Credit Card Details of 3 Million Dickey’s BBQ Customers Up for Sale on Dark Web Marketplace

Bad actors are selling access to 3 million Dickey’s Barbecue Pit customer credit cards, cyber-security researchers disclosed earlier this week.

On October 12, the dark web marketplace known as Joker’s Stash uploaded a collection of millions of compromised credit cards, most of them belonging to US-based customers.

According to Gemini Advisory researchers who analyzed the dump, the cards appear to have originated from compromised point-of-sale (POS) systems used at Dickey’s restaurants.

A Gemini analysis indicates that 156 out of 456 current Dickey’s Barbecue Pit locations were compromised in the breach. The affected locations span 30 states, “with the highest exposure in California and Arizona.”

“Gemini sources have also determined that the payment transactions were processed via the outdated magstripe method, which is prone to malware attacks,” the report said. “It remains unclear if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured; either of these possibilities may hold serious liability for Dickey’s.”
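The reason a magstripe transaction is “prone to malware attacks” is that a swipe leaves the card’s ISO/IEC 7813 Track 2 string (full PAN, expiry, service code) in cleartext in the payment application’s memory, which is exactly what RAM-scraping POS malware pattern-matches for. The scanner below is an added example, not code from Gemini Advisory or from the Dickey’s investigation: it is the same Track 2 regex plus a Luhn check that an incident responder would run over a memory dump from a POS terminal to confirm exposure. The `SAMPLE_DUMP` bytes are constructed with industry test PANs, not data from any breach, and the 20xx century assumption on the expiry year is an assumption of this example.

```python
import re

# ISO/IEC 7813 Track 2: ';' start sentinel, PAN (13-19 digits), '=' separator,
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel.
# A bytes pattern so it can run directly over a raw memory image.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check-digit test."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if idx % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six (BIN) and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(blob: bytes) -> list:
    """Find plausible Track 2 records in a memory image or file dump.

    Luhn-invalid PANs and impossible expiry months are dropped to cut the
    false positives that raw digit matching produces on binary data.
    """
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan, yy, mm, service, _disc = (g.decode("ascii") for g in m.groups())
        if not luhn_valid(pan) or not 1 <= int(mm) <= 12:
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"20{yy}-{mm}",   # assumes a 20xx expiry year
            "service_code": service,
        })
    return hits


# Constructed sample "memory dump" (not from any real terminal or breach): two
# well-known test PANs in valid Track 2 records, one Luhn-invalid record and
# one with an impossible month, surrounded by unrelated bytes.
SAMPLE_DUMP = (
    b"\x00\x00POS_TX_BUFFER\x00"
    b";4111111111111111=25121011234567890123?"       # valid Visa test PAN, exp 2025-12
    b"\x01\x02garbage;4111111111111112=2512101000?"  # fails Luhn -> dropped
    b";5500000000000004=24131010000000000?"          # month 13 -> dropped
    b"\xff;5500000000000004=2403201000000?\x00"      # valid Mastercard test PAN
)

if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_DUMP):
        print(hit)
```

Run it against a process dump of the payment application: any hit means unencrypted card data is reachable by anything that can read that process’s memory, regardless of whether the terminal is EMV-capable. The Luhn filter is what separates a usable scanner from a noisy one; without it, almost any run of digits around a `;` and `=` in a binary file matches.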

Gemini also places the exposure window between July 2019 and August 2020, giving cybercriminals more than a year to harvest payment records.

While Dickey’s has yet to release an official report, the company said it has started an investigation with the FBI.

“We received a report indicating that a payment card security incident may have occurred,” Dickey’s said. “We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway.

“We are currently focused on determining the locations affected and time frames involved,” the company added. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks.”

Zoom Is Finally Testing Full End-to-End Encryption

Zoom finally announced that it’s starting to roll out end-to-end encryption (E2EE) for all users, marking a significant change in the security posture of one of the most popular video-conferencing apps.

The Zoom platform has had its share of problems amid its rise to fame during the coronavirus pandemic. Because the company let anyone join and host meetings on a free account, the number of people on the platform increased substantially.

This had an unintended side effect: security researchers started to scrutinize the platform. They found numerous vulnerabilities and discovered that the company was not encrypting conversations end-to-end as it claimed, or at least not in the industry-standard sense of the term.

“Zoom’s end-to-end encryption (E2EE) offering will be available as a technical preview, which means we’re proactively soliciting feedback from users for the first 30 days,” said Max Krohn, head of security engineering at the company. “Zoom users – free and paid – around the world can host up to 200 participants in an E2EE meeting on Zoom, providing increased privacy and security for your Zoom sessions.”

For now the feature is an opt-in technical preview that meeting hosts must enable, but E2EE should make its way to the general public as a standard offering soon.

Zoom has made some progress in recent months, dealing with everything from malicious users barging into open meetings and abusing participants to severe zero-day vulnerabilities, some of which threat actors exploited in the wild.

Beware COVID-19 Charity Fraudsters, Warns the FBI

Scammers have no qualms about exploiting the pandemic to steal from the unwary

Don’t just look out for yourself, warn vulnerable friends and family of scams too

From the as-if-you-didn’t-have-enough-to-worry-about-in-2020 department, the FBI has warned that scammers are attempting to defraud the public by exploiting the COVID-19 pandemic.

Scams can, of course, arrive via all manner of routes – face-to-face on the doorstep, via phone calls or text messages – but it’s even easier for fraudsters to target a larger pool of victims by making their initial contact via email or social media.

And with so many people more reliant than ever on the internet for staying in touch with friends, family, and work colleagues, there’s danger that more people than ever before are being exposed to the risk of being scammed.

And what better lure might there be than exploiting an individual’s anxiety about the coronavirus? Or plucking on heartstrings through an emotional appeal to help others who might have had their lives turned upside down by the pandemic?

As early as April 2020, the UK’s National Cyber Security Centre (NCSC) revealed that in just a one-month period it had taken down more than 2,000 online scams related to the coronavirus pandemic.

That statistic included hundreds of fake online shops fraudulently offering masks, hand sanitiser and other items. In addition, 555 malicious coronavirus-related webpages had been found that were designed to distribute malware, along with 200 phishing pages attempting to steal passwords, payment card details and other personal information.

And, most common of all, over 800 advance-fee frauds, which promised large windfalls in return for an upfront payment.

Here’s an example of one Covid-19 charity scam, first spotted by Bitdefender’s Liviu Arsene earlier this year:

Part of the email reads:

Help rush life-saving medical care to families an [sic] children in China, neighboring countries and beyond. Your girt [sic] will ensure that these vulnerable individuals receive coronavirus vaccines to the medical services they desperately need.

The email goes on to ask for a Bitcoin payment to be made to “contribute towards this noble cause.”

There’s an easy way to help you and your loved ones spot the tell-tale signs that something may be a scam: apply the SCAM test:

S – seems to be too good to be true.

C – contacted out of the blue.

A – asked for personal details.

M – money is requested.

To be honest, I’m not too worried about you falling for one of the Coronavirus-related charity scams. You’re reading the Hot for Security blog, so you’re already demonstrating much more security savviness than the typical internet user.

But you may have vulnerable friends and family who could be tricked by a convincing scammer to donate money, or hand over personal information, in the belief that they were doing good or going to benefit personally.

For their sake, get clued up about the scam techniques used by fraudsters and help educate them to spot threats for themselves.

Because sick-minded scammers themselves have no qualms about taking advantage of the most vulnerable, and exploiting the biggest global health crisis of our lifetime.

For more tips on how to protect yourself against scams and charity fraud, check out the tips from the FBI.

Law Firm Seyfarth Shaw Hit by Apparent Ransomware Attack

Seyfarth Shaw fell victim to a crippling malware attack over the weekend, the global law firm disclosed earlier this week.

According to an official statement, unauthorized activity was detected by the company’s monitoring systems on Saturday.

“On Saturday, October 10, 2020, Seyfarth was the victim of a sophisticated and aggressive malware attack that appears to be ransomware,” the company said. “We understand that a number of other entities were simultaneously hit with this same attack. Our monitoring systems detected the unauthorized activity, and our IT team acted quickly to prevent its spread and protect our systems.”

Although Seyfarth stressed that it found no evidence that client or internal data was removed or accessed, many computer systems were encrypted, forcing the IT team to “shut them down as a precautionary measure.”

The latest update suggests the company has not been able to bring its systems back online. However, it is coordinating with the FBI to track down the culprits.

“Our team continues to work around the clock to resolve this incident,” Seyfarth said on October 13. “As reported earlier, we have found no evidence that any of our client or firm data was accessed or removed.”

Headquartered in Chicago, Illinois, the Am Law 100 firm serves more than 300 of the Fortune 500 companies with a roster of over 900 lawyers spread across 18 offices worldwide.

Barnes & Noble Cyberattack May Have Exposed Personal Information of Shoppers

Barnes & Noble has fallen victim to a cyberattack, which resulted in unauthorized access to company networks and exposure of customer information, the bookstore giant disclosed earlier this week.

The attack also affected the entire NOOK system, and customers still can’t sync recent purchases to their e-readers or access e-book content on their devices.

The systems outage began on October 10, and customers quickly turned to social media platforms inquiring about the sudden disappearance of their NOOK library.

“Hey, what gives? My app updated and now the 3 books I paid for have still not come in for days, there’s no updated info on the website,” one customer said in a tweet.

Unfortunately, NOOK servers are still down, and the bookseller has yet to say when the issue will be fixed.

“We are continuing to experience a systems failure that is interrupting NOOK content,” reads an alert posted by the company. “We are working urgently to get all NOOK services back to full operation.”

The attack did more than cripple Barnes & Noble’s corporate network. According to a notice sent to customers, the security incident may have exposed shoppers’ email addresses, billing and shipping addresses, and telephone numbers.

“Firstly, to reassure you, there has been no compromise of payment card or other such financial data,” the email reads. “These are encrypted and tokenized and not accessible. The systems impacted, however, did contain your email address and, if supplied by you, your billing and shipping address and telephone number.”

Although there is not enough evidence to suggest data exfiltration at this time, the possibility cannot be ruled out. If confirmed, the attackers could also have viewed customer transaction history, such as purchases made from the Barnes & Noble online store.

Until further notice, shoppers are advised to be wary of unsolicited emails, since exposed names, addresses and purchase histories are exactly what a convincing phishing email needs. The company expects NOOK to be fully operational once its systems are back online.

“We expect NOOK to be fully operational shortly and will post an update once systems are restored. Thank you for your patience,” reads the latest update from October 14.

Norway Accuses Russia of Cyber Attack on Parliament

Norway this week said it has reason to believe Russia was behind an August cyber attack targeting the email system of the country’s parliament, according to an AFP report.

In August, Norway announced hackers had gained access to some lawmakers’ emails. The country now believes Russian actors were behind the hack. The foreign ministry did not specify what information prompted its conclusion, but it is confident enough in the attribution that it urged businesses to follow national cyber-security guidelines, AFP reports.

“Based on the information the government has, it is our view that Russia is responsible for these activities,” foreign minister Ine Eriksen Søreide said in a statement.

“This is a very serious incident, affecting our most important democratic institution,” she added.

Norway’s government made similar accusations in 2017, when the country’s Labour Party said Russian actors had conducted covert intelligence activities against it and the parliament. That activity was believed to be in line with the hacking of the Democratic National Committee the year before, which US intelligence agencies pinned on the Kremlin.

COVID-19-Related Emails Remain Prevalent in Phishing Campaigns

Coronavirus-related email subjects continue to dominate phishing campaigns and remain the primary lure, according to KnowBe4’s third-quarter report on top-clicked phishing subjects, with half of the subject lines that fooled users referencing the COVID-19 pandemic.

Phishing campaigns are a primary attack vector for cybercriminals looking to steal personal information or infect devices with malware. The pandemic proved to be a gold mine for these criminals, as people’s thirst for information on the subject grows from one day to the next.

“Covering the entire third quarter, simulated phishing tests with a message related to the coronavirus were the most popular, with a total of 50%,” states the report. “Social media messages are another area of concern when it comes to phishing, and LinkedIn phishing messages dominate as the top social media email subject to watch out for, holding the number one spot at 47%.”

Of course, remote working also offers fertile ground for phishing campaigns, as people let their guard down at home and don’t watch out for emails that mimic official ones from colleagues or the IT department.

KnowBe4 also compiled a top 10 of the email subjects most clicked in its simulations, and many of them clearly target employees rather than consumers:

  • Microsoft: View your Microsoft 365 Business Basic invoice
  • HR: Pandemic Policy Update
  • IT: Remote Access Infrastructure
  • Facebook: Account Warning
  • Check your passport expiration date
  • TeleMed Appointment Reminder
  • Twitter: Confirm your identity
  • Apple: Take part in our iPhone 12 trial and enter for the chance to win a FREE iPhone12
  • Exchange ActiveSync service disabled for [[email]]
  • HR: Benefit Report

Of course, people working from home should always be cautious when opening emails that appear to come from inside the company. If an email looks suspicious, report it to the IT department immediately so that, if it proves to be fake, others are warned before they open it.

CISA and FBI Observed APT Groups Targeting State Networks Related to US Election Systems

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued an advisory after spotting advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities combined with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon.

Less than a month before the November 3 elections in the United States, the two agencies detected APT actors exploiting known vulnerabilities to attack federal and state, local, tribal and territorial (SLTT) government networks. The agencies said there was no indication the targets were chosen because of their proximity to election information, but warned that election data housed on these networks could still be at risk.

So far, CISA has no evidence that the integrity of election data has been compromised, but the agency has observed some instances where this activity resulted in unauthorized access to election support systems.

“CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks,” states the advisory. “To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505. While these exploits have been observed recently, this activity is ongoing and still unfolding.”

These initial-access flaws are chained with the recent critical Netlogon vulnerability, tracked as CVE-2020-1472, which lets an attacker who has reached the internal network take over a domain controller and, with it, all Active Directory (AD) identity services. Once those credentials are in hand, the actors use legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to move through the environment.

The first step for any private or public entity is to ensure that all of these vulnerabilities are patched, the domain controllers first. Second, if defenders observe any activity related to CVE-2020-1472, they should assume APT actors have already compromised AD administrative accounts and respond accordingly, including resetting the affected credentials.
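One concrete way to act on that second point: Microsoft’s August 2020 update for CVE-2020-1472 makes domain controllers write Netlogon events 5827, 5828 and 5829 to the System log whenever a client attempts a secure channel without secure RPC (5827/5828 mean the connection was denied, 5829 means it was still allowed). The triage script below is an added example, not code from the CISA/FBI advisory or from Microsoft: it summarizes those events per machine account so a defender can see which devices still form vulnerable channels. The `SAMPLE_EXPORT` text is a constructed `EventID|Provider|Description` export and the account names in it are hypothetical; the field labels follow the wording of the real event descriptions.

```python
import re
from collections import defaultdict

# Netlogon event IDs added to the System log by the August 2020 CVE-2020-1472 update.
NETLOGON_EVENTS = {
    5827: "denied vulnerable Netlogon secure channel (machine account)",
    5828: "denied vulnerable Netlogon secure channel (trust account)",
    5829: "ALLOWED vulnerable Netlogon secure channel (machine account)",
}

# Field labels as they appear in the 5827/5828/5829 event description text.
ACCOUNT_RE = re.compile(r"Machine SamAccountName:\s*(\S+)")
DOMAIN_RE = re.compile(r"Domain:\s*(\S+)")

# Constructed sample export (hypothetical hosts, not real logs): one line per
# event in the form EventID|Provider|Description.
SAMPLE_EXPORT = """\
5829|NETLOGON|The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: LEGACY-PRINT$ Domain: CORP Account Type: Workstation Trust Account
4624|Microsoft-Windows-Security-Auditing|An account was successfully logged on.
5829|NETLOGON|The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: WKS-042$ Domain: CORP Account Type: Workstation Trust Account
5827|NETLOGON|The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: WKS-042$ Domain: CORP Account Type: Workstation Trust Account
5829|NETLOGON|The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: LEGACY-PRINT$ Domain: CORP Account Type: Workstation Trust Account
"""


def parse_export(text: str) -> list:
    """Parse 'EventID|Provider|Description' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, provider, description = line.split("|", 2)
        events.append({"id": int(event_id), "provider": provider, "description": description})
    return events


def triage_netlogon(events: list) -> dict:
    """Group Netlogon 5827/5828/5829 events per machine account.

    Returns {account: {"allowed": n, "denied": n, "domain": d}} so the reviewer
    sees at a glance which devices still negotiate vulnerable secure channels.
    """
    summary = defaultdict(lambda: {"allowed": 0, "denied": 0, "domain": None})
    for ev in events:
        if ev["provider"] != "NETLOGON" or ev["id"] not in NETLOGON_EVENTS:
            continue
        acct = ACCOUNT_RE.search(ev["description"])
        if not acct:
            continue
        entry = summary[acct.group(1)]
        dom = DOMAIN_RE.search(ev["description"])
        if dom:
            entry["domain"] = dom.group(1)
        if ev["id"] == 5829:
            entry["allowed"] += 1      # connected without secure RPC and was let in
        else:
            entry["denied"] += 1       # blocked by the DC
    return dict(summary)


def still_vulnerable(summary: dict) -> list:
    """Accounts that were ALLOWED a vulnerable channel: enforcement is not yet protecting them."""
    return sorted(acct for acct, s in summary.items() if s["allowed"] > 0)


if __name__ == "__main__":
    report = triage_netlogon(parse_export(SAMPLE_EXPORT))
    for acct, s in report.items():
        print(f"{s['domain']}\\{acct}: allowed={s['allowed']} denied={s['denied']}")
    print("still vulnerable:", still_vulnerable(report))
```

Two caveats matter when reading the output. First, these events only exist on domain controllers that have the August 2020 (or later) update installed; an unpatched DC logs nothing, so an empty result there is not reassurance. Second, every account in the `still_vulnerable` list is either a legacy device that needs fixing or an explicit exclusion, or a name you do not recognize, and the latter should be treated as the compromise the advisory describes.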

This campaign is still ongoing and will likely keep causing problems as long as CVE-2020-1472 remains exploitable on unpatched domain controllers.

Morgan Stanley Receives $60 Million Fine for Improper Handling of Customer Data

Morgan Stanley investment bank must pay a whopping $60 million fine for failing to properly decommission multiple business data centers that stored sensitive customer information, the Office of the Comptroller of the Currency (OCC) announced earlier this month.

According to a civil penalty consent order, the failures began in 2016 with the retirement of two data centers, and similar shortcomings recurred in 2019, when the bank failed to properly dispose of customer data stored on computer servers at a local branch.

“In 2016, the Bank failed to exercise proper oversight of the decommissioning of two Wealth Management business data centers located in the US,” the OCC said.

“In connection with the decommissioning, the Bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third-party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices. The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance.”

A $5 million class-action lawsuit on behalf of about 100 customers was also filed against the bank earlier this year.

The lawsuit claims Morgan Stanley failed to secure and safeguard personally identifiable information on previously decommissioned company-owned equipment. It further alleges that the bank does not know the whereabouts of the retired equipment, which stored unencrypted customer data such as Social Security numbers, passport numbers, addresses, telephone numbers, email addresses, account numbers, dates of birth, income, asset value and holding information.

“Plaintiff brings this class action against Morgan Stanley for its failure to properly secure and safeguard personal identifiable information,” a class action complaint reads. “Plaintiff also alleges Defendant failed to provide timely, accurate, and adequate notice to Plaintiff and similarly situated Morgan Stanley current and former customers (“Class Members”) that their PII had been lost and precisely what types of information was unencrypted and in the possession of unknown third parties.”

Data breaches don’t necessarily stem from a malicious actor or an intrusion on a company network. Although data mismanagement is often blamed on IT errors, employee behavior and the carelessness of third-party vendors are just as often responsible for exposing data.

Security Researchers Awarded over $250,000 for Reporting 55 Vulnerabilities in Apple’s Bug Bounty Program

A comprehensive three-month analysis of Apple’s online services has netted a team of security researchers a $288,500 reward for reporting critical vulnerabilities through Apple’s bug bounty program.

In total, the researchers disclosed 55 vulnerabilities, including 11 flagged critical, 29 high, 13 medium and two low in severity.

If exploited, these vulnerabilities “would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account,” the researchers said.

Some flaws could even give bad actors the means to take over employees’ sessions, allowing access to management tools or sensitive resources.

As their report suggests, the iPhone manufacturer was highly responsive, fixing some critical bugs in just a couple of hours.

“Overall, Apple was very responsive to our reports. The turnaround for our more critical reports was only four hours between time of submission and time of remediation,” the researchers added.

The critical bugs flagged by security researchers include:

• Remote Code Execution via Authorization and Authentication Bypass
• Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
• Command Injection via Unsanitized Filename Argument
• Remote Code Execution via Leaked Secret and Exposed Administrator Tool
• Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
• Vertica SQL Injection via Unsanitized Input Parameter
• Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
• Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account (a second, distinct issue with the same impact)
• Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
• Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
• Server Side PhantomJS Execution allows an attacker to Access Internal Resources and Retrieve AWS IAM Keys

One of the critical bugs was found in the Apple Distinguished Educators website (“ade.apple.com”). The flaw could have let attackers access the administrator console and execute arbitrary code by bypassing authentication using a hidden default password.

A separate critical flaw could allow bad actors to steal iCloud data such as photos, calendar information and documents through a modified email address.

“There is a mail app on both iOS and Mac which is installed by default on the products,” the report reads.

“The mail service is hosted on ’www.icloud.com‘ alongside all of the other services like file and document storage. This meant, from an attacker’s perspective, that any cross-site scripting vulnerability would allow an attacker to retrieve whatever information they wanted to from the iCloud service. We began to look for any cross-site scripting issues at this point.”
