U.S. city hit by business email scam, Linux servers being hunted and sloppy thinking in mobile app
Welcome to Cyber Security Today. It’s Monday, July 8th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
It’s bad enough that a number of U.S. cities have recently been hit by ransomware attacks. Now news is emerging that the city of Griffin, Georgia was stung for over $800,000 in what’s called a business email scam. According to a local news site called The Grip, a company the city uses for water treatment emailed the finance department that it should change the bank where payments are sent. Two payments went out before the city got wise. That happened when the real supplier called the city and asked why it hadn’t been paid. The email requesting the account change was a fraud made to look like it came from the real supplier. The suspicion is the supplier’s email was hacked, allowing the criminal to learn how it did business with the city.
The lesson to all organizations is to teach employees to be careful when an email or a phone request comes in to change banking or financial transaction information. And suppliers — even small companies — need to remember that criminals see them as the way into bigger organizations.
If you’re running a Linux server, watch out for a new strain of cryptomining malware. Security company F5 Networks warns that a campaign by attackers started in June to spread this software, which uses your server to mine for cryptocurrency. They get the profit, you get a slow computer. The malware is being pushed out by thousands of compromised computers looking for holes in web applications like the Drupal content management system and the Confluence collaboration software. It also tries to compromise systems running Redis databases.
Administrators should watch for suspicious network and processor activity.
Finally, another example of how companies let customers down with poor security happened this week in Japan. Nine hundred customers of 7-Eleven in that country lost a combined $500,000 within days of the company launching a mobile payment app that linked to credit and debit card accounts. The cause? A badly designed password reset function in the app. According to the ZDNet news site, if I knew your date of birth and phone number, I could request a password reset link for your account, and the password reset link would come to my email. Then I could get the app to send money from your credit card to me. Knowing a date of birth for many people isn’t hard with a decade or so of stolen data available to hackers. In short, it took hackers only a few hours to figure out the vulnerability. This is a big lesson to software developers: Not only does code need to be tested thoroughly for bugs, the processes have to be looked at for vulnerabilities. Experts have been saying for some time that password reset processes are an opening for attackers.
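The reset-process flaw described above, shown beside a corrected handler. This is an added example, not code from the app or from the original story; the account store, field names and function names are hypothetical, and the sample data is constructed.

```python
import hashlib
import secrets
import time

# Constructed sample account store; every value here is made up.
ACCOUNTS = {
    "user-1001": {"email": "owner@example.com",
                  "dob": "1985-04-12", "phone": "09012345678"},
}
RESET_TTL = 15 * 60   # seconds a reset token stays valid
_tokens = {}          # sha256(token) -> (account_id, expiry)

def _find_account(dob, phone):
    """Look up an account by the two identifying facts the reset form asks for."""
    for acct_id, rec in ACCOUNTS.items():
        if rec["dob"] == dob and rec["phone"] == phone:
            return acct_id
    return None

def request_reset_flawed(dob, phone, send_to):
    """The pattern in the story: the requester picks where the link is sent."""
    acct_id = _find_account(dob, phone)
    if acct_id is None:
        return None
    return {"to": send_to, "account": acct_id}

def request_reset_hardened(dob, phone, send_to=None, now=None):
    """Ignore any requester-supplied address; mail only the address on file."""
    acct_id = _find_account(dob, phone)
    if acct_id is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only a hash so a leaked token table cannot be replayed.
    digest = hashlib.sha256(token.encode()).hexdigest()
    _tokens[digest] = (acct_id, now + RESET_TTL)
    return {"to": ACCOUNTS[acct_id]["email"], "account": acct_id, "token": token}

def redeem(token, now=None):
    """Single use: the token is removed on first lookup, valid or expired."""
    now = time.time() if now is None else now
    entry = _tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```

Date of birth and phone number only identify the account; in the hardened handler, control of the mailbox already on file is what proves ownership.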
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.