Welcome to Cyber Security Today. It’s Monday February 19th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Today is the President’s Day holiday in many U.S. states and a civic holiday in several Canadian provinces. If you’re off, thanks for tuning in.
A mischief-maker has managed to fool the attorney general’s office of the state of Maine into posting a phony data breach notification. Maine is one of several American states with laws forcing firms and government agencies to fill out an online form outlining data breaches that affect their residents. Those notifications are posted on state websites so the public knows about data breaches. Well, on Saturday Maine’s data breach notification website included an obviously fake listing. It claims to be a report about an attack on the police department of the city of “Saint Louis,” Missouri. I say it’s obviously a fake because the person who submitted the notification wrote that he owns the state of Missouri, as well as owns the police department. The explanation of the attack is garbled nonsense involving criminals in the building, RFID tagging of account numbers, a Google private investigator, low pass filters on bank antennas … and so on. And they misspelled St. Louis. I assume an automated system approved the posting, because surely a bureaucrat couldn’t have allowed it to go through. On Sunday afternoon I emailed the Maine attorney general’s office asking for an explanation.
UPDATE: The fake posting was deleted Tuesday.
Among the real data breach notifications recently posted on Maine’s website, the Golden Corral restaurant chain, which has outlets in 39 states, said it’s notifying over 185,000 people of a data breach last August. And a school district in Maryland is notifying almost 100,000 people their personal data was stolen in a ransomware attack last August.
A Ukrainian man once on the FBI’s Most Wanted List has pleaded guilty in the U.S. to a conspiracy charge for his role in distributing and leveraging the Zeus and IcedID malware. One ransomware victim was the University of Vermont Medical Centre. The man was arrested in Switzerland in 2022 and extradited to the U.S. last year. He will be sentenced in May.
Meanwhile police in Ukraine arrested a hacker who allegedly stole and sold personal data of people in Canada and the U.S. by initially infecting their Android devices. The victims downloaded what they thought was free software. It was really malware that let the attacker steal bank account access information of victims. That bank account data was sold to those willing to loot the bank accounts. Over the years police believe the accused made the equivalent of about US$91,000. The man’s accomplices are being sought.
An American internet provider called U.S. Internet Corp. left more than a decade’s worth of customers’ email messages open on a secure email server. That’s according to reporter Brian Krebs. Krebs was tipped off by a cybersecurity company that found the link to the server, which had over 6,500 domain names of customers. Anyone who clicked on one of those domain names went to a list of emails of the customers. Some messages dated back to 2008. When Krebs asked the company how this happened, the server was quickly secured. The company blames a former employee for misconfiguring the server. The lesson here is IT leaders have to regularly check the configurations of anything that’s connected to the internet.
Cyber experts say using biometric facial scanning is better than passwords for login security. However, an Asian threat actor may have found a way around biometric protections. Security researchers at Group-IB say the latest version of a family of iOS and Android malware has this capability and is being used to hack into victims’ bank accounts and steal their money. The gang uses social engineering to convince a victim to download an app to their mobile device by things like pretending to be from a government department. The victim is told to record a video of themselves for confirmation. That video is then used by the gang to create a deepfake video using artificial intelligence, allowing the gang to get into the victim’s bank account. I’ve simplified the process, but the discovery is a warning to firms that offer facial recognition solutions for logins that they’ve got to upgrade their protection. This technique is being used in Asia. It will come to other countries.
A threat actor is using Amazon Web Services’ Simple Notification Service (SNS) to send bulk spam text messages to people. That’s according to researchers at SentinelOne. These messages often appear to come from the U.S. Postal Service about an alleged missing package. The goal is to get people to click on a link that goes to a fake login page where they can track the alleged package — if they give a credit card number to pay a 30 cent re-delivery fee. That credit card number is what the attackers want. Companies using AWS have to make sure their account isn’t being abused this way by regularly checking the configuration of their SNS capability.
Last week the last of a series of patches for domain name servers and other network applications was released to plug a critical flaw in DNS Security Extensions. This hole, dubbed KeyTrap, was discovered months ago and vendors have been quietly issuing patches since, and DNS providers — like Google and Cloudflare — have been applying them. Hopefully, your IT team has been doing the same.
Finally, at this weekend’s Munich Security Conference 20 tech companies including Meta, TikTok, X, Microsoft, IBM, Adobe, OpenAI and Amazon pledged to help prevent deceptive AI content from interfering with elections. The goal is to reduce the amount of fake texts, social media posts, videos and other content. There are no concrete goals, just pledges to go after deceptive crap.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
By the way, IT World Canada also offers a daily podcast of general IT news. It’s called Hashtag Trending, and it’s also available on Apple and Google podcasts.