More stories

    Fraudsters employ Amazon ‘vishing’ attacks in fake order scams

    Researchers have highlighted tactics used by fraudsters today in voice-based phishing campaigns. 

    Phishing attempts involve fraudulent messages sent over email, social media networks, SMS, and other text-based platforms. They may appear to come from your bank or from popular online services such as PayPal or Amazon, or they may try to lure victims with promises of tax rebates and competition prizes. These messages often carry malicious attachments designed to deploy malware, or they direct victims to fake websites.

    So-called “vishing” is a subset of phishing that combines ‘voice’ and ‘phishing’. Victims may be cold-called, or emails may contain phone numbers, voice notes, and messages, but the goal is the same: to steal your personal data.

    Scam artists employ “spray and pray” techniques, blasting out thousands of emails in one go, and voice over internet protocol (VoIP) technology now lets fraudsters do the same with calls, all while spoofing their caller IDs and identities.

    In separate case studies published on Thursday, Armorblox highlighted two Amazon vishing attacks intent on stealing customer credit card details, and showed how using a phone number rather than a link as the payload can bypass existing spam filters.

    The first vishing attempt, tracked to roughly 9,000 email inboxes, was sent from a Gmail account and carried the subject line “Invoice:ID” followed by an invoice number; the body used the colour markers associated with Amazon’s branding.

    This email says that an order for a television and gaming console had been placed — a purchase worth hundreds of dollars — and urges the recipient to contact them using a phone number if there are any errors. 
    Armorblox called the ‘payload’ phone number, and a person on the other end of the line answered, pretending to be from Amazon customer service. The scammer asked for the order number, customer name, and credit card details before cutting the call and blocking the number.

    According to the researchers, the use of a zero in “AMAZ0N TEAM” helped the message slip past existing spam filters, including Microsoft Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO): a naive keyword match on the brand name does not fire on the digit. The email was assigned a spam confidence level (SCL) of 1, which means EOP judged it not to be spam.

    In the second example, which reached roughly 4,000 inboxes and also circumvented EOP and MSDO, the fraudsters impersonated Amazon via a spoofed sender address, “no-reply@amzeinfo[.]com”, and used the subject line “A shipment with goods is being delivered.” The email contained an order number, a payment amount of $556.42, and another ‘payload’ phone number for customers to call to request a return. In this case, the researchers found that the scam appeared to have been shut down, as the phone number was no longer in service.

    Because neither email contained a malicious attachment or link, the attachment and URL scanning that spam filters rely on had nothing to inspect, which is what let both messages through. In both cases, the fraudsters combined social engineering, brand impersonation, and an emotive trigger, the apparent loss of hundreds of dollars, to induce victims to call them. If successful, victims could end up handing over personal data and credit card details, leading to identity theft or fraudulent payments made in their name.

    As many of us remain at home due to the pandemic and rely more heavily on online shopping, fraudsters will continue to exploit these trends. In August, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning of an increase in vishing attacks against the private sector.
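    The two campaigns share a shape that a mail filter can look for even when there is no attachment or link to scan: a brand name (possibly obfuscated with digit-for-letter swaps such as the zero in “AMAZ0N”), a sender domain that does not belong to that brand, a large dollar amount, and a phone number as the only call to action. The following Python is an added example written for this page, not Armorblox’s or Microsoft’s code; the homoglyph table, the brand domain allowlist, and the three sample emails (modelled on the two campaigns above plus a benign receipt, with fictional numbers) are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Digits and symbols that scammers substitute for letters to dodge keyword filters
# (the "AMAZ0N" trick). Assumed set for this example; extend as needed.
HOMOGLYPHS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

# Assumed allowlist of domains the brand actually sends from (hypothetical, not Amazon's real list).
BRAND_DOMAINS = {"amazon": ("amazon.com", "amazon.co.uk")}

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")


@dataclass
class Email:
    sender: str   # RFC 5322 From value, e.g. "AMAZ0N TEAM <orders-desk@gmail.com>"
    subject: str
    body: str


def normalize(text):
    """Lower-case and undo digit-for-letter substitutions so 'AMAZ0N' compares equal to 'amazon'."""
    return text.lower().translate(HOMOGLYPHS)


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def domain_belongs_to(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def assess(msg):
    """Return the list of vishing indicators found; an empty list means nothing suspicious."""
    raw = f"{msg.sender} {msg.subject} {msg.body}"
    hits = [b for b in BRAND_DOMAINS if b in normalize(raw)]
    if not hits:
        return []  # no known brand mentioned, nothing to assess here
    brand = hits[0]
    reasons = []
    if brand not in raw.lower():
        reasons.append(f"brand name '{brand}' only matches after homoglyph normalization")
    domain = sender_domain(msg.sender)
    if not domain_belongs_to(domain, BRAND_DOMAINS[brand]):
        reasons.append(f"mentions {brand} but was sent from {domain}")
    phones = PHONE_RE.findall(msg.body)
    links = URL_RE.findall(msg.body)
    if phones and not links:
        reasons.append("call-to-action is a phone number and the mail carries no links")
    amounts = [float(a.replace(",", "")) for a in AMOUNT_RE.findall(msg.body)]
    if any(a >= 100 for a in amounts):
        reasons.append("large charge quoted as an emotive trigger")
    return reasons


def is_vishing(msg):
    # Require two independent indicators: a genuine receipt also quotes an amount,
    # so a single indicator must not be enough to quarantine a message.
    return len(assess(msg)) >= 2


# Constructed samples modelled on the two campaigns above plus a benign receipt (numbers are fictional).
SAMPLES = {
    "amaz0n_gmail": Email(
        sender="AMAZ0N TEAM <orders-desk@gmail.com>",
        subject="Invoice:ID 4471-9920",
        body="Your order for a 55in TV and a gaming console, total $1,299.99, has been placed. "
             "If you did not make this purchase call us now at 1-800-555-0142.",
    ),
    "amzeinfo": Email(
        sender="no-reply@amzeinfo.com",
        subject="A shipment with goods is being delivered",
        body="Amazon order total $556.42. To request a return call (800) 555-0199.",
    ),
    "legit_receipt": Email(
        sender="Amazon.com <ship-confirm@amazon.com>",
        subject="Your Amazon.com order has shipped",
        body="Order total $556.42. Track it at https://www.amazon.com/your-orders",
    ),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "VISHING" if is_vishing(msg) else "ok", assess(msg))
```

    The homoglyph normalisation is deliberately applied only when matching the brand name; phone numbers and amounts are extracted from the raw text, because normalising digits there would destroy them.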
Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

    Apple isn't happy about the amount of Mac malware out there

    A top Apple exec has said that Mac malware has now exceeded Apple’s level of tolerance, and framed security as the reason for keeping iPhones locked to the App Store, during testimony defending Apple in a lawsuit with Fortnite maker Epic Games. Apple’s head of software engineering Craig Federighi told a court in California that Apple found current levels of malware “unacceptable”. 

    “Today, we have a level of malware on the Mac that we don’t find acceptable,” he said in response to questions from Apple’s lawyers, as ZDNet sister site CNET reports.

    Apple is defending its practices after Epic Games sued it in the US because the iPhone maker removed Epic’s Fortnite game from the App Store after Epic added a direct payment system for in-game currency, which would bypass the 30% commission Apple charges developers. Epic argues that Apple is too restrictive.

    The Apple-Epic trial began on May 3. Yesterday, App Store boss Phil Schiller emphasised that the App Store had been focused on security and privacy from the outset.

    Federighi said that since last May there have been 130 types of Mac malware, and that one variant had infected 300,000 systems.

    He added that Macs have a “significantly larger malware problem” than iPhones and iPads, comparing the Mac problem to an “endless game of whack-a-mole”. Macs can install software from anywhere on the internet, whereas iOS devices can only install apps from Apple’s App Store.

    US security firm Malwarebytes, which sells Mac antivirus, reported that Mac malware was now outpacing Windows malware. But the company also noted that the threats to Macs, mostly adware, were not as dangerous as malware for Windows.

    Per 9to5Mac, Federighi compared the Mac to a car, whereas iOS was designed with safety for children in mind. “The Mac is a car. You can take it off road if you want and you can drive wherever you want. That’s what you wanted to buy. There’s a certain level of responsibility required. With iOS, you wanted to buy something where children can operate an iOS device and feel safe doing so. It’s really a different product,” he said.

    Federighi also contended that, if Apple allowed iOS users to sideload apps, things would change dramatically. “No human policy review could be enforced because if software could be signed by people and downloaded directly, you could put an unsafe app up and no one would check that policy,” he said.

    Android apps exposed data of millions of users through cloud authentication failures

    Researchers analyzing Android apps have discovered serious cloud misconfigurations leading to the potential exposure of data belonging to over 100 million users. 

    In a report published on Thursday by Check Point Research (CPR), the cybersecurity firm said no fewer than 23 popular mobile apps contained a variety of “misconfigurations of third party cloud services.”

    Cloud services are widely used by online services and apps today, perhaps even more so given the rapid shift to remote working caused by the coronavirus pandemic. While useful for data management, storage, and processing, it only takes one access or authorization oversight to expose or leak the records they hold.

    Apps in particular often integrate with real-time databases to store and synchronize data across platforms. However, the developers of some of the apps examined failed to make sure authentication was enforced on those databases. According to CPR, the 23 Android apps examined, including a taxi app, a logo maker, a screen recorder, a fax service, and astrology software, leaked data including email records, chat messages, location information, user IDs, passwords, and images.

    In 13 cases, sensitive data was publicly available in unsecured cloud setups. These apps accounted for between 10,000 and 10 million downloads each. While investigating the taxi service app, for example, the team was able to send one simple request to the app’s database and pull up messages sent between drivers and customers, names, phone numbers, and both pick-up and drop-off locations.

    The cloud services providing backend data management for the screen recorder and fax apps were not adequately secured either. By analyzing the applications’ files, CPR was able to recover the keys that grant access to stored recordings and fax documents. Push notification keys were also found embedded in the apps, left open to abuse: if push services are hijacked, they can be used to send malicious alerts to app users.

    The researchers say these security failures are due to developers failing to follow “best practices when configuring and integrating third party cloud services into their applications.” “This misconfiguration of real-time databases is not new, but [..] the scope of the issue is still far too broad and affects millions of users,” CPR says. “If a malicious actor gains access to this data it could potentially result in service-swipe (trying to use the same username-password combination on other services), fraud, and identity theft.”

    CPR informed the app developers of the misconfigurations prior to disclosure, and several have since tightened up their controls. Earlier this month, the researchers published an advisory on Qualcomm MSM data services and the discovery of a vulnerability that could theoretically be used to tamper with and inject malicious code into Android handset modems.
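    The two failure modes above (credentials and backend endpoints left in the app package, and a real-time database whose rules allow unauthenticated reads) can be checked in the same pass over a decompiled APK. The Python below is an added example written for this page, not Check Point’s tooling or any of the affected apps’ code. The sample strings are constructed (the AWS key ID is Amazon’s documented example key, the Google API key and database name are made up), the regexes are heuristics rather than a complete secret-scanning ruleset, and the probe is only built as a URL: issue it yourself, only against databases you are authorised to test, and feed the status code and body to classify_probe(). The Firebase Realtime Database REST endpoint and its 401 “Permission denied” error body are as documented by Google.

```python
import re

# Constructed sample: strings as pulled from a decompiled APK (res/values/strings.xml
# plus smali constants). The app, key and database name are fictional.
SAMPLE_APP_STRINGS = """
<string name="firebase_database_url">https://example-taxi-app.firebaseio.com</string>
<string name="google_api_key">AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q</string>
const-string v0, "AKIAIOSFODNN7EXAMPLE"
<string name="app_name">Example Taxi</string>
"""

# Heuristic patterns (assumed, not exhaustive) for credentials and backend
# endpoints that commonly survive in shipped app packages.
PATTERNS = {
    "firebase_database_url": re.compile(
        r"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)"
    ),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def find_secrets(text):
    """Map each pattern name to the list of matches found in the extracted strings."""
    return {name: pattern.findall(text) for name, pattern in PATTERNS.items()}


def probe_url(db_url):
    # Realtime Database REST endpoint for the root node; shallow=true lists only the
    # top-level keys, so the check does not bulk-download user data if the DB is open.
    return db_url.rstrip("/") + "/.json?shallow=true"


def classify_probe(status, body):
    """Interpret the response to an unauthenticated GET against probe_url()."""
    if status == 200:
        return "open"           # rules allow anyone to read: the misconfiguration CPR describes
    if status == 401 and "Permission denied" in body:
        return "auth-enforced"  # rules rejected the anonymous request
    if status == 404:
        return "not-found"      # database deleted or name wrong
    return "inconclusive"


def review_app(text):
    """Combine both checks: every secret found plus the probe URL for each database."""
    findings = find_secrets(text)
    findings["probe_urls"] = [probe_url(u) for u in findings["firebase_database_url"]]
    return findings


# The rule change that fixes an "open" result. Weak (world-readable) rules look like
#   {"rules": {".read": true, ".write": true}}
# and should be scoped so a user can only reach their own subtree, e.g.
#   {"rules": {"messages": {"$uid": {".read": "auth != null && auth.uid == $uid",
#                                    ".write": "auth != null && auth.uid == $uid"}}}}

if __name__ == "__main__":
    for key, values in review_app(SAMPLE_APP_STRINGS).items():
        print(f"{key}: {values}")
```

    A 200 from the shallow probe is the one-request proof of exposure described for the taxi app; the shallow listing shows which collections exist without pulling the messages themselves.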

    Colonial Pipeline CEO: Paying DarkSide ransom was the ‘right thing to do for the country’

    The chief executive of Colonial Pipeline has defended paying cybercriminals who launched a devastating attack on the company, calling it the “right thing to do for the country.”

    Speaking to the Wall Street Journal, Colonial Pipeline CEO Joseph Blount acknowledged that a $4.4 million ransom was paid after an employee found a ransom note on the firm’s systems on May 7. Alpharetta, Georgia-based Colonial Pipeline was forced to shut down its pipeline operations and IT systems following the ransomware attack, launched by DarkSide ransomware operators.

    Colonial Pipeline says it provides approximately 45% of the East Coast’s fuel, including gasoline, diesel, and military supplies. Public disclosure of the incident prompted panic-buying in some US cities, the price of gas rose, and despite pleas for customers not to panic, a number of gas stations reported running dry. It took the best part of a week for Colonial Pipeline to restore both the main and the smaller lateral fuel lines as the company worked to keep the hardest-hit areas supplied as best it could.

    Given that the pipeline is a core US energy infrastructure asset, the chief executive said he authorized the $4.4 million payment because of “the stakes involved,” according to the WSJ.

    At the time, the company was not sure of the scope of the attack or how long the pipelines would be out of operation.

    DarkSide ran a double-extortion operation: confidential information is stolen during the intrusion, before systems are encrypted, because the encryption step is what alerts victim organizations to the attackers’ presence. The criminals then threaten victims who refuse to pay for a decryption key with the public exposure of their information on a leak site.

    Blount acknowledged that paying up was a “highly controversial” decision and not one to be “made lightly.” However, the CEO said it was the right thing to do considering the potential energy supply implications for the United States.

    The FBI confirmed that a DarkSide operator was responsible for the attack. DarkSide, a ransomware-as-a-service (RaaS) operation run through affiliates, has since lost control of its blog and servers, effectively closing down the criminal outfit, at least in its current form. According to Elliptic, DarkSide operators took in over $90 million in cryptocurrency ransom payments from at least 47 victims.

    US President Joe Biden has since signed an executive order to improve federal security requirements.

    ByteDance CEO to step down, focus on 'long-term' strategy

    ByteDance’s founder Zhang Yiming is stepping down from his CEO role and moving to a new role focused on “long-term strategy”. Co-founder and head of human resources Liang Rubo will take over as chief executive, with the two executives working on a transition slated to complete by the end of 2021. The parent company of video platform TikTok, ByteDance on Wednesday released an internal letter Zhang wrote to employees explaining his decision and stating that his new role would also cover corporate culture and social responsibility, areas in which he had hoped to achieve more than he had so far. He noted that stepping away as CEO would relieve him of day-to-day operations and let him have a greater impact on long-term initiatives. He said it was the benefit of time that had enabled him to lay the foundation for ByteDance, which he had cultivated between graduating from college and starting the company some nine years ago.

    Zhang said: “I spent a lot of time thinking and learning about challenges like effectively disseminating information, using technology to improve products, and approaching the development of a company–much like one would a product: through constant re-evaluation, adjustment, and iteration.”

    He said innovation and success required years of exploration, noting that Tesla was 18 years old and had started out experimenting with laptop battery cells to power its vehicles, while Apple’s roots went back to the Homebrew Computer Club of the 1970s. In their efforts to scale and expand their business, he noted, entrepreneurs often ended up “overly central”, stuck in a daily routine of listening to presentations, handling approvals, and making decisions reactively. This led them to depend on old ideas and to be slow to develop new ones.

    “I believe I can best challenge the limits of what the company can achieve over the next decade, and drive innovation, by drawing on my strengths of highly-focused learning, systematic thought, and a willingness to attempt new things,” he said.

    Zhang also revealed that he lacked some of the skills “an ideal manager” should have, as well as the desire to manage people, preferring instead to analyse organisational and market principles and apply them to reduce management work. He added that he was not sociable and would rather take part in “solitary activities” such as reading and listening to music. “I think someone else can better drive progress through areas like improved daily management,” he said.

    Pointing to Liang’s strengths in management and social engagement, he said his co-founder had held various roles at ByteDance, including leading the company’s research and development efforts, and had developed key recruitment and corporate policies as well as management systems. The two executives would use the next six months to ensure a smooth transition, Zhang said.

    His announcement comes weeks after ByteDance’s CFO, Singaporean Chew Shou Zi, was appointed TikTok’s new CEO as part of a “strategic reorganisation”. Chew, who took up the CFO position in March, is based in Singapore.

    TikTok’s US operations had been poised to be sold to Oracle and Walmart, but the sale was “shelved indefinitely” following a review by the Biden administration to assess the security risks of foreign-owned apps and software. The sale had been prompted by former president Trump’s executive orders banning downloads of the Chinese-owned social media apps WeChat and TikTok, alleging they posed threats to US national security, foreign policy, and the economy because of the data they collected.

    Google warns: These four Android flaws are now under attack

    Three weeks after Google released the May 2021 Android security update, Google has revealed that four of the vulnerabilities it patched were already under attack. “There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation,” Google said in a note added to its May 2021 bulletin, which was originally published on May 1. Google Project Zero security researcher Maddie Stone flagged in a tweet that these were zero-day, or previously unknown, flaws. The four flaws affect Qualcomm’s GPU (CVE-2021-1905, CVE-2021-1906) and the Arm Mali GPU (CVE-2021-28663, CVE-2021-28664).

    Stone tweeted on May 19, 2021: “Android has updated the May security with notes that 4 vulns were exploited in-the-wild. Qualcomm GPU: CVE-2021-1905, CVE-2021-1906. ARM Mali GPU: CVE-2021-28663, CVE-2021-28664. https://t.co/mT8vE2Us74”

    As Project Zero notes in its “0day ‘in the wild’” spreadsheet, the Arm bugs comprise a flaw that lets an attacker write to read-only memory via the Mali GPU driver and a use-after-free in the same driver. The Qualcomm bugs comprise an improper error-handling flaw and a use-after-free in its GPU driver.

    Google copped flak from security reporter Dan Goodin for saying the bugs “may be under limited, targeted exploitation”, wording he called “vague to the point of being meaningless”.

    Shane Huntley from Google’s Threat Analysis Group (TAG), who in November revealed three zero-day flaws in Apple’s iOS, defended Google’s phrasing, highlighting that Google doesn’t always have the information at hand to say whether a vulnerability is under attack. TAG also discovered and disclosed the zero-day flaws in Apple’s WebKit browser that prompted Apple to issue the emergency iOS 14.4.2 update in March. Apple even updated older iOS devices to version 12.5.2 to address those issues.

    “I understand the frustration sometimes that people aren’t always getting the IOCs and details they want but I can maybe shed a little more light here,” he wrote, referring to indicators of compromise (IOCs).

    “Firstly not all “In The Wild” reports mean that we know exactly the target set. “In The Wild” could mean that the exploit was discovered on the black market or a hacker forum or reported to us from a source that wished to remain anonymous. In those cases the IOCs or targeting isn’t available or known.

    “We strongly believe that there’s a difference between exploits found ourselves or reported through coordinated disclosure and ones we know to be in the hands of attackers. Flagging the latter helps with prioritization.

    “We are working to provide more information where possible on what we observe but it is a trade off and sometimes either don’t have the details or can’t reveal all the info that some people want. We still think there’s value releasing what we can.”

    Qualcomm says in its advisory that CVE-2021-1905 was reported to it on 17 November 2020 and rates it as a high-severity flaw. CVE-2021-1906 is a medium-severity flaw reported to it on 7 December 2020. The flaws affect an enormous number of Qualcomm chipsets but require local access to be exploited, according to the chip maker.

    Samsung only yesterday started rolling out the May 2021 Android security patch to flagship Galaxy S21 phones, as SamMobile reports. Samsung’s hugely popular A-series smartphones have not received the update yet.
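    Huntley’s point is that the “in the wild” flag exists to drive prioritisation, and the practical follow-through for anyone managing a fleet of Android devices is to find the handsets that carry the affected GPU driver and still sit on a patch level older than the one carrying the fix. The Python below is an added example written for this page, not Google’s, Qualcomm’s or Samsung’s code. It parses the `[key]: [value]` output of `adb shell getprop`, which is the documented format, and assumes (this is an assumption made here, not something the bulletin note above states) that the fixes for these four CVEs ship with the 2021-05-05 patch level; the GPU vendor per device comes from a fleet inventory rather than being inferred from properties, and the four device records are constructed.

```python
import re
from dataclasses import dataclass
from datetime import date

# The four CVEs from the bulletin note, grouped by the GPU driver they affect (as reported above).
EXPLOITED_GPU_CVES = {
    "qualcomm": ("CVE-2021-1905", "CVE-2021-1906"),
    "arm-mali": ("CVE-2021-28663", "CVE-2021-28664"),
}

# Assumption for this example: these vendor-component fixes ship with the 2021-05-05 patch level.
FIXED_PATCH_LEVEL = date(2021, 5, 5)

# Lines as printed by `adb -s <serial> shell getprop`: "[key]: [value]"
GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$", re.MULTILINE)


@dataclass
class Device:
    serial: str
    model: str
    gpu: str              # "qualcomm", "arm-mali" or "other", from the fleet inventory
    security_patch: str   # ro.build.version.security_patch, e.g. "2021-04-01"


def parse_getprop(output):
    """Turn getprop output into a dict of property name -> value."""
    return {m.group("key"): m.group("value") for m in GETPROP_RE.finditer(output)}


def device_from_getprop(serial, gpu, output):
    props = parse_getprop(output)
    return Device(
        serial=serial,
        model=props.get("ro.product.model", "?"),
        gpu=gpu,
        security_patch=props.get("ro.build.version.security_patch", ""),
    )


def parse_patch_level(value):
    """Return the patch level as a date, or None if the property is missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def exposed_cves(device):
    """CVEs from the exploited set that this device is still exposed to."""
    cves = EXPLOITED_GPU_CVES.get(device.gpu, ())
    if not cves:
        return []
    level = parse_patch_level(device.security_patch)
    # An unknown or unparseable patch level is treated as unpatched: fail closed.
    if level is None or level < FIXED_PATCH_LEVEL:
        return list(cves)
    return []


def triage(devices):
    """serial -> exposed CVEs, listing only devices that need the update."""
    return {d.serial: exposed_cves(d) for d in devices if exposed_cves(d)}


# Constructed getprop excerpts for four fictional devices (serials and models are made up).
SAMPLE_GETPROP = {
    "R3CN10A": ("qualcomm", "[ro.product.model]: [Phone A]\n[ro.build.version.security_patch]: [2021-04-01]\n"),
    "R3CN10B": ("arm-mali", "[ro.product.model]: [Phone B]\n[ro.build.version.security_patch]: [2021-05-05]\n"),
    "R3CN10C": ("arm-mali", "[ro.product.model]: [Phone C]\n[ro.build.version.security_patch]: []\n"),
    "R3CN10D": ("other", "[ro.product.model]: [Phone D]\n[ro.build.version.security_patch]: [2021-03-01]\n"),
}


def sample_fleet():
    return [device_from_getprop(serial, gpu, out) for serial, (gpu, out) in SAMPLE_GETPROP.items()]


if __name__ == "__main__":
    for serial, cves in triage(sample_fleet()).items():
        print(serial, "needs update for", ", ".join(cves))
```

    Device D is out of scope regardless of its old patch level because neither affected driver is on it, while device C, which reports no patch level at all, is flagged rather than silently skipped.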

    Singapore orders Facebook, Twitter to post correction notice on COVID variant falsehoods

    Singapore has instructed Facebook and Twitter to carry correction notices on posts claiming there is a local strain of the COVID-19 virus. The order, however, only applies to the platforms’ users in the country. The Ministry of Health said Thursday that the directive also had been given to SPH Magazines–specifically, its HardwareZone user forum. It would require the online platforms to carry a correction notice to “all end-users in Singapore” who accessed Facebook, Twitter, and HardwareZone.com, said the ministry. It referred to false statements circulating online that suggested a new variant of COVID-19 had originated in Singapore and was at risk of spreading to India. 

    “There is no new ‘Singapore’ variant of COVID-19. Neither is there evidence of any COVID-19 variant that is ‘extremely dangerous for kids’,” the Health Ministry said. “The strain that is prevalent in many of the COVID-19 cases detected in Singapore in recent weeks is the B.1.617.2 variant, which originated from India. The existence and spread of the B.1.617.2 variant within India predates the detection of the variant in Singapore, and this has been publicly known and reported by various media sources from as early as May 5, 2021.”

    The correction notice order was issued by the Protection from Online Falsehoods and Manipulation Act (POFMA) Office, which is tasked with overseeing the Act.

    The move came days after Delhi Chief Minister Arvind Kejriwal said on Twitter that a Singapore variant of the virus was particularly harmful to children and could trigger a third wave of infections in India. He also urged his government to cancel flights from Singapore. In response, Singapore’s Ministry of Foreign Affairs said Wednesday that it “regrets the unfounded assertions” and was “disappointed” that a prominent political figure had failed to ascertain the facts before making such claims. The ministry added that it had met with the High Commission of India to express its concerns.

    For its part, India’s Foreign Minister Subrahmanyam Jaishankar rebuked Kejriwal, who is from the country’s largest opposition party, Aam Aadmi. Jaishankar said on Twitter: “Irresponsible comments from those who should know better can damage longstanding partnerships. So, let me clarify — Delhi CM does not speak for India.” He added that both countries had been partners in combating COVID-19 and that India was “grateful” for Singapore’s role as a logistics hub and supplier of the medical oxygen India needed during its second wave.

    India on Wednesday reported a daily record of 4,529 deaths from COVID-19, exceeding the previous global record of 4,475 deaths recorded in the US on January 12. Singapore is currently seeing a second wave of infections, with 34 community cases recorded on Wednesday, the 24th consecutive day on which such infections had been detected. In total, 31 people have succumbed to the virus in the city-state.

    POFMA was passed in May 2019, following a brief public debate, and took effect in October 2019 with details of how appeals against directives could be made. The bill was passed amid strong criticism that it gave the government far-reaching powers over online communication and would be used to stifle free speech and quell political opponents.

    Non-compliance with a POFMA directive is an offence under the Act. Offenders could face up to three or five years’ imprisonment, a SG$30,000 or SG$50,000 fine, or both. If bots or inauthentic accounts are used to amplify falsehoods, the potential penalties are doubled. Offending internet intermediaries, meanwhile, could face up to SG$1 million in fines, plus a SG$100,000 fine for each day they continue to breach the Act after conviction.

    Domain Group says phishing attack targeted site users

    Australian digital real estate business Domain Group has confirmed its platform was the victim of a phishing attack.

    “We have identified a scam that used a phishing attack to gain access to Domain’s administrative systems to engage with people who have made rental property enquiries,” the company’s CEO Jason Pellegrino said in a statement to ZDNet. “We understand the scammers then contacted some of these people by email to suggest that they pay a ‘deposit’ to secure a rental property on a website nominated by the scammer.”

    Domain said that while the attack is a serious matter, at this point its investigation showed only a small number of people may have engaged with the scam.

    “Clearly people are becoming more aware of how to spot suspicious online behaviour and taking protective measures not to engage in such activity,” Pellegrino added. “Unfortunately, since Covid, scams like these have been on the rise. It is disappointing for us to find out that after such a challenging past twelve months for many of us, some see this as an opportunity to take advantage of others.”

    The CEO said that since becoming aware of the scam, Domain has implemented several additional security controls and “elevated” its level of monitoring even further.

    “We continue to implement further ways to identify and prevent phishing and have engaged external security consultants to provide further expertise in the management and prevention of online scams,” he said.

    Domain Group is approximately 65% owned by Nine Entertainment Co as a result of the Fairfax-Nine merger. Nine earlier this year had its services disrupted by a cyber attack that forced it off air. Domain said the latest incident was not related to the one experienced by Nine.

    Over the ditch, New Zealand’s Waikato District Health Board has been working to get its systems back online after it experienced a full outage of its information services on Tuesday. Stuff is reporting that the incident was ransomware and that the head of Waikato DHB said “no ransom will be paid” to cyber criminals.

    In an update posted Wednesday afternoon, Waikato DHB said it was making “good progress” on restoring the infected systems and on the remediation process. “We are currently working with other government departments to investigate the cause, but are working on the theory that the initial incursion was via an email attachment. A forensic investigation is ongoing,” it said.

    Services across its Waikato, Thames, Te Kūiti, Tokoroa, and Taumarunui hospitals have been affected this week. At Waikato Hospital, some elective surgeries have been deferred and the number of outpatient clinics has been reduced: of the 102 elective surgeries planned for inpatients on Wednesday, 73 were still going ahead, while on Tuesday six elective surgeries were cancelled and 95 still performed. Elective surgeries at Thames Hospital have been postponed, and all outpatient activity at Waikato DHB’s rural hospitals has been deferred.