle of fixing those. We knew some were there, that we were in the middle of fixing anyway. So we feel really comfortable about moving forward,” Dial added.

The attack on Ava is the latest in a long string of ransomware infections across government and educational institutions in the United States this year. So far in 2019, ransomware operators (quite possibly the same groups) have breached some 70 public-sector organizations in the country.

Ava officials wouldn’t say what ransomware strain was used in the attack, but many of the US organizations targeted this year were infected with Ryuk, a ransomware strain specifically used to target enterprise environments and critical infrastructure.

How to get away with hacking a US satellite

By now we’re used to the idea of software companies running bug bounty initiatives which hand out thousands of dollars in prizes to independent researchers who find and responsibly disclose security holes.

But, as Wired reports, it’s not just technology companies who are recognising the advantages of having white hat hackers test their systems.

The US Air Force is said to be so happy with how a group of non-military researchers uncovered serious vulnerabilities in an F-15 fighter jet system at the DEF CON hacking conference in Las Vegas, that it is promising to run a similar competition next year that will probe the security of orbiting satellites.

The objective? To see if they can hijack control of an orbiting satellite and turn its camera from staring at Earth to point at the moon instead.

Of course, the Air Force isn’t going to open the door for any Tom, Dmitry or Harry to try to hack one of its satellites or ground stations.

Instead I imagine it will invite applications from vulnerability researchers who agree to its terms, and then whittle down the group to those who they feel have the best chances of success and won’t get up to any monkey business with an expensive piece of space hardware!

In other words, the Air Force will require participating hackers to be pre-registered and approved to take part, and my guess is that they are unlikely to look favourably on applications which come from certain parts of the world… sorry Syrian and North Korean hackers, you’re unlikely to be invited.

I also doubt they will be interested in signing you up if you’re unwilling to undergo a background check to see if you’ve been a wrong ‘un in the past.

So what has motivated the US Air Force to launch a hacking challenge that is likely to grab the media’s attention?

I think the reason is simple. Many of the components used on a satellite and its associated ground station may come from small specialist companies, which may not have enough resources to adequately check that their technology would withstand a determined state-sponsored hacking attempt originating from the likes of China, Russia, or North Korea.

As Wired explains, once the Air Force learns about the common security issues impacting third-party parts it can begin to build stronger security requirements into its contracts, hardening the supply chain.

Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics, says it’s important for the US military to recognise the value that external vulnerability researchers can bring to the table, ensuring that the security of a system is tested before it is exploited by a malicious attacker.

“We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s,” says Roper. “We have a very closed model. We presume that if we build things behind closed doors and no one touches them, they’ll be secure. That might be true to some degree in an analog world. But in the increasingly digital world, everything has software in it.”

A series of bug bounty challenges have been created by the US Department of Defense since “Hack the Pentagon” was launched back in 2016. These include “Hack the Army”, “Hack the Air Force”, “Hack the Defense Travel System”, and “Hack the Marine Corps.”

In all, more than 5,000 vulnerabilities have been reported in government systems through these initiatives, showing that the approach is a win-win for both vulnerability researchers and the US Department of Defense.

The “Hack the Air Force” bug bounty, for instance, paid out over US $130,000 to hackers after over 120 vulnerabilities were found in just a one-month period last year.

I believe it’s a positive thing to see the US Air Force bringing outside experts in to see how easy it is to hack an orbiting satellite. It’s always going to be better having someone friendly testing your systems than waiting for a malicious attacker to find the serious security hole on your orbiting satellite.

Police raids after data on most of Ecuador’s citizens leaks online

It’s bad enough when a company suffers a data leak that exposes the personal information of its customers. But things can be even worse when the business suffering the breach was storing detailed information about potentially the entire population of a country.

Researchers at vpnMentor report that they were able to access data on a Miami-based Elasticsearch server that was not protected by a password.
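The check behind that finding is simple, and worth running against your own clusters: an Elasticsearch node with no authentication answers GET / with its cluster name and version, and then lets an anonymous caller list every index and document count. The script below is an added example, not vpnMentor’s tooling; the hostname, cluster name, index names and document counts are constructed so it runs offline, and it should only be pointed at hosts you are authorised to test (it issues two read-only requests and changes nothing).

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Added example, not vpnMentor's tooling. Run it only against hosts you are
# authorised to test; it issues two read-only GET requests and changes nothing.
Fetch = Callable[[str], Tuple[int, bytes]]  # (HTTP status, response body)


def http_fetch(url: str) -> Tuple[int, bytes]:
    """Default transport: plain urllib, no credentials, short timeout."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def assess_elasticsearch(base_url: str, fetch: Fetch = http_fetch) -> Dict:
    """Classify an endpoint as 'auth_required', 'not_elasticsearch' or 'open'.

    An open cluster answers GET / with its cluster name and version and lets an
    anonymous caller enumerate indices and document counts via /_cat/indices,
    which is how an unprotected server gives up the shape of its contents.
    """
    root = base_url.rstrip("/")
    status, body = fetch(root + "/")
    if status in (401, 403):
        return {"state": "auth_required", "indices": []}
    try:
        info = json.loads(body)
    except ValueError:
        return {"state": "not_elasticsearch", "indices": []}
    if status != 200 or not isinstance(info, dict) \
            or "cluster_name" not in info or "version" not in info:
        return {"state": "not_elasticsearch", "indices": []}

    indices: List[Tuple[str, int]] = []
    status, body = fetch(root + "/_cat/indices?format=json")
    if status == 200:
        # The cat API returns one object per index with string fields such as "docs.count".
        for row in json.loads(body):
            indices.append((row.get("index", "?"), int(row.get("docs.count") or 0)))
    return {
        "state": "open",
        "cluster": info["cluster_name"],
        "version": info["version"].get("number"),
        "indices": indices,
    }


def total_documents(report: Dict) -> int:
    """Sum of document counts across listed indices (0 unless the cluster is open)."""
    return sum(count for _, count in report["indices"])


# Constructed responses standing in for a live server so the checker runs offline.
# Shapes follow the Elasticsearch REST API; names and counts are made up.
FAKE_OPEN = {
    "/": (200, json.dumps({"cluster_name": "demo-cluster",
                           "version": {"number": "6.8.2"}}).encode()),
    "/_cat/indices?format=json": (200, json.dumps([
        {"index": "citizens", "docs.count": "20000000"},
        {"index": "vehicles", "docs.count": "1500000"},
    ]).encode()),
}
FAKE_LOCKED = {"/": (401, b'{"error":"missing authentication credentials"}')}


def fake_fetch(responses: Dict[str, Tuple[int, bytes]]) -> Fetch:
    """Build a transport that serves the constructed responses keyed by URL path."""
    def fetch(url: str) -> Tuple[int, bytes]:
        path = url[len("http://example.invalid:9200"):]
        return responses.get(path, (404, b"{}"))
    return fetch


if __name__ == "__main__":
    report = assess_elasticsearch("http://example.invalid:9200", fake_fetch(FAKE_OPEN))
    print(report["state"], total_documents(report), "documents readable without a password")
```

Swap in the default `http_fetch` transport to test a real host. A result of `open` on anything reachable from the internet means the fix is not a firewall rule alone: bind the node to a private interface and enable authentication, then re-run the check.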

The server, which the researchers say appeared to belong to Ecuadorian consultancy firm Novaestrat, contained details of more than 20 million citizens in the South American country of Ecuador.

As Ecuador only has a population of some 16 million people, it’s likely that some of the records are duplicates or relate to individuals who have since died.

Information exposed in the breach includes individuals’:

  • full name
  • gender
  • date and place of birth
  • home address
  • email address
  • phone number
  • marital status
  • date of marriage
  • level of education
  • date of death (where applicable)
  • family tree information
  • national ID card number

Over 6.7 million database entries relate to children under the age of 18.

In addition, sensitive information contained in the exposed databases includes car registration details, employer information, and millions of financial records and bank balances, and even the branch where accounts were opened.

According to the researchers, the data appears to have been sourced from the Ecuadorian government, automotive association AEADE (Asociación de Empresas Automotrices del Ecuador) and Ecuadorian national bank BIESS.

Such information, if it fell into the hands of criminals, could clearly be exploited for fraud on a massive scale. It’s easy to imagine, for instance, how individuals exposed by the breach could be targeted by scammers via email and telephone – using the leaked data to make the communications appear more legitimate.

To the amusement of some, victims of the breach include Wikileaks founder Julian Assange, who spent seven years hiding from British police in Ecuador’s embassy in London until his detention earlier this year.

Whatever you might think of Assange and the practices of Wikileaks, he doesn’t deserve to have his personal information exposed on the internet any more than anyone else.

Although the leaking Elasticsearch server was closed soon after vpnMentor’s researchers got in contact, that’s naturally not enough to allay concern in Ecuador about the damage which might already have been done.

On Monday, police in Ecuador raided the home of one of Novaestrat’s directors, seizing computer equipment and taking him in for questioning.

Telecoms minister Andres Michelena posted on Twitter that if it was confirmed that Novaestrat staff violated the personal privacy of Ecuadorians, “it is a criminal offense that must be punished.”

This incident underlines once again that even if you do everything in your power to keep your personal information safe and secure, you are powerless to do anything other than hope that companies are doing a good enough job to protect your data. And sometimes the organisations which end up leaking your data may be ones you have never heard of, and never realised were storing your sensitive information without your knowledge.

WhatsApp ‘Delete for Everyone’ feature potentially puts user privacy at risk

WhatsApp’s “Delete for Everyone” feature, meant to allow people to delete files they accidentally sent, works differently on iPhones than it does on Android phones, a researcher has warned. This discrepancy could place senders’ privacy at risk by leaving some media files undeleted on recipients’ iPhones.

WhatsApp has a vast install base of 1.5 billion users in over 180 countries. Most WhatsApp customers use the service daily, including for group chats with friends, family members or co-workers. Such a popular service is subject to scrutiny from privacy activists and cybersecurity researchers.

Most recently, researcher Shitesh Sachan has raised a red flag regarding WhatsApp’s functionality – specifically, a discrepancy surrounding the “Delete for Everyone” feature on iPhones (iOS) and Android devices. According to Sachan, the feature doesn’t delete media files sent to iPhones of users who have the “Save to Camera Roll” setting on. While the message containing the deleted file does disappear for everyone in the group chat, regardless of platform, if any iPhones in the group chat have “Save to Camera Roll” set to On, the files stay with the recipients.

On Android, WhatsApp behaves differently even with the identical configuration. If a user accidentally sends a file to a group, deleting it for everyone also deletes the actual file saved to the Android recipient’s photo gallery.

The difference in behavior between the two platforms could put users at risk. For example, Android users accustomed to the app’s standard functionality might not know that their iPhone counterparts could still have the accidentally-sent file stored locally on their devices.

WhatsApp disagrees with the researcher that this is a privacy or security issue.

As reported by The Hacker News, when Sachan reported the issue to the company, a spokesperson allegedly replied:

“The functionality provided via ‘Delete for Everyone’ is intended to delete the message and there is no guarantee that the media (or message) will be permanently deleted—the implementation focuses around the message presence in WhatsApp.”

If you have any of these 24 Android apps installed, delete them now!

Security researchers are sounding the alarm over 24 Android apps laced with a stealthy trojan that signs you up for a costly subscription without your permission. If you’ve downloaded any of the 24 apps, delete them now and check your bank statements for any suspicious activity!

Hiding within the advertisement frameworks and not exposing too much of its malicious code out in the open, the Joker is a stealthy piece of malware that made its way onto Google Play as early as June.

The malware leeches money out of its victims by signing them up for premium subscription services through automated clicks behind ad banners, security researcher Aleksejs Kuprins warns. The Joker even copies the authorization code sent to the user via SMS and steals the user’s entire address book.

As reported by TechCrunch, so far, these 24 apps are known to be laced with the Joker Trojan:

  • Advocate Wallpaper
  • Age Face
  • Altar Message
  • Antivirus Security – Security Scan
  • Beach Camera
  • Board picture editing
  • Certain Wallpaper
  • Climate SMS
  • Collate Face Scanner
  • Cute Camera
  • Dazzle Wallpaper
  • Declare Message
  • Display Camera
  • Great VPN
  • Humour Camera
  • Ignite Clean
  • Leaf Face Scanner
  • Mini Camera
  • Print Plant scan
  • Rapid Face Scanner
  • Reward Clean
  • Ruddy SMS
  • Soby Camera
  • Spark Wallpaper

Google quickly removed them from the Play Store, so there’s no danger of downloading one of these apps from there again. However, there is no guarantee that other apps have not been infected in the same way. Also, if one of these apps is still on your phone, delete it pronto, and check your bank statement for any subscriptions you haven’t personally signed up for.

For those interested, Kuprins has an in-depth analysis of the Joker and how it works.

Bitdefender Mobile Security for Android detects Joker and all its variants as Android.Trojan.Downloader.TL and blocks it.

As a rule of thumb, always keep close tabs on the permissions an app requests when downloading apps from the Google Play store. Stay safe out there!

Ransomware cripples Internet and phone lines at Rockford Public Schools District

A ransomware attack on Rockford Public Schools (RPS) District 205 in the State of Illinois has downed school systems, including phone lines, the district said in a letter to staff and parents. The outage will likely last “several more days” as IT staff wrestle with the infection.

“The electronic and digital systems outage districtwide will continue this week and could last several days,” the letter says. “The outage was triggered by ransomware, and we’re working with our Information Technology team and an outside computer forensics firm to restore access.”

RPS won’t say what ransomware strain was used in the attack, nor will it say how much the attackers demanded in ransom to decrypt school systems, whether the district paid, or how the attack occurred.

However, RPS does confirm that its access to the Internet has been severed and that phone access at its schools has been intermittent. Because of this, management has been rerouting any downed phone lines to working lines so parents and guardians can still contact their children’s schools.

“Our No. 1 priority is the safety of our students and staff,” the letter continues. “This includes protecting staff and students’ data and information. We have field experts helping our IT team evaluate the impact of this outage. We are working to get a complete picture of this incident and understand any impact to our data. We will provide additional updates and information when they’re available.”

The RPS incident is the latest in a long string of ransomware attacks on school systems across the United States as the new school year is just starting. In the wake of these attacks, some parents and legal guardians have expressed deep concern that taxpayer money is being used to pay attackers for decryption keys. In a study conducted by Morning Consult on behalf of IBM, more than 60% of respondents said they would prefer their city avoid paying ransom and instead bear the recovery costs, even if they’re higher.

Cybercriminals count on human interaction in 99% of attacks, research shows

Cybercrooks exploit human flaws in about 99% of their attacks, using social engineering across email, cloud applications and social media to gain a foothold in a targeted infrastructure, new research shows. Almost all cyber-attacks begin with luring employees into clicking on malicious content.

Cybercriminals target mainly people, rather than systems, to install malware, steal data or initiate fraudulent transactions, according to Proofpoint’s 2019 Human Factor report.

“Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” says Proofpoint’s chief of threat operations.

More than 99% of threats require human interaction to execute, such as enabling a macro, opening a file, following a link, or opening a malicious document. This means social engineering plays a crucial role in a successful attack.

Nearly 1 in 4 phishing emails sent in 2018 were associated with Microsoft products, and the top phishing lures focused on credential theft, creating feedback loops, lateral movement and internal phishing.

Hackers are refining tools and techniques, while the top malware families over the past 18 months have consistently included banking Trojans, information stealers, RATs, and malware designed to remain undetected on infected devices and exfiltrate data to help in future attacks.

Other findings include:

  • Imposters mimic business routines to evade detection (message delivery closely mirrors legitimate organizational email traffic patterns)
  • Malware actors are less likely to follow expected email traffic (e.g. campaigns that began on Sundays)
  • Click times show significant geographic differences, reflecting differences in work culture and email habits between major global regions
  • Education, finance and advertising/marketing topped the industries with the highest average Attack Index
  • The Chalbhai phish kit was the third-most-popular lure in the first half of 2019
  • The most effective phishing lures in 2018 were dominated by “Brainfood,” a diet and brain enhancement affiliate scam that harvests credit cards, which had click rates of over 1.6 clicks per message, indicating that attackers also leverage human insecurity with great success

The results underscore the importance of conducting thorough cybersecurity audits as well as staff training, as employees remain the weakest link in targeted cyber threats.
